Criminal Lawyers Finland 2026: Police Criminal Intelligence, Internal Investigations & Privilege

Finland’s government sent a landmark draft proposal on police criminal intelligence for public comment on 19 February 2026, followed by an Intelligence Ombudsman statement on 25 February 2026 and a further Valtioneuvosto update on civilian intelligence disclosure on 14 April 2026. Together, these spring 2026 proposals would create a standalone police criminal intelligence regime, grant broader information-disclosure powers to intelligence authorities, and reshape how corporate internal investigations interact with state investigatory activity. For general counsel, compliance officers, board members and criminal lawyers Finland-wide, the practical implications are immediate: privilege protocols, forensic-evidence handling and board escalation procedures all require urgent review.

This guide translates the official proposals into actionable practitioner guidance, with checklists, comparison tables and a step-by-step playbook for protecting corporate interests while meeting legal obligations.

What the 2026 Police Criminal Intelligence Proposals Change, Quick Guide

The draft government proposal circulated on 19 February 2026 introduces a standalone legislative framework for police criminal intelligence, distinct from both the existing Coercive Measures Act and the civilian intelligence legislation governing the Finnish Security and Intelligence Service (Supo). According to the Ministry of the Interior’s project page, the aim is to strengthen crime prevention by equipping police with dedicated intelligence-gathering and information-disclosure powers, while establishing clearer procedural safeguards and oversight mechanisms. The Valtioneuvosto announcement of 14 April 2026 confirmed that intelligence authorities would gain more extensive rights to disclose criminal information obtained through intelligence activities.

Key Definitions: Police Criminal Intelligence and Intelligence Material

The draft introduces two foundational concepts that every compliance officer and criminal defence practitioner in Finland must understand:

• Police criminal intelligence (rikostiedustelu). A systematic, proactive process of collecting, analysing and distributing information to prevent, detect or disrupt serious and organised crime, before a formal criminal investigation (pre-trial investigation) is opened. This is a critical distinction: intelligence-gathering operates under different thresholds and procedural rules than traditional pre-trial investigation.
• Intelligence material (tiedusteluaineisto). Any data, document, communication record, digital forensic output or other informational product generated, collected or processed during a criminal intelligence operation. The draft specifies that intelligence material may include communications metadata, system-operation data and analytical reports, categories that can overlap directly with corporate records.

The Ministry of the Interior’s Q&A on criminal intelligence regulations emphasises that these powers are not unlimited; they are subject to necessity, proportionality and purpose-limitation principles. However, the scope is broader than many in-house counsel may expect, particularly regarding access to communications data held by companies.

New Powers, Summary Table

How New Intelligence Powers Intersect with Corporate Privilege and Internal Investigations

The proposed police criminal intelligence bill creates direct tension points with the way companies conduct internal investigations Finland-wide. Industry observers expect this intersection to become one of the most contested areas of Finnish criminal law practice in the coming years, particularly for regulated entities and multinational groups operating through Finnish subsidiaries.

What Counts as Legally Privileged in the Corporate Context

Finnish law recognises legal professional privilege (oikeudenkäyntiavustajan salassapitovelvollisuus) as a procedural right tied to the lawyer-client relationship. For corporate privilege to hold, the communication must satisfy three conditions:

• It must be between a qualified lawyer (whether external counsel or, under limited circumstances, in-house counsel acting in a legal advisory capacity) and the corporate client.
• Its dominant purpose must be the provision or receipt of legal advice or the conduct of litigation.
• It must not have been shared beyond the circle of persons who need it for legitimate legal purposes.

Critically, corporate internal-investigation reports, interview memoranda and forensic-analysis summaries are not automatically privileged. Privilege attaches only where external counsel directs the investigation for the purpose of providing legal advice. Documents created by the company’s own compliance or HR teams, even if prompted by a legal concern, may fall outside the scope of privilege protection. This distinction becomes acute under the proposed criminal intelligence regime, where authorities may access non-privileged corporate material through the new administrative data-access routes.

When Privilege May Be Pierced by Intelligence Powers

The draft proposal does not expressly override legal professional privilege. However, two scenarios create significant piercing risk:

• Crime-fraud exception. Where there is reasonable suspicion that the lawyer-client communication itself furthered a criminal act, privilege does not apply. Under the expanded intelligence-collection mandate, police may identify suspicious communications during a criminal intelligence operation and seek judicial authorisation to access the underlying content.
• Metadata and system-operation data. The draft distinguishes between the content of communications (which remains subject to higher protection thresholds) and metadata or system-operation data (sender, recipient, timing, location, device identifiers). The proposed administrative access routes for metadata do not require a full judicial warrant. For companies, this means that even where the substance of a privileged communication is protected, the fact that it occurred, when, and between whom, may be accessible to police criminal intelligence operations.

Practical Rules for Internal Investigation Setup

Given these risks, the likely practical effect for companies conducting internal investigations Finland-wide is a need to restructure protocols from the outset:

• Appoint external counsel as the directing mind of any internal investigation where criminal exposure is possible.
• Mark all investigation documents with a clear privilege header referencing the legal advice purpose.
• Segregate investigation data from business-as-usual systems to reduce the risk of inadvertent disclosure through administrative metadata requests.
• Limit the distribution of preliminary findings to a defined “legal hold” group, typically the GC, external counsel and designated board members.

Police Access to Company Communications, Forensic Evidence and Data Disclosure, Operational Guide

One of the most frequently asked questions about Finland’s 2026 criminal intelligence proposals concerns the scope of data disclosure police Finland authorities can compel from companies. The draft creates a tiered system of access, and understanding the differences is essential for corporate response protocols.

Types of Requests: Informal, Formal, Urgent Warrants and Secret Surveillance

Forensic Evidence, Handling and Chain of Custody

Where police seek digital forensic evidence, hard drives, server images, email archives, messaging-platform exports, companies face dual obligations: complying with the legal request and preserving the integrity of evidence that may later be needed for the company’s own defence. Key chain-of-custody steps include:

• Create forensic copies (bit-for-bit images) of relevant systems before handing over originals.
• Use write-blocking tools to prevent alteration during the copying process.
• Record hash values (SHA-256 or equivalent) for all forensic images and document the time, location and personnel involved.
• Store forensic copies in a secure, access-controlled environment separate from live business systems.

Data Retention and Preservation Steps

The draft proposal’s administrative access routes for metadata create an obligation for companies to ensure their data-retention policies are defensible. Early indications suggest that authorities will expect companies to have reasonable retention periods and accessible archives for communications metadata. Practical steps include:

• Issue an immediate litigation hold / data-preservation notice upon receiving any form of police request.
• Suspend automated deletion schedules for all relevant data categories.
• Audit existing retention policies against the categories of data specified in the draft (communications metadata, system-operation data, subscriber information).
• Maintain a log of all data produced to authorities, including dates, descriptions and the legal basis cited in the request.

Director and Board Liability: What Executives Need to Know

The expanded police criminal intelligence regime heightens board liability criminal exposure in Finland. Directors and senior executives face personal risk in three principal categories.

Criminal Exposure Types

• Failure to prevent. Where a company lacks adequate internal controls and an employee commits a criminal offence that the proposed intelligence regime was designed to detect, directors may face scrutiny for organisational negligence under the Finnish Criminal Code’s provisions on corporate criminal liability.
• Obstruction and concealment. Destroying, altering or failing to preserve data after receiving a formal request, or after becoming aware that police criminal intelligence operations are underway, may constitute obstruction of justice. The expanded intelligence-disclosure powers make it more likely that authorities will detect concealment.
• Failure to report. Regulated entities (financial institutions, listed companies, entities subject to AML obligations) may have affirmative reporting duties. Failure to file suspicious-activity reports or to cooperate with regulatory referrals can trigger both criminal and administrative sanctions.

Board Minutes, Reporting, Indemnities and Insurance

Board members should ensure that their response to any criminal intelligence or police interaction is formally documented in board minutes. This creates a contemporaneous record demonstrating good-faith compliance and due diligence. Directors should also review:

• D&O insurance coverage for costs arising from criminal intelligence-related proceedings.
• Indemnification provisions in company articles of association and shareholder agreements.
• Whether existing insurance policies contain exclusions for wilful misconduct or regulatory investigations that could leave directors unprotected.

When to Self-Report

Self-reporting to prosecutors or regulators can mitigate liability, but it is not without risk. The decision must be informed by external counsel’s assessment of the specific facts, the likely trajectory of the intelligence operation and the company’s regulatory obligations. As a general principle, self-reporting is most beneficial when the company discovers misconduct before authorities do, when cooperation can demonstrate good corporate governance, and when the potential penalties for non-disclosure outweigh the risks of voluntary disclosure.

Practical Internal-Investigation Checklist and Privileges Playbook

The following 12-step checklist is designed for GCs, compliance officers and criminal lawyers in Finland managing internal investigations in the context of the 2026 proposals. It draws on established best practice in white-collar crime and corporate investigations and adapts it to the expanded intelligence environment.

Step 1–3: Governance and Scope

1. Appoint a lead. Designate external counsel to direct the investigation. Document the appointment in a formal engagement letter referencing the legal-advice purpose.
2. Define scope and mandate. Set clear terms of reference specifying the factual questions to be investigated, the time period covered and the categories of evidence to be reviewed.
3. Establish reporting lines. The investigation lead reports to the GC and, where appropriate, directly to the board audit/risk committee, not to operational management who may be subjects of the investigation.

Step 4–6: Document Protocols

4. Issue a litigation and data-preservation hold. Circulate a written hold notice to all relevant custodians, IT teams and third-party service providers. Suspend automated deletion.
5. Implement privilege markings. All documents created for the investigation must carry a header: “Privileged and Confidential, Prepared at the Direction of [External Counsel] for the Purpose of Legal Advice.”
6. Restrict distribution. Maintain a distribution log showing who received each document and when. Limit access to the legal-hold group.

Step 7–9: Forensic Protocols

7. Engage a certified forensic provider. Use an independent digital-forensics firm operating under external counsel’s direction. This strengthens the privilege wrapper around forensic outputs.
8. Preserve chain of custody. Document every forensic action: imaging, extraction, analysis. Record hash values, timestamps and personnel at each stage.
9. Segregate investigation data. Store all investigation materials on a separate, access-controlled platform, not on the company’s general IT infrastructure. This reduces the risk that intelligence-related metadata requests inadvertently capture investigation files.

Step 10–12: External Counsel Engagement and Privilege Logs

10. Maintain a running privilege log. For every document generated or collected during the investigation, record: date, author, recipient(s), subject description (without revealing privileged content) and the basis for the privilege claim.
11. Conduct witness interviews under privilege. External counsel or their delegate should conduct all interviews. Prepare interview memoranda marked privileged and store them in the segregated investigation repository.
12. Prepare a board briefing pack. At defined milestones, deliver a written briefing to the board (under privilege) summarising findings, risk assessments and recommended next steps. Board discussion and decisions should be minuted with appropriate privilege markings.

This checklist is also relevant when Finnish employment obligations intersect with investigation procedures, for example, where an employee who is a subject of the investigation also has rights under Finnish employment termination law.

Liaising with Authorities and Oversight Bodies

Effective engagement with Finnish authorities requires understanding the distinct roles of the police, Supo and the Intelligence Ombudsman, and knowing when proactive liaison serves the company’s interests.

When to Engage Police

Companies should engage police proactively where they discover evidence of criminal activity by employees or third parties that the company itself may be obligated to report (for example, under AML legislation). Proactive engagement, guided by external counsel, can position the company as a cooperative party and reduce the risk of adversarial enforcement. However, any engagement should be preceded by a privilege review to ensure that internal-investigation materials are not inadvertently disclosed.

Intelligence-Sharing: Supo, Police and Disclosure to Prosecutors

Under the proposed regime, intelligence-sharing Finland’s security landscape becomes significantly more interconnected. The Valtioneuvosto announcement confirmed that intelligence authorities, including Supo, would gain more extensive rights to disclose information obtained through intelligence activities to police for crime-prevention purposes. The Finnish Security and Intelligence Service’s published guidance on intelligence legislation explains that Supo’s intelligence-collection powers encompass both domestic and cross-border information gathering, including digital surveillance and signals intelligence. The practical implication for companies is that information disclosed to one authority (for example, data provided to police in response to a routine production order) may subsequently be shared with Supo, and vice versa, under the expanded disclosure framework.

Companies should treat any disclosure to a Finnish authority as potentially accessible to the broader intelligence community.

Oversight and Remedies, Intelligence Ombudsman and Appeals

The Intelligence Ombudsman issued a statement on 25 February 2026 addressing the draft proposal and outlining the expanded supervisory role. Under the proposed framework, the Intelligence Ombudsman gains jurisdiction to oversee police criminal intelligence operations, a significant expansion from the current mandate, which is focused primarily on civilian and military intelligence. The Ombudsman can examine the legality of intelligence methods used, investigate complaints from individuals or entities who believe their rights have been violated, and issue recommendations that, while not legally binding, carry substantial weight in practice. Companies that believe police criminal intelligence operations have exceeded lawful boundaries or improperly accessed privileged material should file a complaint with the Intelligence Ombudsman as a first remedy.

Separately, judicial review of specific warrants or production orders remains available through the district courts.

Immediate Next Steps for GCs and Corporate Counsel

Criminal lawyers Finland practitioners are advising clients to act now, before the proposals are finalised, to avoid being caught unprepared. The following action plan provides a structured timeline for corporate counsel:

• Week 1–2: Circulate an internal briefing memo to the board and senior management summarising the draft proposals and their implications for the company’s specific risk profile. Map existing internal-investigation protocols against the 12-step checklist above.
• Week 3–4: Commission an external-counsel-led gap analysis of data-retention policies, privilege protections and forensic-readiness capabilities. Identify any areas where the company’s current practices are inconsistent with the proposed intelligence-access framework.
• Month 2: Update the company’s incident-response plan to include specific procedures for responding to police criminal intelligence requests, including escalation triggers, contact lists and template response letters.
• Month 3: Deliver a formal board presentation on the updated compliance framework. Ensure board minutes reflect the discussion, decisions and any approved policy changes. Review D&O insurance and indemnification provisions.
• Ongoing: Monitor the legislative process through the Valtioneuvosto, Ministry of the Interior and Intelligence Ombudsman channels. Adjust protocols as the draft evolves. Consider engaging with the consultation process through industry bodies or directly, particularly on provisions affecting intellectual property and trade secret protections.

Companies facing corporate governance challenges should treat this reform as an opportunity to strengthen board-level oversight structures proactively rather than reactively.

Appendix: Disclosure Thresholds and Legislative Timeline

Disclosure Thresholds by Entity Type

Timeline of Key Legislative Dates

Sources

1. Prime Minister’s Office (Valtioneuvosto), Intelligence Authorities to Gain More Extensive Rights to Disclose Criminal Information
2. Ministry of the Interior, Answers on Criminal Intelligence Regulations
3. Intelligence Ombudsman, Statement on Government Draft Proposal
4. Finnish Security and Intelligence Service (Supo), Intelligence Legislation
5. Police of Finland, Internal Supervision
6. ICLG, Corporate Investigations Laws and Regulations: Finland