Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
As a member of the European Union, Finland must ensure that the requirements for data protection under Finnish law are at least as strict as those set out in EU legislation. Following its comprehensive reform, EU data protection legislation is widely regarded as the benchmark standard in the field (see next question). Consequently, Finnish data protection legislation forms a robust framework, especially as compliance with rules and regulations is a central feature of Finnish society and its business environment.
Are any changes to existing data protection legislation proposed or expected in the near future?
Yes. The Personal Data Act (523/1999), which implemented the EU Data Protection Directive (95/46/EC), will be repealed and replaced with a new Data Protection Act when the EU General Data Protection Regulation (GDPR) becomes applicable on May 25 2018. As a member of the European Union, Finland will be subject to GDPR and other EU legislative changes. The first draft of the national law supplementing GDPR (the Draft Data Protection Law) was published in June 2017 and the final government proposal for the law is expected to be submitted to Parliament shortly.
Further changes to national legislation will be required in the near future. The Act on the Protection of Privacy in Working Life (759/2004) is also under review and may be amended.
What legislation governs the collection, storage and use of personal data?
The right to privacy is a fundamental right under the Constitution of Finland (731/1999); thus, it enjoys wide protection.
The Personal Data Act governs, as a general law, the collection, storage and use of personal data. Finland also has several other laws in place governing data protection. The most relevant general laws are the Information Society Code (917/2014) and the Act on the Protection of Privacy in Working Life. The Information Society Code governs telecommunications and electronic communications, but also the collection and use of location data, the processing of traffic data and the confidentiality of communications. The Act on the Protection of Privacy in Working Life regulates the processing of employees' personal data and sets additional, stricter requirements in this context than the Personal Data Act and EU legislation.
In addition, there are hundreds of different sector-specific laws governing, to some extent, data protection. These include, among others, the Act on the Openness of Government Activities (621/1999) and the Act on Background Checks (726/2014).
The Personal Data Act will be repealed when the EU General Data Protection Regulation (GDPR) becomes applicable, as GDPR is directly applicable in Finland. As Finland intends to make only limited use of the derogations and national exemptions that GDPR permits, the Draft Data Protection Law will merely supplement GDPR, which will become the main legislation governing the collection, storage and use of personal data in Finland.
Scope and jurisdiction
Who falls within the scope of the legislation?
The data controller is subject to the requirements set forth in the Personal Data Act. By contrast, the data subject is provided with several rights. From a territorial perspective, the Finnish data protection legislation applies if the controller is established in the territory of Finland or is otherwise subject to Finnish law. In addition, the Personal Data Act applies to processing carried out by a controller not established in the European Union but whose equipment used for the processing is located in Finland. The latter does not apply if the equipment is used solely to transfer data through Finland.
What kind of data falls within the scope of the legislation?
In principle, the Finnish data protection legislation applies to the processing of personal data, unless an exception set out in the law applies. Data that is not regarded as personal data falls outside the scope of the data protection legislation. ‘Personal data’ means any information relating to an identified or identifiable private individual.
Are data owners required to register with the relevant authority before processing data?
As neither the entity processing the data nor the individual concerned owns the data processed, the term ‘data owner’ is not typically used in Finland. A ‘data controller’ means the natural or legal person, or a number of them, that determines the purposes of the processing. Data controllers have no general obligation to register with the Finnish data protection authority, the Data Protection Ombudsman. A data controller does have certain notification obligations, such as an obligation to notify the Data Protection Ombudsman of the outsourcing of personal data processing. However, these requirements will be repealed when GDPR becomes applicable.
Is information regarding registered data owners publicly available?
No, there is no publicly accessible register of registered data controllers (ie, data owners). However, all notifications made to the authorities under the Personal Data Act are, in principle, publicly accessible by request, in accordance with the Finnish Act on the Openness of Government Activities, as amended.
Is there a requirement to appoint a data protection officer?
The Personal Data Act provides no general obligation to appoint a data protection officer. There are, however, sector-specific requirements in the healthcare and social welfare sectors to name a data protection officer. When GDPR becomes applicable, the appointment of a data protection officer will become mandatory for certain controllers and processors. A data protection officer must be appointed, for example, where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data.
Which body is responsible for enforcing data protection legislation and what are its powers?
The Finnish data protection authority, the Data Protection Ombudsman, is responsible for enforcing data protection legislation in Finland. The Data Protection Ombudsman guides and supervises the processing of personal data in Finland and makes decisions on the lawfulness of processing activities. The Data Protection Ombudsman also provides guidance, both to those whose data is being processed and to those processing it, and has the right to access and inspect data files in order to issue directions or make decisions.
The Data Protection Ombudsman may bring a violation before the Data Protection Board, which deals with significant questions of principle relating to data processing and issues decisions in cases where processing requires the board's permission (under the Personal Data Act, a legitimate interest does not, as such, constitute a lawful basis for processing, so such processing requires the board's permission). At the request of the Data Protection Ombudsman, the Data Protection Board may:
- compel the controller to remedy the unlawful data processing activities;
- prohibit the unlawful processing; or
- order that the processing operations seriously compromising the protection of privacy of the data subject be ceased.
The authorities have no power to impose fines, but the Data Protection Board may attach a conditional fine to its orders in order to reinforce them.
Under the Draft Data Protection Law, a new Data Protection Authority (Tietosuojavirasto) will continue the activities of the Data Protection Ombudsman with certain organisational changes. GDPR requires that each EU member state ensure that each supervisory authority is provided with the resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. In Finland, it has been estimated that the new Data Protection Authority will require up to 75% more resources (€1.32 million) in 2019 compared with the existing resources of the Data Protection Ombudsman.
According to the Draft Data Protection Law, a separate Sanctions Board (Seuraamuslautakunta) will be established within the Data Protection Authority. The board is proposed to have the power to issue administrative fines under GDPR. The Draft Data Protection Law also provides for the possibility of an oral hearing in accordance with Finnish administrative judicial procedure. Consequently, data controllers (and processors) in Finland will likely be able to defend themselves against claims more effectively than in many other EU member states. The administrative fines will be supplemented with criminal sanctions (for individuals representing the controllers or processors), but only where administrative fines are unavailable for the matter. The criminal sanctions do not apply to companies.
The Finnish authorities do not currently bring strong enforcement actions for non-compliance, and we do not expect this approach to change significantly in the near future, especially as the current Data Protection Ombudsman Reijo Aarnio will continue to head the new Data Protection Authority until October 2020. The Finnish authorities are fairly business minded, and open to discussion and consultation with businesses. GDPR will, to some extent, harmonise the roles of national data protection authorities in the European Union, but only time will show the level of harmonisation.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Personal data can be processed (including collecting and storing the data) only if one of the prerequisites listed exhaustively in the Personal Data Act is met. Personal data may be processed, for example, if:
- the data subject has consented to the processing;
- the data subject has given an assignment for the processing or it is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- processing is necessary to protect the vital interests of the data subject;
- processing is necessary to comply with a task or obligation of the controller laid down by law;
- there is a relevant connection between the data subject and the operations of the controller based on the data subject being a client or member of the controller or subject to a comparable relationship between the data subject and the controller; or
- the Data Protection Board has granted a permission.
The EU General Data Protection Regulation (GDPR) sets out similar prerequisites. Most importantly, permission from the data protection authorities will no longer be a prerequisite; instead, data may be processed on the basis of a legitimate interest pursued by the controller or by a third party. Under GDPR, the rights of the data subject (eg, the right to erasure) differ, to some extent, depending on the lawful basis for the processing. Therefore, especially when choosing between the main processing bases (consent, the connection requirement and legitimate interest), the controller should determine the most suitable lawful basis with due care.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Personal data may be processed only if it is necessary for the purpose for which it was collected. Therefore, personal data must be deleted when it is no longer necessary for that purpose. The same principle is set forth in GDPR. Accordingly, the retention period must always be determined on a case-by-case basis.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Under the Personal Data Act, data subjects have the right of inspection, ie, the right to request access to the data stored about them. GDPR preserves this as the right of access. Additionally, under GDPR controllers must provide data subjects, upon request, with a copy of the personal data being processed.
Do individuals have a right to request deletion of their data?
The Personal Data Act does not grant data subjects a general right to request that their data be deleted. However, controllers must, on their own initiative or at the request of the data subject, rectify, erase or supplement any erroneous, unnecessary, incomplete or obsolete personal data.
GDPR will provide data subjects with a new right to request the deletion of their data. However, this so-called ‘right to be forgotten’ does not give data subjects a general right to have all of their personal data deleted. The data must be erased if one of the grounds set forth in GDPR applies. These include situations where the personal data is no longer necessary for the purposes for which it was collected, and situations where the data subject withdraws his or her consent.
Is consent required before processing personal data?
While consent is one of the prerequisites for processing under current Finnish law, GDPR will not require that consent be obtained before processing personal data, as it is only one of several lawful bases. That said, some processing activities (eg, automated decision-making and the processing of sensitive personal data) are subject to stricter requirements than other processing. Even in such cases consent is not the only available basis, but it may be the most suitable one.
The processing of location data is covered by the Information Society Code rather than the Personal Data Act. Under the code, location data on an identifiable natural person may be processed if that natural person has given consent or if it is otherwise provided by law.
Furthermore, the processing of employees' personal data is subject to specific requirements. Some activities, such as collecting data from a source other than the employees in question, are lawful only with the employees’ consent.
If consent is not provided, are there other circumstances in which data processing is permitted?
Yes. There are a number of other lawful bases for the processing of personal data, as consent is only one of the prerequisites for processing (see above).
What information must be provided to individuals when personal data is collected?
GDPR sets out detailed requirements for the information that must be provided to the data subject, and the required content is wider than under the Personal Data Act. All existing privacy policies and descriptions of files therefore need to be amended. Since a privacy notice drafted in accordance with GDPR also fulfils the requirements of the Personal Data Act, all privacy notices should already be drafted in accordance with GDPR.
Data security and breach notification
Are there specific security obligations that must be complied with?
Finland has no general data security law. The data security requirements are set in various laws.
The Personal Data Act sets forth general data security requirements. However, the security obligations are not specific, and it is the data controller's responsibility to ensure that adequate measures are implemented. Controllers must take technical and organisational measures to protect personal data from accidental or unlawful access and destruction, as well as from manipulation, disclosure, transfer and other unlawful processing. The EU General Data Protection Regulation (GDPR) takes a similar risk-based approach, as it requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In addition to the general data security requirements regarding personal data processing, sector-specific requirements exist, in particular in the financial, telecommunications and healthcare sectors.
Are data owners/processors required to notify individuals in the event of a breach?
Under the Personal Data Act, controllers or processors are not required to notify individuals in the event of a data breach.
Under GDPR, controllers must notify data subjects without undue delay after becoming aware of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of natural persons. Processors have no obligation to notify individuals and may do so only on the instructions of the controller.
Are data owners/processors required to notify the regulator in the event of a breach?
There is no general obligation for data controllers or data processors to notify the authorities of a breach under the current national legislation.
GDPR introduces such a notification obligation. Under GDPR, controllers must notify the supervisory authority (in Finland, the Data Protection Ombudsman) of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Processors are required to notify controllers without undue delay after becoming aware of a personal data breach.
Sector-specific legislation provides for some notification obligations, but these are not based on data protection legislation and do not set obligations for data controllers or processors; rather, they apply to specific sectors regardless of whether the breach is a personal data breach.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
There is no separate anti-spam statute; however, the Information Society Code regulates electronic direct marketing, and unsolicited electronic direct marketing to private individuals is, in principle, prohibited.
Electronic direct marketing to private individuals by means of automated calling systems, fax, email, text, voice, sound or image messages requires the individual's prior consent, also referred to as the ‘opt-in mechanism’.
There are some exceptions to this principle. For example, a service provider or product seller may use contact information, provided by the customer when buying a product or service, for direct marketing of the provider's own products or services of the same product group and other similar products or services. The customer must be given the opportunity to easily opt out of the use of their contact information for marketing purposes, free of charge.
Electronic direct marketing to legal persons (including representatives of such) does not require consent. However, the receiver has the right to opt out.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
There are no restrictions on transferring data from Finland to other countries within the European Union or the European Economic Area. However, the transfer of data outside the European Union or the European Economic Area is strictly regulated.
The Personal Data Act restricts the transfer of data to countries outside the European Union and the European Economic Area. As an EU member state, Finland is bound by the EU legislation on data transfers, especially the General Data Protection Regulation (GDPR) and the adequacy decisions of the European Commission, such as the EU-US Privacy Shield. Under GDPR, personal data may be transferred outside the European Union or the European Economic Area only if there is a lawful basis for the transfer. A transfer may be based on an adequacy decision by the European Commission that the receiving country or international organisation ensures an adequate level of protection (for transfers to the United States, the Privacy Shield serves this role for certified recipients). In the absence of such a decision, data may still be transferred if the controller or processor puts in place appropriate safeguards, such as the European Commission's Standard Contractual Clauses or approved binding corporate rules.
A supervisory authority may also approve binding corporate rules; after such approval, the binding corporate rules will provide a lawful basis for data transfers between the parties to which the rules apply.
Are there restrictions on the geographic transfer of data?
There are no general restrictions on geographic transfers. Personal data may be transferred outside the European Union or the European Economic Area only if there is a lawful basis for such transfer, as described above.
The legislation and regulations covering the security of supply set additional requirements regarding geographic transfers of certain data groups. For example, the most important data sets must be in Finland (eg, some health data, data relating to the energy infrastructure).
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
When a controller transfers personal data to another entity and that entity processes the data on behalf of the controller, that entity is regarded as a data processor.
Under the Personal Data Act, no specific requirements apply to controllers regarding the outsourcing of personal data processing, other than the notification obligation mentioned above.
GDPR sets forth specific requirements on the outsourcing of processing activities. Under GDPR, processing by a processor must be governed by a contract between the controller and the processor, and GDPR sets out the minimum content of such contracts. Therefore, all such contracts must be drafted in accordance with GDPR. Further, several provisions of GDPR apply directly to the processor.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Under the current data protection legislation, the controller may be compelled to remedy unlawful data processing activities, prohibited from continuing unlawful processing, or ordered to cease processing operations that seriously compromise the protection of the data subject's privacy. Additionally, the Finnish Criminal Code sets out penalties for data protection offences. These are applicable only to natural persons. A person who intentionally or through gross negligence processes personal data in violation of the Personal Data Act by giving false or misleading information, prevents or attempts to prevent a data subject from exercising his or her right of inspection, or transfers personal data to states outside the European Union or the European Economic Area in violation of the Personal Data Act, may be sentenced to a fine or to imprisonment for a maximum of one year. The criminal sanctions are rarely imposed in practice.
The EU General Data Protection Regulation (GDPR) will change the penalty scheme significantly. GDPR introduces a two-tier system of administrative fines for non-compliance: up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the less serious category of infringements, and up to €20 million or 4% of that turnover, whichever is higher, for the more serious category. In Finland these fines would be issued by the Sanctions Board proposed under the Draft Data Protection Law.
As administrative fines are an effective sanctioning system, they would be supplemented with criminal sanctions only where administrative fines are not available for the matter. The current data protection offence will be replaced by a narrower offence subject to the same penalties.
The new criminal liability will also apply only to natural persons, and only to persons who have not acted in the capacity of a data controller or processor.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes. The data controller is obliged to compensate damage incurred by the data subject or any other person as a result of data being processed in violation of the Personal Data Act. Further, the data subject may be entitled to compensation for damage caused by a criminal offence in accordance with the general Tort Liability Act (412/1974, as amended).
GDPR provides individuals with a right to compensation. Under GDPR, any person who has suffered material or non-material damage as a result of an infringement of GDPR has the right to receive compensation from the controller or processor for the damage suffered. Where both a controller and a processor are involved in the same processing and are responsible for the damage, the data subject may, at his or her own choice, claim the entire compensation from either of them, regardless of their respective shares of responsibility. The party that has compensated the data subject then has a right of recourse against the other.
In addition, Finland will, during the implementation of GDPR, assess the necessity and possibility to allow class actions for data subjects.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
No, there is no specific legislation on cybercrime or cybersecurity.
However, the Criminal Code of Finland contains several provisions that cover cybercrime (in its different forms).
The need for, and feasibility of, a general data security law has fairly recently been assessed in Finland. It was concluded that data security requirements should continue to be kept in sector-specific laws.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Finnish privacy legislation is exceptionally strict compared with that of many other countries, including other EU member states, and grants the users of information and communication systems very extensive rights. The right to private communication and the protection of employees' private information are based on fundamental rights. Therefore, even when investigating cybercrime and cyberattacks, an employer may not, as a rule, access its employees' email accounts or personal files. The only way for the employer to access such private information without the employees' consent is where the information has been processed by the police as part of a criminal investigation.
In September 2015 the Ministry of Transport and Communications appointed a development group to prepare Finland's Information Security Strategy, which was published in April 2016. Also in April 2016, the Finnish Ministry of Justice and the Finnish Ministry of the Interior published a working group's report proposing legislation on intelligence activities that would give law enforcement agencies more extensive access to data in order to increase the level of security. The legislative process is in progress and a new law is expected to come into force in 2020.
Which cyber activities are criminalised in your jurisdiction?
The Criminal Code criminalises:
- business espionage committed by accessing information systems;
- criminal mischief by unlawfully interfering with communication channels in a way that seriously endangers important societal functions;
- damage to data;
- fraud committed by destroying or deleting data or otherwise interfering with the operation of data systems and thereby falsifying the end result of data processing in a way that causes economic loss;
- message interception;
- interference with communications and information systems;
- computer break-in;
- offences involving a system for accessing protected services;
- data protection offences; and
- identity theft.
Which authorities are responsible for enforcing cybersecurity rules?
The Finnish Communications Regulatory Authority (FICORA) is responsible for enforcing the Information Society Code. FICORA also has a dedicated unit that concentrates fully on cybersecurity, the National Cyber Security Centre Finland (NCSC-FI). The Data Protection Ombudsman is responsible for enforcing the data protection rules.
The Finnish Police is responsible for investigating crimes. In the case of organised crime, the National Bureau of Investigation investigates cybersecurity offences. The Finnish Security Intelligence Service handles national security matters such as espionage and other threats to national security. The general courts are responsible for applying the criminal legislation.
Further, in addition to the proposed Intelligence Act, the Ministry of Justice has suggested the creation of a new authority, an Intelligence Ombudsman, that would be responsible for the legal checks and balances of intelligence actions. This proposal is, however, still under review.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
It is possible for a company to obtain insurance that covers cybersecurity breaches. Currently, only a few insurers offer such policies, but the market is developing rapidly.
It is currently uncommon to obtain insurance for cybersecurity breaches. We expect such policies to become more popular in the coming years.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No, the current national legislation does not set general obligations for companies to keep records of cybercrime threats, attacks and breaches.
Under GDPR, there are no specific requirements to record cybercrime threats, attacks or breaches. However, all personal data breaches must be documented (including the facts of the breach, its effects and the remedial action taken) in accordance with the documentation obligations set forth in GDPR, regardless of whether the breach is notified to the authority.
Sector-specific requirements also apply. For example, under the amended Payment Institutions Act (297/2010), implementing the revised Payment Services Directive ((EU) 2015/2366, known as PSD2), payment institutions must report their operational and security risks and incident management procedures to the Finnish Financial Supervisory Authority annually.
Under the Information Society Code, telecommunications operators and added-value service providers are required to retain the data regarding the notifications sent to subscribers and users.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
There are no general requirements for companies to report threats, attacks or breaches. Personal data breaches must be reported in accordance with the above-mentioned principles.
However, sector-specific regulations set additional requirements. For example, under the Information Society Code, telecommunications operators are required to notify the Finnish Communications Regulatory Authority of information security breaches and threats without undue delay. The operator must also notify the authority of the estimated duration and consequences of the threat or violation, the corrective measures taken and the measures taken to prevent a recurrence.
Further, credit institutions and insurance companies must, for instance, notify the Financial Supervisory Authority of a data breach in accordance with the binding regulation issued by the Finnish Financial Supervisory Authority.
EU Directive 2016/1148 on security of network and information systems (the NIS Directive) is currently being implemented into Finnish law (the deadline for implementation is May 9 2018). The directive introduces new incident notification requirements for operators of essential services in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure, as well as for certain digital service providers.
In addition to the mandatory notifications, any private person, company or organisation may notify FICORA's NCSC-FI of information security incidents targeted against them. This is voluntary, but as NCSC-FI provides guidance and maintains statistics on cybersecurity threats such as phishing and denial-of-service attacks, notification is recommended.
Are companies required to report cybercrime threats, attacks and breaches publicly?
There are no general obligations in Finland for companies to report cybercrime threats, attacks or breaches publicly. Also, the sector-specific obligations require making the notification only to the competent authority or directly to the individuals.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The Criminal Code criminalises a range of offences and the potential criminal sanctions are set out specifically for each offence. The criminal sanctions include both fines and imprisonment.
What penalties may be imposed for failure to comply with cybersecurity regulations?
If a company fails to comply with its security obligations (that is, it fails to secure the data as required), it may, depending on the sectoral law, be subject to fines. Where the data includes personal data, penalties are currently imposed mainly on the individuals representing the company; for some violations, a corporate fine is possible.
Under the Draft Data Protection Law, administrative fines would be directed at the company and supplemented with criminal sanctions only where administrative fines are unavailable for the matter. Criminal liability would apply only to natural persons.