Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

The powers available to the Finnish law enforcement authorities for the investigation of certain serious crimes are mainly provided for in the Coercive Measures Act passed in 1987.1 The Coercive Measures Act contains provisions on telecommunications interception and monitoring, acquisition of identification data showing the location of mobile communications devices, and technical surveillance (technical listening, viewing, and homing2). A general condition for the use of these methods is that the information obtained can be assumed to be of great relevance for the investigation of the offence.

A court can give permission to perform electronic surveillance or tap the telephone lines of a suspect ("telemonitoring") and obtain his account information if the suspect is liable to imprisonment for any of the crimes that are exhaustively listed in the Coercive Measures Act.3 The latest update to the list was made in June 2010, when suspicion of crimes of, e.g., trafficking and hostage taking, were added to the list of suspected crimes that justified electronic surveillance and telephone tapping.4 The conditions for performing coercive measures depend on the measure in question. For example, transactional data of a suspect's telecommunications activity can be obtained if the suspect potentially faces at least four years of imprisonment. Telecommunications monitoring is possible, with the permission of the court, if the suspect is accused of a drug-related crime or a crime that can be punished with more than four years of imprisonment.

The Electronic Communications Act5broadens police access to telecommunications information in criminal cases. In addition to permanent Internet protocol (IP) addresses and telephone numbers, police now have the right to obtain dynamic IP addresses and international mobile equipment identity (IMEI) codes of mobile telephones. The FICORA is responsible for ensuring compliance with the Electronic Communications Act and regulations issued under it, while the DPO monitors the processing of location data and provisions on direct marketing.6

Data retention

Following minor amendments, the EU approved a Directive7 on mandatory data retention in December 2005.8 The Directive requires Internet Service Providers (ISPs) and phone companies to keep data on every electronic message sent and every phone call made for between six months and two years. The directive has been criticised as a threat to the personal privacy of European citizens. Finland originally postponed the entry into force of mandatory retention on the Internet to Spring 2009 at the earliest.9 Under the Act on the Protection of Privacy in Electronic Communications,10 amended on 1 June 200811 to comply with the Directive, ISPs and phone companies must retain their customers' traffic data for a period of 12 months from the date of the communication. Such data may be used only for the purposes of investigating and resolving crimes, and the consideration of charges for criminal acts referred to in the Coercive Measures Act.12 The retention obligation does not apply to the contents of a message or identification data generated through Internet browsing, but only information on, for example, the time and location of certain electronic communications.13

National databases for law enforcement and security purposes

In October 1999, the government amended the law and granted the police a new high-tech means of enforcing traffic fines, which in Finland are based on the driver's income. Whereas previously the police would simply ask violators for their income and calculate the fine manually based on that information, they now use cellular phones to access the official tax records. Within seconds the driver's reported income appears on the device along with a calculation of the appropriate fine.14

National and international data disclosure agreements

Nothing to report under this section.

Cybercrime

Nothing to report under this section.

Critical infrastructure

Nothing to report under this section.

Territorial privacy

Video surveillance

The Act on the Protection of Privacy in Working Life15 contains new regulations on camera surveillance: it is allowed as long as no employee is singled out and employees are informed how and when such monitoring is to be conducted).16

Location privacy (GPS, mobile phones, location based services, etc.)

The Electronic Communications Act clarifies rules for processing confidential identification and location data: except in an emergency, telecommunications users aged 15 years or older may not be located without their prior consent.17 However, parents or guardians of children under 15 years old may decide on the use of location services, a change in the law that was made in response to a 2003 proposal to allow parents to track the whereabouts of their young children through the use of mobile phones.18 Finland's leading mobile operators, TeliaSonera and Elisa, offer such positioning services, which are based on user proximity to base stations.19 In an emergency situation, positioning is always possible.20 The DPO oversees the processing of location data.

In May 2005 the Helsinki District Court handed down suspended sentences to five defendants in a case involving unauthorised use of mobile telephone records by executives of telecommunications service provider Sonera.21 The court found there had been extensive misuse of telecommunications information at Sonera from 1998 to 2001.22 The case was appealed, and the Court of Appeals affirmed the sentences in March 2007, also increasing the amount of monetary damages and court costs. The Supreme Court did not grant permission to appeal the case to the Supreme Court making the decision final.23 After the scandal, Sonera was merged with Swedish telecommunications operator Telia, creating TeliaSonera.24 At the time of the scandal, the Finnish state was a majority shareholder in Sonera.25 Sonera's security department was suspected of having misused telecommunications logs of at least 100 people, among them journalists, in an attempt to discover who was responsible for information leaks that had been troubling the company.26 One journalist commented at the time, "Communications privacy in Finland, as elsewhere, is seen as a sacred right. The strong suspicion that this privacy has been shamelessly violated has prompted talk of an Orwellian society."27

Travel privacy (travel identification documents, biometrics, etc.)and border surveillance

Finland made biometric passports available in 200628 by enacting a new Passport Act in July 2006 and amending it in June 2009. The Ministry of the Interior reports that the introduction of biometric passports is a joint project of all EU member states to fight passport fraud and forgery.29 According to the Ministry, biometrics will improve the efficiency of identification and help fight illegal immigration and terrorism.30 The biometric passports introduced by the Passport Act of 2006 included a microchip that stores a digital facial image, personal data, and passport data on the data page of the passports.31 Along with the amendment of the Act in 2009, fingerprints were also added to the biometric passports. The fingerprints constitute a personal data register that authorities suggested be made available for police criminal investigation. The suggestion has been widely criticised in the media due to the risk of misuse.32

National ID and smart cards

National identification numbers have long been in use in Finland. Since the 1970s, all citizens have been issued a national identification number consisting of their date of birth and four other characters. The number is used extensively in the public and private sectors. It is included on passports, driving licences, and other personal data files held by the public administration.33 Identity cards are delivered by the Finnish Police, and consist of standard identity cards, minors' ID cards, and temporary ones.34

The Finnish government in December 1999 began issuing new national ID cards (FINEID) based on smart card technology.35 A "Citizen Certificate" could originally be incorporated into a chip ID card issued by the police, a bank card or the Subscriber Identity Module (SIM) card of a mobile phone.36 As of December 2008, that choice is no longer available due to, among other things, a lack of demonstrated interest.37 This certificate can be used for secure identification in e-transactions, email, and document encryption and as an electronic signature.38 The cards include digital signatures to communicate online with government agencies and companies. The Citizen Certificate can also be used on different platforms and is channel-independent and not bound to the ID Card issued by the Finnish government.39 The Finnish Population Register Centre operates as the digital signature certificate authority.

The Identity Card Actwas passed in early 1999 to regulate the adoption and use of digital ID cards.40 As of June 2003, cardholders have been able to have their cards imprinted with their social security data. The card can be used as a travel document in EU member states, and about 50 services use the card. The citizen certificate can also be used on different platforms and is channel-independent.

Beginning in June 2004, medical insurance data could be put into identification cards on a voluntary basis, thus replacing social security (KELA) cards issued by the Social Security Institution of Finland.41 As of May 2007, 34,300 people had integrated their health insurance information into their ID cards.42 The Population Register Centre reported in 2006 that chip ID cards are being adopted for Finnish government employees.43 The ID cards contain a Government Employee Certificate that is part of the same Finnish certificate infrastructure as the Citizen Certificates.44 The certificate on the government ID cards enables identification and to log into information networks, to authenticate network users and their usage rights, encrypt email, and use electronic signatures.45

In May 2009 a Finnish ID card was used to register a business in Estonia, without the founders of the company ever having to leave their desks.46 The company is the result of the Estonian e-Commercial Register Portal, opened to Finnish ID cards for the first time in December 2008.47

RFID tags

In late 2002, VTT Technologies, a government research centre, developed a new type of high-frequency (900 MHz) Radio Frequency Identification (RFID) tag that can be read with a transceiver up to four metres away. The signal can also penetrate obstacles. In 2004, the city library of Kauhajoki was the first in Finland to implement RFID technology, which was introduced to help manage collections, cut losses, speed up customer service, and increase self-service. RFID technology is widely used for theft prevention in libraries.48

In the Helsinki region, the most familiar application of RFID technology is the green travel cards provided by Helsinki Region Transport. The travel cards are contactless integrated circuit cards, or proximity cards, that are based on the ISO 14443 A standard.49 They replaced paper tickets in the area's public transport system by the end of 2002. Partners in the project were the Helsinki Metropolitan Area Council (YTV), Helsinki City Transport, and the railway company VR. The use of travel cards is recorded in a database. This information can be accessed to aid transport capacity planning. The movements of travel card users are saved and can be accessed for later retrieval. The data from the transport system has been used for crime investigations in serious cases.50 YTV records the customer information it needs for customer service and consumer protection in the Travel Card System. Then, YTV municipal service point employees and the people in charge of the system have the right to browse and update the customer data recorded in the system, as well as the data stored in the central processing unit, concerning travel periods and the amount of money a passenger has loaded into his/her card and where the card was last used. It is not possible to browse the travel data at the point of service.51 The travel card received heavy public criticism after its introduction, since it was theoretically possible to connect a specific traveler's identity with travel route information. After the DPO made the issue public, YTV changed its policy.52

Bodily privacy

The Act on the Protection of Privacy in Working Life53 contains new regulations on camera surveillance and drug testing. Camera surveillance is allowed as long as no employee is singled out and employees are informed how and when such monitoring is to be conducted. Drug testing is widely allowed at work, provided such testing is legally justified, as when the job requires accuracy or the ability to react quickly.54

Footnotes