Artificial intelligence is currently a leading topic in the business world. Many companies are intensively trying to understand the significance of AI for their businesses – both as a risk and an enabler. Legislators have not been idle either. In Finland, the new national legislation on automated decision-making by public authorities entered into force this year already, and in the EU, the AI Act will likely soon follow suit.
8.11.2023
Prepare for the new wave of digital regulation
Kim Parviainen, Eija Warma-Lehtinen & Sakari Salonen
Related services
Many companies are still trying to figure out what AI means exactly. Legislators have had the same problem: the definition of AI and, consequently, the AI Act’s scope of application have raised a great deal of debate. Under the broadest interpretation, many common present-day software solutions could be labelled `artificial intelligence’. At the moment, however, it seems that the definition included in the Act will be somewhat narrower than the wording in the first draft. Even though the AI Act is not yet in force, every company that produces and uses technology should already find out the extent to which the new regulation could apply to it since the proposal includes obligations to both producers and users of AI solutions.
The AI Act introduces new regulatory techniques
The AI Act introduces regulatory techniques that are somewhat new to the general IT industry. The exact obligations imposed by the Act depend on the risk rating the Act gives to a particular AI solution, and the specific content of the obligations is also determined by standards separate from legislation in the same way as, for example, in product safety legislation. Even though the Act does include a set of obligations, many of them are relatively generally formulated in the Act itself. The idea is that the obligations will be specified in more detail in technical standards, and compliance with these standards creates the presumption of compliance with legislation. Even though it is only a presumption, we have long since learned from product safety legislation that in practice the standards form an integral part of the regulatory framework.
The supervision of AI solutions raises questions
The supervisory solutions related to the Act have also raised a lot of discussion. Since many AI solutions are, in practice, based on the processing of personal data, many issues related to AI, such as the use of customer data to improve the service itself and the transfer of data to third-country cloud services, are already familiar from data protection legislation. To avoid the problem of having several supervisory authorities, some have suggested that data protection authorities would be the natural choice for supervising AI as well. This solution is not, however, without problems.
Under the AI Act, high risk systems subject to the most severe restrictions would also include systems where the related risks do not necessarily concern the processing of personal data. For example, the suggested high risk rating of road transport and electricity supply systems is likely based on concerns other than those related to personal data, even though some personal data is processed in these systems. In addition, it should be taken into account that the regulatory techniques based on product safety and technical standards would be more or less new to data protection authorities. We will keep monitoring the development of the AI Act and its supervision arrangements with great interest. Perhaps some conclusions may be drawn from the fact that the suggested national supervisory authority for the EU Data Governance Act is the Finnish Transport and Communications Agency.
We are also interested in seeing how the contractual practices around AI will develop. For example, Microsoft has already released an update to its terms and conditions, defining liabilities related to AI-generated content. Now is the time to establish contractual and market practices, and many want to take part in steering the development.
The EU is revamping digital regulation
AI is not the only digital regulation project by the EU that provokes discussion among businesses, far from it. There are several ongoing regulatory projects, and the upcoming EU Data Act, for example, is a key aspect in the regulation agenda of many companies. Among other things, the Act will require device manufacturers to increase the transparency and shareability of the data collected by their devices.
We are here to support our clients through the change of digital regulation in terms of both AI and other solutions. If you wish to discuss AI, its regulation or other themes of this blog in more detail, please do not hesitate to contact the authors.
Latest insights
Article published 2.2.2026 – Data & Technology
Avoid costly risks with well-drafted distribution agreements
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Topi Lusenius & Samuli Salminen
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025
Oomi – Expansion into mobile telecommunications
We assisted Oomi Oy in its expansion into the mobile telecommunications market with the launch of Oomi Mobiili, a new MVNO brand. Our work covered the preceding due diligence process as well as structuring and negotiating key partner agreements, laying a solid foundation for Oomi’s entry into the new market. Oomi Mobiili will operate as a virtual mobile network operator, offering customers the option to purchase a mobile subscription together with their electricity contract. The phased launch is set to begin in autumn 2025, with nationwide availability targeted for early 2026.
Case published 15.8.2025