7. Finland

7.1 Introduction

FECA § 157 provides for data retention “in the interest of public authorities.” The provision is localized in FECA Part VI “The confidentiality of communication and protection of integrity.” This part also includes, i.a., the general obligation of confidentiality (§ 136), and general principles for the processing of data (§ 137). To data retention the following principles seem particularly relevant:

Electronic messages (“meddelanden”)
See FECA § 3 no. 22: “electronically transmitted or distributed information”.
and related data (“förmedlingsuppgifter)
See FECA § 3 no. 40: “information related to a legal or natural person and is processed in order to transmit electronic messages … [omitted].”
may be disclosed solely to actors who have a legal basis for processing the data (§ 137 second para.).
Once lawful processing is finalized the data shall be destructed or transformed so they cannot be related to the subscriber
See FECA § 3 no. 30, and Section 5.4.2.
or user,
See FECA § 3 no. 7, and Section 5.4.2.
unless further storage is mandated by law (§ 137 third para.).

7.2 The data to be registered and stored

The data to be retained are specified in FECA § 157 second and third para., as follows:

Second paragraph: Data related to the following services:

Telephone services and text messaging services in mobile networks, including communications connecting with the endpoint without reaching the recipient (unsuccessful calls), and communications that were hindered due to operational interventions in the network,
Internet telephone services, i.e., services based on internet protocol all the way to the end-user
See FECA § 3 no. 10 a: “a physical or legal person using or requesting access to a communications service or VAS, and does not itself provide publicly available electronic communications networks or services to others.”
making conversation possible,
Internet access services.

Third paragraph sets the data out in detail:

Re: The data related to the services mentioned in points 1 and 2 above:

the subscriber’s and registered user’s name and address,
data identifying the subscription agreement (“abonnemang”),
data on basis of which users of communication services may be identified, and the users’ transactions, including forwarded communications (“omstyrda samtal”), based on the type of message, the recipient, time and duration of the communication.

In addition, regarding services mentioned in point 1 above, the following data:

Data that may assist in the identification of the communications equipment used in the transaction, and the geographical position of the communications equipment and of the subscription agreement at the time when the transaction commenced.

Regarding a service as mentioned in point 3 the following data:

The subscriber’s and registered user’s name and address,
data identifying the subscription agreement and the address where it is installed,
data that may assist in the identification of a user of communications services and the equipment used, and time and duration of use of the service.

The registration of data shall not exceed that what is necessary for the purpose (FECA § 157 third para., last sentence). It is emphasised that the obligation does not concern content data or data exposing servers accessed by the user (§ 157 fifth paragraph). Finally, it is made clear that the obligation is limited to concern data that are available and have been generated or processed as part of the ordinary operation of the service (§ 157 sixth paragraph).

7.3 Storage period

The storage time is specified in § 157 fourth paragraph:

12 months regarding services mentioned in point 1 above,
6 months in respect of services mentioned in point 2 above,
9 months in respect of services mentioned in point 3 above.

The storage time commences when the “the transaction” begins.

7.4 Provider

The Ministry of the Interior decides who shall retain data (FECA § 157 first para.), who then gets status as “lagringsskyldigt företag.” However, only “teleföretag” may be designated, i.e., providers of publicly available electronic communications networks or -services (FECA § 3 no. 27). Providers of “small significance” (ringa betydelse) may not be subject to an obligation to retain (§ 157 second sentence). Prior to the entering into force of the retention obligation, the provider and the Minister of Interior shall negotiate the “authorities’ needs” regarding data storage (FECA § 158). As per August 2023 there are 4 lagringsskyldige företag, selected according to their aggregate market share and geographical coverage of the services.

E-mail 4 August 2023.

7.5 Access to data

Retained data may be used only in the investigation and prosecution of offences that may give basis for teleövervakning and the same procedure as for teleövervakning is applicable (FECA § 157 first para., last sentence, in conj., with tvml. 10:9). The decision is made by the court (in exigent circumstances by a police officer, to be reviewed by the court within 24 hours). The offences that may give basis for use of teleövervakning were described in Section 5.4.2.