Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


III. Privacy topics

Internet and consumer privacy


On 1 September 2009, the Act on Strong Electronic Identification and Electronic Signatures (617/2009) entered into force, repealing the 2003 Act on Electronic Signatures.1 The purpose of the 2009 Act is to lay down basic legislation on strong electronic identification of natural persons and on the provision of related products and services, and to promote data protection and information security in electronic commerce and electronic communications. It also sets "ground rules" for entities operating in the field of electronic commerce. FICORA (the Finnish Communications Regulatory Authority) has authority to ensure, through monitoring and auditing, that certification service providers issuing qualified certificates comply with the Act.2 FICORA also issues regulations on the information that certification service providers must supply, and handles customer complaints.3

At present, services using strong electronic identification and directed at consumers are offered by banks and by the Population Register Centre. The most commonly used strong identification method is Tupas identification, developed by the Federation of Finnish Financial Services (Pankkiyhdistys). Most identification transactions by consumers take place in Internet banks (over 500 million identifications annually) or in the electronic payment services they offer. Identification methods based on the Citizen Certificate, developed for the Population Register Centre, are used in a few services, but this method has not reached the expected level of popularity: only about 150,000 chip ID cards carrying the Citizen Certificate have been issued so far, and their use has been further constrained by the small number of card readers.4 It is expected that new service providers will enter the strong identification market in the near future. The mobile certificate system currently being developed by several major mobile phone operators is expected to fulfil the requirements for strong electronic identification.5 The certification authority for the mobile authentication system is the Population Register Centre.


On 4 September 2003, the Finnish government issued a resolution on the National Information Security Strategy. The Strategy aims to increase citizens' and companies' trust in the information society and consolidates the efforts of government, trade and industry organisations, and private citizens into common information security objectives. The Strategy, one of the first proposals in the world to address the development of information security across society as a whole, was praised as the best European security guidelines at the RSA Information Security Conference held in Amsterdam in November 2003.6

In October 2003, the Finnish Ministry of Transport and Communications appointed the National Information Security Advisory Board to oversee implementation of the National Information Security Strategy.7 The Board began its work in spring 2004 and continued through May 2007. On 14 December 2004, the Board submitted to the government a progress report that provided an overview of the state of information security in Finland. The report also outlined four primary projects for 2005: adoption of a programme on information-secure electronic services, analysis of national information security risks, assessing and remedying cybercrime, and organising the nation's second annual National Information Security Day, which was held on 8 February 2005.8 The Strategy was updated in December 2008 and is entitled "Everyday Security in the Information Society – a Matter of Skills, not of Luck." The Strategy's vision is that people and businesses will be able to trust that their information is secure when it is processed in information and communications networks and related services. The three priority areas of the Strategy are: 1) basic skills in the ubiquitous information society, 2) information risk management and process reliability, and 3) competitiveness and international network cooperation.9

FICORA's Computer Emergency Response Team (CERT-FI) reported in its 2006 annual review that the distribution of spyware to compromised computers in Finland became common in 2006.10 CERT-FI described spyware activity, which can capture personal data, user identifiers, passwords, and credit card numbers, as "large-scale and systematic".11 The agency reported, however, that it had received word of only a few cases in which information about Finnish users of electronic services had fallen into the wrong hands.12

In its information security review of April 2009, CERT-FI reported a few cases in which confidential information of Finnish organisations had accidentally been made available on Web sites.13 After conducting an international survey, it concluded that such slip-ups were fairly common worldwide.14

CERT-FI's Annual Review of 2009 reported on the Conficker worm, which spread to millions of computers in 2009. Also during 2009, a Trojan was reported to interfere with Finnish online banking sessions and to make several unauthorised bank transfers. The annual report states further that international information security communities and authorities tightened their cooperation over the course of the year; in addition to dealing with the Conficker worm, that cooperation ensured that certain companies offering malicious content were cut off from the Internet. The report notes that CERT-FI completed a study of European CERT organisations during 2009, comparing the operation of 11 CERT units. The study was the first of its kind in Europe, and its results attracted international interest.

The report notes further that a new Swedish Act on signals intelligence (the Signals Intelligence Act) came into force on 1 December 2009. The Act gives the Swedish National Defence Radio Establishment (Försvarets Radioanstalt, FRA) the right to conduct signals intelligence on fixed networks for national defence purposes. Such monitoring covers electronic communications traffic going to or passing through Sweden, and thereby includes Finnish communications routed through Sweden. The new Swedish law underlines telecom operators' responsibility to inform their customers of information security threats affecting services implemented abroad but offered to Finnish customers; this notification duty is detailed in the Finnish Act on the Protection of Privacy in Electronic Communications.15

The Ministry of Finance broadly oversees the coordination of information security within the Finnish Government and for this purpose has set up the Government Information Security Management Board (VAHTI) to steer and develop government information security.16 On 15 June 2004, VAHTI appointed a working group to prepare proposals on privacy in public administration and on electronic surveillance. The issues dealt with by the working group include biometrics, electronic identification, and electronic surveillance; it also considers privacy in the context of data security and develops cooperation on privacy issues within the administration.17 In 2009, VAHTI launched a new development programme for public administration information security covering the period 2010 to 2015; in 2010, the programme is to be put into action, coordinated, and supervised by VAHTI. In 2009, VAHTI also issued the first provisional ICT instructions aimed at public administration, published a report on information security attacks, and oversaw the data security instructions on local area networks and system development.18

Online behavioural marketing and search engine privacy

Nothing to report under this section.

Online social networks and virtual communities

CERT-FI's information security review of July 2010 focused on security problems in social networks, specifically on Facebook, where worms have spread through malicious links or applications (the so-called "likejacking" problem). The malicious link takes the user to a Web site containing program code that hijacks mouse clicks in the user's browser, so that a click on the page is silently registered as a "Like" of the malicious link, which then appears in the user's own feed and spreads further. The same review reported that a very popular social network site, "Suomi24," had been hacked in April 2010; the attackers stole the site's user data, namely usernames and passwords.19
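Likejacking is a clickjacking variant: the hostile page loads the target site (here the Like button) in an invisible frame kept under the visitor's cursor, so an ordinary click lands on the hidden button. Its precondition is that the target page can be framed by a foreign origin at all, which is what a site owner can check and fix. The Python below is an added example, not code from CERT-FI or from the report: it classifies a response's framing protection from its X-Frame-Options and Content-Security-Policy headers. The function names and the header sets at the bottom are constructed for illustration.

```python
"""Added example: judge from response headers whether a page can be framed
by a third-party origin, the precondition for clickjacking / likejacking.
The header sets at the bottom are constructed, not captured from a site."""


def _parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for clause in value.split(";"):
        parts = clause.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def framing_policy(headers: dict) -> str:
    """Return one of 'blocked', 'same-origin', 'allow-list', 'unrestricted'.

    When a CSP frame-ancestors directive is present it wins: browsers that
    understand it ignore X-Frame-Options on the same response.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp:
        ancestors = _parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
                return "unrestricted"  # scheme-only sources admit any host
            return "allow-list"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never supported by Chrome or Safari and was dropped by
    # Firefox; an unrecognised value is ignored, so it gives no protection.
    return "unrestricted"


def likejacking_exposed(headers: dict) -> bool:
    """True when a page on another origin could overlay this response."""
    return framing_policy(headers) == "unrestricted"


# Constructed header sets for illustration.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {
        "X-Frame-Options": "DENY",  # ignored: frame-ancestors below takes precedence
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:15} {framing_policy(hdrs):13} exposed={likejacking_exposed(hdrs)}")
```

Run it against the headers of any page that carries a one-click action (a Like, a payment confirmation, a settings change): anything classified as "unrestricted" is a likejacking candidate, and the fix is `Content-Security-Policy: frame-ancestors 'none'` (or a short allow-list) with `X-Frame-Options: DENY` kept for older browsers.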

Online youth safety

In August 2005, the Minister of Transport and Communications announced a voluntary scheme asking Finnish ISPs to block a list of Web pages suspected of containing child pornography.20 Critics have denounced the plan, saying it may be unconstitutional, could block legitimate Web sites, and might not advance its goal of preventing access to child pornography.21

Under the Act Against Distribution of Child Pornography, which entered into force on 1 January 2007, the Finnish police are entitled to maintain and update a confidential list of Web sites containing child pornography. ISPs may, but are not obliged to, block access to the Web sites on the list. The purpose of the law is to prevent access to foreign Web sites that contain child pornography.22 At the police's discretion, the list can be disclosed to telecommunications companies, and a telecommunications company receiving the list is bound by a statutory confidentiality obligation.23

In May 2009, the Helsinki Administrative Court held that being added to the list of child pornography Web sites is not a decision subject to appeal.24 The case concerned the blocking of a Web site that had published the full blocking list.25 By publishing the list, the police determined, the Web site was acting as a "portal" to child pornography content.26 In September 2010, however, the Supreme Administrative Court overturned that decision and remitted the case to the lower court.27

Workplace privacy

On 1 October 2004, the Act on the Protection of Privacy in Working Life took effect.28 The Act regulates several privacy issues in the workplace, such as psychological, genetic, and drug tests; the processing of medical histories and health information; and the use of video and audio surveillance devices. The main principle of the Act is that the employer shall collect personal data about an employee primarily from the employee personally; to collect personal data from elsewhere, the employer must obtain the employee's consent.29 The Act also lays down the procedure by which employers may, in an employee's absence, open email messages sent to or from the employee's work email address.30 Previously, the Telecommunications Privacy Act prevented Finnish employers from monitoring the contents of employees' email messages.31

The statute also contains new regulations on camera surveillance (allowed as long as no employee is singled out and employees are informed how and when such monitoring is to be conducted) and drug testing (widely allowed at work, provided such testing is legally justified, as when the job requires accuracy or the ability to react quickly).32

One of the latest amendments to the Act in 2008 concerns the employer's right to receive and process credit status information on the job applicant for evaluating his reliability if the job applied for includes tasks requiring a particular reliability, e.g. tasks relating to making decisions about financial commitments on the employer's behalf.33

In November 2006, the Finnish Data Protection Ombudsman (DPO) ruled that the Act barred employers from researching prospective employees using Internet search engines without the employees' consent.34 Media reports indicate that the "Ombudsman's decision may make life more difficult for Human Resources personnel, as employers may not be permitted to even check the reliability of a job applicant's CV from publicly available sources available through the Internet without first obtaining the applicant's permission."35

On 1 June 2009, an amendment to the Act on the Protection of Privacy in Electronic Communications, publicly known as "Lex Nokia",36 entered into force. It allows companies and associations ("association subscribers")37 that suspect business secrets are being leaked or that their communications networks are being misused to process "identification data" (traffic data)38 in order to prevent such disclosure of business secrets or to investigate a suspected disclosure,39 under the supervision of the DPO.40 Association subscribers may also process identification data for providing and using services, for invoicing, marketing and technical development, for detecting a technical defect or error, and for carrying out information security tasks.41 Association subscribers are not, however, allowed to read the content of employees' messages; the right to process identification data concerns electronic communications only and does not extend to, e.g., telephone and mobile phone calls. During the legislative process, "Lex Nokia" attracted enormous publicity and criticism, critics claiming that it would encourage association subscribers to "snoop" on their employees and could be construed to allow snooping on any IP-based telecommunications.42 Parliament nevertheless approved the amendment, and association subscribers may exercise the new right as of 1 June 2009. Before commencing any such processing, the association subscriber has to notify the Finnish Data Protection Ombudsman (DPO) (a fee is charged for the notification).43 In 2009, the DPO received no notifications from association subscribers, and as of 2010 none had used the right to process identification data as intended in the amendment.44 The true added value of the new right therefore remains to be seen in the coming years.

Health and genetic privacy

Health privacy

Privacy in health care is protected by the Act on the Status and Rights of Patients, which became effective in 1993. Under the Act, health care must be administered in a way that does not violate human dignity and that protects the patient's convictions and privacy. In general, medical records may not be released without the patient's written consent, except where otherwise provided by law.45 In addition, the Medical Research Act, in force since 1 November 1999, prohibits medical researchers and ethics committee members from disclosing patient information, including health status, personal circumstances, or financial situation.46

Genetic privacy

Nothing to report under this section.

Financial privacy

In February 2007, the Supreme Administrative Court held that the data subject's right of access extends to data on a bank client's own loan transactions and the associated interest rates. The bank had argued that transaction statements and interest rate data were not part of the client data file because the microfilms containing them were stored separately from the client's data file. According to the Court, this view was erroneous because the extent of a personal data file is determined by its purpose of use. Under the Personal Data Act, data processed for the same task belong to the same personal data file (a logical data file), even when parts of the file (sub-registers) are stored separately. Because the interest rate data were used for the same purpose as the client data, both data sets formed part of the same data file, and whether they were technically stored together or apart was deemed irrelevant.47

Demand for instant ("quick") loans applied for by mobile phone or over the Internet has lately increased dramatically in Finland. At several quick loan companies, authentication of the loan applicant has been based solely on the personal identity code (the Finnish equivalent of a social security number) given by the applicant and on subscription data obtained from the telecommunications operator. Such inadequate authentication has in some cases led to identity theft. In March 2007, the Data Protection Board (DPB), at the request of the Data Protection Ombudsman (DPO), ordered a quick loan company to change its authentication process for loan applicants. The DPB required that creditors identify their clients in order to ensure the accuracy of the personal data they process. The case proceeded to the Supreme Administrative Court, which ruled in January 2010 in line with the DPB's decision.48
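The Finnish personal identity code is a public identifier with a published structure (birth date, century separator, individual number, check character), so a well-formed code proves nothing about who is presenting it. The Python below is an added example, not drawn from the report or from the DPB decision: it validates the structure and check character of a code and then shows that a syntactically valid code for any birth date can be produced on demand. It assumes the check-character alphabet and century separators as published by the Digital and Population Data Services Agency (DVV), including the additional separators introduced in 2023; the function names are mine, and the sample codes are specimens, not real persons'.

```python
"""Added example: structural check of a Finnish personal identity code
(henkilotunnus) and a demonstration that a well-formed code is trivial to
produce, so it must never be treated as an authenticator.  Sample codes
are specimens, not real persons'."""

import datetime

# Check character: int(DDMMYY + ZZZ) mod 31 indexes this alphabet.
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"

# Century separator (7th character).  '+', '-' and 'A' are the classic marks;
# the extra marks for the 1900s and 2000s are assumed as published by DVV
# for codes issued from 2023 onwards.
CENTURY = {"+": 1800, "-": 1900, "A": 2000}
CENTURY.update({mark: 1900 for mark in "YXWVU"})
CENTURY.update({mark: 2000 for mark in "BCDEF"})


def check_char(ddmmyy: str, individual: str) -> str:
    """Eleventh character derived from the date digits and individual number."""
    return CHECK_CHARS[int(ddmmyy + individual) % 31]


def is_well_formed(code: str) -> bool:
    """Syntax, calendar date and check character only.

    This catches typos and transposed digits; it says nothing about whether
    the person presenting the code is its holder."""
    code = code.strip().upper()
    if len(code) != 11 or code[6] not in CENTURY:
        return False
    ddmmyy, mark, individual, check = code[:6], code[6], code[7:10], code[10]
    if not (ddmmyy.isdigit() and individual.isdigit()):
        return False
    try:
        datetime.date(CENTURY[mark] + int(ddmmyy[4:6]), int(ddmmyy[2:4]), int(ddmmyy[:2]))
    except ValueError:
        return False
    return check_char(ddmmyy, individual) == check


def birth_date(code: str):
    """ISO birth date encoded in a well-formed code, or None.  The code
    leaks the holder's birth date and sex (odd individual number = male)."""
    code = code.strip().upper()
    if not is_well_formed(code):
        return None
    ddmmyy, mark = code[:6], code[6]
    return datetime.date(CENTURY[mark] + int(ddmmyy[4:6]),
                         int(ddmmyy[2:4]), int(ddmmyy[:2])).isoformat()


def make_code(year: int, month: int, day: int, individual: int) -> str:
    """Forge a well-formed code for any birth date and individual number.

    Anyone can do this with the table above, which is why a lender that
    accepts a code as proof of identity is not authenticating anyone."""
    if not 2 <= individual <= 999:
        raise ValueError("individual number must be 002..999")
    mark = {18: "+", 19: "-", 20: "A"}[year // 100]
    ddmmyy = datetime.date(year, month, day).strftime("%d%m%y")
    ind = f"{individual:03d}"
    return f"{ddmmyy}{mark}{ind}{check_char(ddmmyy, ind)}"


if __name__ == "__main__":
    # "131052-308T" is the widely published specimen code, not a real person.
    for sample in ("131052-308T", "131052-308U", make_code(1990, 1, 1, 123)):
        print(sample, "well-formed" if is_well_formed(sample) else "REJECTED", birth_date(sample))
```

The structural check belongs in an input form, where it stops typos; the identification decision has to rest on something the applicant must possess or prove, such as the bank- or certificate-based strong identification described earlier in this report, not on the code itself.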

A 2008 amendment to the Act on the Protection of Privacy in Working Life concerns the employer's right to receive and process credit status information on the job applicant for evaluating his reliability if the job applied for includes tasks requiring a particular reliability, e.g. tasks relating to making decisions about financial commitments on the employer's behalf.49

In 2009, the Supreme Administrative Court ruled that the company Satakunnan Markkinapörssi Oy had violated the Personal Data Act by publishing taxation data on Finnish citizens in a publication named Veropörssi. The company had also intended to set up a service through which taxation information on individual persons could be ordered by SMS. The Court deemed this particular manner of publishing taxation information on private individuals a violation of the Personal Data Act; the ruling does not concern the public availability of taxation information in general.50