Finland
NSA Tier B partner whose Intelligence Acts required a constitutional amendment, NATO member that doubled the alliance’s Russian border, with the C-Lion1 cable severed twice in five weeks and a US defense agreement granting access to 15 military bases
Overview
EU Member State: Finland is subject to the GDPR. For the EU framework, see the EU Framework page.
In 2019, Finland enacted Intelligence Acts enabling cross-border traffic interception by Supo and the FDIA — legislation that required a constitutional amendment passed by two-thirds supermajority across two parliamentary terms, demonstrating how even strong constitutional privacy protections are amended when national security demands arise. Finland joined NATO on April 4, 2023 (31st member), nearly doubling the alliance’s Russian border (1,340 km). A US Defense Cooperation Agreement grants access to 15 Finnish military bases (in force September 2024). NSA Tier B partner. The C-Lion1 submarine cable was severed twice in five weeks (November–December 2024); the Eagle S tanker damaged five undersea cables on December 25, 2024.[1][2]
Privacy Framework
The Office of the Data Protection Ombudsman is headed by Anu Talus, who simultaneously chairs the EDPB (since May 2023). Age of consent: 13. State authorities are exempt from GDPR administrative fines. Notable enforcement: S-Pankki EUR 1.8M (banking app security flaw, September 2025). The Data Protection Act (1050/2018) supplements the GDPR; the Coercive Measures Act (806/2011) governs surveillance for criminal investigations; the Act on Electronic Communications Services (917/2014) addresses telecom privacy.[3]
Surveillance and Intelligence
Intelligence Agencies
Supo (Suojelupoliisi, ~584 employees): Finland’s only civilian intelligence service, under Ministry of Interior. 2024 assessment: Russia treats Finland as a “hostile country.” FDIA (Finnish Defence Intelligence Agency, operational since 2014): Combined SIGINT, GEOINT, IMINT. Houses the Viestikoekeskus (Intelligence Research Centre) monitoring Russian Armed Forces electromagnetic emissions.[4][5]
Intelligence Acts 2019
Required a constitutional amendment (two-thirds supermajority across two parliamentary terms) to enable cross-border cable traffic interception by Supo and the FDIA. Oversight: Intelligence Ombudsman (Kimmo Hakonen, since May 2019, reappointed May 2024) supervises legality with inspection powers; Parliamentary Intelligence Oversight Committee provides political scrutiny.[1]
Internet Infrastructure and Cable Security
FICIX (founded 1993, one of world’s oldest IXPs) operates three exchanges (Espoo, Helsinki, Oulu). C-Lion1 (1,173 km, 120 Tbps, Helsinki-Rostock): severed twice in five weeks — November 18 (Yi Peng 3 with Russian captain investigated, Swedish EEZ) and December 25 (Gulf of Finland, 60 km from Helsinki). Eagle S tanker (Russia shadow fleet) dragged its anchor across the Gulf, damaging Estlink 2 power cable and FEC-1/FEC-2 telecom cables (December 25). Finnish Police Karhu unit boarded by helicopter; captain charged. NATO launched Baltic Sentry (January 14, 2025). Google Hamina data centre: EUR 4.5B+ cumulative investment.[6][7]
Data Retention
Information Society Code Section 157: telephony/SMS 12 months, other electronic communications 9 months, internet access 6 months. No content retention. Four designated providers based on market share. Following Tele2 Sverige, Finland revised to require case-by-case access review.[8]
International Data Sharing Agreements
Mutual Legal Assistance
EU Member States (26 countries): EU MLA Convention 2000, Schengen, EIO, Prüm (EU member since January 1, 1995). Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols. US-Finland: No separate bilateral MLAT; covered by EU-US MLA instrument only (in force February 1, 2010). Bilateral MLATs also with Canada and Australia. Nordic cooperation: Direct contacts between competent authorities, Nordic Arrest Warrant, independent uniform norms for extradition and sentence transfer. Ministry of Justice serves as Central Authority under the 1959 Convention.[9]
Defense and Intelligence Cooperation
NATO (since April 2023). US-Finland DCA (in force September 2024): US forces access to 15 Finnish bases. NSA Tier B “Focused Cooperation.” NORDEFCO (Nordic Defence Cooperation, 5 nations, Finland 2025 chair, revised MoU May 2025). NB8 (Nordic-Baltic Eight). X-Road: Federated data exchange with Estonia (since February 2018, via NIIS). Europol, Interpol I-24/7, Egmont Group, EU-US Umbrella Agreement, SWIFT/TFTP, PNR.[10]
The Privacy Backdoor Effect
- NSA Tier B: Focused cooperation; Finnish persons targetable
- Intelligence Acts 2019: Cross-border cable interception authorised by constitutional amendment
- US DCA: 15 military bases with US force presence and intelligence-sharing implications
- EU Framework: Finnish data in SIS II, Prüm, EIO accessible to 27 EU states
- Cable vulnerability: C-Lion1 cut twice; Eagle S damaged five cables; hybrid warfare targeting interceptable infrastructure
Recent Developments
Eagle S / Estlink 2 (December 25, 2024): Shadow fleet tanker damaged five cables including Estlink 2 power and FEC-1/FEC-2 telecom. Captain charged. EUR 60M+ repair costs.[7]
C-Lion1 Severed Twice (November–December 2024): Yi Peng 3 incident (November 18) and separate Gulf of Finland incident (December 25).[6]
NATO Baltic Sentry (January 2025): Multi-domain maritime surveillance in response to cable incidents.[11]
Eastern Border Closed: All Finland-Russia land crossings closed since December 2023. Pushback law enacted July 2024 amid Russian weaponised migration.[12]