Employers allowed to monitor employees’ email and internet browsing information
As a result of the entry into force of the Act on Protection of Privacy in Electronic Communications (516/2004) (hereinafter the “APPEC”) in 2004, which implemented Directive 2002/58/EC and extended the regime applicable to telecom operators to cover also companies and other corporate and association subscribers, Finland has had one of the strictest privacy regimes. The consequences of the legislation were not entirely foreseeable. The provisions of the APPEC have been problematic especially as concerns a corporate or association subscriber’s ability to detect, and bring into criminal investigation, misuse targeted at or exploiting the corporate or association subscriber’s own communications network. In practice, corporate and association subscribers were not allowed to collect identification data (such as email or internet browsing information) to present evidence of suspected misuse of their communications network.
By an amendment to the APPEC, which will enter into force on 1 June 2009 (known as “Lex Nokia”), corporate or association subscribers (hereinafter “corporate subscribers”) will be allowed to process identification data in their own communications networks for the purposes of detecting unauthorised use of paid information society services or of a communications network, or detecting use of communications services contrary to instructions where such use is likely to cause significant damage to the corporate subscriber. In addition, corporate subscribers will be allowed to process identification data for the purpose of detecting unauthorised disclosure of the corporate subscriber’s (or its cooperation partner’s) essential business secrets. The new regulations will also improve the possibilities for telecom companies, value added service providers and corporate subscribers to process identification data for the purposes of technical development or statistical research.
“Corporate subscriber” is a concept specific to the APPEC and includes private and public organisations, such as companies, universities, libraries and housing companies, which provide communications services to their employees or other users. For instance, a company operating a mail server is a corporate subscriber.
The right to process identification data should be used only as the last resort. Corporate subscribers should primarily aim to protect their communications networks and services as well as business secrets with appropriate user administration, information security measures and by giving instructions to the users on the use of the networks.
The rights provided to a corporate subscriber do not apply to identification data for fixed line and mobile phone services, including text messages. The new legislation does not, however, prevent a corporate subscriber from using other means to prevent misuse of its electronic communications network, such as reviewing user log information, camera surveillance, access control, non-disclosure agreements and security checks (each subject to specific rules).
Under the new regime, the processing of identification data should (after the data security and instructive measures have been properly taken care of) primarily be carried out automatically according to predetermined criteria, such as the size, type, amount, means of connection or destination of the communication. The right to process identification data automatically is a continuing right and does not require suspicion of a concrete case of misuse, whereas identification data may be processed manually only in individual circumstances, provided that the requirements set by the APPEC are fulfilled: the corporate subscriber has a justifiable reason to suspect that the communications network or services, or paid information society services, are being used contrary to the given instructions, or that a business secret has been divulged to a third party.
By processing identification data, the corporate subscriber will only be able to obtain identification data on messages that have been sent or received through the subscriber’s own communications network. Identification data comprises information on the sender or recipient of a communication, information on the routing, duration or time of the communication, and information on the amount of data or the protocol used. The right to process identification data does not extend to the contents of the communication.
Corporate subscribers do not need to obtain any permission for the processing of identification data for the purposes set by the new legislation. However, they must notify the Finnish Data Protection Ombudsman (DPO) of the processing before it begins and file annual reports to the DPO on the processing and the purposes for which identification data was processed. The notifications and filings will be subject to a fee. Furthermore, a corporate subscriber shall inform users of the procedures and practices applied in the processing of identification data and, if the subscriber is an employer, also comply with the information and consultation formalities set forth in employment legislation. Processing of identification data outside the scope of the law is illegal and subject to criminal sanctions.