Execute and Maintain the Target | Part 4/4
Data Governance in Action – Implementation and Maintenance Designing a data governance strategy is only the beginning. To truly manage
Nordic Privacy Arena 2025 – key insights and discussion topics
Nordic Privacy Arena (NPA) is the most significant Nordic conference focusing on data protection and privacy. It is held annually in Stockholm and online, bringing together data protection officers, authorities, lawyers, activists, and privacy professionals to discuss the latest developments in the field.
The 2025 conference took place on 29–30 September at the Münchenbryggeriet venue. The theme was “Ten years of progress, responsibility for the future,” celebrating the tenth anniversary of the event and focusing on the changing landscape of privacy – from AI governance to digital sovereignty.
GDPR Tech participated in the event for the third time and was also a sponsor this year. Juha Sallinen and Jaanaliisa Kuoppa attended the conference in person, and in this article they share the key takeaways and their own observations.
AI, oversight, and sandboxes – Sweden’s approach interests Finland
Sweden’s new Data Protection Authority Commissioner Eric Lejonram delivered the most impactful keynote of the event. He emphasised risk-based governance of AI and the need for stronger safeguards alongside high-risk technologies.
Jaanaliisa Kuoppa summarised her view as follows:
“From a Finnish perspective it was noteworthy that Lejonram highlighted sandboxes and oversight mechanisms. In Sweden these have been in place for years – in Finland the work is still ongoing.”
The status of Finland’s AI sandboxes remains open. According to Traficom (14 October 2025), “Work is underway in Finland and the national implementation model is still open.” Haaga-Helia is participating in the EU’s EUSAir sandbox project, which may accelerate practical progress.
Juha Sallinen commented directly on the situation:
“Finland’s AI sandboxes are still at a weak level. Compared to Sweden, we are clearly behind.”
Max Schrems – the realisation of GDPR fines
The conference also featured one of the most recognised figures in the field, Max Schrems, who highlighted an important and worrying observation: while significant GDPR fines have been issued in Europe, only a fraction of them have actually been collected.
Max Schrems
Schrems also pointed out that courts remain reluctant to take on data protection cases. Their technical complexity is understandable, but this undermines both the credibility and the enforcement of the GDPR.
Digital sovereignty – realism or European optimism?
One of the most discussed themes was digital sovereignty: how Europe can maintain independence and capability in technology when the United States dominates the landscape of AI and cloud services.
In one panel, Bill Clinton was quoted: “Pessimism is an excuse for not trying.”
Juha Sallinen shared his perspective:
“There are alternatives in Europe. Finland has skilled software providers and data centres. OVHcloud is a good example of a European provider offering both infrastructure and SaaS environments. But realism matters – replacing Microsoft Office with LibreOffice would reduce productivity in many organisations.”
Swedish expert Daniel Melin summarised Europe’s situation succinctly: “We have outsourced our core to other states.”
Jaanaliisa Kuopa considered Melin’s proposal the most practical contribution of the conference:
“His solution was simple – the public sector should purchase more European systems. This means adjusting procurement legislation to favour European alternatives.”
The Draghi Report and regulatory simplifications: necessary or harmful?
The conference also discussed the Draghi Report and the GDPR simplification proposals based on it, including raising the employee threshold from 250 to 750.
Jaanaliisa Kuoppa commented candidly:
“From a Finnish perspective that increase is quite drastic. The 250-employee threshold is justified – a company with 200 employees already processes large amounts of staff, customer, and partner data.”
Juha Sallinen saw cosmetic aspects in the change:
“If larger companies are sensible, they will require their subcontractors to maintain at least a basic level of data protection anyway. The change does not remove responsibility.”
Panels also explored the broader question: is Europe stifling itself with regulation, or does the “Brussels effect” force global service providers to comply with EU requirements? This trend is already visible, for example, in India’s new data protection law, which is largely modelled on the GDPR.
Technologies that forgot privacy
Anna Berlee highlighted examples of technologies where privacy took a back seat:
- Google Glass, whose users became known as “Glassholes”
- Clearview AI, which Finnish police used without an adequate security assessment (the National Bureau of Investigation received a reprimand in 2021)
These cases remind us why privacy must be considered already at the design phase of technology.
Sport Admin – an example of what happens when data protection fails
Juha Sallinen took part in a panel discussing the data breach involving the Swedish Sport Admin platform. The case concerned the processing of children’s and guardians’ data – and illustrated what can happen when data protection and security are not handled with sufficient care.
A separate blog article on this topic will follow.
Why should Finns attend NPA?
Once again, few participants came from Finland, but attending is highly worthwhile.
Jaanaliisa Kuoppa summed up the reason:
“Absolutely worth it! The GDPR is not a Finnish invention. Meeting European experts face-to-face was truly eye-opening. And we Finns should probably start recognising that Sweden is actually a very good neighbour.
NPA 2025 offered:
- an up-to-date view of the intersection of AI and privacy
- insights into digital sovereignty
- discussion on GDPR simplifications and their implications
- concrete examples of why data protection remains critical
- valuable networking with European experts
The event once again demonstrated how quickly the privacy and data protection landscape is evolving – and why Nordic cooperation is more important than ever.
Would you like to learn more about data protection or discuss the themes of the event?
Contact us – let’s continue the conversation and explore how your organisation can strengthen data protection and security in a practical and effective way.
What's new?
In the blog you will find current information, interesting articles and a lot of detailed information related to data protection.
Read these also
Design the Target Level | Part 3/4
Unstructured data is growing rapidly, and without a clear governance strategy, organisations risk being overwhelmed by outdated, unmanaged, and potentially
Identify the Data – Even in Legacy Archives | Part 2/4
Introduction Legacy data often hides in plain sight—stored in personal folders, shared drives, or temporary locations. These files may contain