I. Legal framework
Constitutional privacy and data protection framework
Section 10 of the Constitution of Finland, entitled "The right to privacy", states: "Everyone's private life, honour, and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act. The secrecy of correspondence, telephony, and other confidential communications is inviolable. Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual, society, or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act."1 Additionally, Section 12 of the Constitution, titled "Freedom of expression and right of access to information," provides that "documents and recordings in the possession of the authorities are public, unless their publication has for compelling reasons been specifically restricted by an Act. Everyone has the right of access to public documents and recordings."2
Privacy and data protection laws and regulations
The Personal Data Act of 1999 (PDA)3 went into effect on 1 June 1999. The PDA replaced the 1987 Personal Data File Act4 to make Finnish law consistent with the EU Data Protection Directive.5 The PDA was amended by the Act on the Amendment of the Personal Data Act, effective 1 December 2000, to incorporate provisions on policy and effects of the European Commission's decision-making.6 Under the PDA, everyone has the right of access to the data files on him or her or to notice that the file contains no such data. If a data controller refuses to rectify an error at the request of a data subject, the data subject may inform the Data Protection Ombudsman (DPO) of the matter. The DPO may order a data controller to recognize the data subject's right of access or to rectify an error. The PDA does not apply to processing of personal data for a private or purely personal use. Activities of "the media, the arts and literary expression" are also excluded from its scope. Exemptions for defense and public security are included in separate provisions of the PDA.
The PDA introduces the concept of informed consent and self-determination into Finnish law, giving data subjects the rights to access or correct their data, or to prohibit their use for stated purposes. The previous act regulated the use and disclosure of information in a personal data file but did not generally require the individual's consent or provide for the same level of notice and access.7 Processing without consent may still occur under the new system – for example, if there is "assumed consent", or the Data Protection Board (DPB) has granted permission, or if the matter concerns publicly available data on the "status, duties or performance" of a public figure.8 The PDA lays down civil and criminal sanctions (including imprisonment of up to one year)9 for unlawful processing.10,11
Telecommunications privacy is regulated by the Act on the Protection of Privacy in Electronic Communications ("Electronic Communications Act"), which entered into force on 1 September 2004.12 The Electronic Communications Act is broad in scope, covering all telecommunications, including emails and communications on the Internet.13 Together with Section 10 of the Constitution of Finland,14 the Electronic Communications Act ensures a right to confidential communications: all messages, identification data and location data are confidential, unless the Electronic Communications Act or another act provides otherwise.15 Confidentiality means that messages and identification data may be processed only for the purposes set out in the law. The protection covers all messages transmitted in the communications network, including for instance so-called "pre-paid" connections. There is, however, an important exception to the main confidentiality rule described above: where a message has been transmitted to be universally received, it is not considered confidential. The identification data associated with such a message is, however, confidential.16 In practice, this means that everyone is entitled to express his opinion in various social networks and discussion forums, but the administrators of such forums are not entitled to disclose any identification data, such as IP addresses.17
The Electronic Communications Act also clarifies rules for processing confidential identification and location data: except in an emergency, telecommunications users aged 15 years or older may not be located without their prior consent.18 The DPO oversees the processing of location data. (See more details under the "Location Privacy" section.)
The Electronic Communications Act provides new means to prevent unsolicited commercial emails ("spam") and viruses. Previous legislation banning the sending of spam failed to protect against messages sent from outside Finland; thus, the Act permits telecommunications operators and corporate and association subscribers to block email and to remove malicious content in order to protect against security infringement or to ensure communications access.19 The Electronic Communications Act prohibits direct marketing through email or mobile telephone except with the user's prior consent.20
The Finnish government has enacted special ordinances that apply to particular personal data systems. These include those operated by the police such as criminal information systems,21 the National Health Service, passport systems, population registers,22 farm registers, and motor vehicle registers.23 In January 2001, a new law on the status and rights of social welfare clients came into force and includes data protection provisions relating to the use of social services.24
On 1 October 2004, the Act on the Protection of Privacy in Working Life took effect.25 The Act determines the legality of several privacy issues in the workplace, such as psychological, genetic, and drug tests; the processing of medical histories and health information; and the use of video and audio surveillance devices. The main principle of the Act is that the employer shall collect personal data about the employee primarily from the employee himself. In order to collect personal data from elsewhere, the employer must obtain the employee's consent.26 (See more details under the "Workplace Privacy" section.)
Data protection authority
The Data Protection Ombudsman (DPO) enforces the Personal Data Act of 1999 (PDA) and receives complaints. The DPO's primary tools for compliance with legislation are direction and guidance. Under the PDA, the DPO provides direction and guidance on the processing of personal data and supervises the processing to achieve the objectives of the statute. Before bringing charges of a violation of the PDA, the public prosecutor must hear from the DPO. In such cases, the court affords the DPO an opportunity to be heard.27
The number of new cases brought before the DPO increased by approximately 20 percent from 2004 to 2005.28 Every complaint directed at the public sector was matched by nearly two complaints directed at the private sector. The DPO explains that this development is probably because public authorities are usually regulated by law, whereas private companies often try to test the boundaries of legal protections. The change in proportion between public and private sector complaints represents a deterioration in the private sector rather than an improvement in the public sector; the number of complaints against the public sector has remained fairly static.29 Comparing the latest figures, the number of unprompted cases brought before the DPO increased by 232 percent from 2008 to 2009, and the number of statements issued by the DPO increased by 55 percent.30 As of July 2010, there were 20 staff employed by the Data Ombudsman's office.31 Each DPO inspector specialises in a particular field, including education, social services, working life, and credit issues.32
The Data Protection Board (DPB) resolves disputes and hears appeals of decisions rendered by the DPO and, under the PDA, grants permissions for the processing of personal data.33 The DPB consists of a chair, a deputy chair, and five members, and they are required to be familiar with the operations of the register. The Board is appointed by the Council of State for a term of three years.34 At the DPO's direction, the DPB drafts regulations for the processing of personal data. The DPO must be heard during the preparation of legislative or administrative reforms that may affect individual privacy rights.35 In 2009, the DPO issued 72 (against 45 in 2005) statements on legislative matters related to the protection of personal rights or freedoms in the processing of personal data and 39 (as opposed to 20 in 2005) on administrative reform projects.36
Major privacy and data protection case law
In May 2005 the Helsinki District Court handed down suspended sentences to five defendants in a case involving unauthorized use of mobile telephone records by executives of telecommunications service provider Sonera.37 The court found there had been extensive misuse of telecommunications information at Sonera from 1998 to 2001.38 The case was appealed, and the Court of Appeals affirmed the sentences in March 2007, also increasing the amount of monetary damages and court costs. The Supreme Court did not grant permission to appeal the case, making the decision final.39 (See more details under the "Location Privacy" section.)
In February 2007, the Supreme Administrative Court agreed that the right of access extends to data on a bank client's own loan transactions and their associated interest rates. (See more details under the "Financial Privacy" section.)
The demand for instant loans requested via mobile phone or over the Internet has dramatically increased in Finland in recent years. In March 2007 the Data Protection Board (DPB), at the request of the Data Protection Ombudsman (DPO), ordered an instant loan company to change its authentication process for loan applicants. The DPB required that creditors identify their clients in order to ensure the accuracy of any personal data processed. The case proceeded to the Supreme Administrative Court, which gave its ruling in January 2010 in accordance with the decision of the Data Protection Board.40 (See more details under the "Financial Privacy" section.)
On 17 July 2008, in I v. Finland,41 the European Court of Human Rights (ECtHR) decided a case on the issue of an individual's right to find out, on the basis of log data, who had had access to his patient records. However, the hospital's data system had been implemented in such a way that the administration of access rights and log files did not allow the tracking of the individuals who had accessed the patient's health records. As a result, and by applying the principle of obligatory prosecution, the Finnish court could not convict any specific person of a crime. The ECtHR held that the functional characteristics of a data system that was not controlled as provided by law had resulted in a lack of protection, and that the protection of the individual's private life, as guaranteed by Article 8 of the European Convention on Human Rights, had thereby been violated.
On 2 December 2008, the European Court of Human Rights (ECtHR) announced its judgment in the case of K.U. v. Finland, regarding the violation of the right to private life protected under Article 8 of the European Convention on Human Rights (ECHR) in a case where a minor's personal information was placed online without the minor's consent.42 The ECtHR held that Finland was in breach of its obligations under Article 8 of the ECHR, because it did not provide effective criminal sanctions for serious privacy infringements on the Internet or enable the means of identifying the offenders.43
In 2009, the Supreme Administrative Court made a ruling according to which the company Satakunnan Markkinapörssi Oy had violated the Personal Data Act by publishing data concerning the taxation of Finnish citizens in a publication named Veropörssi.44 (See more details under the "Financial Privacy" section.)
- 1. Constitution of Finland (unofficial translation), available at http://www.finlex.fi/fi/laki/kaannokset/1999/en19990731.pdf.
- 2. Id.
- 3. Personal Data Act (523/99) (unofficial translation), available at http://www.tietosuoja.fi/uploads/hopxtvf.HTM.
- 4. Personal Data Files Act (Law No. 471/87).
- 5. See Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, available at http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_pa....
- 6. Amendment of the Personal Data Act (986/2000) (unofficial translation), available at http://www.tietosuoja.fi/uploads/p9qzq7zr3xxmm9j.rtf.
- 7. Peter Blume et al., Nordic Data Protection 49 (DJOF Publishing 2000).
- 8. Id.
- 9. See Finland Penal Code 1389/99, Chapter 38, § 9 (unofficial translation), available at http://www.finlex.fi/pdf/saadkaan/E8890039.PDF.
- 10. Personal Data Act (523/1999), supra.
- 11. The latest amendment to the PDA relates to the processing of identity numbers, adding companies offering payment services to the list of operations that are allowed to process identity numbers in their business. Amendment (294/2010) of 1 May 2010 to the Personal Data Act (523/99), available in Finnish at http://www.finlex.fi/fi/laki/alkup/2010/20100294.
- 12. Act on the Protection of Privacy in Electronic Communications (516/2004) (unofficial translation), available at http://www.finlex.fi/fi/laki/kaannokset/2004/en20040516.pdf.
- 13. Id.
- 14. See Chapter Constitutional Privacy Framework, supra.
- 15. Act on the Protection of Privacy in Electronic Communications (516/2004), Chapter 2, § 4 (1).
- 16. Act on the Protection of Privacy in Electronic Communications (516/2004), Chapter 2, § 4 (2).
- 17. Sanna Helopuro, Juha Perttula, Juhapekka Ristola: Sähköisen viestinnän tietosuoja (Talentum, Helsinki 2004), pp. 45-47.
- 18. Finland Ministry of Transport and Communication, "New Means to Improve Data Protection and Information Security – Act on Data Protection in Electronic Communications to Enter into Force on 1st September," Press release, 16 June 2004, available at http://www.valtioneuvosto.fi/ajankohtaista/tiedotteet/tiedote/en.jsp?oid....
- 19. Act on the Protection of Privacy in Electronic Communications (516/2004), Chapter 5, § 20.
- 20. Act on the Protection of Privacy in Electronic Communications (516/2004), Chapter 7, § 26.
- 21. Criminal Records Act (770/93).
- 22. Act on Population Information (1993/507).
- 23. Jorma Kuopus, Data Protection Regulatory System - Data Transmission and Privacy (D. Campbell & J. Fisher, eds., Martinus Nijhoff Publishers 1994).
- 24. Act on Experiments with Seamless Service Chains in Social Welfare and Health Care Services and with a Social Security Card (811/2000) (unofficial translation), available at http://www.finlex.fi/pdf/saadkaan/E0000811.PDF.
- 25. Act on the Protection of Privacy in Working Life (759/2004), available at http://www.finlex.fi/en/laki/kaannokset/2004/en20040759.pdf.
- 26. Article 4.
- 27. Personal Data Act (523/1999), Chapter 9, § 41.
- 28. Article 29 Working Party on Data Protection, Ninth Annual Report (2006) at 34, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual...
- 29. Review 2005 Of The Data Protection Ombudsman, available at http://www.tietosuoja.fi/uploads/q0vw1ft5.rtf.
- 30. The DPO Annual Report of 2009, available at http://www.tietosuoja.fi/uploads/dr3ecvra.pdf.
- 31. Tietosuojavaltuutetun Toimisto, available at http://www.tietosuoja.fi/.
- 32. Tietosuojavaltuutetun Toimisto, supra.
- 33. Personal Data Act (523/1999), Chapter 9, § 38.
- 34. Statutory Order on the Data Protection Board and Data Protection Ombudsman (3.6.1994/432) (no English translation available), available at http://www.finlex.fi/fi/laki/ajantasa/1994/19940432.
- 35. Personal Data Act (523/1999), Chapter 9, Â§ 41.
- 36. Article 29 Working Party on Data Protection, Ninth Annual Report (2006), supra at 35.
- 37. "Five Get suspended Sentences in Sonera Telephone Record Case," Helsingin Sanomat International Edition, 30 May 2005, available at http://www.hs.fi/english/article/1101979719153.
- 38. Id.
- 39. "Court of Appeals Affirms Sentences in Sonera Snooping Case," Helsingin Sanomat (International Edition), 16 March 2007, (English translation) available here.
- 40. Summary of the Supreme Administrative Court ruling of 8 January 2010, available in Finnish at http://www.tietosuoja.fi/49514.htm.
- 41. ECtHR, I v. Finland (20511/03) 17 July 2008, available at http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&portal=hbkm&action=htm...
- 42. "ECHR Rules on Identifying Serious Privacy Infringers," number 6.24, 17 December 2008, available at http://www.edri.org/edri-gram/number6.24/echr-privacy-ku-finland. ECtHR, K.U. v. Finland (2872/02), 2 December 2008, available at http://cmiskp.echr.coe.int/tkp197/view.asp?item=4&portal=hbkm&action=htm...
- 43. Id.
- 44. Notice by the Supreme Administrative Court of the ruling of 23 September 2009, available in Finnish at http://www.kho.fi/47999.htm.