Finland
NATO’s newest frontline state, whose C-Lion1 submarine cable was severed twice in five weeks, whose intelligence legislation required a constitutional amendment to enable cross-border traffic interception, and whose Data Protection Ombudsman chairs the European Data Protection Board
Finland is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Finland’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, cable infrastructure, and international data sharing agreements.
Overview
Finland’s privacy landscape is shaped by its dual position as a country with strong data protection institutions and an increasingly urgent national security posture driven by its 1,340 km border with Russia. The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) is headed by Anu Talus, who simultaneously serves as Chair of the European Data Protection Board since May 2023. Finland’s Data Protection Act sets the children’s digital consent age at 13 and — unusually among EU member states — exempts all state authorities from GDPR administrative fines.[1][2]
In 2019, Finland enacted Intelligence Acts enabling cross-border traffic interception by the Finnish Security and Intelligence Service (Supo) and the Finnish Defence Intelligence Agency — legislation that required a constitutional amendment passed by two-thirds supermajority across two parliamentary terms. Finland joined NATO on April 4, 2023, nearly doubling the alliance’s border with Russia, and signed a Defense Cooperation Agreement (DCA) with the United States granting US forces access to 15 Finnish military bases. The C-Lion1 submarine cable connecting Finland and Germany was severed twice in five weeks (November and December 2024), while a separate incident on December 25, 2024 saw the Russia-linked tanker Eagle S damage five undersea cables including the Estlink 2 power cable.[3][4][5]
Data Protection Authority: Office of the Data Protection Ombudsman
The Tietosuojavaltuutetun toimisto is Finland’s independent supervisory authority, based in Helsinki with approximately 50 staff. Current Ombudsman Anu Talus took office on November 1, 2020, was reappointed for a second five-year term starting November 1, 2025, and was elected Chair of the European Data Protection Board (EDPB) on May 25, 2023, with 19 of 27 votes. GDPR fines are imposed by a Sanctions Board composed of the Ombudsman and two Deputy Ombudsmen. Under Finnish law, administrative fines may not be imposed on state authorities, public utilities, municipal authorities, or religious institutions.[1][2]
Notable Enforcement Actions
| Date | Entity | Fine | Details |
|---|---|---|---|
| Nov 2024 | Posti Group Oyj | EUR 2.4M | OwnPost service automatically created electronic mailboxes without user request; over 2 million users affected. Administrative Court later reversed this fine[6] |
| Sep 2025 | S-Pankki | EUR 1.8M | Security flaw in S-Mobiili banking app allowed unauthorized access to other customers’ accounts (April–August 2022); Article 32 violation[7] |
| Mar 2024 | Verkkokauppa.com Plc | EUR 856K | Failed to define data retention periods for customer account data; required customer account creation for online purchases[8] |
Key Legislation
Data Protection Act (Tietosuojalaki, 1050/2018)
Finland’s GDPR supplementary legislation, applied since January 1, 2019. Sets children’s digital consent age at 13 years (below the GDPR default of 16). A data protection offense is punishable by fine or up to one year imprisonment under the Criminal Code. Repealed the former Personal Data Act (523/1999).[9]
Intelligence Acts 2019
Entered into force on June 1, 2019, described as “the most profound change ever made in the Finnish security sector.” The legislation required a constitutional amendment passed by two-thirds supermajority across two parliamentary terms. Comprises two acts:[3]
- Act on Telecommunications Intelligence (582/2019) — amends the Police Act to authorize Supo to conduct intelligence interception of cross-border cable-bound traffic
- Act on Military Intelligence (590/2019) — grants the Finnish Defence Intelligence Agency authority for military signals intelligence and foreign intelligence operations
Coercive Measures Act (806/2011)
Defines investigative powers during criminal proceedings: seizure and copying of documents, search of data in devices, traffic data monitoring, telecommunications interception, and technical surveillance. Governed by the proportionality principle (seriousness of offense vs. degree of rights infringement) and the minimum intervention principle.[10]
Act on Electronic Communications Services (917/2014)
Comprehensive act covering electronic communications, privacy, data security, and information society matters. Entered into force January 1, 2015. Includes extraterritorial application to companies outside the EU offering services in Finland.[11]
Surveillance and Intelligence
Suojelupoliisi (Supo)
The Suojelupoliisi (Supo) is Finland’s primary national security and intelligence service, with approximately 584 employees, reporting to the Ministry of the Interior. Supo is the only agency in Finland permitted to conduct civilian intelligence. Its 2024 National Security Assessment identifies Russia as the greatest threat to Finland’s national security, treating Finland as a “hostile country.” Russia has used weaponized immigration to signal dissatisfaction with Finland’s NATO membership. China and Iran also conduct espionage against Finland.[12]
Finnish Defence Intelligence Agency (FDIA)
The Finnish Defence Intelligence Agency (Puolustusvoimien tiedustelulaitos) is the combined SIGINT, GEOINT, and IMINT agency of the Finnish Defence Forces, operational since 2014. It houses the Viestikoekeskus (Finnish Intelligence Research Centre), responsible for monitoring Russian Armed Forces electromagnetic emissions. A 2017 Helsingin Sanomat exposé revealed the extent of the Viestikoekeskus’s operations.[13]
Oversight
Finland established two dedicated oversight bodies when the Intelligence Acts were passed:
- Intelligence Ombudsman (Tiedusteluvalvontavaltuutettu): Kimmo Hakonen, first appointed May 1, 2019, reappointed for a second five-year term starting May 1, 2024. Supervises the legality of civilian and military intelligence. Has extensive access to information and can conduct inspections of authorities[14]
- Parliamentary Intelligence Oversight Committee (Tiedusteluvalvontavaliokunta): exercises parliamentary oversight and must be consulted before the Intelligence Ombudsman is appointed[15]
Internet Infrastructure
FICIX (Finnish Communication and Internet Exchange)
FICIX, founded in 1993, is one of the world’s oldest internet exchange points. Originally the “Finnish Commercial Internet Exchange,” it was established by Eunet Finland, Helsinki Telephone Company, and PTT. FICIX operates three exchange points: FICIX-1 (Espoo, 1993), FICIX-2 (Helsinki, 1999), and FICIX-3 (Oulu, 2008). FICIX also operates three DNS root nameservers in Finland and administers the .FI country code top-level domain.[16]
C-Lion1 Submarine Cable
The C-Lion1 is a 1,173 km submarine cable with eight fiber pairs connecting Helsinki, Finland to Rostock, Germany, with a design capacity of 120 Tbps. Owned and operated by Cinia Oy, it is the first direct communications cable between Finland and Central Europe. C-Lion1 was severed twice in five weeks:[5][17]
- November 18, 2024: fault detected at 4:04 a.m. in the Swedish EEZ east of Oeland, near-simultaneously with the BCS East-West Interlink cable disruption. Chinese bulk carrier Yi Peng 3 (with Russian captain) identified as vessel of interest. Repaired November 28
- December 25, 2024: second fault detected at 6:44 p.m. in the Gulf of Finland, approximately 60 km from Helsinki. Separate incident. Repaired January 6, 2025
Other submarine cables include FEC-1 and FEC-2 (Finland-Estonia connections), both damaged in the December 25 Eagle S incident.[18]
Data Center Infrastructure
Finland’s data center market was valued at USD 1.69 billion in 2024, projected to reach USD 3.25 billion by 2030. Google’s Hamina data center represents over EUR 4.5 billion in cumulative investment through seven expansions, with a heat recovery partnership supplying approximately 80% of the municipality’s district heating. Microsoft is building cloud facilities in Espoo, Vihti, and Kirkkonummi (USD 250 million+).[19]
Data Retention
Finland’s data retention framework is set out in the Information Society Code (Section 157). Retention periods vary by service type:[20]
| Data Type | Retention Period |
|---|---|
| Telephone and text messaging services | 12 months |
| Other electronic communications services | 9 months |
| Internet access services | 6 months |
Retention does not cover content data or data exposing servers accessed by the user. Finland has nominated four designated providers based on aggregate market share and geographic coverage; providers of “small significance” may be exempt. Following the CJEU’s 2016 Tele2 Sverige ruling, Finland revised the Information Society Code to require individual case-by-case reviews of access requests.[20]
International Data Sharing Agreements
NATO Membership
Finland joined NATO on April 4, 2023, as its 31st member, nearly doubling the alliance’s existing border with Russia. Membership followed Sweden’s simultaneous accession process (Sweden joined March 7, 2024 as the 32nd member).[21]
US-Finland Defense Cooperation Agreement (DCA)
Signed on December 18, 2023 by Finnish Defence Minister Antti Haekkaeaenen and US Secretary of State Antony Blinken. Approved by Finnish Parliament on July 1, 2024, and entered into force on September 1, 2024. The DCA grants US forces access to 15 Finnish military bases and enables the presence, training, and prepositioning of US defense material on Finnish territory.[4]
NORDEFCO (Nordic Defence Cooperation)
Five-nation defense cooperation framework (Denmark, Finland, Iceland, Norway, Sweden) with an MoU signed in Helsinki on November 4, 2009. Finland assumed the NORDEFCO chairmanship in 2025. A revised MoU was signed on May 6, 2025 — the first revision since Finland and Sweden joined NATO.[22]
X-Road and Estonian Interoperability
Finland and Estonia’s X-Road data exchange layers were connected on February 7, 2018, enabling organizations in either country to transfer data across the Gulf of Finland. The Nordic Institute for Interoperability Solutions (NIIS), founded jointly by Finland and Estonia in June 2017, manages X-Road development and auditing.[23]
EU Law Enforcement Cooperation
Finland has been an EU member since January 1, 1995 and participates in the Schengen Information System (SIS II), European Investigation Order (EIO), Pruem Convention, and Europol.[24]
US-Finland MLAT
The US-Finland MLAT was signed at Brussels on December 16, 2004 (as part of the US-EU MLAT framework) and entered into force on February 1, 2010.[25]
NSA Tier B Cooperation
Snowden-era documents list Finland among Tier B countries with “Focused Cooperation” on certain intelligence matters. Finland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes alliances.[26]
Recent Developments
Eagle S Tanker / Estlink 2 Incident (December 25, 2024)
Oil tanker Eagle S (Cook Islands-flagged, part of Russia’s “shadow fleet”) allegedly dragged its anchor over 100 km across the Gulf of Finland, damaging five undersea cables including Estlink 2 (reducing Estonia-Finland power capacity from 1,016 MW to 358 MW) and four telecom cables (FEC-1, FEC-2). Finnish Police Rapid Response Unit Karhu boarded the vessel by helicopter. Captain and two officers charged with aggravated criminal mischief; repair costs at least EUR 60 million.[18]
C-Lion1 Cable Severed Twice (November–December 2024)
First incident November 18 in Swedish EEZ (Chinese vessel Yi Peng 3 investigated); second incident December 25 in Gulf of Finland, 60 km from Helsinki. Both repaired within 10–12 days.[5][17]
NATO Baltic Sentry Launched (January 14, 2025)
Multi-domain vigilance activity to increase maritime situational awareness in the Baltic Sea, with frigates, maritime patrol aircraft, and 20+ naval drones. Deployed in direct response to the cable incidents.[27]
NIS2 Transposition (April 8, 2025)
Finnish Cybersecurity Act (124/2025) entered into force, expanding scope from approximately 1,100 entities (NIS1) to approximately 5,500. Traficom designated as coordinating supervisory authority. European Commission nevertheless sent a reasoned opinion on May 7, 2025, for failure to notify full transposition (secondary legislation pending).[28]
S-Pankki GDPR Fine (September 2025)
EUR 1.8 million fine for security flaw in S-Mobiili mobile banking app that allowed unauthorized account access.[7]
Eastern Border Remains Closed
All Finland-Russia land border crossing points have been closed since December 15, 2023, triggered by Russia directing undocumented migrants to the Finnish border as hybrid warfare. A temporary “Pushback Law” enacted July 22, 2024 allows turning people back without asylum assessment, drawing criticism from legal experts regarding international human rights obligations.[29]
US-Finland DCA Enters Force (September 1, 2024)
US forces granted access to 15 Finnish military bases for presence, training, and prepositioning of defense material.[4]