8.11.2023

Prepare for the new wave of digital regulation

Artificial intelligence is currently a leading topic in the business world. Many companies are intensively trying to understand the significance of AI for their businesses – both as a risk and an enabler. Legislators have not been idle either. In Finland, the new national legislation on automated decision-making by public authorities entered into force this year already, and in the EU, the AI Act will likely soon follow suit.

Many companies are still trying to figure out what AI means exactly. Legislators have had the same problem: the definition of AI and, consequently, the AI Act’s scope of application have raised a great deal of debate. Under the broadest interpretation, many common present-day software solutions could be labelled `artificial intelligence’. At the moment, however, it seems that the definition included in the Act will be somewhat narrower than the wording in the first draft. Even though the AI Act is not yet in force, every company that produces and uses technology should already find out the extent to which the new regulation could apply to it since the proposal includes obligations to both producers and users of AI solutions.

The AI Act introduces new regulatory techniques

The AI Act introduces regulatory techniques that are somewhat new to the general IT industry. The exact obligations imposed by the Act depend on the risk rating the Act gives to a particular AI solution, and the specific content of the obligations is also determined by standards separate from legislation in the same way as, for example, in product safety legislation. Even though the Act does include a set of obligations, many of them are relatively generally formulated in the Act itself. The idea is that the obligations will be specified in more detail in technical standards, and compliance with these standards creates the presumption of compliance with legislation. Even though it is only a presumption, we have long since learned from product safety legislation that in practice the standards form an integral part of the regulatory framework.

The supervision of AI solutions raises questions

The supervisory solutions related to the Act have also raised a lot of discussion. Since many AI solutions are, in practice, based on the processing of personal data, many issues related to AI, such as the use of customer data to improve the service itself and the transfer of data to third-country cloud services, are already familiar from data protection legislation. To avoid the problem of having several supervisory authorities, some have suggested that data protection authorities would be the natural choice for supervising AI as well. This solution is not, however, without problems.

Under the AI Act, high risk systems subject to the most severe restrictions would also include systems where the related risks do not necessarily concern the processing of personal data. For example, the suggested high risk rating of road transport and electricity supply systems is likely based on concerns other than those related to personal data, even though some personal data is processed in these systems. In addition, it should be taken into account that the regulatory techniques based on product safety and technical standards would be more or less new to data protection authorities. We will keep monitoring the development of the AI Act and its supervision arrangements with great interest. Perhaps some conclusions may be drawn from the fact that the suggested national supervisory authority for the EU Data Governance Act is the Finnish Transport and Communications Agency.

We are also interested in seeing how the contractual practices around AI will develop. For example, Microsoft has already released an update to its terms and conditions, defining liabilities related to AI-generated content. Now is the time to establish contractual and market practices, and many want to take part in steering the development.

The EU is revamping digital regulation

AI is not the only digital regulation project by the EU that provokes discussion among businesses, far from it. There are several ongoing regulatory projects, and the upcoming EU Data Act, for example, is a key aspect in the regulation agenda of many companies. Among other things, the Act will require device manufacturers to increase the transparency and shareability of the data collected by their devices.

We are here to support our clients through the change of digital regulation in terms of both AI and other solutions. If you wish to discuss AI, its regulation or other themes of this blog in more detail, please do not hesitate to contact the authors.

Latest references

We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025
We assisted Oomi Oy in its expansion into the mobile telecommunications market with the launch of Oomi Mobiili, a new MVNO brand. Our work covered the preceding due diligence process as well as structuring and negotiating key partner agreements, laying a solid foundation for Oomi’s entry into the new market. Oomi Mobiili will operate as a virtual mobile network operator, offering customers the option to purchase a mobile subscription together with their electricity contract. The phased launch is set to begin in autumn 2025, with nationwide availability targeted for early 2026. 
Case published 15.8.2025
We advised Nevel Oy in its acquisition of the business of Labio Oy. Lahti Aqua Oy and Salpakierto Oy sold their entire shareholdings in Labio to Nevel, expanding Nevel’s already significant biogas portfolio. The transaction will have no impact on Lahti Aqua’s water utility operations or Salpakierto’s municipal waste management responsibilities. Labio’s operations and customer relationships will continue as before. ‘This partnership is a natural next step for us as we continue investing in sustainable material efficiency and renewable energy solutions. By integrating Labio’s comprehensive offerings and expertise, we can provide customers with a strong platform for material circularity. We are also strengthening our market position as one of Finland’s leading material efficiency solution providers,’ says Ville Koikkalainen, Director of Industrial and Biogas Business at Nevel. Nevel is an energy infrastructure company offering advanced, climate-positive solutions for industry and real estate. It operates more than 130 energy production plants and manages over 40 district heating networks. Nevel’s annual turnover is EUR 150 million, and it employs 190 experts in Finland, Sweden and Estonia.
Case published 16.7.2025
The Supreme Administrative Court (SAC) issued a significant precedent (decision KHO:2025:23) in a case in which it found that the Finnish Motor Insurers’ Centre (Liikennevakuutuskeskus, LVK) processed patient data in accordance with the requirements concerning fairness, data minimisation, and privacy by design and by default when deciding on compensation claims. We represented LVK in this case in which the SAC upheld the Administrative Court’s decision to repeal the EUR 52,000 administrative fine imposed on LVK by the Sanctions Board of the Office of the Data Protection Ombudsman. The SAC also confirmed the Administrative Court’s decision, which, as far as we know, was the first of its kind in Finland, ordering the Office of the Data Protection Ombudsman to reimburse some of our client’s legal costs. The decision bears great significance for the insurance industry as a whole. The crux of the matter were LVK’s information requests under the Motor Liability Insurance Act for patient data that were essential in determining insurance or compensation claims. In certain cases, making a decision may require extensive patient data. The Office of the Data Protection Ombudsman had found that LVK had systematically made overly broad information requests infringing Articles 5 and 25 of the GDPR and that the information should have been provided in the form of separate medical opinions. The Administrative Court repealed the Data Protection Ombudsman’s decision and found that patient records from medical appointments are, as a general rule, essential in establishing causality in compensation matters. It also stated that the tasks related to the consideration of compensation matters are specifically the core tasks of the insurance company and not of the controller of patient data. Furthermore, the Administrative Court found no evidence indicating that LVK would have systematically made overly broad information requests. ‘Once again, our collaboration with C&S was seamless throughout this extensive process, and we could trust that our case was in expert hands’, says Visa Kronbäck, Chief Legal Officer of the Insurance Centre. The full decision is available on the SAC website (in Finnish):  KHO:2025:23.
Case published 18.6.2025