On January 1, 2015, Finland’s Information Security Code (2014/ 917, the “Code”) became effective. The Code introduces substantial revisions to Finland’s existing electronic communications legislation and consolidates several earlier laws into a single, unified text. Although many of these earlier laws remain unchanged, the Code includes extensive amendments in a number of areas.
The most significant change is the broadened obligation to protect the confidentiality of communications, which previously applied only to telecommunications providers. Under the Code, this obligation applies to all providers of electronic communications services, such as instant messaging services and many online social networking tools. As a result of this change, providers of these services have an obligation to maintain the security and confidentiality of electronic messages sent over their systems.
Another important new provision allows for the extraterritorial application of the Code. Businesses that are established outside the EU, but offer their services in Finnish or otherwise target Finnish residents are, in theory, subject to the requirements of the Code. This is a similar approach to that taken in the forthcoming EU General Data Protection Regulation, which seeks to require businesses located outside the EU to comply with EU privacy laws if they (1) offer goods or services to EU residents, or (2) monitor the behavior of EU residents. How these extraterritoriality provisions will be enforced against businesses that have no assets in the EU remains an open question at this stage.