On data retention and Estonia

The government of Estonia like to promote it as a digital society. There is much to be happy with: many state services are delivered with minimal hassle and projects like the so-called e-residency and internet voting are innovative and potentially transformative. However, unlike Estonia’s Nordic neighbour Sweden, the e-state is built upon a foundation that does not fully take into account basic human rights such as protection of personal data.

Consider the case of the data retention directive, which was introduced to the Estonian legal order with no debate whatsover. Estonia’s version of the data protection laws are a privacy nightmare: any government agency with an investigative function, from tax authorities to environmental protection officers have access to the retained data. Also, a direct access system is used by the authorities to access the mobile operators’ networks, which means that even the ICT companies themselves have to rely on the state authorities for statistics.

Even though the Court of Justice of the European Union has declared the data retention directive invalid, Estonia’s overbroad law remains. In last December’s Tele2 Sverige and Watson judgment the CJEU clarified such laws are incompatible with EU law. In Estonia, this caused no discussions or debates until up to a few weeks ago when two lawyers raised the issue in a daily newspaper. Even with the support of prominent legal scholars such as Estonia’s former judge in ECHR, the discussion was met with delaying tactics by the government.

The Minister of Justice Urmas Reinsalu deflected the criticism by stating that the case was about so-called meta-data (i.e. location, etc data) and not the content of phone calls. He also implied that CJEU required racial or other types of discriminatory profiling if mass-surveillance of all cannot take place. Finally he brought out the argument that it means less tools for the police to ensure safety. None of the arguments are valid in light of the CJEU decision.

Estonian Human Rights Centre has written to Estonia’s three big telecom service providers (Telia, Elisa, Tele2) to ask for further information regarding their practices regarding data retention in light of the CJEU case law. So far just one has responded with a short one-paragraph message that it follows Estonian law in this case.

The success or failure of the Estonian democratic e-state depends ultimately on whether the government can take human rights, including the right to privacy seriously. The data retention case seems to indicate it does not.

#privaatsus-en