Digital constitutional rights in Finland
Legal / Constitutional Basis in Finland
Before the cases, to understand what rights exist and under what constraints:
The Constitution of Finland protects privacy, the secrecy of communications (telephony, correspondence, etc.), honor, and sanctity of home. (Constitution, Article 10)
There is also a constitutional guarantee of freedom of expression.
Finland is bound by the European Convention on Human Rights (ECHR), especially Article 8 (private and family life, secrecy of communications) and Article 10 (freedom of expression).
At the EU level, Finland is subject to the EU Charter of Fundamental Rights, especially Articles 7 (privacy & family life), 8 (data protection), 11 (freedom of expression & information).
The GDPR and national Data Protection Act(s) implement detailed rules on processing, retention, rights of data subjects, transparency etc.
Limitations on these rights are possible, but must satisfy key criteria: prescribed by law, necessary, proportional, serving legitimate aims (e.g. public safety, prevention of crime), respect essence of rights, etc.
Key Case Law Examples
Here are more than four cases illustrating how Finnish courts (or Finnish administrative bodies/ECHR) have applied digital rights / privacy / expression in practice.
Case 1: Supreme Administrative Court, Finland — “Google Removal / ‘Right to be Forgotten’ Case” (KHO:2018:112; decision no. 3774; 173/1/17)
Facts:
A person ("X") requested removal of two links from Google search results (when someone searched his name). These links concerned his state of health, that he had been subject to a psychiatric assessment, and that he was convicted of murder with diminished responsibility.
Google refused. The Data Protection Ombudsman ordered removal. Google appealed.
Legal Issues:
Does the right to privacy, including protection of sensitive personal data (health, criminal convictions) outweigh the public interest / freedom of expression / right to access information in this case?
Under Finnish law (then Personal Data Act incorporating EU Data Protection Directive), do controllers have duty to remove links when processing (search engine indexing) is unnecessary / proportionate?
Decision & Reasoning:
The Supreme Administrative Court held that the personal data regarding health and criminal matters is sensitive. Even though X had committed a serious crime, he could be considered to have a public role due to nature of the crime.
But health data is in the “inner core” of privacy. The Court found that the public interest in having access via name‑search did not override X’s right to privacy in this case.
The two links were deemed unnecessary within meaning of the law (Personal Data Act), so Google must remove them.
Significance:
Establishes concrete test / balancing between public interest and privacy rights in “name search + sensitive data” cases.
Affirms that search engine indexing is subject to legal constraints and not absolute.
A Finnish example of the “right to be forgotten / erasure” doctrine in practice.
Case 2: Supreme Administrative Court & GDPR Fines – Posti Oy Transparency Case (KHO:2023:81)
Facts:
Posti Oy, the Finnish postal service, had a “change of address service.” When people changed address electronically, information processing was involved and some data protection obligations applied (e.g. informing people how their data would be used).
The Data Protection Ombudsman imposed a fine (100,000 EUR) for deficient transparency / failing to provide sufficient, easy to find privacy notices.
Legal Issues:
What obligations does GDPR place on data controllers regarding transparency, i.e. how information (privacy notices) must be provided?
Is a controller allowed to rely on passive or buried notices vs active measures?
Decision & Reasoning:
The Supreme Administrative Court upheld the fine. The Court emphasised that transparency obligations are active: the controller must take measures so data subject is actually informed, notices should be easy to find, clearly written etc.
It is not sufficient for privacy information to be hidden in a long terms & conditions, or where people have to dig; the requirement is that the controller must furnish or actively direct the data subject to that information.
Significance:
Clarifies how constitutional/digital rights (privacy, data protection) require active steps by data controllers.
Reflects increasing enforcement under GDPR in Finland.
Case 3: Supreme Administrative Court & GDPR Fines – Job Applicants’ Data Case (KHO:2023:82)
Facts:
A company collected personal data from applicants (and perhaps rejected applicants) more than necessary, according to the Data Protection Ombudsman. A fine was imposed (12,500 EUR).
Legal Issues:
What is required for “necessity” in collecting personal data: what is “data minimization”?
What standard of proof / evidence is required for imposing fines for violations under GDPR / national law?
Decision & Reasoning:
The Court overturned that fine. It found that the evidence produced by the Ombudsman was insufficient to show beyond doubt that data collection was unlawful beyond necessity. There was a burden of proof. Also, procedural fairness (presumption of innocence etc.) matters even in administrative sanction cases.
Significance:
Shows that constitutional / fundamental right of privacy (and GDPR protections) also require rigorous procedural standards – not just substantive rules.
Supports data minimization, but also protects controllers from arbitrary enforcement without evidence.
Case 4: Information Society Code / Data Retention Debates & Constitutional Law Committee Opinion (2014‑2015)
While not a single court case, but an important legislative / constitutional review decision with implications for digital constitutional rights.
Facts:
When Finland was preparing a new Information Society Code (which included provisions on mandatory data retention by telecom providers: retention of traffic data, location data etc.), the CJEU in Digital Rights Ireland declared the EU Data Retention Directive invalid.
The Finnish Constitutional Law Committee reviewed the draft legislation in light of that decision and Finland’s Constitution and the EU Charter.
Legal Issues:
What is the constitutional level of review for metadata (traffic data, location data) vs content?
Under what conditions can metadata be retained by law? For what period, for what crimes, what access?
How must the legislature ensure proportionality, specificity, necessity etc.
Outcome / Reasoning:
The Committee required that retention periods be limited, that only serious crimes be eligible for data use, that access and processing must be carefully regulated, and that metadata not be treated automatically as a peripheral / low‑impact privacy issue.
The legislation (Information Society Code), when finally passed, included retention periods (12 months (mobile phone/SMS), 6 months (internet‑based voice), 9 months (internet connection service)), with limits on usage (only for serious crimes), in line with these constitutional requirements.
Significance:
Important example of ex ante constitutional review / balancing in Finland, especially with regards to digital surveillance / retention.
Shows metadata (how, when, from whom) is not negligible; metadata can implicate privacy heavily.
Case 5: Supreme Administrative Court — Search Result Removal, 2024 Case (No. 3/2022)
Facts:
A data subject requested removal of certain search results (in Google) containing personal info linked to a past drug conviction (from 2010). Google refused. The Deputy Data Protection Commissioner ordered removal. Administrative Court reversed. The matter went to the Finnish Supreme Administrative Court.
Legal Issues:
Balance between public’s right to information / freedom of expression vs privacy / protection of personal data.
Whether data subject’s privacy interest had become stronger over time because of lapse of time, nature of information, sensitivity etc.
Decision & Reasoning:
The Supreme Administrative Court annulled the Administrative Court’s decision, and reaffirmed that the DPA’s order to delete (remove) the search results should stand.
The court emphasized that under GDPR Article 5 (storage limitation, purpose limitation, etc.) and other relevant rules, data that is no longer needed for original purpose must be deleted. Public interest in freedom of expression / access to information was weighed, but found not to override the privacy interests of the data subject.
Also examined whether the content is still relevant / actual, whether the subject plays a public role etc.
Significance:
Reinforces the “right to erasure” / deletion / removal of search engine links in Finland.
Demonstrates that past convictions, even if public in the past, may not always justify indefinite presence of links, especially when harm remains.
Case 6: Supreme Court Decision KKO 2022:47 — Subscriber Information Disclosure in Copyright Infringement Context
Facts:
A company (B) demanded that an Internet Service Provider (ISP, A) disclose subscriber info tied to specified IP addresses, because those accounts allegedly distributed copyrighted works via BitTorrent. Under the Finnish Copyright Act, there is a provision that allows rights‑holders to request disclosure of subscriber info under certain conditions (section 60a).
Legal Issues:
Does ordering disclosure of subscriber information violate data protection / privacy rights? If so, when is it permissible: what thresholds must be met (significant infringement? seriousness? specificity?)
What is “significant extent” in copyright infringement contexts? What is proportional disclosure?
Decision & Reasoning:
The Supreme Court considered whether the claims of copyright infringement were sufficiently serious and whether the request meets legal thresholds under section 60a. The court also examined privacy, data protection law implications.
The Court set out criteria (inter alia seriousness, specificity, evidence, nature of the rights holder’s interest vs privacy interest) for when subscriber data may be disclosed.
Significance:
Clarifies how digital rights in copyright enforcement intersect with constitutional protections of privacy and data protection.
Important precedent for ISPs, rights holders, privacy advocates to understand limits of disclosure.
Doctrinal / Legal Principles & Patterns
From these cases, you can see some important recurring legal ideas and how Finland handles digital constitutional rights:
Balancing test: Privacy / data protection rights vs. public interest / freedom of expression / necessity of law enforcement are repeatedly balanced. The more sensitive the data, the stricter the justification required.
“Sensitive data” get special protection: Health records, psychiatric assessments, criminal convictions especially when combined with health, etc., are treated as highly sensitive.
Right to erasure / removal / “right to be forgotten” is not theoretical: Finnish courts and regulators enforce removal of search engine links under privacy laws when conditions are met.
Transparency and active information obligations: Controllers must actively inform data subjects, not just via buried notices. Constitutional/digital rights require clarity, accessible information.
Procedural protections: Even in administrative or regulatory enforcement, principles like presumption of innocence, proper burden of proof, due process are essential.
Legislative / constitutional oversight: Bills involving digital rights (like data retention) are reviewed ex ante by the Constitutional Law Committee to ensure compliance with both the national constitution and EU law.
Metadata is not trivial: The legislature and courts increasingly recognize that metadata (who contacted whom, when, from where, duration etc.) can reveal much and thus deserves constitutional level scrutiny.
RELATED Blog
0 comments