Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


I. Legal framework

Constitutional privacy and data protection framework

Section 10 of the Constitution of Finland, entitled "The right to privacy", states: "Everyone's private life, honour, and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act. The secrecy of correspondence, telephony, and other confidential communications is inviolable. Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual, society, or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act."1 Additionally, Section 12 of the Constitution, titled "Freedom of expression and right of access to information," provides that "documents and recordings in the possession of the authorities are public, unless their publication has for compelling reasons been specifically restricted by an Act. Everyone has the right of access to public documents and recordings."2

Privacy and data protection laws and regulations

Comprehensive law

The Personal Data Act of 1999 (PDA)3 went into effect on 1 June 1999. The PDA replaced the 1987 Personal Data File Act4 to make Finnish law consistent with the EU Data Protection Directive.5 The PDA was amended by the Act on the Amendment of the Personal Data Act, effective 1 December 2000, to incorporate provisions on the policy and effects of the European Commission's decision-making.6 Under the PDA, everyone has the right of access to the data files held on him or her, or to be notified that a file contains no such data. If a data controller refuses to rectify an error at the request of a data subject, the data subject may inform the Data Protection Ombudsman (DPO) of the matter. The DPO may order a data controller to recognise the data subject's right of access or to rectify an error. The PDA does not apply to the processing of personal data for private or purely personal use. Activities of "the media, the arts and literary expression" are also excluded from its scope. Exemptions for defence and public security are included in separate provisions of the PDA.

The PDA introduces the concept of informed consent and self-determination into Finnish law, giving data subjects the rights to access or correct their data, or to prohibit their use for stated purposes. The previous act regulated the use and disclosure of information in a personal data file but did not generally require the individual's consent or provide for the same level of notice and access.7 Processing without consent may still occur under the new system – for example, if there is "assumed consent", or the Data Protection Board (DPB) has granted permission, or if the matter concerns publicly available data on the "status, duties or performance" of a public figure.8 The PDA lays down civil and criminal sanctions (including imprisonment of up to one year)9 for unlawful processing.10,11

Sector-based laws

Telecommunications privacy is regulated by the Act on the Protection of Privacy in Electronic Communications ("Electronic Communications Act"), which entered into force on 1 September 2004.12 The Electronic Communications Act is broad in scope, covering all telecommunications, including emails and communications on the Internet.13 Together with Section 10 of the Constitution of Finland,14 the Electronic Communications Act ensures a right to confidential communications: all messages, identification data and location data are confidential, unless the Electronic Communications Act or another act provides otherwise.15 Confidentiality means that messages and identification data may be processed only for the purposes set out in the law. The protection covers all messages transmitted in the communications network, including, for instance, so-called "pre-paid" connections. There is, however, an important exception to the main confidentiality rule described above: where a message has been transmitted to be universally received, it is not considered confidential. The identification data associated with such a message is, however, confidential.16 In practice, this means that everyone is entitled to express his opinion in various social networks and discussion forums, but the administrators of such forums are not entitled to disclose any identification data, such as IP addresses.17

The Electronic Communications Act also clarifies rules for processing confidential identification and location data: except in an emergency, telecommunications users aged 15 years or older may not be located without their prior consent.18 The DPO oversees the processing of location data. (See more details under the "Location Privacy" section.)

The Electronic Communications Act provides new means to prevent unsolicited commercial emails ("spam") and viruses. Previous legislation banning the sending of spam failed to protect against messages sent from outside Finland; thus, the Act permits telecommunications operators and corporate and association subscribers to block email and to remove malicious content in order to protect against security infringement or to ensure communications access.19 The Electronic Communications Act prohibits direct marketing through email or mobile telephone except with the user's prior consent.20

The Finnish government has enacted special ordinances that apply to particular personal data systems. These include those operated by the police such as criminal information systems,21 the National Health Service, passport systems, population registers,22 farm registers, and motor vehicle registers.23 In January 2001, a new law on the status and rights of social welfare clients came into force and includes data protection provisions relating to the use of social services.24

On 1 October 2004, the Act on the Protection of Privacy in Working Life took effect.25 The Act determines the legality of several privacy issues in the workplace, such as psychological, genetic, and drug tests; the processing of medical histories and health information; and the use of video and audio surveillance devices. The main principle of the Act is that the employer shall collect personal data about the employee primarily from the employee himself. In order to collect personal data from elsewhere, the employer must obtain the employee's consent.26 (See more details under the "Workplace Privacy" section.)

Data protection authority

The Data Protection Ombudsman (DPO) enforces the Personal Data Act of 1999 (PDA) and receives complaints. The DPO's primary tools for compliance with legislation are direction and guidance. Under the PDA, the DPO provides direction and guidance on the processing of personal data and supervises the processing to achieve the objectives of the statute. Before bringing charges of a violation of the PDA, the public prosecutor must hear from the DPO. In such cases, the court affords the DPO an opportunity to be heard.27

The number of new cases brought before the DPO increased by approximately 20 percent from 2004 to 2005.28 Every complaint directed at the public sector was matched by nearly two complaints directed at the private sector. The DPO explains that this development is probably because, while public authorities are usually regulated by law, private companies often try to test the boundaries of legal protections. The change in the proportion of public to private sector complaints represents a deterioration in the private sector rather than an improvement in the public sector, since the number of complaints against the public sector has remained fairly static.29 Comparing the latest figures, the number of unprompted cases brought before the DPO increased by 232 percent from 2008 to 2009, and the number of statements issued by the DPO increased by 55 percent.30 As of July 2010, there were 20 staff employed by the Data Protection Ombudsman's office.31 Each DPO inspector specialises in a particular field, including education, social services, working life, and credit issues.32

The Data Protection Board (DPB) resolves disputes and hears appeals of decisions rendered by the DPO and, under the PDA, grants permissions for the processing of personal data.33 The DPB consists of a chair, a deputy chair, and five members, and they are required to be familiar with the operations of the register. The Board is appointed by the Council of State for a term of three years.34 At the DPO's direction, the DPB drafts regulations for the processing of personal data. The DPO must be heard during the preparation of legislative or administrative reforms that may affect individual privacy rights.35 In 2009, the DPO issued 72 (against 45 in 2005) statements on legislative matters related to the protection of personal rights or freedoms in the processing of personal data and 39 (as opposed to 20 in 2005) on administrative reform projects.36

Major privacy and data protection case law

In May 2005 the Helsinki District Court handed down suspended sentences to five defendants in a case involving unauthorized use of mobile telephone records by executives of telecommunications service provider Sonera.37 The court found there had been extensive misuse of telecommunications information at Sonera from 1998 to 2001.38 The case was appealed, and the Court of Appeals affirmed the sentences in March 2007, also increasing the amount of monetary damages and court costs. The Supreme Court did not grant permission to appeal the case, making the decision final.39 (See more details under the "Location Privacy" section.)

In February 2007, the Supreme Administrative Court agreed that the right of access extends to data on a bank client's own loan transactions and their associated interest rates. (See more details under the "Financial Privacy" section.)

The demand for instant loans requested via mobile phone or over the Internet has increased dramatically in Finland in recent years. In March 2007 the Data Protection Board (DPB), at the request of the Data Protection Ombudsman (DPO), ordered an instant loan company to change its authentication process for loan applicants. The DPB required that creditors identify their clients in order to ensure the accuracy of any personal data processed. The case proceeded to the Supreme Administrative Court, which gave its ruling in January 2010 in accordance with the decision of the Data Protection Board.40 (See more details under the "Financial Privacy" section.)

On 17 July 2008, in I v. Finland,41 the European Court of Human Rights (ECtHR) decided a case concerning an individual's right to find out, on the basis of log data, who had had access to his patient records. The hospital's data system had been implemented in such a way that the administration of access rights and log files did not allow the tracking of the individuals who had accessed the patient's health records. As a result, and by applying the principle of obligatory prosecution, the Finnish court could not convict any specific person of a crime. The ECtHR stated that the functional characteristics of a data system that was not controlled as provided by law had resulted in a lack of protection, and that the protection of the individual's private life, as guaranteed by Article 8 of the European Convention on Human Rights, had thereby been violated.

On 2 December 2008, the European Court of Human Rights (ECtHR) announced its judgment in the case of K.U. v. Finland, regarding the violation of the right to private life protected under Article 8 of the European Convention on Human Rights (ECHR) in a case where a minor's personal information was placed online without the minor's consent.42 The ECtHR held that Finland was in breach of its obligations under Article 8 of the ECHR, because it did not provide effective criminal sanctions for serious privacy infringements on the Internet or enable the means of identifying the offenders.43

In 2009, the Supreme Administrative Court ruled that the company Satakunnan Markkinapörssi Oy had violated the Personal Data Act by publishing data concerning the taxation of Finnish citizens in a publication named Veropörssi.44 (See more details under the "Financial Privacy" section.)