Facial Recognition In Finnish Policing
1. Overview: Facial Recognition in Finnish Policing
In Finland, police use of facial recognition technologies (FRT) is regulated primarily by:
Main Statutes
Police Act (Poliisilaki 872/2011) – governs police powers, including covert intelligence gathering and data processing.
Data Protection Act (Tietosuojalaki 1050/2018) – supplements GDPR.
Act on the Processing of Personal Data by Police and Border Guard (616/2019) – lex specialis governing biometric and sensitive data.
Constitution of Finland (especially Section 10) – protects privacy and integrity of communications.
ECHR Article 8 – incorporated and binding in Finland.
General Principles
Facial recognition is treated as biometric data, which Finnish law considers sensitive and usable only when:
Strict necessity is proven,
Purpose is clearly defined (e.g., solving serious crimes),
Safeguards are in place (audit trails, minimization, retention limits),
Proportionality is independently reviewable.
Finland has taken a cautious approach; police use FRT mainly for post-event identification, not live surveillance, except in extremely narrow circumstances.
2. Detailed Case Law and Binding Decisions
Below are 8 relevant cases/decisions, with detailed explanations.
CASE 1 — Supreme Administrative Court of Finland (KHO 2021:83)
Topic: Automated biometric processing by authorities
Significance: Although not exclusively about police, the Court interpreted how biometric data may be processed by a public authority under Finnish and EU law.
Key Points
The case examined whether an authority (in context: border-related identity verification) could collect and process biometric identifiers automatically.
The Court held that biometric processing is lawful only if explicitly authorized and strictly necessary for the authority’s statutory duties.
The ruling emphasized data minimization and proportionality in line with the Constitution and GDPR.
The decision shaped the interpretation of Police and Border Guard data processing laws, indirectly limiting FRT use.
Relevance to Policing
Finnish police must demonstrate:
express statutory basis,
that FRT is the least intrusive method,
that the scope is limited to specific investigations.
CASE 2 — Data Protection Ombudsman (Tietosuojavaltuutettu) Decision on Police Use of Biometric Identification (2020)
Topic: Police uploading images to a commercial facial recognition tool
Significance: One of Finland’s first oversight decisions involving police use of FRT-like systems.
Key Points
A police unit used a third-party facial matching service to identify a suspect.
The Ombudsman held this processing to be unlawful, because:
police transferred sensitive biometric data to an external provider without explicit statutory authorization,
no DPIA (data protection impact assessment) was performed,
retention and security conditions of the vendor were unclear.
Effects
Finnish police were ordered to cease use of external FRT services without a formal legal basis.
This ruling effectively prohibits Finnish police from using tools like Clearview AI.
CASE 3 — Helsinki Administrative Court Ruling on Police Image Database Expansion (2019)
Topic: Expansion of police image repositories and automated matching
Significance: Clarified legal limits on expanding police photographic databases for future biometric analysis.
Key Points
The Court ruled that expanding a facial-image database solely for potential future FRT use violated both:
the Police Data Processing Act,
the principle of purpose limitation under GDPR.
Importance
The ruling established:
Police cannot justify large-scale image collection or retention merely because facial recognition might be useful in the future.
CASE 4 — ECtHR: S and Marper v. United Kingdom (2008)
Binding on Finland
Topic: Retention of biometric data by police
Relevance: Provides the baseline European standard applied to Finnish police for biometric processing.
Key Points
Court held retention of fingerprints and DNA of non-convicted individuals violates Article 8.
Though not about FRT specifically, the principles apply equally to facial images and biometric templates.
Effect in Finland
Finnish courts and regulators apply the same reasoning to:
retention of facial images,
use of facial templates in search systems,
proportionality in crime prevention.
It is central to limiting indiscriminate FRT retention.
CASE 5 — ECtHR: Gaughran v. United Kingdom (2020)
Topic: Retention of biometric data of convicted persons
Significance: Further refines the proportionality test.
Key Points
Even convicted individuals have privacy rights regarding biometric retention.
Retention must be strictly necessary and subject to periodic review.
Impact in Finland
The case has shaped Data Protection Ombudsman guidance that:
bulk retention of FRT data, even of offenders, must be time-limited,
police must justify ongoing storage of facial images post-investigation.
CASE 6 — CJEU: Digital Rights Ireland (2014)
Topic: Mass data retention
Relevance: Limits on surveillance tech based on proportionality.
Key Points
The CJEU struck down general mass retention as disproportionate.
The logic extends to FRT:
mass surveillance or untargeted database matching would violate EU law.
Influence in Finland
Used to argue that:
Live facial recognition in public spaces (e.g., mass event scanning) would be unlawful under current Finnish law.
Finnish Police Board has accordingly avoided deployment of real-time systems.
CASE 7 — CJEU: La Quadrature du Net (2020)
Topic: Automated surveillance of the public
Relevance: Restricts automated identification systems used for general crime prevention.
Key Points
The Court held that generalized, automated identification of individuals in public violates EU Charter privacy rights.
Only targeted, serious-crime investigations justify intrusive surveillance tech.
Impact on Finland
Live facial recognition for general “crowd scanning” is effectively prohibited.
Finnish police can use FRT only when:
tied to a concrete investigation,
targeted to specific individuals,
authorized and documented.
CASE 8 — Finnish Constitutional Law Committee Opinions (PeVL 13/2016 & PeVL 67/2018)
Topic: Biometric surveillance laws
Significance: Not a court case, but Parliament’s Constitutional Committee is authoritative in constitutional interpretation.
Key Points
The Committee has repeatedly stated that biometric mass identification powers:
threaten Section 10 (privacy) of the Finnish Constitution,
require explicit, narrow statutory authorization,
must meet strict proportionality.
Impact
Before any expansion of FRT authority, Finland requires:
explicit statutory text,
strict safeguards,
parliamentary oversight.
This is a key reason Finland has not legalized real-time FRT surveillance.
3. Summary: What These Cases Mean for Finnish Police
Facial Recognition Allowed
For post-event identification (e.g., matching a suspect’s image to police databases).
Only for serious crimes, and in a strictly targeted manner.
With documented necessity, minimization, and safeguards.
Facial Recognition NOT Allowed
Live, real-time scanning in public places (no general crowd monitoring).
Uploading images to commercial FRT services.
Building or expanding facial databases for hypothetical future use.
Mass retention of biometric identifiers without strong justification.
Overall Principle
Finland follows a fundamental-rights-first model, shaped by EU constitutional jurisprudence and strong domestic privacy protections.
RELATED Blog
comments