“Lex Nokia” And Confidentiality In Electronic Communications In Finland

By Eija Warma, of Castren & Snellman, Helsinki, Finland[1]. In Finland, the Constitution[2] guarantees everyone a basic right of privacy, and specifically states that “The secrecy of correspondence, telephony and other confidential communication is inviolable”. Because of this fundamental right, a recent amendment to Finland’s Act on the Protection of Privacy in Electronic Communications (the “Act”) prompted a broad discussion about the essential rights of the country’s citizens and garnered the amendment several nicknames, including “Lex Nokia” and the “Snoop Act”.

Background

Privacy in electronic communications guarantees confidentiality for both the content of the message and any identification data. According to the Act, a “message” means a phone call, e-mail message, SMS message, voice message or any comparable message transmitted between parties or to unspecified recipients in a communications network through which such message and data is not meant to be commonly available. “Identification data” means data that can be associated with an individual subscriber or user and which is handled in a communications network for the purpose of transmitting, distributing or providing messages.

In 1997, the European Parliament enacted a Directive that focused on protection of privacy in the telecommunications sector[3]. Its purpose was to supplement an earlier directive addressing the processing of personal data and the free movement of such data[4] and sets basic requirements for all types of processing of personal data. The 1997 Directive was amended in 2002[5] to correspond to more current technical developments and terminology and covered “electronic communications”. In the preamble of the 1997 Directive, the European Parliament stated that the purpose of the Directive is to guarantee confidentiality of communication in accordance with the international instruments relating to human rights. In addition, in the case of public communication networks, specific legal, regulatory and technical provisions should be made in order to protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the increasing capacity for automated storage and processing of data relating to subscribers and users. The preamble also stated that equipment of users of electronic communications networks and any information stored on such equipment are included within the private sphere of the users requiring protection under the European Convention for Human Rights and Fundamental Freedoms. Spyware, web bugs, hidden identifiers and other similar devices have the ability to enter a user’s equipment without user knowledge in order to gain access to information, to store hidden information or to trace the activities of the user, all of which may seriously intrude upon the privacy of the user. Because of this, the use of such devices is only allowed for legitimate purposes with the knowledge of the applicable user.

The Finnish Electronic Communications Privacy Act

The 2002 directive was enacted in Finland in 2004 by the Act[6]. The purpose of the Act is to guarantee confidentiality in electronic communications and define specific circumstances when confidentiality is allowed to be breached. According to the Act, a breach is permissible in the following situations: 1) by consent of a sender or recipient, 2) to facilitate handling of providing and using services, 3) to allow handling for billing purposes, 4) to allow handling for marketing purposes by the service provider, 5) handling for the purposes of technical development, 6) handling for the purpose of detecting a technical fault or error; and 7) handling in cases of misuse. In practice these exceptions proved to be very problematic. The content of the section of the Act dealing with these exceptions was so broad and ambiguous that telecommunication operators and corporate subscribers[7] had insufficient guidance to address several important business matters that involved email communications in their workplaces. Among these concerns was how properly to investigate suspicions of unauthorized disclosures by employees of business secrets through use of email accounts. This was a particular concern for technology companies, whose businesses are largely dependent on innovations resulting from highly confidential research and development activities. Chief among these was Nokia, which is based in Finland, and, thus, the at-times critical references to the amendment as the “Lex Nokia”.

The “Lex Nokia” Amendment

To address various concerns raised by the initial form of the Act, a follow-up legislative committee was established shortly after the Act was passed into Finnish law. The committee drafted an amendment specifically to address the problematic situation posed by the risk of employees making unauthorized information disclosures through use of email. The amendment was enacted and it came into effect on June 1st 2009. The amendment essentially provides that a corporate subscriber has the right to monitor identification data automatically within the network if certain prerequisites are satisfied, but a corporate subscriber is not allowed to read or open the content of the actual message. Prior to its enactment, the amendment faced significant opposition among labour organizations, professors, many interest groups and individual citizens because there was a widespread belief that the proposed modifications to the Act would give a corporate subscriber a right to breach a user’s confidentiality, which, as already noted, is considered a fundamental right in Finland.

According to the amendment, before a corporate subscriber can undertake automatic monitoring, the corporate subscriber must 1) limit access to trade secrets and draft an adequate data security policy, 2) identify those persons who have access to trade secrets, and it is only these people whose emails can be subject to suggested automatic monitoring, 3) handle the issue in a co-operation procedure, 4) notify the office of the Finnish Data Protection Ombudsman[8], and 5) give a yearly report to the employees and to the data protection ombudsman of the actions under the amendment that the corporate subscriber has actually undertaken. Automatic monitoring can be based on the size, type, quantity or means of communications or the receiver of the relevant information. If any suspected unauthorized disclosures are found, a corporate subscriber has the right to manually review the identification data of that specific message. However, this does not give a right to review the content of the message. Based on the information obtained by the company, the corporate subscriber must then decide whether it wants to take further actions in the matter. If it suspects that the elements of an offense are fulfilled, then a request for a police investigation has to be made. If a corporate subscriber violates this procedure, the sanctions vary from fines to imprisonment of responsible agents for up to three years.

The Effect To Date

By the end of September 2009 the Finnish Data Protection Ombudsman had not received any notification from corporate subscribers for the adoption of allowed automatic monitoring. However, this is not surprising given that companies cannot start monitoring before drafting an adequate data security policy and it takes time to prepare the required documentation. Both the data protection ombudsman and the representatives of the Confederation of Finnish Industries, EK[9], which is the leading business organisation in Finland, believe that there will be notifications in the course of time. The actual implementation by businesses is just going to take some time.

In other Scandinavian countries legislation does not prohibit businesses from monitoring identification data for legitimate purposes. Even in Germany, which has one of the strictest European privacy laws, legislation allows monitoring of identification data if it is necessary for preventing misuse. In general, many European countries allow a company to monitor its own communications networks so long as the company has informed employees in advance of this possibility. As a practical matter, this means that Finland has enacted one of the strictest laws with respect to privacy in electronic communications.


[1] Ms. Warma has studied at Tulane University Law School and holds an LLM from the University of Minnesota Law School. In 2009 she completed a six-month secondment with the Atlanta office of Smith, Gambrell & Russell, LLP. Ms. Warma’s practice focuses on employment law and intellectual property, technology and life sciences matters.

[2] The Finnish Constitution (731/1999)

[3] Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector

[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[5] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

[6] The Act on the Protection of Privacy in Electronic Communications (516/2004)

[7] A “corporate subscriber” means a company or organization that subscribes to a communications service or a value added service and which handles users’ confidential messages, identification data or geographic information in its communications network. The term is unique to Finland and it has not been adopted in any other European country.

[8] http://www.tietosuoja.fi/1560.htm (September 25, 2009) The Data Protection Ombudsman guides and controls the processing of personal data and provides related consultation.

[9] http://www.ek.fi/www/en/index.php (September 25, 2009) EK was one of the biggest exponents of the amendment.