Information Society Code 2015: Top 5 issues to note
This month, in Finland, fresh legislation has been approved which deals with e-commerce, privacy, data security, communications and the information society in general.
A reform of the Finnish regulation on information society - the Information Society Code ("the Code") - was approved on Friday 7 November 2014 and will take effect on 1 January 2015. The Code updates current regulations on areas such as e-privacy, consumer protection, communications networks and data security and collects the following laws under one umbrella:
Communications Market Act;
Act on the Protection of Privacy in Electronic Communications;
Domain Name Act;
Act on Radio Frequencies and Telecommunications Equipment;
Act on the Measures to Prevent Distribution of Child Pornography;
Act on Television and Radio Operations;
Act on the Prohibition of Certain Measures;
Act on the Prohibition of Certain Illicit Devices for Accessing Protected Services; and
Act on Auctioning Certain Radio Frequencies
Among others, the national laws listed above are based on the European Data Retention Directive (2006/24/EC), E-Privacy Directive (2002/58/EC), Universal Service Directive (2002/22/EC), Framework Directive (2002/21/EC), Authorisation Directive (2002/20/EC), as well as Access Directive (2002/19/EC).
According to administrative sources, the aim of the Code is, among other things, to ensure secure and functioning networks as well as good quality and cost-efficient electronic services in Finland. Further, the Code should promote consumer protection, data security, simplified procedures for permissions regarding communications services and equal opportunities for service providers in the market.
Although some amendments to the current legislation are cosmetic, substantive updates have also been introduced. We have selected some of the key changes which are brought about by the new Code:
Scope revised: A new grey zone?
The territorial scope of the regulation is broader than before. Certain provisions of the Code concerning confidentiality of communications, e-privacy and data security are extended to cover entities which are established outside of the EU but which maintain or use devices for the transmission of communications in Finland or which provide services online, provided that the user of such services is in Finland and such services are clearly targeted at Finland.
Where the territorial scope of the Finnish e-privacy regulation previously followed logic similar to the Finnish Personal Data Act and the European "Data Protection Directive" 95/46/EC, the extension of the scope to cover certain services abroad resembles the approach of the General Data Protection Regulation currently under consideration in the EU. Whether these provisions of the Code can be enforced remains to be seen.
Consumer protection enhanced: Joint liability of service providers and net neutrality
Consumer protection is one of the aspects of the new Code which will introduce a provision on net neutrality. In line with the general European development, the Code provides that internet services may be restricted only under certain specific circumstances. For instance, restrictions may be based on communications services agreements, provided that they do not unreasonably prevent the use of applications or services online or slow down internet traffic. In other words, prioritizing online traffic is permitted to a certain extent for commercial purposes.
Further, to prevent malpractice in the provision of online services and to promote mobile payment services, the Code imposes joint liability on service providers, internet service providers and sellers in situations where (a) an online service has been invoiced by an internet service provider and (b) a consumer is entitled to withhold the payment for such services or has a right to be awarded damages due to a seller's breach of contract. In practice, this idea of liability resembles the established relationship between a creditor and a seller based on joint liability for services paid for by credit card. For example, an internet service provider could be required to pay damages to a consumer when a product ordered online and invoiced by the same service provider has not been delivered.
E-privacy and data security strengthened: The new concept of 'intermediary'
The definition of an intermediary transmitting communications is rewritten and broadened to include all service providers transmitting electronic communications. In practice, the Code extends the requirement for ensuring the confidentiality of communications and related data security obligations to service providers dealing with communications by means other than public communications networks. For example, the Code will apply to instant messaging applications.
The update will clarify the earlier and more limited interpretation of the scope of the regulation and the problematic situation in which confidentiality obligations previously concerned certain services only. However, together with the broadened territorial scope of application, the update could arguably make supervision of compliance with the Code a challenge.
Data retention dilemma
The Code also includes the national provisions on data retention practices. These provisions were originally based on the EU Data Retention Directive which was deemed invalid by the European Court of Justice in April 2014. The rationale behind the directive and the respective national regulation was that communications service providers need to retain certain traffic data which is necessary for the investigation and prosecution of serious crime by authorities. The original wording of the Code proposed more extensive retention of such data than previously required and would have enabled retention of data collected in context of browsing websites, for example.
The Code's approach to data retention was not considered problematic by the Finnish Parliament in light of the aforementioned ruling of the European Court of Justice, however, certain methods proposed in the original wording of the Code and some current data retention practices were limited in the final version of the Code.
The possible need for further amendments to data retention provisions will be reviewed in the future, considering measures taken at EU level.
What is left untouched and what will be updated next?
It is also important to note what is not regulated by the Code. For instance, the debated provisions which enable processing of traffic data by corporate subscribers for the purpose of preventing and investigating misuses related to trade secrets were left untouched. If necessary, they will be updated in the future.
Further, despite changes to the concept and responsibilities of an intermediary and certain general data security-related obligations in the Code, Finland does not have any general data security law yet, even though the need for more detailed regulation has been discussed.
Collating and moderately altering existing laws is a start. However, it should be noted that the Code will be subject to review in the near future. As an extensive package of regulation, the Code needs to address several topical issues that may soon be subject to reform nationally and at EU level. Such issues involve regulation of data protection, e-privacy, data security and communications services in the internal market.
Depending on where you stand, certain amendments introduced by the Code are welcome. However, the added value and challenge of building a new extensive set of regulations lie not only in the bringing together of existing laws, but also in the creation of a uniform approach to the complex, border-crossing and economically significant questions of the digital world. As the summary above shows, the Code covers different regulations originally designed for different purposes. Therefore, the Code not only needs to be kept up-to-date, but also consistent.