> The Helsinki Court of Appeal has overturned the criminal conviction of Ville Tapio, the former CEO of psychotherapy provider Vastaamo, in a case linked to one of Finland’s most serious data breaches. The court ruled on Thursday that Tapio was not criminally liable for alleged data protection failures related to the unauthorised access and publication of tens of thousands of patients’ sensitive information. Tapio had previously received a three-month suspended prison sentence from the District Court of Helsinki in spring 2023.
No prison time, and the conviction was overturned. Your post rather got my hopes up when it suggested that a CEO faced consequences...
They did: the Finnish CEO was criminally charged and convicted (under GDPR); that never happens in the US. (I wasn't aware it was overturned on appeal in 12/2025; neither is Wikipedia currently.)
They did face consequences. That ex-CEO (and CTO) also essentially had their reputations shredded, and their behavior was publicly scrutinized (have you ever seen the Comcast CEO grilled by Congress? I haven't). Sure, it would be better if they had actually gone to prison. But my point is GDPR has teeth, unlike US state digital privacy laws.