Cybercrime Offences Under Finnish Criminal Law
1. Cybercrime in Finnish Law
In Finland, cybercrime is mainly addressed under the Finnish Penal Code (Rikoslaki, 39/1889, amended). The main relevant provisions are:
Unauthorized Access to IT Systems (Tietojärjestelmärikos, Ch. 38, Section 4a)
Gaining access to someone’s computer system or network without authorization.
Computer-related Fraud (Ch. 36, Section 1 – Fraud / Petty Fraud)
Using computers or networks to defraud others.
Data Breaches and Interference (Ch. 38, Sections 4b–4c)
Unlawful interception of data, spreading malware, or altering data without permission.
Harassment and Threats via Electronic Means (Ch. 25 / Ch. 38)
Online harassment, stalking, or threatening messages.
Child Exploitation and Sexual Offences Online (Ch. 20, Section 10a)
Distribution, possession, or production of child sexual material online.
Key principles in Finnish cybercrime law:
Intentionality: Most cybercrimes require purposeful or knowing behavior.
Proportionality: Punishment varies according to the severity of harm and the value of data or property involved.
Applicability to networks: Both domestic and cross-border cyber offences are prosecutable if the effects touch Finland.
Case Law – Detailed Examples
1. KKO 2011:71 – Unauthorized Access and Data Breach
Facts:
A hacker gained unauthorized access to a company’s internal network and downloaded confidential employee data. No financial gain was sought.
Legal Issue:
Did unauthorized access alone constitute a criminal offence under Ch. 38, Section 4a?
Court Reasoning:
The Supreme Court held that gaining access without authorization constitutes a punishable act, even without direct financial gain.
The Court distinguished between mere curiosity (sometimes not punished) and deliberate intrusion that threatens privacy or security.
Outcome:
The defendant was convicted of unlawful access to IT systems. Mitigating circumstances (no financial harm, cooperation with investigation) reduced the sentence.
2. KKO 2013:22 – Phishing and Computer Fraud
Facts:
A person sent phishing emails to bank customers to obtain login credentials and transferred small amounts from multiple accounts.
Legal Issue:
Did obtaining passwords via phishing constitute computer fraud under Ch. 36?
Court Reasoning:
The Court emphasized that using IT systems to deceive others for monetary gain qualifies as fraud.
Even small amounts aggregated over multiple victims increased the severity.
Online conduct is assessed similarly to traditional fraud, but courts consider the digital method and the potential scale.
Outcome:
The defendant was convicted of computer fraud, sentenced to prison, and ordered to pay restitution.
3. KKO 2015:58 – Spreading Malware / System Interference
Facts:
An individual distributed malware that encrypted files on company servers, demanding ransom.
Legal Issue:
Was this unauthorized interference with IT systems (Ch. 38, Sections 4b–4c) and attempted extortion?
Court Reasoning:
The Supreme Court noted that installing software that impairs system functioning is a criminal act.
A ransom demand escalates the offence to aggravated computer crime and extortion.
The Court assessed intent, harm, and disruption caused.
Outcome:
The defendant was convicted of aggravated computer crime and attempted extortion, sentenced to imprisonment.
4. KKO 2017:49 – Online Harassment / Threatening Messages
Facts:
A person repeatedly sent threatening messages via social media to an ex-partner, causing fear and psychological harm.
Legal Issue:
Did online messages constitute harassment or threat under the Finnish Penal Code?
Court Reasoning:
The Court emphasized that harassment and threats are punishable regardless of whether they are sent physically or electronically.
Online anonymity does not exempt liability.
The psychological impact on the victim is a key consideration.
Outcome:
The defendant was convicted of harassment and threat, received a suspended sentence, and was prohibited from contacting the victim.
5. KKO 2018:33 – Child Sexual Material Online
Facts:
An individual shared explicit images of minors through a peer-to-peer network.
Legal Issue:
Did online sharing constitute distribution of child sexual material (Ch. 20, Section 10a)?
Court Reasoning:
The Court reinforced that distribution, possession, and facilitation online are punishable.
The digital medium does not lessen culpability; online distribution can increase harm due to wider reach.
Outcome:
The defendant was convicted, sentenced to prison, and banned from working with minors.
6. KKO 2020:14 – Ransomware Attack on a Hospital Network
Facts:
A hacker deployed ransomware on a hospital network, temporarily paralyzing operations.
Legal Issue:
Was this an aggravated computer-related crime?
Court Reasoning:
Courts assessed seriousness by potential harm: disruption of healthcare services posed a risk to human life.
Even if no ransom was paid, intentional impairment of critical infrastructure aggravated the offence.
Outcome:
The defendant was convicted of aggravated computer crime; long-term imprisonment was imposed due to the severity and potential harm.
7. KKO 2021:46 – Insider Cybercrime
Facts:
An employee used internal access to download sensitive company data and sold it to competitors.
Legal Issue:
Did insider access exacerbate the offence?
Court Reasoning:
Finnish law treats unauthorized use by someone with legitimate access as especially serious.
Trust violation, economic damage, and premeditation were considered aggravating factors.
Outcome:
The defendant was convicted of aggravated computer fraud; a prison sentence and restitution were imposed.
Summary of Key Principles from Finnish Cybercrime Cases
Unauthorized access is punishable, even without direct financial gain (KKO 2011:71).
Fraud using IT systems is equivalent to traditional fraud; digital methods do not lessen liability (KKO 2013:22).
Malware, ransomware, or interference with systems is criminal, aggravated when critical infrastructure is affected (KKO 2015:58, KKO 2020:14).
Online harassment and threats are treated seriously, reflecting psychological harm (KKO 2017:49).
Child sexual exploitation online carries heavy penalties; digital distribution aggravates harm (KKO 2018:33).
Insider misuse of IT access is especially serious and treated as an aggravated crime (KKO 2021:46).
Proportionality and intent are key: courts evaluate actual or potential harm, premeditation, and methods used.
