As with all work, prioritising AI-related legal tasks is essential to ensure you focus your time where it is most needed. Even knowing this, the constant overflow of to-dos can be overwhelming – especially when every task is accompanied by a request to complete it yesterday. In this D&I Quarterly series, Iiris Kivikari, our Head of IP, Media and AI, gives you a peek into what is taking up space on our team members’ (virtual) desks in order to help you figure out what AI work you might want to be focusing on right now.
Confidentiality of communications is king
Many of the AI tools our clients are currently looking into and/or actually using aim to keep them cyber safe, help their employees manage their workflow better and/or automate some of the more menial tasks they face daily. Given the amount of time an average office worker spends in Teams meetings, sending and receiving emails, and otherwise communicating through the IT systems available to them, many such streamlining initiatives entail tapping AI into employee communications.
In many countries, this might not seem like a red flag issue. For example, some of the comments we have heard from our international colleagues over the years when it comes to employee communications include: “confidentiality of communications does not apply to work emails” and “it’s not an employee’s communication as such if it is sent from a company provided device”. Although this might be the case in other jurisdictions — as a Finnish lawyer, I will leave it up to you to research and decide — it is definitely not the case in Finland.
In Finland, the constitutional right of confidentiality of communications is king and any exceptions are few and far between.
In Finland, the constitutional right of confidentiality of communications is king and any exceptions are few and far between. As a result, the starting point is that even work-related communications sent from a company provided device are confidential, regardless of what size or form they come in. This is not to say that AI tools can never collect or process communications data, it just means that we as lawyers have homework to do so that we are able to properly identify and apply the exceptions available to us.
When implementing AI solutions in the context of communication, it is therefore important to carefully identify the specific requirements arising from Finland’s exceptional regulations. To give you a picture of what this entails, here are two examples of what our team at D&I has been working on recently.
Data security AI tools
When it comes to electronic communications in a work environment, Finnish law recognises a few exceptions to the main rule of confidentiality of communications. The idea is to allow employers to process employee communications in the rare situation where this can be seen as “acceptable” when balancing the interests of the employer with those of the employee. As a result, there are provisions in place that allow companies to collect, analyse and even read employee communications or parts thereof in order to, for example, ensure data security, protect trade secrets and/or open employee emails when an employee is absent. Although the scope of each exception is rather narrow, and many of them require companies to jump through quite a few procedural hoops in order to apply them, they have traditionally provided solutions to many — even the majority — of the issues companies face in the course of their business.
When it comes to AI, the reoccurring challenge is the fragmented nature of these exceptions. While the same AI tool might be able to tackle several different types of communications data processing all at once, Finnish law often sets out a different set of rules for each purpose the AI tool is used for.
Therefore, in order to get an AI system up and running, start by taking a look at why (i.e., the purpose), what types of communications and how they are processed — and start working your way up from there.
When implementing AI solutions in the context of communication, it is important to carefully identify the specific requirements arising from Finland’s exceptional regulations.
AI assistants
When it comes to GenAI tools aimed at helping employees in their day-to-day work, a lot of the data collected by such tools is data created by or on each user themselves — or data on their communications. This is good news, as the confidentiality of communications set out in Finnish law is meant to provide protection against third parties — not the correspondents themselves. Therefore, in general, each sender and recipient of a message may do with it as they please, including subject it to processing by an AI tool.
Naturally, these communications come in many shapes and sizes: Teams calls, emails, instant messaging, web browsing and text messages are all included, not even mentioning face-to-face conversations and telephone calls. With some mediums it is easy to tell who a message is sent to or who is a true participant in a conversation — and who is therefore able to process it as a party to the correspondence — while with others this requires more investigation and reasoning.
As a result, an efficient way to mitigate the risks involved with AI assistants is to take a close look at all the communications available to an AI tool and ensure that each employee is only tapping into communications that they are the proper sender and/or recipient of or that they otherwise have lawful access to. This will not mitigate all the risks involved, but it will likely get you a lot further than you perhaps thought.