[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Republic of Finland

Constitutional Privacy Framework

Section 10 of the Constitution of Finland, entitled "The right to privacy," states: "Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act. The secrecy of correspondence, telephony and other confidential communications is inviolable. Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual, society or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act."[2265] Also, Section 12 of the Constitution, titled "Freedom of expression and right of access to information," provides that "documents and recordings in the possession of the authorities are public, unless their publication has for compelling reasons been specifically restricted by an Act. Everyone has the right of access to public documents and recordings."[2266] Information in the public domain includes each Finland resident's name, birth year, municipality of residence, state taxable income, state property taxes, and total taxes paid.

Statutory Rules on Privacy

The Personal Data Act of 1999 (PDA)[2267] went into effect on June 1, 1999. The PDA replaced the 1987 Personal Data File Act[2268] to make Finnish law consistent with the EU Data Protection Directive.[2269] The PDA was amended by the Act on the Amendment of the Personal Data Act, effective December 1, 2000, to incorporate provisions on policy and effects of the European Commission's decision-making.[2270 ]Under the PDA, everyone has the right of access to the data files on him or her or to notice that the file contains no such data. If a data controller refuses to rectify an error at the request of a data subject, the data subject may inform the Data Protection Ombudsman (DPO) of the matter. The DPO may order a data controller to recognize the data subject's right of access or to rectify an error. The PDA does not apply to processing of personal data for a private or purely personal use. Activities of "the media, the arts and literary expression" are also excluded from its scope. Exemptions for defense and public security are included in separate legislation.

The PDA introduces the concept of informed consent and self-determination into Finnish law, giving data subjects the rights to access or correct their data, or to prohibit their use for stated purposes. The previous act regulated the use and disclosure of information in a personal data file but did not generally require the individual's consent or provide for the same level of notice and access.[2271] Processing without consent may still occur under the new system -- for example, if there is "assumed consent," or the Data Protection Board (DPB) has granted permission, or if the matter concerns publicly available data on the "status, duties or performance" of a public figure.[2272] The PDA lays down civil and criminal sanctions (including imprisonment of up to one year)[2273] for unlawful processing.[2274]

The Act on the Openness of Government Activities, most of which came into force in December 1999, also contains provisions on privacy.[2275] Chapter 6 of the Act exempts from public disclosure government documents containing data on the annual income or net worth of a person, documents containing information on a secret telephone number or information on the location of a mobile communications device, and documents revealing a person's place of residence, telephone number, or other contact information if the person has asked that the information be kept secret and is justified in believing that disclosure would endanger himself or his family.[2276]

Data Protection Authority

The DPO enforces the PDA and receives complaints. The DPO's primary tools for compliance with legislation are direction and guidance. Under the PDA, the DPO provides direction and guidance on the processing of personal data and supervises the processing to achieve the objectives of the statute. Before bringing charges of a violation of the DPA, the public prosecutor must hear from the DPO. In such cases, the court affords the DPO an opportunity to be heard.[2277]

The number of new cases brought before the DPO increased by approximately 20% from 2004 to 2005.[2278] Every complaint directed at the public sector was matched by nearly two complaints directed at the private sector. The DPO explains that this development is probably because while public authorities are usually regulated by law, private companies often try to test the boundaries of legal protections. The change in proportion between public and private sector complaints represents deterioration in the private sector rather than an improvement in the public sector. The number of complaints against the public sector has remained fairly static.[2279] As of July 2007, there were 20 persons working at the Data Ombudsman's office.[2280] Each DPO inspector specializes in a certain field of problems, including education, social services, working life and credit issues.[2281]

The DPB resolves disputes and hears appeals of decisions rendered by the DPO and, under the PDA, grants permissions for the processing of personal data.[2282] The DPB consists of a chair, a deputy chair and five members, and they are required to be familiar with register operations. The Board is appointed by the Council of State for a term of three years.[2283] At the DPO's direction, the DPB drafts regulations for the processing of personal data. The DPO must be heard during the preparation of legislative or administrative reforms that may affect individual privacy rights.[2284] During 2005, the DPO issued 45 statements on legislative matters related to the protection of personal rights or freedoms in the processing of personal data and 20 on administrative reform projects.[2285]

Anti-terrorism Measures

The EU approved a Directive[2286] on mandatory data retention in December 2005 after minor amendments. [2287] The Directive requires Internet Service Providers (ISPs) and phone companies to keep data on every electronic message sent and phone call made for between six months and two years. The directive has been criticized as a threat to the personal privacy of European citizens. Finland has postponed the entry into force of mandatory retention on the Internet to Spring 2009 at the earliest.[2288]

On September 4, 2003, the Finnish government submitted a resolution on the National Information Security Strategy. The Strategy aims to increase citizens' and companies' trust in the information society and formulates the efforts of the government, trade and industry organizations, and private citizens into common information security objectives. The Strategy, one of the first proposals in the world that concern the development of information security in the whole society, was praised as the best European security guidelines at the International RSA Information Security Conference held in Amsterdam in November, 2003.[2289]

In October 2003, the Finnish Ministry of Transport and Communications appointed the National Information Security Advisory Board to oversee implementation of the National Information Security Strategy.[2290] The Board began its work in spring 2004 and continued through May 2007. On December 14, 2004, the Board submitted to the government a progress report that provided an overview of the state of information security in Finland. The report also outlined four primary projects for 2005: adoption of a program on information-secure electronic services, analysis of national information security risks, assessing and remedying cybercrime, and organizing the nation's second annual National Information Security Day, which was held on February 8, 2005.[2291]

Wiretapping and Surveillance Rules

Electronic surveillance and telephone tapping by the government are authorized by the criminal law. A judge can give permission to tap the telephone lines of a suspect if the suspect is liable for a jail sentence for crimes that are exhaustively listed in the Coercive Criminal Investigation Means Act passed in 1987.[2292] Transactional data of a suspect's telecommunications activity can be obtained if the suspect faces at least four months of jail. Electronic surveillance is possible, with the permission of the judge, if the suspect is accused of a drug-related crime or a crime that can be punished with more than four years in jail.

The Finnish government has enacted special ordinances that apply to particular personal data systems. These include those operated by the police such as criminal information systems,[2293] the National Health Service, passport systems, population registers,[2294] farm registers, and motor vehicle registers.[2295] In January 2001, a new law on the status and rights of social welfare clients came into force and includes data protection provisions relating to the use of social services.[2296] In October 1999, the government amended the laws and granted the police a new high-tech means of enforcing traffic fines, which in Finland are based on the driver's income. Whereas before the police would simply ask violators for their income and calculate the fine manually based on that income, they now use cellular phones to access the official tax records. Within seconds the drivers reported income appears up on the screen along with the corresponding fine.[2297]

Recent Developments Related to Privacy

FICORA’s Computer Emergency Response Team (CERT-FI) reported in its annual review that distributing spyware to hacked computers in Finland became common in 2006.[2298] CERT-FI reported that spyware software activities, which can hijack personal data, user identification, passwords and credit card numbers, were “large-scale and systematic.”[2299] The agency reports, however, that it received word of only a few cases where information of Finnish users of electronic services had fallen into the wrong hands.[2300]

In August 2005, the Minister of Transport and Communications announced a voluntary scheme asking Finnish ISPs to block a list of web pages suspected of containing child pornography.[2301] Critics have denounced the plan, saying the plan may be unconstitutional, could block legitimate websites and might not advance its goal of preventing access to child pornography.[2302]

Telecommunications Privacy

Telecommunications privacy is regulated by the Act on the Protection of Privacy in Electronic Communications, which was approved by the President on June 16, 2004, and came into force on September 1, 2004.[2303] The law, which replaces the Protection of Privacy and Data Security Act of 2000, is broad in scope, covering all telecommunications, including e-mails and communications on the Internet.[2304] The new Act clarifies rules for processing confidential identification and location data: except in an emergency, telecommunications users aged 15 years or older may not be located without their prior consent.[2305] However, parents or guardians of children under 15 years old may decide on the use of location services, a change in the law that was made in response to a 2003 proposal to allow parents to track the whereabouts of their young children through the use of mobile phones.[2306] Finland’s leading mobile operators TeliaSonera and Elisa, offer such positioning services, which are based on user proximity to base stations.[2307]

In May 2005 the Helsinki District Court handed down suspended sentences to five defendants in a case involving unauthorized use of mobile telephone records by executives of telecommunications service provider Sonera.[2308] The court found there had been extensive misuse of telecommunications information at Sonera from 1998 to 2001.[2309] The case is expected to be appealed.[2310] After the scandal, Sonera was merged with Swedish telecommunications operator Telia, creating TeliaSonera.[2311] At the time of the scandal, the Finnish state was a majority shareholder in Sonera.[2312] Sonera’s security department was suspected of having misused telecommunications logs of at least 100 people, among them journalists, in an attempt to discover who was responsible for information leaks that had been troubling the company.[2313] One journalist commented at the time, “Communications privacy in Finland, as elsewhere, is seen as a sacred right. The strong suspicion that this privacy has been shamelessly violated has prompted talk of an Orwellian society.”[2314]

The Act on the Protection of Privacy in Electronic Communications also provides new means to prevent spam and viruses. Previous legislation banning the sending of spam failed to protect against messages sent from outside Finland; thus, the Act permits telecommunications operators and corporate and association subscribers to block e-mail and to remove malicious content in order to protect against security infringement or to ensure communications access.[2315] The Act prohibits direct marketing through e-mail or mobile telephone except with the user's prior consent.[2316] The Act also broadens police access to telecommunications information in criminal cases: in addition to permanent Internet protocol (IP) addresses and telephone numbers, police now have the right to obtain dynamic IP addresses and international mobile equipment identity (IMEI) codes of mobile telephones. The Finnish Communications Regulatory Authority (FICORA) is responsible for ensuring compliance with the Act and regulations issued under it, while the DPO monitors the processing of location data and provisions on direct marketing.[2317] The Act transposed the EU Privacy and Electronic Communications Directive nearly a year after the European Commission deadline of October 31, 2003.[2318]

The Ministry of Finance broadly oversees the coordination of information security for the Finnish Government and for this purpose created the Government Information Security Board (Steering Committee for Data Security in State Administration), or VAHTI.[2319] On June 15, 2004, VAHTI appointed a working group to develop and prepare propositions to privacy in administration and electronic surveillance. The issues that the working group is dealing with include biometrics, electronic identification, and electronic surveillance. The working group will further consider privacy when dealing with data security and develop cooperation in administration which is related to privacy issues.[2320]

On February 1, 2003, the Act on Electronic Signatures[2321] went into effect. The purpose of the Act is to promote the use of electronic signatures and the provision of products and services related to them, as well as to promote data protection and data security of electronic commerce and electronic communication. FICORA has authority to ensure, through monitoring and auditing, that certification service providers that issue qualified certificates comply with the Act.[2322] FICORA also issues regulations governing information supplied by certification service providers and handles customer complaints.[2323]

Radio Frequency Identification

In late 2002, VTT Technologies, a government research center, developed a new type of high-frequency (900 MHz) Radio Frequency Identification (RFID) tag that can be read with a transceiver up to four meters away. The signal can also penetrate obstacles. In 2004, the city library of Kauhajoli was the first in Finland to implement RFID technology, which was introduced to help manage collections, cut losses, speed up customer service, and increase self-service.[2324] Other libraries have already implemented RFID technology for theft prevention.[2325]

In the Helsinki region, the most familiar application of RFID technology is the travel cards, which replaced paper tickets in the area's public transport system by the end of 2002. The partners in the project are Helsinki Metropolitan Area Council (YTV), Helsinki City Transport, and the railway company VR. The use of travel cards is recorded in a database. This information can be accessed to aid transport capacity planning. The movements of travel card users are saved and can be accessed for later retrieval. The data from the transport system has been used for crime investigations in serious cases.[2326] YTV records the customer information it needs for customer service and consumer protection in the Travel Card System. Then, YTV municipal service points' employees, and the people in charge of the system, have the right to browse and update the customer data recorded in the system, as well as the data stored in the central processing unit, concerning travel periods and the amount of money a passenger has loaded into his/her card and where the card was last used. It is not possible to browse the travel data at the point of service.[2327]

The travel card received heavy public criticism after its introduction since it was theoretically possible to connect a specific traveler's identity with travel route information. After the DPO made the issue public, YTV changed its policy.[2328]

RFID Lab Finland, a Finnish application center for RFID technology that is partly publicly funded, opened in early 2005.[2329] Partnering with universities, research centers, and government programs in Finland, the center will provide information, consulting, and training services and will include a showroom and a test room for Finnish RFID applications. Nokia Corporation and UPM Rafsec are among 11 companies that agreed to provide equipment and demonstrations.[2330]

Workplace Privacy

On October 1, 2004, the Act on the Protection of Privacy in Working Life took effect.[2331] The new Act replaces the Act on Data Protection in Working Life,[2332] which had been in force since October 2001. Like its predecessor, the new Act determines the legality of several issues in the workplace, such as psychological, genetic, and drug tests; the processing of medical histories; and the use of video and audio surveillance devices. The Act also delineates procedures by which employers may, in their employees' absence, open e-mail messages sent to or from employees' work e-mail addresses.[2333] Previously, the Telecommunications Privacy Act prevented Finnish employers from monitoring the contents of employees’ e-mail messages.[2334] The statute also contains new regulations on camera surveillance (allowed as long as no employee is singled out and employees are informed how and when such monitoring is to be conducted) and drug testing (widely allowed at work, provided such testing is legally justified, as when the job requires accuracy or ability to react quickly).[2335] In November 2006, the Finnish Data Ombudsman ruled that the new act barred employers from researching prospective employees using Internet search engines without the employees’ consent.[2336] Media reports indicate that the “Ombudsman’s decision may make life more difficult for HR personnel, as employers may not be permitted to even check the reliability of a job applicant’s CV from publicly available sources available through the Internet without first obtaining the applicant’s permission.”[2337]

National ID System

National identification numbers have long been in use in Finland. Since the 1970s, all citizens have been issued a national identification number consisting of their date of birth and four other characters. The number is used extensively in the public and private sectors. It is included on passports, driving licenses, and other personal data files held by the public administration.[2338] The Finnish government in December 1999 began issuing new national ID cards (FINEID) based on smart card technology.[2339] A Citizen Certificate can be incorporated into a chip ID card issued by the police, a bank card or the Subscriber Identity Module (SIM) card of a mobile phone.[2340] The Citizen Certificate can be used for secure identification in e-transactions, e-mail and document encryption and as an electronic signature.[2341] The cards include digital signatures to communicate online with government agencies and companies. The Finnish Population Register Centre operates as the digital signature certificate authority. By the end of May 2007, Citizen Certificates had been issued to 145,200 people.[2342]

Beginning in June 2004, medical insurance data could be put into identification cards on a voluntary basis, thus replacing social security (KELA) cards issued by the Social Security Institution of Finland.[2343] As of May 2007, 34,300 people had integrated their health insurance information into their ID cards.[2344] The Population Register Centre reported in 2006 that chip ID cards are being adopted for Finnish government employees.[2345] The photo ID cards contain a Government Employee Certificate that is part of the same Finnish certificate infrastructure as the Citizen Certificates.[2346] The certificate on the government ID cards enables identification to log into information networks, authentication of network users and their usage rights, encryption of email and electronic signatures.[2347]

The Electronic Services in Administration Act was passed in early 2000 to encourage the use of digital ID cards.[2348] As of June 2003, cardholders have been able to have their cards imprinted with their social security data. The card can be used as a travel document in EU member states, and about 50 services use the card. The citizen certificate can also be used on different platforms and is channel-independent. Since October 2003, it has been available for the Visa Electron cards issued by the OP Bank Group. The first mobile citizen certificate started to be used in November. The mobile phone service based on the use of the mobile citizen certificate that allows the electronic identification of users became available for consumers in early 2005.[2349]

Finland made biometric passports available on August 21, 2006.[2350] The Ministry of the Interior reports that the introduction of biometric passports is a joint project of all EU Member States to fight passport fraud and forgery.[2351] The new passport’s data page will contain a microchip that will store a facial image, personal data and passport data.[2352] The Finnish Ministry of Interior had planned to introduce biometric identification in passports as early as May 2005, making Finland a pioneer in biometric passports. However, the introduction of biometrics was stalled by a Market Court hearing of a claim brought by Finnish passport manufacturer, Setec, which was challenging the award of the contract for manufacture of the passports to its Swedish and Dutch competitors.[2353] According to the Ministry, biometrics will improve efficiency of identification and help fight illegal immigration and terrorism.[2354]

E-Voting Privacy

The Population Register Centre is also working with mobile operators to design a smart card suitable for remote electronic voting. The Ministry of Justice plans to introduce e-voting at polling stations in three municipalities for the 2007 Parliamentary election as part of a pilot program.[2355] It is expected that electronic voting will be available to all of Finland by 2009.[2356] An electronic ID card or other certification will be used to protect voter identity.[2357] Several organizations are critical of electronic voting, citing increased potential for error and loss of voter confidence in the democratic process.[2358]

Health Privacy

Privacy in health care is protected by the Act on the Status and Rights of Patients, which became effective in 1993. Under the Act, health care must be administered in a way that does not violate human dignity and that protects the patient's convictions and privacy. In general, medical records may not be released without the patient's written consent except when otherwise provided by law.[2359] In addition, the Medical Research Act, in force since November 1, 1999, prohibits disclosure of patient information including, health status, personal circumstances, or financial situation, by medical research workers and ethics committee members.[2360]

Open Government

The Act on the Openness of Government Activities (mentioned above) replaced the Publicity of Official Documents Act of 1951.[2361] It provides for a general right to access any document created by a government agency, or sent or received by a government agency, including electronic records. Finland is a country that has traditionally adhered to the Nordic tradition of open access to government files. In fact, the world's first Freedom of Information act dates back as far as the Riksdag's (Swedish Parliament's) 1766 Access to Public Records Act. This Act also applied to Finland, then a Swedish-governed territory.[2362]

International Obligations

Finland is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108).[2363] Finland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2364] Finland signed the CoE Convention on Cybercrime in November 2001.[2365] Finland ratified the convention on May 24, 2007, and it is scheduled to go into force September 1, 2007.[2366] Finland is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Åland Islands

The Parliament of the self-governing Åland Islands (Landsting) passed its own Data Protection Act in 1991 and independently ratified the CoE's Convention No. 108.[2367] If an international treaty entered into by Finland contains a provision that is in conflict with the Autonomy Act[2368] or that falls within the authority of Åland, the Parliament must approve such a provision for it to be valid in Åland.[2369] Although the Åland Data Protection Act makes reference to the Finnish Data Protection Act, there has always been some resistance by the Åland Swedish-speaking majority to follow orders from Helsinki. Constitutionally, the Åland Parliament may nullify Finnish laws on its territory.[2370]

[2265] Constitution of Finland (unofficial translation), available at <http://www.finlex.fi/pdf/saadkaan/E9990731.PDF>.
[2266] Id.

[2267] Personal Data Act (523/99) (unofficial translation), available at <http://www.tietosuoja.fi/uploads/hopxtvf.HTM>.
[2268] Personal Data Files Act (Law No. 471/87).
[2269] See Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, available at <http://europa.eu.int/comm/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf>.
[2270 ]Amendment of the Personal Data Act (986/2000) (unofficial translation), available at <http://www.tietosuoja.fi/uploads/p9qzq7zr3xxmm9j.rtf>.

[2271] Peter Blume et al., Nordic Data Protection 49 (DJOF Publishing 2000).
[2272] Id.
[2273] See Finland Penal Code 1389/99, Chapter 38, § 9 (unofficial translation), available at <http://www.finlex.fi/pdf/saadkaan/E8890039.PDF>,
[2274] Personal Data Act (523/1999), supra.

[2275] Act on the Openness of Government Activities, available at <http://www.finlex.fi/en/laki/kaannokset/1999/en19990621.pdf>.
[2276] Id.

[2277] E-mail from Reijo Aarnio, Data Protection Ombudsman, Finland, to Kate Ó Súilleabháin, Law Clerk, Electronic Privacy Information Center (EPIC), June 13, 2005 (on file with EPIC).

[2278] Ninth Annual Report of the Article 29 Working Party on Data Protection, available at <http://www.europa/eu/justic_home/fsj/privacy>.
[2279] Review 2005 Of The Data Protection Ombudsman, available at <http://www.tietosuoja.fi/uploads/q0vw1ft5.rtf>.
[2280].Tietosuojaviranomaiset, supra
[2281] Tietosuojaviranomaiset, supra.

[2282] Personal Data Act (523/1999), supra.
[2283] Privacy International, Privacy, Technology, and Europe: A Report for Japan's Ministry of Public Management, Home Affairs, Postal, and Telecommunication, March 2003.

[2284] European Union Article 29 Data Protection Working Party ("WP29"), Sixth Annual Report on the Situation Regarding the Protection of Individuals with Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries Covering the Year 2001, December 16, 2003, available at <http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/2003-6th-annualreport_en.pdf>.
[2285] WP29, Ninth Annual Report on the Situation Regarding the Protection of Individuals with Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries Covering the Year 2005, June 14, 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual_report_en.pdf>.

[2286] Directive 2006/24/EC, Official Journal of the European Union, March 15, 2006, available at <http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf>.
[2287] “Finland: Internet Data Retention to Start in 2009?,” eFinland, February 28, 2006, available at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=48378>.
[2288] Id.

[2289] E-mail from Reijo Aarnio, supra, and Timo Poropudas, "Finnish Information Security Strategy Receives an Award," Mobile Monday, November 5, 2003, available at <http://www.mobilemonday.net/news/finnish-information-security-strategy-receives-an-award>.

[2290] National Information Security Advisory Board Report Submitted to the Government on December 14, 2004, available at <http://www.mintc.fi/oliver/upl501-NISAB%20report%20(lowres).pdf>.
[2291] Id.

[2292] See Collection of Laws for Electronic Access, World Intellectual Property Organization <http://www.wipo.int/clea/en/fiche.jsp?uid=fi039> (full text not available online).

[2293] Criminal Records Act (770/93).
[2294] Act on Population Information (1993/507).
[2295] Jorma Kuopus, Data Protection Regulatory System - Data Transmission and Privacy (D. Campbell & J. Fisher, eds., Martinus Nijhoff Publishers 1994).
[2296] Act on Experiments with Seamless Service Chains in Social Welfare and Health Care Services and with a Social Security Card (811/2000) (unofficial translation), available at <http://www.finlex.fi/pdf/saadkaan/E0000811.PDF>.
[2297] Steve Stecklow, "Finnish Drivers Don't Mind Sliding Scale, but Instant Calculation Gets Low Marks," Wall Street Journal, January 2, 2001.

[2298] CERTI-FI, “Annual Review 2006,” January 5, 2007, available at <http://www.cert.fi/attachments/5mfKbZPac/5mW7X6Cdx/Files/CurrentFile/CERT-FI_situation_report_4-2006.pdf>.
[2299] Id.
[2300] Id.

[2301] “Finnish ISPs Must Voluntarily Block Access”, EDRI-gram newsletter, number 3.18 September 8, 2005, available at <http://www.edri.org/edrigram/number3.18/censorshipFinland>.
[2302] Id.

[2303] Act on the Protection of Privacy in Electronic Telecommunications, 516/2004 (unofficial translation), available at <http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf>.
[2304] Id.
[2305] Finland Ministry of Transport and Communication, "New Means to Improve Data Protection and Information Security—Act on Data Protection in Electronic Communications to Enter into Force on 1 September," Press release, June 16, 2004, available at <http://www.valtioneuvosto.fi/ajankohtaista/tiedotteet/tiedote/en.jsp?oid=113506>.
[2306] Associated Press, “Finns Ready Cellphone Tracking Law” MSNBC, October 17, 2003, available at <http://msnbc.msn.com/id/3226848/>.
[2307]Id.

[2308] “Five get suspended sentences in Sonera telephone record case,” Helsingin Sanomat International Edition, May 30, 2005, available at <http://www.hs.fi/english/article/1101979719153>.
[2309] Id.
[2310] Id.
[2311] Kyösti Karvonen, “Finland's Intelligence Service Shaken by SUPOgate,” Virtual Finland, September 23, 2004, available at <http://www.finland.fi/netcomm/news/showarticle.asp?intNWSAID=28174&intIGID=&intCatID=607&CatTypeNumber=3&LAN=EN&contlan=&Thread=&intThreadPosition=0>.
[2312] Id.
[2313] Id.
[2314] Id.

[2315] Associated Press, “Finns Ready Cellphone Tracking Law” MSNBC, October 17, 2003, available at <http://msnbc.msn.com/id/3226848/>.
[2316] Id.
[2317] Id.
[2318] Paul Meller, "EU Pressures Member States to Implement Spam Law," IDG News Service, April 1, 2004, available at <http://www.infoworld.com/article/04/04/01/HNeuspamlaw_1.html>.

[2319] Ministry of Finance, Information Security and Management by Results, January 2005, available at<http://www.vm.fi/vm/en/04_publications_and_documents/01_publications/08_other_publications/20060320Inform/94247.pdf>.
[2320] E-mail from Reijo Aarnio, supra.

[2321] Act on Electronic Signatures (14/2003) (unofficial translation), available at <http://www.finlex.fi/en/laki/kaannokset/2003/en20030014.pdf>.
[2322] Id.
[2323] Finnish Communications Regulatory Authority, Regulation on Certification Authorities’ Obligation to Notify FICORA, January 29, 2003 <http://www.ficora.fi/attachments/englanti/1156489107542/Files/CurrentFile/FICORA072003M.pdf>.

[2324] "Library Introduces RFID Technology," eFinland, June 9, 2004, at <http://www.e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=24842>.
[2325] "Finland: RFID To Be Used in Libraries," eFinland, April 20, 2005, at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=35683>.

[2326] Privacy International, Privacy, Technology, and Europe: A report for Japan's Ministry of Public Management, Home Affairs Postal and Telecommunications, March 2003, available at <http://personal.lse.ac.uk/hosein/pets/japan_pets.pdf>.
[2327] Id.

[2328] Id.

[2329] "RFID Lab Finland Is a Newly Opened Finnish Application Center for RFID Technology," eFinland, February 11, 2005, at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=33122>.
[2330] Id.

[2331] Act on the Protection of Privacy in Working Life (759/2004), available at <http://www.finlex.fi/en/laki/kaannokset/2004/en20040759.pdf>.
[2332] The Act on Data Protection in Working Life (477/2001), available at <http://www.mol.fi/english/working/dataprotection.html>.
[2333]Act on the Protection of Privacy in Working Life, supra.
[2334] Peter Blume et al., supra at 71.
[2335] Id.
[2336] RoschierRaidla News, “The Internet and Privacy in the Workplace,” November-December 2006, available at <http://www.roschier.com/monthlybriefs/RoschierRaidla/December2006/RRnewsletter_December2006.htm>.
[2337] Id.

[2338] Peter Blume et al., supra.
[2339] See, Finnish Population Register Centre's homepage <http://www.vaestorekisterikeskus.fi/>.
[2340] Press Release, Population Register Centre, “Finnish Government Employees Get Chip ID Cards,” October 5, 2006, available at <http://www.fineid.fi/vrk/bulletin.nsf/fineidbd/A25EC94E8F7395B0C22571FD004232A4?opendocument>.
[2341] Id.
[2342] Press Release, Population Register Center, “By the end of May, Citizen Certificates Had Been Issued to a Total of 145,200 People,” June 1, 2007, available at <http://www.fineid.fi/vrk/bulletin.nsf/fineidbd/E5A1FF4246988100C2257305004AB47F?opendocument>.

[2343] "Social Security Data on Electronic ID Cards," eFinland, June 2, 2004, at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=24579>.
[2344] Press Release, Population Register Center, “By the end of May, Citizen Certificates Had Been Issued to a Total of 145,200 People,” supra.
[2345] Press Release, Population Register Center, “By the end of May, Citizen Certificates Had Been Issued to a Total of 145,200 People,” supra.
[2346] Id.
[2347] Id.

[2348] Peter Blume et al., supra.
[2349] "Pan-European Electronic Identity Being Developed in Wide Cooperation," eFinland, December 22, 2004, at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=30901>.

[2350] Press Release, Ministry of the Interior, “New Biometric Passports to be Introduced on 21 August 2006,” May 31, 2006, available at <http://www.intermin.fi/intermin/bulletin.nsf/HeadlinesPublicEng/A4C2738C1289CCF2C225717F00213A38>.
[2351] Id.
[2352] Id.
[2353] R. A. Hettinga, "Finland's Issuing of Biometric Passports Delayed," Helsingin Sanomat International Edition, March 31, 2005, available at <http://www.hs.fi/english/article/Finlands+issuing+of+biometric+passports+delayed/1101978984487>.
[2354] "Biometric Passports Possibly in May 2005," eFinland, March 9, 2004, at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=21813>.

[2355] Ministry of Justice, “Electronic Voting,” available at <http://www.vaalit.fi/17102.htm>.
[2356] “Finland: Electronic Voting to be Tested in 2007,” eFinland, January 13, 2006, available at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=46243>.
[2357] "Electronic Voting To Be Tested in 2007," eFinland, April 15, 2005, at <http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=35478>.
[2358] See Press Release, “New Campaign Calls for Safe E-voting,” Electronic Frontier Finland, November 4, 2003, available at <http://www.effi.org/julkaisut/tiedotteet/pressrelease-2003-11-04.html>; “Policy on E-voting and Counting,” Electoral Reform Society, available at <http://www.electoral-reform.org.uk/downloads/Electronic%20voting%20POLICY.pdf>.

[2359] Act on the Status and Rights of Patients (785/1992), August 17, 1992, unofficial translation available at <http://www.finlex.fi/fi/laki/kaannokset/1992/en19920785.pdf>.
[2360] Medical Research Act (488/1999), issued April 9, 1999, unofficial translation available at <http://www.finlex.fi/en/laki/kaannokset/1999/en19990488.pdf>.

[2361] Act 83/9/2/1951.
[2362] Wayne Madsen, Handbook of Personal Data Protection (Stockton Press 1992).

[2363] Signed April 10, 1991; ratified December 2, 1991; entered into force April 1, 1992.
[2364] Signed May 5, 1989; ratified May 10, 1990; entered into force May 10, 1990; See also Finland Ministry of Foreign Affairs, Government Report to Parliament on the Human Rights Policy of Finland 2004, May, 2004, available at <http://formin.finland.fi/public/default.aspx?nodeid=34787>.
[2365] Convention on Cybercrime CETS No. 185 <http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=1&CL=ENG>.
[2366] Id.

[2367] Kuopus, supra.
[2368] Act on the Autonomy of Åland, available at <http://www.lagtinget.Aland.fi/eng/act.html>.
[2369] Åland and the European Union, available at <http://www.lagtinget.Aland.fi/eng/eu.html#anchor360419>.
[2370] Madsen, supra.