Confidential communications

It is prohibited to process another person’s messages or related traffic data without the consent of the party or a legitimate basis laid down by law. The confidentiality of communications is guaranteed in the Constitution of Finland. We supervise data protection in the electronic communications of communications providers. Under certain conditions, we also supervise services provided abroad.

Data protection of electronic communications and traffic data is governed by the Act on Electronic Communications Services.

  • Electronic communications include phone calls, emails, SMS, MMS and voice messages, instant messages and online messages.
  • Traffic data include telephone numbers, email addresses and IP addresses. Traffic data is information that is used to transmit, distribute or provide messages in communications networks, and they can be associated with a subscriber or user.

Processing rights of parties to communication

Under the Act on Electronic Communications Services, parties to communication are entitled to process their own electronic messages and the traffic data associated with these messages unless otherwise provided by law. In addition, electronic messages and traffic data may be processed with the consent of the party to the communication, or if permitted by law. Whoever receives or obtains in any other way knowledge of an electronic message, radio communication or traffic data not intended for him or her shall not disclose or make use of the content or traffic data of such a message, or the knowledge of its existence, without the consent of a party to the communication, unless otherwise provided by law.

In other words, the sender and the intended recipient may, in principle, process the communication between themselves but third parties may not process such communication.

  • It is legal to record your own phone calls, for example.
  • The confidentiality of communications is not violated, either, if a party to communication forwards a message, for example an email, he or she has received to a third party, unless the secrecy is based on some other act or agreement.
  • A recipient of a message is allowed to tell others about the message he or she has received and its contents unless the recipient is bound by a specific non-disclosure obligation. For example, a person in the service of an authority may be bound by a non-disclosure obligation under the Act on the Openness of Government Activities.

Processing rights and obligations of communications providers

Who do we regulate?

Under the Act on Electronic Communications Services, communications providers, including telecommunications operators, corporate and associate subscribers and other parties that convey electronic communications, may process messages and traffic data only to the extent necessary for transmitting communications, implementing the agreed service and for the purpose of ensuring information security as provided by law.

The Act on Electronic Communications Services also contains provisions on communications providers’ rights to process electronic communications and traffic data for purposes, such as billing, marketing and technical development.

In certain cases, the subscriber to a communications service and some authorities have the right to obtain information on the user’s communications from telecommunications operators.

Besides processing rights, the Act contains provisions on communications providers’ obligations related to processing of electronic communications and traffic data. The Act provides, for example, that after processing, electronic messages and traffic data must be destroyed or rendered such that they cannot be associated with the subscriber or user involved, unless otherwise provided by law.

Public communications

In addition to confidential communications, there is public communications. Traffic data related to public communications are confidential, too. Operators involved in the transmission of communications, such as telecommunications operators and corporate and associate subscribers, may process this data only for the purposes provided by law. They are also bound by a non-disclosure obligation regarding traffic data.

A provider of a message board or a similar service intended for publication of messages has the right to publish traffic data related to the messages posted on the forum, if permitted under the terms of the service. These services are comparable to a newspaper’s letters to the editor section, which is also a forum for publishing writings under the writer’s own name or a pseudonym.

Responsibility for the contents of a published message and the publishers’ duty to disclose the source of information or writer of an anonymous message is provided by law.

Limitations to confidential communications and penalties for message interception

It is possible to limit the right to confidential communications, for example, in some criminal investigations.

The police have the right to intercept and monitor telecommunications when investigating certain types of crimes. In addition, emergency services authorities have the right to obtain information on the location of the subscriber connection of users making emergency calls and users in distress.

Message interception is a crime. For example, it is punishable to obtain information on a message which is protected from outsiders by hacking.

Supervision

The NCSC-FI at Traficom supervises that communications providers implement their network and communications services securely so that the confidentiality of the communications is not endangered. Furthermore, the NCSC-FI guides and monitors that communications providers process confidential communications in accordance with the related statutory rights and obligations.

The Data Protection Ombudsman supervises the processing of location data related to personal data and communications. This means data available from a communications network or terminal device that shows the geographic location of a subscriber connection or terminal device.

All criminal matters related to confidential communications should be reported to the police.

Cookies

Cookies are small text files that a web browser stores on a user's device. Cookies are used, for example, to store user information when the user moves from one webpage to another. In principle, the placement of cookies requires the user’s consent.

A cookie may be stored on the user’s device permanently (stored cookie) or erased after the user leaves a service (session cookie).

Cookies may be used for collecting the following information:

  • the user's IP address
  • time
  • pages visited
  • browser type
  • the web address from which the user landed to the website
  • the server from which the user landed to the website
  • the domain name from which the user landed to the website.

Cookies require user's consent

JUDGMENT OF THE COURT OF JUSTICE OF THE EUROPEAN UNION ON 1 OCTOBER 2019

The Court of Justice of the European Union issued a judgment on cookie practices on 1 October 2019. Because of the judgment, Traficom has specified its cookie guidelines on giving consent and providing users with information on the duration of the operation of cookies and third-party access to cookies. According to the more detailed guidance, users can still give their consent to the use of cookies by using browser settings.

CJEU's judgment in case C-673/17 (External link)

Website users must be provided with clear and comprehensive information about cookies and the purposes of saving or using user data. Users must also be given information on at least how long the cookies are used and whether third parties may have access to the cookies. Storing and using information collected by cookies require the user’s consent. Informing users on data collected by cookies and allowing them to refuse the storage of cookies must be implemented in the most user-friendly manner possible.

Section 205 of the Act on Electronic Communications Services (External link) (In Finnish)

Finland interprets the Directive on privacy in electronic communications (‘ePrivacy Directive (External link)’) so that users can give their consent to store cookies on their terminal equipment, for example, by using the appropriate settings of a browser or other application.

In Finland, providing information about cookies or giving consent to their storage does not require a pop-up window. Consent can be requested by using any preferred method (e.g. browser/application setting or pop-up window) as long as it is not requested by using a pre-ticked checkbox. The use of cookies and the related practices must also be indicated on a website in such a manner that a user can obtain additional information about them.

Cookies may be used without informing or requesting consent from the user if 

  • their sole purpose is to carry out the technical transmission of a communication
  • their use is necessary for the service provider in order to provide a service explicitly requested by the subscriber or user.

Such services include online banks and online stores. In practice, these services cannot function without cookies. However, users may still be informed about the use of cookies in the above-mentioned services.

Cookies in EU legislation

The EU General Data Protection Regulation (EU) 2016/679 (‘GDPR’) (External link) has been applied since 25 May 2018. The GDPR repealed its predecessor, the Personal Data Directive.

The definition of and conditions for consent in the provisions on cookies of the Act on Electronic Communications Services were based on the Personal Data Directive. However, the conditions for consent in the GDPR have changed only a little compared to the Personal Data Directive.

A new regulation on privacy and electronic communications (External link) is currently being prepared in the EU, which, once completed, will replace the ePrivacy Directive and provisions on cookies in the Act on Electronic Communications Services. Under the Commission's proposal for the regulation, consent to store cookies on a user's terminal equipment may be expressed by using the appropriate settings of a browser or other application. The process of adopting the regulation is still underway, and the final contents or schedule of the regulation have not been confirmed.

In March 2019, the European Data Protection Board issued an opinion on the interplay between the ePrivacy Directive and the GDPR in events covered by both the ePrivacy Directive and the GDPR (External link). The opinion contains examples on the use of cookies.

Cookies and case-law

The Court of Justice of the European Union issued a judgment on cookies on 1 October 2019 (Case C-673/17 (External link)). According the judgment, consent to the use of cookies is not valid if it is given by way of a pre-checked checkbox on a website. The judgment also states that a service provider must inform users of the duration of the operation of cookies and whether or not third parties may have access to those cookies.