Who is a communications provider? – New interpretations from the Finnish Communications Regulatory Authority
At the start of last year, a new group of operators, collectively referred to as ‘other electronic communications providers’, became subject to information security and data protection regulation under the Information Society Code. The law requires all electronic communications service providers to ensure the privacy and information security of user communication.
The obligation to ensure the privacy of users has been extended to encompass all services that enable users to communicate with each other, even when communication between users is just one feature of the service.
According to a recent statement by the Finnish Communications Regulatory Authority (FICORA), online dating websites that offer a messaging feature between users as part of their service are an example of operators that would be regarded as communications providers.
The provision and maintenance of communications solutions, such as Wilma – which enables communication between teachers and parents – would also be classified as communications providers, according to FICORA. Similarly, parties that offer applications or services to sports clubs or teams through which team members, guardians and coaches can send messages or newsletters to each other are considered communications providers. According to FICORA, the communication between users does not have to be two-way (i.e., users may not be able to directly respond to messages).
What is perhaps most surprising is that, according to FICORA, individual cafés that provide a Wireless Local Area Network (WLAN) would be classified as communications providers in the same way as telecommunications operators.
It is often necessary for a communications provider to process messages and traffic data in order to provide a functioning service and resolve any technical problems. In practice, a communications provider can only access communication between users and the associated traffic data with the permission of the user or on legal grounds. In addition, user communication and information relating to it must be secured against access or editing by external sources.
It remains to be seen how businesses cope with this red tape and the new information security and data protection requirements it brings. It should be noted that this expansion of information security and data protection regulation to other communications providers is, for the time being, only in place in Finland.