Computers, Privacy & the Constitution

Comparison of Protection of Privacy in Finland and the United States

Finnish Data Protection Regime

The right to privacy is fundamental right, and protected in Finland by Section 10 of Chapter II, Basic Rights and Liberties of the Constitution of Finland (731/1999). According to Section 10, “Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act."
European Commission has issued the Directive on Data Protection. Finland has, as a member to European Union, been obligated to implement said Directive, which is the ultimate reason for the existence of vast Finnish data protection regulations in force in Finland. The detailed provisions on protection of privacy are provided in the Personal Data Act (523/1999) implementing the European Commission’s Directive on Data Protection, the Act on Openness of Government Activities, the Act on the Protection of Privacy in Electronic Communications (516/2004) and the Act on the Protection of Privacy in Working Life (759/2004). Consequently, the Finnish data protection regime is heavily regulated. Further, there is even a special authority in Finland, the Office of Data Pro-tection Ombudsman, which operates in connection with the Ministry of Justice and the main task of which is to improve the opportunity of individuals to control the use of their personal data. The Office also inspects the compliance with data protection regulations, provides both data subjects and controllers guidance on their respective rights and obligations and may bring an act of violation to the consideration of the Data Protection Board.

Differences Between the United States and European Data Protection Regimes

Compared to the United States, the approach to data protection taken by European Union is essentially different from that of the United States. In the European Union, the conditions for collection, processing and disclosure of personal data are extremely strict. By way of example, every citizen has the right to know why and how his or her personal data is being processed and to decide about the processing of his or her personal data, unless otherwise stipulated by the law. However, United States does not have uniform data protection regulation, despite of the existence of some federal and state level law of right to privacy. Further, existing privacy laws mainly concern public sector, whereas data protection in the private sector is subject to even lighter regulation. Also special data protection authorities ensuring compliance with data protection regulations are missing from the United States.

Safe Harbor and Transfer of Personal Data

Actually, the European data protection regime is so strict, that many non-European countries are not even able to fulfill the data protection requirements deemed adequate by the European Union. By way of example, United States is listed as one of the countries that does not fulfill the adequate level of protection. However, personal data may be transferred outside of the European Union or the European Economic Area only if the country in question guarantees an adequate level of data protection. Without the existence of special arrangements, transfer of personal from European Union to the United States would be prohibited. Therefore, the cap between the United States and European standards of privacy protection has been solved by so called “Safe Harbor” regime developed jointly by European Union and the US Department of Commerce. Safe Harbor provides possibility for US companies and other organizations to comply with the Directive. United States based entities which adhere to data protection legislation effectively protecting personal data may take part to the Safe harbor regime and may be thus deemed to meet adequate level of data protection also in Europe. Personal data may be transferred from the European Union to United States based entities which are members of Safe Harbor. The US Department of Commerce maintains a list of the entities admitted to Safe Harbor.

The entities being members of Safe Harbor must inform the data subject for which purpose it collects and uses its data. Further, the entity must let the data subject to decide, whether the collected data can be used for any other purpose or to disclosed to a third party. The data subject has the right to check all the data collected of him or her and get wrong information corrected. The entity must also ensure strict protection of the data as well as implement effective procedure for the protection of the data including appropriate consequences for violence of the data protection principles.

Current Changes for Privacy in Electronic Communications in Finland

Despite of the high standard of data protection, concerns have recently raised over the future of adequate privacy in electronic communications in Finland. The second subparagraph of Section 10 of the Finnish Constitution has been a hot topic already for some time. The sentence provides that "The secrecy of correspondence, telephony and other confidential communications is inviolable.” However, the third subparagraph allows that “Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual or society or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act.” The above mentioned right to secrecy in electronic communications set forth by the Constitution has been argued to be violated by the new bill of government (48/2008) regarding the amendment of the Act on the Protection of Privacy in Electronic Communications and related acts. The major change proposed by the government is that companies would be given the right to survey their employees’ identification data in order to prevent leakage of confidential information. The application sphere of the act would allow employers to follow their staff’s e-mails, chat messages, internet browsing and calls – but “only” the identification data, of course. The Finnish Parliament accepted the proposed changes on the law in early March.

  • A concise and useful summary both of the basic principles and of the current issues.


Webs Webs

r4 - 05 Jan 2010 - 22:30:05 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM