Press release
Ministry of Transport and Communications
16.6.2004 13.38

New means to improve data protection and information security - Act on Data Protection in Electronic Communications to enter into force on 1 September

A new act will safeguard confidentiality and protection of privacy in electronic communications. It will clarify the rules of processing confidential identification and location data and provide new means to prevent spam and viruses. The new Act on Data Protection in Electronic Communications will promote users' trust as well as information security and development of electronic services.

The President of the Republic of Finland approved the bill on data protection in electronic communications on Wednesday, 16 June 2004. The Act will enter into force on 1 September 2004.

- This Act is of especial importance to every citizen and the whole of society. Citizens' increased trust in the information society will also promote the development of new services, says Ms Leena Luhtanen, Minister of Transport and Communications of Finland.

Clarified processing of identification data

Rights and obligations related to the processing of identification data will extend to cover, in addition to telecommunications operators, corporate and association subscribers, i.e. all enterprises and associations that process confidential data in their telecommunications networks. The identification data reveal, among other things, callers, and senders and receivers of SMS messages, and the Internet pages the user has browsed. In order to avoid misuse related to the processing, the telecommunications operators have to store the detailed data showing the time, duration and processor of the identification data for a period of two years.

Rules for location data processing

Introduction and provision of location services will be promoted by clarifying the rules for processing location data. Nobody may be located without his or her prior consent. With regard to children under 15 years of age, the decisions of taking the location services into use will be made by their guardians. Provisions on emergency positioning will not be amended. In an emergency situation, positioning is always possible.

New ways to combat spam and viruses

In Finland, it is already forbidden by law to send spam email. However, this has not brought the problem under control, because unsolicited messages arrive almost solely from outside Finland and the EU. According to the Act on Data Protection in Electronic Communications, telecommunications operators and corporate and association subscribers have the right to prevent the reception of email and SMS messages and remove malicious programs from messages in order to remove information security disturbances and prevent infringements. The measures can be put to use only if communication services or the recipient's access to means of communication are endangered. In such cases, messages can be filtered out without the recipient's consent. With the user's consent, a telecommunications operator or a corporate or association subscriber can always prevent the reception of disturbing email.

Electronic direct marketing only with prior consent

Direct marketing through email or a mobile phone may not be addressed to consumer customers without their prior consent.

However, a service provider may use a customer's contact information received in the context of the sale of a product or a service for direct marketing of its own similar products or services. The service provider must give the customer the opportunity to object to such use when the service is given and on the occasion of each message.

Users entitled to access their location data

Users' rights to access data concerning their own communication will be extended. The user is entitled to receive, at request, a fully itemised phone bill from the operator as well as the identification data concerning his or her own communication, e.g. the location data of the mobile phone. These data are subject to a charge.

Content service providers entitled to direct billing

A telecommunications operator is obliged to provide content service providers, e.g. providers of news, timetables, weather information or ringing tones to a mobile phone, with data necessary for billing purposes. Thus, content service providers can bill the subscriber or user directly for their services instead of billing through a telecommunications operator. The data can be provided only with the prior consent of the subscriber or user.

Rules for the use of cookies

Cookies are data that illustrate the use of Internet service, which are stored in the user's computer and can be used to direct the communication between the Internet browser and the server.

Internet pages must inform the users of the use of cookies. No informing is needed, however, if the only purpose of cookies is to technologically facilitate the use of the service or if the user has specifically requested a service based on the use of cookies, such as Internet bank services.

Police will have access to IP addresses and IMEI codes

The Act will give the police better access to information. In suspected criminal cases, the police have the right to obtain from the telecommunications operators information on the possessors of dynamic IP addresses as well as on IMEI codes of mobile phones, in addition to secret phone numbers and permanent IP addresses.

Compliance with the Act on Data Protection in Electronic Communications and regulations issued under it will be mainly monitored by the Finnish Communications Regulatory Authority, whereas the processing of location data and provisions on direct marketing will be monitored by the Data Protection Ombudsman.

For further information, please contact:

Mr Harri Pursiainen, Director-General of the Communications Department, tel. +358 9 160 28389, +358 500 787 742

Mr Juhapekka Ristola, Ministerial Adviser, tel. +358 9 160 28348, +358 400 788 530