Data protection of electronic communications and traffic data is governed by the Act on Electronic Communications Services.
- Electronic communications include phone calls, emails, SMS, MMS and voice messages, instant messages and online messages.
- Traffic data include telephone numbers, email addresses and IP addresses. Traffic data is information that is used to transmit, distribute or provide messages in communications networks and that can be associated with a subscriber or user.
Processing rights of parties to communication
Under the Act on Electronic Communications Services, parties to communication are entitled to process their own electronic messages and the traffic data associated with these messages unless otherwise provided by law. In addition, electronic messages and traffic data may be processed with the consent of the party to the communication, or if permitted by law. Whoever receives or obtains in any other way knowledge of an electronic message, radio communication or traffic data not intended for him or her shall not disclose or make use of the content or traffic data of such a message, or the knowledge of its existence, without the consent of a party to the communication, unless otherwise provided by law.
In other words, the sender and the intended recipient may, in principle, process the communication between themselves but third parties may not process such communication.
- It is legal to record your own phone calls, for example.
- The confidentiality of communications is not violated, either, if a party to the communication forwards a message he or she has received, for example an email, to a third party, unless the secrecy is based on some other act or agreement.
- A recipient of a message is allowed to tell others about the message he or she has received and its contents unless the recipient is bound by a specific non-disclosure obligation. For example, a person in the service of an authority may be bound by a non-disclosure obligation under the Act on the Openness of Government Activities.
Processing rights and obligations of communications providers
Under the Act on Electronic Communications Services, communications providers, including telecommunications operators, corporate and associate subscribers and other parties that convey electronic communications, may process messages and traffic data only to the extent necessary for transmitting communications, implementing the agreed service and for the purpose of ensuring information security as provided by law.
The Act on Electronic Communications Services also contains provisions on communications providers’ rights to process electronic communications and traffic data for purposes such as billing, marketing and technical development.
In certain cases, the subscriber to a communications service and some authorities have the right to obtain information on the user’s communications from telecommunications operators.
Besides processing rights, the Act contains provisions on communications providers’ obligations related to processing of electronic communications and traffic data. The Act provides, for example, that after processing, electronic messages and traffic data must be destroyed or rendered such that they cannot be associated with the subscriber or user involved, unless otherwise provided by law.
In addition to confidential communications, there are public communications. Traffic data related to public communications are confidential, too. Operators involved in the transmission of communications, such as telecommunications operators and corporate and associate subscribers, may process this data only for the purposes provided by law. They are also bound by a non-disclosure obligation regarding traffic data.
A provider of a message board or a similar service intended for publication of messages has the right to publish traffic data related to the messages posted on the forum, if permitted under the terms of the service. These services are comparable to a newspaper’s letters to the editor section, which is also a forum for publishing writings under the writer’s own name or a pseudonym.
Responsibility for the contents of a published message and the publishers’ duty to disclose the source of information or writer of an anonymous message is provided by law.
Limitations to confidential communications and penalties for message interception
It is possible to limit the right to confidential communications, for example, in some criminal investigations.
The police have the right to intercept and monitor telecommunications when investigating certain types of crimes. In addition, emergency services authorities have the right to obtain information on the location of the subscriber connection of users making emergency calls and users in distress.
Message interception is a crime. For example, it is punishable to obtain, by hacking, information on a message that is protected from outsiders.
The NCSC-FI at Traficom supervises communications providers to ensure that they implement their network and communications services securely, so that the confidentiality of communications is not endangered. Furthermore, the NCSC-FI guides communications providers and monitors that they process confidential communications in accordance with the related statutory rights and obligations.
The Data Protection Ombudsman supervises the processing of location data related to personal data and communications. This means data available from a communications network or terminal device that shows the geographic location of a subscriber connection or terminal device.
All criminal matters related to confidential communications should be reported to the police.
Cookies are small text files that a web browser stores on a user's device. Cookies are used, for example, to store user information when the user moves from one webpage to another. In principle, the placement of cookies requires the user’s consent.
A cookie may be stored on the user’s device permanently (stored cookie) or erased after the user leaves a service (session cookie).
Cookies may be used for collecting the following information:
- the user's IP address
- pages visited
- browser type
- the web address from which the user landed on the website
- the server from which the user landed on the website
- the domain name from which the user landed on the website.
Cookies require the user's consent
Website users must be provided with clear and comprehensive information about cookies and the purposes of saving or using user data. Users must also be given information on at least how long the cookies are used and whether third parties may have access to the cookies. Storing and using information collected by cookies require the user’s consent. Informing users about the data collected by cookies and allowing them to refuse the storage of cookies must be implemented in the most user-friendly manner possible.
Finland interprets the Directive on privacy in electronic communications (‘ePrivacy Directive’) so that users can give their consent to store cookies on their terminal equipment, for example, by using the appropriate settings of a browser or other application.
Cookies may be used without informing or requesting consent from the user if
- their sole purpose is to carry out the technical transmission of a communication
- their use is necessary for the service provider in order to provide a service explicitly requested by the subscriber or user.
Cookies in EU legislation
The EU General Data Protection Regulation (EU) 2016/679 (‘GDPR’) has been applied since 25 May 2018. The GDPR repealed its predecessor, the Personal Data Directive.
The definition of and conditions for consent in the provisions on cookies of the Act on Electronic Communications Services were based on the Personal Data Directive. However, the conditions for consent in the GDPR have changed only a little compared to the Personal Data Directive.
A new regulation on privacy and electronic communications is currently being prepared in the EU, which, once completed, will replace the ePrivacy Directive and provisions on cookies in the Act on Electronic Communications Services. Under the Commission's proposal for the regulation, consent to store cookies on a user's terminal equipment may be expressed by using the appropriate settings of a browser or other application. The process of adopting the regulation is still underway, and the final contents or schedule of the regulation have not been confirmed.
Cookies and case-law