Status regarding Budapest ConventionStatus : Party Declarations and reservations : declarations regarding Articles 2, 24, 27 and 35 and reservations regarding Articles 11 and 14 See legal profile
Finland’s Cyber Security Strategy launched in as a Government Resolution 24 January, 2013 with the new Implementation Programme for Finland's Cyber Security Strategy 2017-2020 published in 2017 (Source: https://www.cyberwiser.eu/finland-fi). The Strategy defines the key goals and guidelines which are used in responding to the threats against cyber domain and which ensure its functioning.
The previous national implementation programme of the Cyber Security Strategy was published 11 March, 2014. A total of 74 measures were put together in the implementation programme to improve cyber security. The Strategy is available in English: http://www.yhteiskunnanturvallisuus.fi/en/materials
The Information Security Strategy for Finland was adopted by the minister of Transport and Communications in March 2016. The strategy sets out the objectives and measures to enhance the level of trust to Internet and digital practices. The strategy also deals with matters that damage trust such as digital security incidents and covers also partly the area of cybercrime.
The National Cyber Security Centre Finland (NCSC-FI) was established within the Finnish Communications Regulatory Authority (FICORA) on 1 January 2014. NCSC-FI will strengthen Finland’s national information security for example by developing the cyber security situational picture. The operational activities of NCSC-FI cover among other things coordinating, responding and resolving of nationally or internationally detected information security incidents and threats (CERT operations).
State of cybercrime legislation
Substantive criminal law provisions are included with one exception in the Criminal Code (39/1889). Unofficial translation is available in English:
- law provisions of the Criminal Code have been amended for the implementation of the Budapest Convention (law 540/2007) and Directive 2013/40/EU on attacks against information systems (law 578/2015).
Investigative measures used in the criminal investigation are mostly covered by the Coercive Measures Act (806/2011):
Other laws related to the provisions of the Budapest Convention:
- The Criminal Investigation Act (805/2011)
- The Police Act (872/2011)
- The Act on International Legal Assistance in Criminal Matters (4/1994)
- The Extradition Act (456/1970)
- The Act on Extradition on the basis of an Offence between Finland and other Member States of the European Union (1286/2003)
- The Act on the Openness of Government Activities (621/1999)
The Criminal Code criminalises the following offences:
- distribution of a sexually offensive picture, aggravated distribution of a sexually offensive picture depicting a child and possession of a sexually offensive picture depicting a child (chapter 17, sections 18, 18(a) and 19),
- forgery, aggravated forgery and petty forgery (chapter 33, sections 1 to 3),
- endangerment of data processing (chapter 34, section 9(a)),
- damage to data, aggravated damage to data and petty damage to data (chapter 35, sections 3(a) to 3(c)),
- fraud, aggravated fraud and petty fraud (chapter 36, sections 1 to 3),
- means of payment fraud, aggravated means of payment fraud and petty means of payment fraud (chapter 37, sections 8 to 10)
- message interception and aggravated message interception (chapter 38, sections 3 and 4),
- interference with communications, aggravated interference with communications and
- petty interference with communications (chapter 38, sections 5 to 7),
- interference in an information system and aggravated interference in an information system (chapter 38, sections 7(a) and 7(b)),
- computer break-in and aggravated computer break-in (chapter 38, sections 8 and 8(a)),
- offence involving a system for accessing protected services (chapter 38, section 8(b)),
- copyright offence (chapter 49, section 1).
Relevant is also copyright violation (section 56(a) of the Copyright Act).
The Coercive Measures Act includes among others the following investigative measures and methods applicable also to the investigation of cybercrime offences:
- seizure and copying of a document (chapter 7, sections 1 and 2),
- search of data contained in a device (chapter 8, section 21),
- data retention order (chapter 8, section 24),
- telecommunications interception (chapter 10, section 3),
- obtaining of information other than through telecommunications interception (chapter 10, section 4),
- traffic data monitoring (chapter 10, section 6),
- traffic data monitoring with the consent of the possessor of a network address or terminal end device (chapter 10, section 7),
- technical surveillance of a device (chapter 10, section 23).
Some relevant provisions are in the Criminal Investigation Act (chapter 7, sections 8 and 9) regarding the obligation to provide evidence and questioning in court and in the Police Act (chapter 4, section 3) regarding obtaining information from a private organisation or person
- deeply interfering with human rights and fundamental freedoms are usually allowed only in investigations of serious offences and a district court decides on the use of these measures. If the measure has been ordered by the police official or the prosecutor on the request of the person concerned in the matter the court shall decide whether the measure is to remain in force. If the measure has been ordered by the court on the request of the person concerned in the matter the court shall reconsider whether the measure is to remain in force. All coercive measure court decisions are covered either by the possibility to make an (ordinary) appeal or by the possibility to make an extraordinary appeal (no time limit and an urgent hearing). When a person subjected to a covert coercive measure is afterwards reported the use of measure he or she may make an extraordinary appeal.
- principles have to be taken into account in the decision making concerning the use of all coercive measures. According to principle of proportionality manifested in Chapter 1, section 2 of the Coercive Measures Act coercive measures may be used only when they may be deemed justifiable with consideration to the seriousness of the offence under investigation, the importance of clarifying the offence, the degree to which the use of the coercive measures infringes on the rights of the suspect in the offence or others, and the other circumstances in the case. According to Chapter 1, Section 3(1) of the Coercive Measures Act (principle of minimum intervention) the use of a coercive measure may not infringe on the rights of anyone beyond what is necessary in order to achieve the purpose for which it is used.
Cybercrime Center of the National Bureau of Investigation was established 2015 to tackle this issue, but also all police districts are responsible for investigation of cybercrime. The Center is responsible for international, organized, technically challenging and larger cybercrime cases. Police Districts are responsible of all offences that have happened in their region.
All police districts have their own IT forensic groups. The ways districts have organised pre-trial investigation of cybercrime vary a lot. In many districts there are no specialised investigators. The Cybercrime Center also supports all police units with investigation of cybercrime, IT forensic examinations, intelligence on Internet and international cooperation.
No prosecutors or courts deal exclusively with cybercrime. A group of prosecutors in local prosecution units prosecute most of such crimes but they have also other tasks.
National Cyber Security Centre Finland (NCSC-FI) - Finnish Communications Regulatory Authority
CERT-FI – merged into National Cyber Security Centre Finland
Competent authorities and channels
Mutual legal assistance is regulated in the Act on International Legal Assistance in Criminal Matters. According to section 1(2) of the act international assistance include
- service of decisions, summonses, notices and other judicial documents relating to a criminal matter, including summonses to appear before an authority of the requesting State;
- hearing of witnesses, experts and parties, obtaining of expert opinions, inspections, procuring and transmitting documents and objects to be produced as as evidence, as well as the taking of any other evidence relating to a criminal matter;
- search, seizure and the use of other coercive measures in order to obtain evidence or to secure the enforcement of a confiscation order;
- institution of criminal proceedings;
- communication of extracts from and information relating to judicial records required in a criminal matter; and
- any other necessary assistance in a criminal matter, provision of information on law as well as any other forms of mutual co-operation.
- Act on International Legal Assistance in Criminal Matters includes provisions among other things on compliance with a particular procedure specified in the request (section 11), mandatory grounds of refusal (section 12), discretionary grounds of refusal (section 13), restrictions on coercive measures (section 15), use of coercive measures to obtain evidence or to secure the enforcement of a confiscation order (section 23) and secrecy, confidentiality and restrictions on the use of information (section 27).
Finland is in the process to implement the EIO Directive which amends the system of mutual legal assistance between EU Member States.
Competent authorities and channels
For the MLA requests to Finland from other EU member states the National Bureau of Investigation is the central contact point. MLA requests to Finland from countries outside the EU shall be sent to the Ministry of Justice as the central authority (Unit for International Judicial Administration). Urgent requests via Interpol channels are accepted in accordance with Article 15 of the European Convention on Mutual Assistance in Criminal Matters.
The leader of the investigation sends requests for MLA when the content of the request has been agreed on with the prosecutor. The LEA and prosecutors have an obligation to act in a close cooperation and the LEA has to comply with orders and instructions by the prosecutor as provided for in Chapter 5 of the Preliminary Investigation Act.
MLA request from Finland to other EU member states are sent directly. The National Bureau of Investigation is the national central contact point for the investigation authorities. The requests are checked by NBI International Affairs unit before they are translated and sent to the concerned country.
For MLA request from Finland to countries outside EU, the Ministry of Justice is the central authority. Urgent requests can be sent also via Interpol channels in accordance with the European Convention on Mutual Assistance in Criminal Matters, Article 15, point 5, if accepted by the addressee.
The prosecution authorities use as a rule direct contacts with judicial authorities in other EU member states. EJN and Eurojust are contacted in need of assistance.
- with Article 35 of the Budapest Convention the National Bureau of Investigation is a 24/7 contact point covering also the extradition matters within the framework of European Arrest Warrant and Nordic Arrest Warrant. Ministry of Justice is a contact point during working hours for other extradition requests.
Practical guides, templates and best practices
The decisions of the Supreme court are an important legal source and precedents for similar cases. However there are no significant decisions regarding cybercrime issues. http://www.finlex.fi/en/oikeus/
Sources and links
Implementation Programme for Finland's Cyber Security Strategy 2017-2020
Information Society Code (917/2014)
Act on the Processing of Personal Data by the Police (761/2003)
National Cyber Security Centre Finland (NCSC-FI)
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.