Section 10 of the Constitution of Finland, entitled "The right to privacy," states: "Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act. The secrecy of correspondence, telephony and other confidential communications is inviolable. Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual, society or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act."[1079] Also, Section 12 of the Constitution provides "documents and recordings in the possession of the authorities are public, unless their publication has for compelling reasons been specifically restricted by an Act. Everyone has the right of access to public documents and recordings."[1080] This includes name, birth year, municipality of residence, state taxable income, state property taxes, and total taxes paid.
The Personal Data Protection Act of 1999 (PDPA)[1081] went into effect on June 1, 1999, and was amended by the Act on the Amendment of the Personal Data Act.[1082] The law replaced the 1987 Personal Data File Act[1083] to make Finnish law consistent with the EU Data Protection Directive. The PDPA does not apply to processing of personal data for a private or purely personal use. Activities of "the media, the arts and literary expression" are also excluded from its scope. Exemptions for defense and public security are included in separate legislation. The new act introduces the concept of informed consent and self-determination into Finnish law. The previous act regulated the use and disclosure of information in a personal data file but did not generally require the individual's consent or provide for the same level of notice and access.[1084] Processing without consent may still occur under the new system, for example, if there is "assumed consent," or the Data Protection Board has granted permission, or if the matter concerns publicly available data on the "status, duties or performance" of a public figure.[1085] The PDPA lays down civil and criminal sanctions (including imprisonment of up to one year) for unlawful processing.
The Data Protection Ombudsman (DPO) enforces the Act and receives complaints. In 2000, the number of new cases brought before the DPO increased by nearly one-third.[1086] The DPO says that this increase is, in part, a result of switching from telephone to electronic customer service. The DPO usually receives 5,000 to 8,000 requests for advice each year.[1087] A Data Protection Board (DPB) resolves disputes and hears appeals of decisions rendered by the DPO. The DPB consists of a chair, deputy chair and five members, who are required to be familiar with register operations. The Board is appointed by the Council of State for a term of three years.[1088] The DPO must be heard during the preparation of legislative or administrative reforms which may impact upon individual privacy rights. In 2000, the DPO issued 43 statements on legislative proposals.[1089] The DPO issues guidance and consultation documents and assists in the compilation and review of Codes of Conduct by the private sector. In 2001, the DPO issued a guidance paper on the transfer of personal data to third countries.[1090]
In November 2002, in an answer to a questionnaire by the Council of the European Union, Finland responded that data traffic retention has been covered by the Finnish Data Protection Law, and that, by default, a communications service provider (CSP) must either destroy or alter retained traffic data in such a way that communicating individuals cannot be identified afterwards. In addition, a CSP may retain logs for a maximum period of three years, should it be necessary for either business (invoicing, marketing) or data security-related tasks. If a CSP is selling services, it must keep the traffic data for a minimum of three months for invoicing purposes. Other than that, there is no obligation to retain any data traffic.[1091]
The publicizing of Finland's policy on data retention, coupled with the news that the head of Finland's largest telecommunications company was arrested in connection with his company's suspected "serious traffic data misuses," led to outrage among privacy advocates.[1092] At the same time, Finland's Parliament was considering a law proposal that would have imposed far-reaching data retention obligations and liability on Internet providers for the content posted by their members, while extending the coverage of the law to include Internet-based discussion groups in Finland.[1093]
This proposal received tremendous opposition, including from Electronic Frontier Finland,[1094] and resulted in "substantial revisions" by the Constitutional Committee of the Finnish Parliament.[1095] The final draft, proposed on February 11, 2003, and passed by the Finnish Parliament on February 17, 2003, contained all of the Constitutional Committee's revisions.[1096] These included: "Section 1.2 of the law now explicitly states that the freedom of expression principle should always have a priority when interpreting the law." The definitions were clarified so that the regulation essentially applies only to material produced by or codified by the publisher. The law is no longer a threat to the discussion groups: everyone will be responsible for his or her own writing. Web portals or typical home pages were also excluded from the definition.[1097]
Moreover, the time period publishers are required to store the web publications or programs was reduced from two or three months to three weeks. However, it remains unclear whether the three weeks begin at the moment of first publication or from the time the publication was last available to the public. Mandatory storing of traffic data was completely removed from the law.[1098]
Telecommunications privacy is regulated by the Protection of Privacy and Data Security in Telecommunications Act, which came into force in July 2000. The law is broad in scope. It covers all telecommunications, including e-mails and communications on the Internet.[1099] A new version of the law is currently being drafted under the Ministry of Transport and Telecommunication (MTT). It will add new provisions on electronic marketing and spamming and also transpose the EU Privacy and Electronic Communications Directive.[1100]
On February 1, 2003, the Act on Electronic Signatures[1101] went into effect. The purpose of the Act is to promote the use of electronic signatures and the provision of products and services related to them as well as to promote data protection and data security of electronic commerce and electronic communication.[1102]
In late 2002, VTT Technologies, a government research center, developed a new type of high frequency (900 MHz) Radio Frequency Identification (RFID) tag that can be read with a transceiver up to four meters away. The signal can also penetrate obstacles. VTT experts believe that these RFID tags will be commonplace within ten years. In the Helsinki region, the most familiar application of RFID technology is the new travel cards that are replacing paper tickets in the area's public transport system. The partners in the project are Helsinki Metropolitan Area Council (YTV), Helsinki City Transport, and the railway company VR. The use of travel cards is recorded in a database. This information can be accessed to aid transport capacity planning. The movements of travel card users are saved and can be accessed for later retrieval. The data from the transport system has been used for crime investigations in serious cases.[1103]
YTV records the customer information it needs for customer service and consumer protection in the Travel Card System. Then, YTV municipal service points' employees, and the people in charge of the system, have the right to browse and update the customer data recorded in the system, as well as the data stored in the central processing unit, concerning travel periods and the amount of money a passenger has loaded into his/her card and where the card was last used. It is not possible to browse the travel data at the point of service.[1104]
The travel card received heavy public criticism after its introduction since it was theoretically possible to connect traveler's identity with travel route information. After the DPO made the issue public, YTV changed its policy.[1105]
In May 2001 a specific law on Data Protection in Working Life[1106] was adopted and entered into force in October 2001. This law determines the legality of several issues in the workplace, such as psychological, genetic and drug tests, the processing of medical histories and the use of video and audio surveillance devices. In addition, the Telecommunications Privacy Act applies equally in the workplace, which, at least currently, prevents Finnish employers from monitoring the contents of employees' e-mail messages.[1107] Recently a working group has proposed that the law on Data Protection in Working Life be changed to make it legal for employers to read work-related e-mails if the employee is not available because of sickness or vacation.[1108] On 26 June, the Finnish Ministry of Labor released a draft new version of the law protecting privacy at the workplace. The proposal would make it legal to read employees' e-mail under certain circumstances. It also contains new regulations on camera surveillance (allowed as long as one employee is not singled out) and drug testing (widely allowed at work, but not as part of job interviews).[1109] The Finnish government has enacted special ordinances that apply to particular personal data systems. These include those operated by the police such as criminal information systems,[1110] the National Health Service, passport systems, population registers,[1111] farm registers, and motor vehicle registers.[1112] In January 2001, a new law on the status and rights of social welfare clients came into force and includes data protection provisions relating to the use of social services.[1113] The Act on the Openness of Government Activities, most of which came into force in December 1999, also contains provisions on privacy.[1114] In October 1999 the government amended the laws and granted the police a new high-tech means of enforcing traffic fines, which in Finland are based on the driver's income.
Whereas before the police would simply ask violators for their income and calculate the fine manually based on that income, they now use cellular phones to access the official tax records. Within seconds the driver's reported income appears on the screen along with the corresponding fine.[1115]
Electronic surveillance and telephone tapping by the government are authorized by the criminal law. A judge can give permission to tap the telephone lines of a suspect if the suspect is liable for a jail sentence for crimes that are exhaustively listed in the Coercive Criminal Investigations Means Act. Transactional data of a suspect's telecommunications activity can be obtained if the suspect faces at least four months of jail. Electronic surveillance is possible, with the permission of the judge, if the suspect is accused of a drug related crime or a crime that can be punished with more than four years in jail. There were twelve orders for wiretapping in 1997. Although cases of political telecommunications eavesdropping are rare in Finland, there have been published reports that the Finnish military has either supported Western signals intelligence operations (via its large base at Santahamina on the outskirts of Helsinki), or acquiesced to a Swedish/United States eavesdropping collaborative effort from the Swedish embassy in downtown Helsinki.[1116] In 1996, the PENET anonymous remailer was forced to shut down after Scientologists demanded that the identity of users posting critical messages be revealed to the Church. The court order was later enjoined by the Court of Appeals.[1117]
National identification numbers have long been in use in Finland. Since the 1970s all citizens have been issued a national identification number consisting of their date of birth and four other characters. The number is used extensively in the public and private sectors. It is included on passports, driving licenses and other personal data files held by the public administration.[1118] The Finnish government in December 1999 began issuing new national ID cards (FINEID) based on smart card technology.[1119] The cards include digital signatures to communicate online with government agencies and companies. The Finnish Population Register Centre operates as the digital signature certificate authority. The cards can be used in smart card readers in personal computers. There are plans to put them in the SIM ("Subscriber Identity Module") cards in mobile phones[1120] and interactive television systems. The Electronic Services in Administration Act was passed in early 2000 to encourage the use of these digital ID cards but, so far, they have not proved very popular among the public.[1121]
The Act on the Openness of Government Activities (mentioned earlier) replaced the Publicity of Official Documents Act of 1951.[1122] It provides for a general right to access any document created by a government agency, or sent or received by a government agency, including electronic records. Finland is a country that has traditionally adhered to the Nordic tradition of open access to government files. In fact, the world's first Freedom of Information act dates back as far as the Riksdag's (Swedish Parliament) 1766 Access to Public Records Act. This Act also applied to Finland, then a Swedish-governed territory.[1123]
Finland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1124] Finland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1125] In November 2001, Finland signed the Council of Europe Convention on Cyber-Crime.[1126] Finland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The Parliament of the self-governing Åland Islands (Landsting) passed its own Data Protection Act in 1991 and independently ratified the Council of Europe's Convention 108.[1127] If an international treaty entered into by Finland contains a provision which is in conflict with the Autonomy Act[1128] or which falls within the authority of Åland, the Parliament must approve such a provision for it to be valid in Åland.[1129] Although the Åland Data Protection Act makes reference to the Finnish Data Protection Act, there has always been some resistance by the Åland Swedish-speaking majority to following orders from Helsinki. Constitutionally, the Åland Parliament may nullify Finnish laws on its territory.[1130]