Finland

[FI] New Act on Data Protection in Electronic Communications

IRIS 2004-10:1/18

Marina Österlund-Karinkanta

Finnish Broadcasting Company YLE, EU and Media Unit

On 16 June 2004, the Sähköisen viestinnän tietosuojalaki (Act on Data Protection in Electronic Communications) was ratified. It entered into force on 1 September 2004. The Act repeals the Laki yksityisyyden suojasta televiestinnässä ja teletominnan tietoturvasta, 565/1999 (Act on the Protection of Privacy and Data Security in Telecommunications).

The new Act aims at safeguarding confidentiality and protection of privacy in electronic communications. It extends the protection of privacy and the confidentiality of communications from the telecoms sector alone to every activity of the information society. All enterprises and associations that process confidential data in their telecommunications networks are subject to the rights and obligations set out in the Act. The Act clarifies the rules for processing confidential identification and location data and provides new means to prevent spam and viruses. Electronic direct marketing may not be addressed to consumers without their prior consent. Users' rights to access data concerning their own communications and e.g. location data are extended. Rules are defined concerning the use of cookies and the police are given better access to information on the possessors of dynamic IP addresses and IMEI codes of mobile phones.

What specifically matters to the audiovisual sector is that content providers will have the right to obtain invoicing data concerning their own customers from the telecommunications operator. A telecommunications operator is obliged to give a provider of information society services, e.g. providers of audiovisual content, news, timetables, weather information or ringing tones to a mobile phone, the data necessary for billing purposes. Thus, content service providers can bill the subscriber or user directly for their services instead of billing through a telecommunications operator. The data can be given only with the prior consent of the subscriber or user.

Compliance with the Act on Data Protection in Electronic Communications and regulations issued under it will be mainly monitored by the Finnish Communications Regulatory Authority, FICORA (see IRIS 2001-8: 14). The processing of location data and provisions on direct marketing will be monitored by the Data Protection Ombudsman.