E-Commerce - A Global Competition Review - Special Report

Article by Craig Thompson, Martina Ehrstrom, Heidi Ketolainen and Anna Savolainen

The government of Finland can generally be considered to be Internet-friendly. It is expressly stated in the government’s current agenda that the development of a high-tech information society enjoys top priority in Finland.

The Finnish Communications Regulatory Authority (Ficora) monitors the compliance of Finnish e-commerce participants with the obligations set forth under Finland’s 2002 Act on the Offering of Information Society Services. Said Act harmonises Finnish law with the EU E-Commerce Directive (2000/31/EC). Ficora, which operates administratively under Finland’s Ministry of Transport and Communications, also supervises communications networks, services and equipment in Finland and the implementation of Finland’s 1997 Communications Market Act and other communications regulations. The aim of Finland’s communications regulations is to secure a market structure for reliable, efficient, interoperable, low cost, and technology advanced communications. The regulations promote fair competition between operators, network and services interconnection and access, and communications equipment compliance with the applicable requirements and standards. The provision of Internet access services as such is not subject in Finland to any licensing or notification requirements. The monitoring of network security and communications privacy and the administration of fiTLD domain names are vested with Ficora.

Finland’s Consumer Ombudsman monitors e-commerce prices and terms and other market practices directed at consumers in Finland as well as monitoring the provision of information by service providers to consumers. Ficora and the Consumer Ombudsman collaborate with each other in their supervision duties.

The Finnish Competition Authority investigates restrictions of competition and seeks to promote competition to increase the efficiency of the economy. The Competition Authority has intervened in the restrictive practices of private sector Internet service providers which are harmful to competition. For example, the discriminatory Internet access pricing of dominant local loop providers and the interoperability of Internet services platforms have been scrutinised by the Competition Authority. Finland’s Data Protection Ombudsman oversees the implementation of Finland’s 1999 Personal Data Act and issues opinions on the application of the Personal Data Act to ecommerce and Internet activities.

Finland’s 2002 Act on the Offering of Information Society Services harmonises Finnish law with the EU E-Commerce Directive (2000/31/EC). The Act entered into force on 1 July 2002. Further, Finland’s Act on Electronic Signatures, which harmonises Finnish law with the EU Electronic Signatures Directive (1999/93/EC) entered into force on 1 February 2003.

Finland’s laws applicable to traditional forms of business are also generally applicable to business on the Internet. Such laws include, for example, the 1997 Trade Act, the 1978 Consumer Protection Act, and the 1999 Personal Data Act. More recent legislation, such as that harmonising Finland’s Consumer Protection Act with the Distance Contracts Directive (1997/7/EC), also expressly applies to business conducted on the Internet.

A government bill was submitted in October 2002 to the Finnish Parliament to harmonise Finland’s 1961 Copyright Act with the Digital Copyrights Directive (2001/29/EC). The laws proposed by the bill were expected to enter into force during the spring of 2003. However, due to constitutional law concerns, users’ concerns about overly broad rights protection provisions, and time restraints, the Finnish Parliament has allowed the bill to lapse. At this time there is no indication as to when the next bill will be presented for legislation.

In the absence of an effective submission to jurisdiction, Finnish courts would determine the issue of jurisdiction according to the criteria set forth in the Council regulation (EC/44/2001) on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters and the Lugano Convention, where applicable, or by analogous application of the Finnish procedural rules. In such cases, the court of the defendant’s domicile would, as a general rule, have jurisdiction. In addition, a number of alternative criteria are set forth both in Finland’s Procedural Code and the aforesaid Council regulation and the Lugano Convention. The applicable criteria would, as a rule, be limited to the domicile or location of the parties (eg, contract forum, the place of fulfilment of the relevant obligation, the consumer’s right to sue in his/her own domicile). The aforesaid Council regulation explicitly recognises the right of the contracting parties to designate the non-exclusive jurisdiction of a Member State court.

The location of the server through which an online contract is entered into has not been considered in Finland to be a relevant factor with respect to jurisdiction.

Finnish contract law adheres, as a rule, to the general principle of the freedom of contract. The contract formation procedure in Finland is a traditional offer-and-acceptance system. Finland’s 1929 Contracts Act provides for certain criteria that justify the avoidance of a contract. These criteria include compulsion, deceit, dishonourable behaviour, forgery and a commitment known to be erroneous to the opposite party. The rationale behind these provisions is to ensure that the parties enter into a contract of their own free will. In addition, the Contracts Act includes a specific provision expressing the principle of reasonableness and fairness in contracting. Accordingly, a contract term or the contract in its entirety may be mitigated or rendered ineffective if it is considered unreasonable or if, when implemented, it may lead to an unreasonable outcome. For standard terms and conditions to become incorporated in the contract, the contracting party must have an actual opportunity to familiarise itself with the contract. Onerous and surprisingly harsh terms may, nevertheless, be considered null and void, particularly in consumer contracts.

As a general rule, contracts are not subject to any particular form requirements and online contracting is permissible. The party claiming that an online contract has been effectively concluded has the burden of proof that the other party has actually intended to enter into the contract and has had the opportunity to review the relevant terms and conditions. According to the 2002 Act on the Offering of Information Society Services, online contracts are generally to be recognised as valid and binding contracts. The Council regulation (EC/44/2001) on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters also recognises that any electronic communication that provides for a durable record of the agreement satisfies the formal requirement of a ‘written’ contract.

Certain contracts may not be effected online or are otherwise incompatible with online contracting. For example, the sale of real estate cannot be effected online, as such sales must be publicly notarised. Motor vehicle sales are incompatible with online contracting as the registration of a motor vehicle in the name of a new owner requires that a particular form signed by the seller in hard copy be delivered to the registration authority.

Under Finnish contract law, a commercial website could be seen as an offer unless it is expressly designed to be an invitation to place an offer. A service provider may affect this assessment, for example, by constructing the site so as not to provide an automatic acceptance and delivery system, or by appropriate disclaimers.

Finland’s 2002 Act on the Offering of Information Society Services provides general provisions on electronic contracting. The Act defines the information society services and has adopted the ‘place of establishment principle’ of the EU E-Commerce Directive, meaning that no restrictions that fall within the harmonised fields may be placed on service providers established in another EEA country who offer their services in Finland. Additionally, the Act obliges Internet service providers to provide certain pre-contractual information about themselves and their operations.

Finnish consumer protection legislation contains a number of restrictions as to the efficacy of contract terms. For example, the general principle of reasonableness and fairness in contractual relationships sets limitations. Finnish courts will not usually uphold disclaimers that limit a party’s liability in cases of wilful misconduct, gross negligence or personal injury. Consumer contracts should be unambiguous as unclear terms are interpreted as a rule to the detriment of the vendor. Consumer contracts should be available in both official languages, Finnish and Swedish, although this is not mandatory. Compulsory provisions in the 1978 Consumer Protection Act cannot be excluded or deviated from to the detriment of the consumer and are therefore implied as part of the consumer agreement. If a contract violates consumer protection legislation, a desist order enforceable by a fine may be imposed on the vendor.

Contracting parties should be given the chance to familiarise themselves with the contract terms before entering the contract. Onerous or surprisingly harsh terms should be expressly brought to the other party’s attention. For the Internet, the minimum requirement would arguably be to provide a hyperlink by which the contract terms can be accessed by the other party prior to acceptance. Transparent contract terms would decrease the risk of ineffective incorporation. To minimise the risk of harsh terms becoming ineffective, the vendor should highlight such terms and consider providing for separate acceptance of the terms online. It is recommended that an express acceptance of any standard terms be provided, for example, by way of clicking to acknowledge having reviewed the terms. Making the customer scroll through standard terms prior to acceptance would arguably increase the likelihood that such terms would be effective.

The Act on Electronic Signatures, which harmonises Finnish law with the EU Electronic Signatures Directive entered into force on 1 February 2003. The Act clarifies the legal effects of electronic signatures by declaring that an electronic signature based on a qualified certificate and created by a secure signature-creation mechanism satisfies the requirement that a document be signed. Consequently, such electronic signatures would have the same legal effect as traditional handwritten signatures.

According to the aforesaid Act, an electronic signature is defined to mean data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication of the identity of the signatory. An advanced electronic signature, on the other hand, is defined as an electronic signature that is unambiguously linked to the signatory, capable of identifying the signatory, created using means that the signatory can maintain under his sole control and is linked to other electronic data in such a manner that any change made to the data is detectable. The new provisions also clarify liability issues relating to certification services and create a legal basis for the provision of certificates to be used in the public and private sectors. The Act on Electronic Government Services was passed by the Finnish Parliament along with the Act on Electronic Signatures. This new Act will replace the 1999 Act on Electronic Service in the Administration and the 1999 Act on Electronic Service in Court Proceedings. The Act on Electronic Government Services entered into force on 1 February 2003. The Act will apply to the handling of matters involving courts, debt execution authorities, and other administrative officials. The Act establishes rights and obligations regarding the electronic formation of documents. Certification services will, however, be regulated fully under the Act on Electronic Signatures.

According to the Act on Electronic Signatures, a service provider that issues a qualified certificate is obliged to retain information concerning such certificate in a certification database for 10 years after the expiration of the certificate. Under Finland’s Bookkeeping Act, all documents supporting a bookkeeping entry must be stored for six years.

The Act on the Protection of Privacy and Data Security in Telecommunications entered into force on 1 July 1999. It aims to promote data security within public telecoms and to protect the privacy and other legitimate interests of users. The Act is applicable, as a rule, to public telecoms and telephone directories. In addition to the more traditional telecoms services, the Act applies to e-mail and other Internet communications. The Act allows users of telecoms services to protect their messages by any technical means and telecoms messages are viewed, as a general rule, to be confidential. Privacy and the inviolability of communications confidentiality are protected as constitutional rights in Finland.

The Act obliges operators to ensure the security of their services technically and to inform users about risks, as well as how such risks can be remedied. Under the Act, the operators’ right to process identification information generated in their networks has been limited and the obligation of confidentiality imposed on the operators’ personnel has been extended to those offering only Internet-related services. The Act contains provisions concerning, for instance, the use of telecoms services for direct marketing purposes.

The Finnish government has initiated a public hearing process addressing a government bill for an Act on Data Security in Electronic Communications that is to implement the EU Directive (2002/58/EC) on data security in electronic communications and replace Finland’s 1997 Act on the Protection of Privacy and Data Security in Telecommunications. The proposed Act is expected to enter into force in October 2003. The new legislation is expected to clarify the position of the law with respect to, among other things, the use of cookies.

Finland’s 1999 Personal Data Act imposes an obligation on file controllers to implement technical and organisational measures necessary to protect personal data bearing in mind, for example, the file controller’s strict duty of care, the nature of the personal data, the significance of the data to privacy and the cost of the measures. To the extent that an employer wishes to monitor the Internet and e-mail usage of its employees, such monitoring must be arranged in accordance with the transparency and information requirements of Finland’s 2001 Act on Privacy in Employment.

There is currently no law or case guidance as to whether the authorities can require the release of private keys. Finnish law enforcement officials do, however, have broad powers under Finland’s 1987 Coercive Measures Act in specific circumstances to intercept telecoms traffic and to obtain call traffic data. Also, operators are required to facilitate the efforts of the law enforcement officials in those circumstances. Arguably, this obligation could extend to the release of private encryption keys in the possession of an operator. Further, under Finland’s Procedural Code, a Finnish court could arguably compel a defendant to grant access to encryption keys under an injunction.

The Act on Electronic Signatures entered into force on 1 February 2003 in Finland. The Act recognises certification authorities by defining a ‘certifier’ as a reliable natural or a legal person that issues certificates. It is noteworthy that Finland was the first country in the world to bring into use personal electronic identity cards. The electronic ID card was launched in December 1999 and it is intended for use in connection with public sector services (eg, applications for day-care or change of address notifications). The card includes a microchip containing the user’s secret keys, which are stored only on the card’s microchip for security reasons. The Finnish Population Register Centre serves as the certification authority for the cards. Administratively, the Centre is responsible for providing the government certificate services and creating and maintaining the infrastructure required for the system. It may be possible in the future to use the ID card for private sector services.

The Act on Electronic Signatures provides that a certifier offering qualified certificates must act in a careful, trustworthy and appropriate manner without discriminating against its customers. The Act also provides that the certifier must have adequate technical and financial resources with respect to its operations. The certifier is liable for the reliability and functionality of the services and products it offers, even when provided by others on a subcontracting or agency basis. In addition, the certifier must ensure that its personnel have adequate expertise, experience and qualifications. The certifier must keep the documentation regarding the certificate and the certification available to the public and secure the confidentiality of the signature-creation data when creating the data itself. Finally, the certifier may not store or copy any signature-creation data assigned to the signatory.

The Act on Electronic Signatures provides that the certifier is liable for any loss incurred by the person relying on the qualified certificate, if the data in the certificate has been erroneous at the time the certificate was issued or the certificate lacks the information required by the Act. The certifier is also liable in cases where the signature-creation and verification data does not match or when the certifier has not, in certain circumstances specified in the Act, revoked the qualified certificate. If it can be proved that the certifier and the persons assisting the certifier have acted diligently or the certificate has been used against its use restrictions, the certifier will not be liable for any losses.

The Act also provides that the general guidance and development of the certification operations is the responsibility of the Ministry of Transport and Communications. Ficora will be charged with supervising the compliance of certifiers with the Act. Additionally, Finland’s Data Protection Ombudsman is responsible for supervising compliance with the data protection provisions included in the Act.

The new Act on the Electronic Government Services, passed by the Finnish Parliament along with the Act on Electronic Signatures, replaced the Act on Electronic Services in the Administration and the Act on Electronic Communications in Court Proceedings. This Act entered into force on 1 February 2003.

The administration of fiTLDs is the responsibility of Ficora, which is also the issuing authority. As a general rule, domain names can only be granted to Finnish companies, Finnish branch offices of foreign companies, Finnish associations and foundations as well as individual entrepreneurs registered with the Finnish Trade Register. FiTLDs must be based on the registered trade name of the applying entity, its auxiliary or parallel trade name, a Finnish registered trademark or a registered European Community trademark. Under the Madrid protocol, a legal entity cannot be granted a fiTLD based on its international trademark registration.

Some differences between the registered fiTLD and the trademark or company name in question are presently allowed. For example, Scandinavian letters may be replaced by corresponding letters recognised by the Internet Protocol. Only one fiTLD per registered name or trademark is allowed. Moreover, fiTLDs may not be an abbreviation and must include at least three characters. Public corporations may, however, be granted an abbreviation of their name or a name depicting their public tasks. Only trademarks consisting entirely of letters, digits or words entitle their holders to the registration of the corresponding fiTLD. Figure trademarks containing, for example, a word, would not entitle their holders to a fiTLD registration.

A government bill for the Act on Domain Names has been presented to the Finnish Parliament. The Act is expected to enter into force 1 September 2003 at the earliest. The new Act proposes a loosening in the conditions for granting domain names to legal entities. According to the government bill, the applying entity may, with certain exceptions, freely choose the domain name. Additionally, Ficora will not examine in advance possible trade name or trademark infringements with respect to domain names.

There is no statute or case law that confers any such additional rights.

FiTLDs can only be granted to a legal entity registered in Finland on the basis set out above. It should not, under the present law, be possible to register a ‘pirate’ domain name similar to a registered trademark.

There are no specific rules on Internet advertising, so the rules generally applicable to marketing are also applicable to Internet marketing. Rules relating to advertising are contained in the provisions of Finland’s Consumer Protection Act, Unfair Business Practices Act and Broadcasting Act. Rules on the marketing of goods and services exist also in Finland’s Act on Measures to Reduce Tobacco Smoking, Alcohol Act, Medicines Act, Act on Food Supplies, Package Travel Act, Securities Market Act and Act on Credit Institutions.

In addition, the recommendations of the Nordic Consumer Ombudsmen and the recommendations of the Finnish Direct Marketing Association can be applied to advertising on the Internet, although such recommendations are not legally binding and serve more as guidelines. Specific rules regarding electronic consumer trade have been prepared by the Finnish Direct Marketing Association together with the Federation of Finnish Commerce and Trade, the Finnish Federation for Communications and Teleinformatics (FiCom) and the Central Chamber of Commerce. The guidelines were published on 1 December 2002.

The advertisement of tobacco products on the Internet is prohibited under the Act on Measures to Reduce Tobacco Smoking. The marketing on the Internet of obscene materials such as child pornography is criminalised under the Finnish Penal Code. Goods and services that may be advertised on the Internet if the applicable laws are followed include alcohol, consumer loans, foodstuffs, medicines, package tours, securities, and services provided by credit institutions. In addition minors are extensively protected under Finland’s advertising laws.

Placement on a website of any content that incites racial hatred, is deemed to be unauthorised gambling, depicts unapproved violence or obscene or defamatory material is criminalised in Finland.

The offering and marketing of investment services in Finland is subject to the requirements of the Finnish Act on Investment Firms (IFA) and the Finnish Act on Foreign Investment Firms (FIFA) based on the EC Investment Services Directive (ISD). The offering and marketing of securities is subject to the provisions of the Finnish Securities Market Act (SMA). The offering and marketing of banking services in Finland is subject to the provisions of the Finnish Credit Institutions Act (CIA) and the Finnish Foreign Credit Institutions Act (FCIA), which are based on the EC credit institutions directives.

A foreign investment firm or credit institution authorised in a Member State of the European Economic Area (EEA) to offer investment and/or banking services may, in accordance with its local authorisation, establish a branch office or otherwise offer investment and/or banking services in Finland on a cross-border basis upon notification to the Finnish Financial Supervision Authority (FSA).

A non-EEA authorised investment firm may under the FIFA apply for authorisation from the Finnish Council of State to provide investment services cross-border into Finland. Non- EEA credit institutions may not offer services into Finland on a cross-border basis.

In the absence of any specific legislation on the provision of investment services over the Internet matters such as, whether an offer of securities through the Internet is considered to be made in Finland, and whether the availability of marketing material on investment services through the Internet constitutes provision of investment services or banking services in or into Finland are still open to interpretation by the Finnish supervisory authorities.

The FSA has issued unofficial reports on the provision of investment services on the Internet recording discussions within the FSA regarding Internet related issues.

According to the views expressed in such reports, the Internet constitutes a marketing channel in the same way as newspapers or the telephone, to a certain extent.

Investment services can be considered to be marketed in Finland if the promotion thereof can be viewed to be targeted into Finland. Although no definite rules are available in respect of the Internet, the following circumstances may lead to the conclusion that the service is targeted into Finland: the marketing material is in Finnish (or in some cases in Swedish), the domain name of the relevant Internet site is under a fiTLD, the contact information refers to Finland or the Internet site is otherwise marketed in Finland.

If the investment services provided over the Internet in accordance with the above are considered to be marketed/provided into Finland the licensing and notification procedures for the provision of investment services in Finland will apply.

The general legal principles established in Finnish jurisprudence and legislation regarding copyright infringement apply to Internet activities. Finland’s laws impose criminal and civil liability on persons for aiding or abetting each other in the commission of a wrongdoing. The imposition of such liability requires that the person’s action or omission was willful or negligent and that, in a criminal matter, the person had prior knowledge of the probable effect of the action. It is opined that actions or omissions that could give rise to liability for aiding or abetting include the provision of an instrument, substance or advice that aids in obtaining intended results or the neglect of a supervisory or oversight obligation. It must be pointed out, however, that such action or omission does not of itself give rise to criminal liability. The person to whom such an action or omission is attributable must have knowledge of the intended results. It is therefore possible that an ISP aware of infringing content on a website which does not actively seek to take it down could face criminal liability or liability for tort damages. It is furthermore noteworthy that ISPs may under certain circumstances be found guilty of, eg, a copyright crime as an offender (as opposed to being an accessory to the crime).

The 2002 Act on the Offering of Information Society Services establishes a safe harbour from liability for certain activities. The said Act is in line with the E-Commerce Directive with respect to the application of the safe harbour mechanism to caching and mere conduit services. As regards hosting services, the Act goes further by regulating the conditions and procedures for taking down material hosted on a server. ISPs providing hosting services are exempted from liability, if they, after receiving a takedown notice or otherwise becoming aware of the illegal content, disable access to the content without delay. If ISPs do not fulfil the obligations under the proposed Act, their possible criminal or civil liability would be assessed in accordance with other legislation.

Authority to shut down web pages is almost wholly dependent on the contract between the ISP and its customer. As a rule, Finnish ISPs have a clause in their service provider agreements permitting them to shut down a site displaying unlawful or defamatory materials. The definition of defamatory material is somewhat unclear since ISPs can usually unilaterally define it. Usually a third-party claim is necessary for the ISPs to act since ISPs usually lack the ability to monitor the content. However, no court decisions are required to permit actions based on contract.

To be exempted from liability for defamatory content on its service, an ISP is obliged to disable access to such content if it receives a take-down notice from the offended party or circumstances exist from which the defamatory nature of the content should have come to the knowledge of the ISP.

Website owners may be held to have infringed copyrights, trademarks, or company names or even engaged in unfair business practices if they use third-party content on their websites without proper authorisation. It is advised therefore that website providers obtain authorisation from content providers prior to using their material. It is necessary to obtain authorisation prior to using marks or symbols enjoying trademark or trade name protection for commercial purposes. According to Finnish case law, protected trademarks and trade names may not be included without authorisation in metatags as they may be indexed by Internet search engines.

As a general rule, website providers may link their websites to those of third parties, provided that the graphical representation of the link does not infringe the copyright, trademarks or trade names of third-parties. However, it is advisable to obtain permission when linking to websites containing copyrighted material, as there is a risk that it could be considered a distribution of copyrighted material. Should no permission for linking be obtainable, it is advisable to carry out the linking in a manner that does not give the impression that the provider of the linked website has consented to the linking or that there exists some type of commercial or other relationship between the website providers. Failure to carry out linking in this manner may be considered a trademark infringement or an engagement in unfair business practices. It is always advisable to obtain permission when using frames containing material from third-party websites instead of links. Linking issues are somewhat unclear under Finnish law, as no specific rules regarding linking exist and there is a dearth of cases on point.

Whether a website provider can exploit non-proprietary software used for a website by licensing such software to third parties depends on the website provider’s licence for the software. Typically, software licences do not permit sublicensing, although many licences regarding Internet applications explicitly allow such sublicensing when the licensed software is required for accessing and using a website.

Even though a website provider has no direct control over the material contained on linked websites, the website provider may still commit trademark, trade name or copyright infringement as a result of material found on the linked website. According to Finnish case law, linking to sites containing copyright-infringing material may constitute copyright infringement. Even though there is no case law regarding links to sites containing material infringing trademark and trade name rights, it is always advisable to observe caution when linking to sites containing trademarks or trade names. Website providers may also be guilty of defamation or other crimes under Finland’s Penal Code, such as the distribution of illegal pornography.

The Data Protection Directive was transposed into Finnish law with effect as of 1 June 1999 when the Personal Data Act entered into force. There are no significant differences between the Finnish Personal Data Act and the Data Protection Directive.

The Personal Data Act applies to the processing of personal data where the data controller has a place of business in Finland or where Finnish jurisdiction otherwise extends to the data controller. If the data controller does not have a place of business within the EU but makes use of equipment located in Finland for purposes other than the mere routing of data through Finland, the Personal Data Act would apply and the relevant filing and registration obligations must be met. In such case a representative must also be appointed in Finland for the purpose of data protection laws. It is likely that Finland’s Data Protection Ombudsman would view the use of cookies as constituting the use of equipment in Finland for purposes other than mere routing.

Personal data comprises any information on a private individual or his/her personal characteristics or way of life, which can be identified as concerning this person, his/her family or others living in the same household.

In addition, Finland’s 2001 Act on Privacy in Employment regulates the processing of personal data of employees and job applicants.

As a general rule the automatic processing of personal data specified in the Personal Data Act must be notified to Finland’s Data Protection Ombudsman in sufficient time, but not less than 30 days prior to collecting personal data for the processing. There are a number of grounds on which data controllers are exempted from the notification requirements. As a general rule, data controllers that outsource personal data processing to others must notify the Data Protection Ombudsman of such outsourcing prior to transferring the personal data.

As a rule, a website provider may sell personal data about its users only to persons that otherwise have a right under Finland’s Personal Data Act to process such personal data and any such sale must be done in accordance with the file controller’s information obligations and otherwise in comport with the law. Data controllers in Finland must comply with good data processing practices and take the initiative to ensure their processing activities comply with the duties set forth in the Personal Data Act. Unlawful processing triggers strict liability for damages as well as criminal liability under the Penal Code. To assist data controllers with compliance, the Data Protection Ombudsman issues guidelines on good data processing. The general duties imposed on data controllers are outlined below.

Personal data may be processed only in accordance with strict provisions of the Personal Data Act. As a rule, the sale of personal data collected from website users would be prohibited unless unambiguous consent had been obtained from the users.

It is permitted to transfer personal data to third parties in the EEA, provided that the transfer of personal data in the EEA is not incompatible with the defined purpose of processing and that at least one of the general prerequisites for processing of personal data is fulfilled. Limited personal data used for direct marketing may be transferred within the EEA only if the customer has not objected to the transfer and it is apparent that the customer knew of the transfer.

The transfer of personal data to a non-EEA country is subject to the general processing rules under the Personal Data Act. Accordingly, such transfer is only permitted as a general rule if an adequate level of data protection is guaranteed in the country to which the transfer is to be made. Personal data may be transferred to a non-EEA country that does not guarantee adequate data protection only if for instance the data subject has unambiguously consented to the transfer.

According to the Finnish Act on Privacy in Employment, an employer may process the personal data of employees and job applicants only to the extent directly necessary for the employment relationship. Not even an employee’s or job applicant’s consent entitles to deviate from this requirement of direct necessity.

The processing of personal data for profiling purposes is not expressly proscribed in Finnish law. However, Finland’s Personal Data Act expressly requires that all processing must be done for a predefined purpose and that data subjects are informed about such predefined purpose. Processing that is incompatible with the predefined purpose is, as a rule, unlawful. This would arguably rule out any profiling of personal data that was not contemplated at the time the personal data was collected or which profiling was not notified to the data subject affected. Finland’s Data Protection Ombudsman has adopted a restrictive approach towards the processing of personal data for the purpose of profiling consumers.

Data subjects should also be informed that they have the right to change their mind on the use of their personal data. This information along with information on how to exercise one’s rights with respect personal data should, as a rule, be provided at the time of collection and recording of the data.

There are various preconditions for the use of personal data for marketing purposes. The automatic processing of personal data for direct advertising, distance selling, or for market or opinion research must be notified to the Data Protection Ombudsman. Additionally, persons engaged in Finland in market or opinion research as a trade are required to notify their activities to the Data Protection Ombudsman. Personal data used for marketing purposes may be released from a personal data file or used as a sampling for direct marketing purposes provided that the data subject has not prohibited such release, and provided that it is apparent that the data subject is aware of such release.

Certain types of personal data may be used for marketing provided that the data subject has not prohibited the collection or processing of such data for marketing and further provided that:

• the personal data files are used for marketing campaigns that are specified in advance and short in duration, and such use, bearing in mind the personal data involved, does not jeopardise the protection of the data subject’s privacy; or
• the personal data files contain only data concerning the data subject’s name, rank or profession, age, gender and native language, one identifying characteristic, and the data subject’s contact information; or
• the personal data files contain only data concerning the data subject’s duties and position in business or public office, and such data is used only for sending information related to the data subject’s work duties.

The use of sensitive personal data and personal identification numbers is, as a general rule, prohibited. Data subjects may prohibit the use of their personal data for the purpose of direct advertising, distance selling, or other forms of direct marketing or for market or opinion research. With respect to these uses of personal data, the marketer must provide the data subject with the name of the data file from which the personal data was obtained, and the name and contact information of the controller of the file. In addition, the use of the Internet or e-mail for direct marketing to a private person is prohibited without that person’s consent.

The Personal Data Act applies to the processing of personal data where the file controller has a place of business in Finland or where Finnish jurisdiction otherwise extends to the file controller. If the file controller does not have a place of business within the EU but makes use of equipment located in Finland for purposes other than the mere routing of data through Finland, the Personal Data Act would apply and the relevant filing and registration obligations must be met. The Finnish authorities would likely view that the use of cookies constitutes the use of equipment for purposes other than mere routing. Additionally, the transfer of employees’ and job applicants’ personal data has to be directly necessary for the employment relationship.

The income received from electronic commerce is taxed as income in Finland in the same manner as income derived from customary commerce is taxed. However, the crucial question in crossborder electronic commerce is which of the countries involved has the taxing power. When determining this, the relevant issues are the definition of the concept of a permanent establishment (eg, does a server located outside the seller’s country of domicile constitute a permanent establishment in the country where the server is located) and the type of the income derived from electronic commerce, as the country having taxing power is determined differently, eg, for business income and for royalty income.

With respect to indirect taxation, current Finnish VAT practice defines electronically delivered products as services. The Finnish VAT Act includes several place of supply rules regarding the sale of services. Today, electronic products are generally treated as immaterial services for VAT purposes. Hence, according to the Finnish VAT Act, immaterial services are deemed to be sold in Finland and, thus, are subject to Finnish output VAT, if the buyer is an entrepreneur and the service is delivered to the buyer’s permanent establishment in Finland or, if the service is not delivered to the buyer’s Finnish or foreign permanent establishment, the buyer has its domicile in Finland. Thus, also a foreign buyer can be charged with Finnish output VAT if the digital product is delivered to its Finnish permanent establishment. In case the seller has not been registered for VAT purposes in Finland, the buyer is liable to pay VAT in Finland (‘reverse charge liability’). In addition, the delivery of digital products via the Internet from Finland abroad is subject to Finnish output VAT, if the buyer is an individual domiciled in the EU.

On 1 July 2003 the Finnish VAT Act will be harmonised with the Directive (2002/38/EC) and Regulaion No. 792/2002 amending the Sixth VAT Directive (77/388/EEC). According to the upcoming amendments, ‘electronically supplied services’ are deemed to be sold in Finland and, thus, are subject to Finnish output VAT, also if the services are supplied from outside the EU to consumers domiciled in EU. Thus, these non-EU sellers will be obligated to VAT register in one EU country when supplying digital products to consumers in the EU. However, supplies to EU VAT registered entities will not trigger this VAT registration requirement, as the reverse charge liability will apply.

Income received from electronic commerce by a person generally liable for taxation purposes in Finland is taxable income in Finland regardless of whether the products have been sold to a Finnish or to a foreign purchaser. Further, the location of the server through which trade is directed has generally no influence on the income taxation of persons generally liable for taxation in Finland. However, depending on the applicable tax law in the country where the server is located, the server may constitute a permanent establishment. This in turn may trigger for liability and thus, entitle the country in which the server is located to levy taxes on income derived from the server.

The question whether a server located in one country creates a permanent establishment in that country is open to various interpretations. For the purposes of direct taxation, if the permanent establishment concept is interpreted traditionally in accordance with the OECD model tax treaty, the server itself in the absence of other activity is unlikely to give rise to a permanent establishment. However, if the server satisfies the geographical permanency and the time requirement implied under the concept of permanent establishment, it may be possible that Finnish tax authorities would broaden their interpretation of the permanent establishment concept to cover the server.

It should be noted that a fixed establishment can be deemed to exist more easily for VAT purposes than a permanent establishment for income tax purposes in Finland. Only a web site maintained in a server of a Finnish operator should not constitute a permanent establishment to a foreign entity, but if a foreign company locates its own server and employees to carry on those activities in Finland, the server can create a fixed establishment for Finnish VAT purposes. It has also been discussed that a leased server with necessary software could constitute a permanent establishment if the company has personnel in Finland. However, there is no public case law in this area.

Finnish sellers and foreign sellers with a fixed establishment in Finland may be subject to VAT in Finland and thus must register for VAT with the regional tax office with jurisdiction over the region where the fixed establishment or real property is located. Foreign sellers without a fixed establishment in Finland must register with the Uusimaa regional tax office for VAT, if the buyer is a foreign company without a fixed establishment in Finland and which has not been registered for VAT purposes in Finland, if the buyer is an individual, or if the on-line services comprise teaching, scientific services, cultural, entertainment or sports events or other similar services performed in Finland as well as services related directly to the arrangement of the aforementioned, as the reverse charge liability is not applicable in these situations. However, a foreigner may also otherwise on application be registered as a person liable to tax in respect of his sales in Finland. Moreover, as of 1 July 2003 digital service providers located outside the EU will be obligated to VAT register in one EU country when supplying digital products to consumers in the EU. However, supplies to EU VAT registered entities will not trigger this VAT registration requirement, as the reverse charge liability will apply.

An application for VAT registration must be submitted prior to the commencement of business operations in Finland. Foreign companies that are subject to zero tax rates should register to be eligible for a refund of the VAT included in purchases made in Finland.

Domestic Internet sales are subject to a VAT of 22 per cent. However, there are also three reduced rates: 17 per cent, which is applied to foodstuffs and animal feed (excluding restaurant services, alcoholic beverages and tobacco products), 8 per cent, which is applied, eg, to passenger transportation services, books and medicines and 0 per cent, which is applied to subscribed magazines and newspapers. While online sales are taxed as service sales there is no certainty as to whether online sales could be subject to the lower tax rates applicable to sales by conventional means.

With respect to VAT, the return of goods by a Finnish customer in exchange for a refund by a company located in the European Union is treated as an adjustment item to an intra-Community acquisition of goods or so-called ‘distance’ supply of goods. If the seller is an offshore company located outside the European Union, VAT related to the import of goods in Finland would not be refunded by Finnish customs if the offshore company would be eligible for a refund or deduction of VAT included in purchases made in Finland. The offshore company would make the aforementioned refund of VAT, which is included in purchases in Finland, on the basis of an application to the Uusimaa regional tax office.

According to Finland’s 2001 Gambling Act, only a registered association, an independent foundation or other non-profit organisation domiciled in Finland may run a lottery or gambling operation. Any lottery or gambling operation in which a player may win money requires a licence from Finland’s Council of State. Only one licence is valid at a time for each type of ‘gaming’ (eg, slot machines, toto games, lotteries). Currently, three organisations hold licences. The National Lottery of Finland, Oy Veikkaus Ab, may organise lotteries. Casinos are operated by Raha-automaattiyhdistys (RAY), the Slot Machine Association, and toto games may only be organised by Fintoto Oy. Revenues from lotteries and gambling operations are used for funding non-profit activities. In addition to the lottery and gambling monopoly on the Finnish mainland, Finland’s Åland Islands region has its own lottery and gambling laws and even its own gambling association, Ålands Penningautomatförening (PAF), which is operated under the supervision of the provincial government of the Åland Islands. The Åland Islands, which are located southeast of the Finnish mainland, form an autonomous province of Finland with a population of 25,000 Swedishspeaking inhabitants. The autonomy of the Åland Islands is protected under the Finnish Constitution and is governed by the 1991 Autonomy Act.

PAF launched its first online gambling service in 1999. The Åland government gave PAF the right to open the online gambling website stating that the location of online gambling takes place where the gaming licence, the game administration and the server are located, independent from the location of the player. This view was questioned in Finnish courts by the Finnish government and Veikkaus, but the dispute was decided in favour of the Åland Islands by the Finnish Supreme Court.

An amendment was proposed to the Gambling Act in 2001 imposing that any person offering or running a gambling operation or a lottery over the phone, the Internet or over any other similar technical means from the Åland Islands has to ensure that a person permanently domiciled on the Finnish mainland can not participate in such gambling operation or lottery. The Finnish President decided not to ratify the amended law as the law was criticised as violating the Autonomy Act. The President requested an opinion from the Finnish Supreme Court who also viewed that the law violated the Finnish Constitution.

The new Gambling Act was, however, passed by the Finnish Parliament after amending it to allow the provincial government of the Åland Islands to control the fulfilment of the obligation to prevent individuals resident on the mainland from participating in the online gambling and to impose a conditional fine, if necessary. Presently, PAF continues to offer an online lottery to the residents of the Finnish mainland.

There are no specific rules concerning the right to use online casinos and betting websites in Finland. In practice, a personal identity code and account with a Finnish financial institution is required for restricting persons with no ties to Finland from gambling in the Finnish online gambling services. It should also be noted that gambling on credit is prohibited in Finland. Therefore, in order to pay the gambling fees, a player is required to deposit money into a playing account before commencing the gambling.

It should be noted that, depending on the field of business, there may be specific regulations that should be taken into account in an outsourcing situation. For example, the outsourcing of data processing activities does not relieve the data controller, ie, the outsourcing company, from its duty of care and liability with respect to the obligations under the Data Protection Act.

When considering the outsourcing of services, it should be noted that an agent performing outsourcing services may constitute for tax purposes a permanent establishment. For instance, under Finnish tax laws, an enterprise is deemed to have a permanent establishment in a state where a person is acting in that state on behalf of the enterprise and has, and habitually exercises, an authority to conclude contracts in the name of the enterprise. An Internet page or a server without more should not, however, qualify as a person that could give rise to a permanent establishment.

Generally, the outsourcing of a service is not considered to be a business transfer. However, when certain prerequisites are met, the outsourcing of a service may be viewed to be a business transfer, even if no other assets than labour are transferred. Finland adheres to EU Directive (77/187/EEC) on business transfers and provides substantial protection to employees in such transfers. For instance, in a business transfer the employees of the outsourced unit are transferred as ‘old employees’ to the new business. If an employer has given termination notice to its employees, the employer is obliged to rehire these employees if, within a ninemonth period commencing after the notice, similar tasks become available. It should be noted that this obligation concerns the transferee of the business as well, if the employee has been given termination notice before the date of the business transfer.

According to Finland’s 1978 Codetermination Act, codetermination negotiations with employees must be commenced in preparation of a business transfer if the company has more than 30 employees.

The right to the freedom of speech is protected under Finland’s 1999 Constitution and includes also the right to receive information. Currently, there are no specific regulations concerning the liability of the website provider in Finland with respect to informational mistakes, as Finland’s 1919 Act on the Freedom of the Press is only expressly applicable to printed publications. Therefore, Finland’s general laws concerning criminal acts, such as defamation, and indemnification are applicable.

A government bill proposing a new Act on the Freedom of Speech in Mass Communications has been submitted to the Finnish Parliament and is expected to enter into force in autumn 2003, at the earliest. The new Act aims to be applicable to all forms of communications regardless of the means of storage, publication or distribution. The new rules also clarify the rights, obligations and liability of publishers and contain provisions regarding the right of an infringed party to have a rejoinder or a rectification published.

Finland has harmonised its laws with EU Directive (96/9/EC) on the legal protection of databases. According to Finland’s 1961 Copyright Act, the creator of a database has an exclusive right to control all or a significant part of the content of its database by restricting the right to produce or distribute copies of the database. This exclusive right vests for a period of 15 years from, as a general rule, the publication of the database. However, the creator of the database cannot prohibit or restrict a legitimate user from, as a rule, using an insignificant part of the database for any purpose. Any contractual term to such effect is deemed to be ineffective.

If access to a database is restricted by technical means, unauthorised access to the database may constitute breaking into a computer system and hence be criminalised under Finland’s Penal Code. The sentence for such crime is a fine or imprisonment for up to one year.

The law that harmonises Finnish law with EU Directive (2002/58/EC) on data security in electronic communications is expected to enter into force in October 2003. Also, the new Act on Domain Names is expected to enter into effect during the summer of 2003.

During 2003 the proposed Act on the Freedom of Speech in Mass Communications and the second phase of the revision of Finland’s 1997 Communications Market Act are expected to enter into force.

Additionally, a government bill was submitted in October 2002 to the Finnish Parliament to harmonise Finland’s 1961 Copyright Act with the Digital Copyrights Directive (2001/29/EC). The laws proposed by the bill were expected to enter into force during the spring of 2003. However, due to constitutional law concerns, users’ concerns about overly broad rights protection provisions, and time restraints, the Finnish Parliament has allowed the bill to lapse. At this time there is no indication as to when the next bill will be presented for legislation.

www.globalcompetitionreview.com