Supervision of data protection
FICORA supervises the data protection of electronic communications in the operations of telecommunications operators and corporate or association subscribers and, as of 1 January 2015, also in other communications providers' operations. As of 1 January 2015, the supervision also concerns, under certain conditions, services provided from abroad.
Without consent or grounds prescribed by law, no one has the right to process another person’s messages or identification data related to communication. The confidentiality of communications is guaranteed in the Constitution of Finland. However, the confidentiality of communications is not violated in cases where a party to communication forwards a message he/she has received to a third party, unless the secrecy is based on some other act or contract.
Calls, e-mail messages, text messages, picture messages, voice messages and instant messages are electronic communications. Further provisions on the information security of electronic communications are laid down in part VI of the Information Society Code.
According to the Information Society Code, a telecommunications operator means a network operator or a communications service operator offering services to a set of users that is not subject to any prior restriction, i.e. one that provides public telecommunications services. Examples of communications services are broadband subscriptions (internet access service), telephone subscriptions, text messages, e-mail, and instant messaging.
FICORA supervises that telecommunications operators implement their network and communications services in an information-secure manner so that the confidentiality of the communications is not endangered.
The page Interpretation guidelines on players and operators contains more detailed information on the cases where a service provider is considered to be a telecommunications operator, e.g. in broadband operator-neutral services provided on the internet, and on the cases where the operations are considered to be provision of programmes and not operations of a telecommunications operator.
The obligations of the data protection regulation also concern, to some extent, undertakings and organisations using communications services and added value services, not just undertakings providing services. The regulation extends to subscribers of services if they process users' confidential messages, identification data or location data in their own internal communications network. These are referred to in the legislation as corporate or association subscribers.
Examples of corporate or association subscribers are business operators, cooperatives, limited companies, associations, universities, and government agencies. A corporate or association subscriber can be, for example, an undertaking that acquires and provides telephone and broadband subscriptions for its employees and a WLAN connection for those who visit the premises, and processes identification data in its internal network.
Residents of housing companies sharing a subscriber connection can also be corporate subscribers. A family does not qualify as a corporate subscriber, even though the home has an internal information network or a telephone device that stores information on telephony.
With regard to the regulation, other providers of electronic communications, which have become subject to the regulation of information security and data protection as of the beginning of 2015 in accordance with the Information Society Code, must be distinguished from telecommunications and telecommunications operators.
According to the Information Society Code, a communications provider means, in addition to telecommunications operators and corporate subscribers, any other party that conveys electronic communications for other than personal or comparable customary private purposes.
It is stated in the explanatory memorandum of the Information Society Code (HE 221/2013, detailed justifications in section 3) that the aim is to protect the right of communications parties to confidential communications in relation to the communications with regard to a third party.
According to the explanatory memorandum, communications providers can be parties whose service is based on the conveyance of confidential communications also within a certain electronic service. According to the explanatory memorandum, this would refer to confidential communications on Facebook or in the Suomi24 service.
According to the explanatory memorandum, the conveyance of communications is not e.g. the provision of a discussion forum or other public communications on the internet or any other publishing operations or the provision of network messages subject to the Act on the Exercise of Freedom of Expression in Mass Media (460/2003).
Personal or similar normal, private purposes mean, according to the explanatory memorandum, e.g. households that are not subject to the regulation.
FICORA supervises compliance with the Information Society Code and other provisions and regulations issued under it. FICORA supervises, for example,
- processing of identification data
- protection of communications and decoding, and
- compliance with the provisions on the information service of communications services.
Identification data means data that is associated with the subscriber or the user and that is processed in communications networks for the purposes of transmitting, distributing or providing messages. Examples of identification data are telephone numbers, e-mail addresses and IP addresses. The data processing related to messages is, to some extent, necessary in order to deliver them to recipients.
The Information Society Code governs for which purposes and how the parties participating in the message conveyance have the right to handle messages and the identification data saved in the networks.
PART VI CONFIDENTIALITY OF COMMUNICATIONS AND PROTECTION OF PRIVACY
- Chapter 17 Processing Electronic Messages and Identification Data
- Chapter 18 Special Provisions for Corporate or Association Subscribers (so-called Lex Nokia)
- Chapter 19 Information Related to Authorities (so-called Data Retention)
- Chapter 20 Location Data and Other Subscriber Connection or Terminal Device Location Data
PART IX COMMUNICATIONS NETWORKS, SERVICES AND EQUIPMENT
- Chapter 29 Quality Requirements for Communications Networks and Communications Services
- Section 243 Quality requirements for a communications network and service (telecommunications)
- Section 247 Obligation of a communications provider or a provider of added value services to maintain information security (other provision of communications)
The special provisions for corporate or association subscribers and the processing of identification data are supervised by the Data Protection Ombudsman.
Unencrypted e-mail messages can be read by anyone capable of monitoring network traffic that is used for delivering messages. The confidentiality of e-mail can be ensured by encrypting the messages before sending them. Subscribers and users have the right to protect their messages and identification data in any way they wish, using any technical means available for the purpose.
However, the protection must not interfere with the provision or use of network services and communications services. The possession, import, manufacture and distribution of any system or part thereof for decoding the technical protection of electronic communications is prohibited in cases where such a system or part thereof is primarily intended for unlawful decoding of technical protection.