Finland: A stronger focus on data security and confidentiality of communications

Finland maintains a leading global position in data security, with comprehensive regulations extending across all sectors and encompassing national, economic, and private interests. The national security dimension is being reinforced in 2026 through updated regulation from the Finnish Transport and Communications Agency (Traficom) concerning critical parts of communications networks that will expand the scope of the regulation to 5G network base stations in certain aspects.  At the intersection of private and economic interests, we highlight below heightened attention regarding confidentiality of communications requirements and their implications for trade secret protection capabilities in Finland.

Navigating confidentiality of communications regulation and trade secret protection in Finland

In the digital economy, data is one of the most valuable organisational assets. Organisations increasingly deploy Data Loss Prevention (DLP) tools to monitor, detect, and block critical data from leaving corporate networks.

However, as DLP tools monitor data traffic, the confidentiality of electronic communications may restrict such monitoring. In Finland, the definitions of electronic communications and traffic data have been interpreted very broadly, extending communications confidentiality to various types of data transfer beyond actual message sending. The Act on Electronic Communications Services (917/2014) ("eComms Act") places strict limitations on organisations' ability to monitor and process such data. Although Finnish law has long provided trade secret protection exceptions, relying on these exceptions requires preparatory measures and organisations have not utilised the exception. Only within the past years has traffic data monitoring for trade secret protection received significant attention.

The confidentiality of electronic communications under Finnish law

The eComms Act establishes that electronic communications and associated traffic data are confidential. Therefore, the processing of electronic communications and traffic data is permissible only within the limits expressly provided by statutory law.

Under the eComms Act, an electronic communication means information transmitted or distributed electronically, encompassing telephone calls, emails, text messages, and comparable communications.

Traffic data means information that can be associated to a legal person or natural person that is processed for the purpose of conveying communications in a communications network, including sender and recipient information, communication time, duration and volume, message type, and terminal equipment location.

These definitions extend the protection of electronic communication to scenarios organisations might not recognise as "communication". Based on eComms Act’s preparatory materials, visiting a website or logging into an online service constitutes communication. Therefore, for example, traffic data regarding data transfers to a third-party cloud storage may fall within the scope of communications confidentiality protection, potentially limiting employers' ability to protect trade secrets when employees leak data.

Specific provisions for protecting trade secrets

The eComms Act permits organisations to process communications data for protecting trade secrets. Critically, organisations may process only traffic data, not message content.

Subject to the compliance requirements listed below, organisations may process traffic data automatically to prevent trade secret disclosures. In specific situations, organisations may also process traffic data manually to investigate trade secret disclosures where reasonable cause exists to suspect a breach. This means organisations may identify that an employee has sent a large file to an external email address or uploaded documents to personal cloud storage but cannot examine the content of communication under this provision.

Compliance requirements

The eComms Act includes mandatory compliance obligations for processing traffic data for trade secret protection. The organisation must define which individuals are authorised to process trade secrets, as monitoring may only target these individuals. Further requirements include: written user instructions; defined processing procedures for automated and manual monitoring; annual reporting on monitoring activities and outcomes; cooperation with employee representatives on monitoring practices; and notification to the Data Protection Ombudsman before starting monitoring. Until recently, virtually no notifications had been submitted to the Data Protection Ombudsman. However, the number of notifications has now increased significantly, signalling growing attention to trade secret protection.

Conclusion

Specific rules govern how organisations may process communications data for trade secret protection in Finland. Organisations can monitor only traffic data, not message content, and must comply with strict procedural requirements including notification and reporting obligations. Until recently, organisations paid little attention to these requirements. However, notification numbers have now risen significantly, reflecting growing awareness as organisations implement compliance monitoring practices. This increase will likely prompt the Ombudsman to pay greater attention to traffic data monitoring in its supervisory work.