The Information Society Code (2014/917) (Code) – a new act in Finland on electronic communications, privacy, data security, communications, and the information society in general – took effect 1 January.

This sees a consolidation of 10 existing acts into one, which had included Finland’s Communications Market Act; Act on the Protection of Privacy in Electronic Communications; Domain Name Act; Act on Radio Frequencies and Telecommunications Equipment; Act on the Measures to Prevent Distribution of Child Pornography; and Act on Television and Radio Operations.

Besides simplifying existing rules and increased regulatory powers over the information society, there are three significant changes:

1. Extending Confidentiality Obligations

The Code extends the obligation to protect the confidentiality of communication from traditional telecom companies to ALL intermediaries of electronic communications services.

Under the changes, social media companies must now ensure that users of their messaging services get the same standards of privacy and security as other, already regulated, sectors, such as telecommunications companies.  

2. Extraterritorial Application

The Code’s scope has been increased, allowing the extraterritorial application of its rules. It now also covers companies based outside the EU that offer services in Finland. The obligation on operators to maintain the information security in connection with their services will apply where (1) an operator is based in Finland; (2) the communications network or other equipment to be used in the business operation are located or maintained in Finland; or (3) the services are offered in Finnish or are otherwise targeting Finland or Finns.

3. Joint Liability

The Code introduces a new obligation where a telecom operator and service provider can be held jointly liable for a defect in the provision of a service. As a big drive on consumer protection, the Code allows, in cases where consumers order and pay for products and services via their mobile phone, that telecom operators and the companies selling the said products or services share accountability.

With its focus on transparency, accountability, and its extraterritorial application, the Code does reflect many aspects of the upcoming EU General Data Protection Regulation, and is a clear enhancement of Finland’s laws on information security.