This chapter will focus on data protection and privacy, other aspects of right to private life (such as rights of the child and the situation of LGBTI persons) are discussed in appropriate chapters of this report.
It would probably be wrong to claim that data protection and privacy have been of secondary importance since the events of 2013 and 2014. And yet a large portion of the work as well as changes are made quietly and not through fresh acts of law, court practice or heated public debates. The Ministry of Justice, the Data Protection Inspectorate, larger data processors including information and communication service providers as well as the media are preparing for the spring of 2018 when the General Data Protection Regulation will come into force. Therefore, data protection and privacy have not become any less important, but rather the trends, which began in 2014 have once again been confirmed and they generally refer to greater control of private persons over whether, who and how can view and use their data. However, it is not certain whether resolute restriction of blanket data collection and the coming into force of the data protection framework will actually bring on the golden era of privacy rights. Parallel to raised awareness and citizen-friendly court judgments another process is taking place, where the data being observed together, is becoming something unprecedently powerful, which as an abstract sum can reveal astonishing details and predict the future, and as we know, technological opportunities always move faster than legislation.
Legislative, political and institutional developments
In spring of 2018 the EU’s General Data Protection Regulation[1] will come into force, invalidating the Personal Data Protection Act, which will be replaced by the legislative provisions of the General Data Protection Regulation. In this report, however, it is too early to talk about which shape these amendments will assume in our legal, institutional and political sphere in practice.
On April 1st, 2017 the amendment of the Taxation Act came into force giving the Estonian Tax and Customs Board access to large databases for the purpose of risk assessment or tax intelligence. Director General of the Data Protection Inspectorate expressed concern that this amendment may by default lead to mass profiling.[2] A similar effect could be had in case of careless and improper use of the Ministry of the Interior initiated idea to make hotel guest books electronic so that law enforcement authorities could detect hotel guests associated to terrorism or crime by analysing this data.[3]
The latter plan has not been written into a law just yet. The great danger with these initiatives is that computer programmes carry out mass data proceedings, and therefore the decisions based on them are influenced by technical processes, which the people administering them or being influenced by them often do not understand. Such mass data processing may lead to premature and erroneous conclusions about individuals as well as groups of people. The press representative of the Ministry of Justice Riina Solman commented that mass profiling is certainly not a general direction consciously chosen by the legislator.[4] This is entirely believable, however, the potential of acts of law regarding mass data proceedings and all other acts of law being capable of breaching fundamental rights often lies in the created possibilities of veering away from the general direction chosen by the legislator.
On 27 April 2016 the Directive 2016/618 of the European Parliament and of the council on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes (the PNR Directive) came into force. The PNR Directive had been predicted to share the same fate as the Data Retention Directive, that is, to be declared invalid on the grounds of it conflicting with the fundamental rights – this has also been called a painful déjà vu. Estonia was among the first to build a separate database for collecting and storing passenger name record data and started collecting data already in the beginning of 2016 (that is a little before the Directive came into force, and about 2.5 years before the transposition deadline), when the appropriate amendments to the State Borders Act came into force. The passenger name record data contains information about the reservation and actions associated with it, the personal data of the air passenger and the person travelling with him or her, the general data about the flight, contact details of the air passenger and data regarding payment for the reservation.[5] The State Borders Act states that this data is to be forwarded to the Police and Border Guard Board, the Estonian Internal Security Service, the Estonian Tax and Customs Board, the Estonian Competition Authority, the Military Police, the Environmental Inspectorate and the Ministry of Justice’s Department of Prisons.[6] The use of passenger name record data is allowed for prevention of serious crimes and terrorist offences, based on the definition stated in subsection 2 of section 1262 of the Code of Criminal Procedure, which is relatively broad.
After the Court of Justice opinion[7] in June of 2017 invalidating the agreement between Canada and the European Union regarding processing of Passenger Name Record data the analogies with storage of contact details seem increasingly timely.[8] The ruling applies directly only to the aforementioned agreement, because serious questions regarding storing the Passenger Name Record data arose in general, for example:
Has the storing period been determined arbitrarily or based on certain considerations?
What does the passenger name record data reveal about a person’s private life and is it proportionate?
Has the circle of concerned data subjects been determined with sufficient accuracy?
Court practice
Relatively immediately before “Human Rights in Estonia 2014–2015” was published the Court of Justice invalidated in its judgment Schrems the Safe Harbour agreement between the EU and the US as it wasn’t sure in the light of the blanket surveillance scandal, whether the US was actually able to guarantee that EU citizens’ data is protected while in possession of the US digital giants.[9] Especially considering the fact that the Safe Harbour agreement significantly curtailed the opportunities of the EU data protection surveillance agencies to evaluate this and put the citizens as well as data protection commissioners in the position where they were left with mere blind trust for the regime, which had previously clearly proved their hostility or at least indifference towards privacy.
The Supreme Court rendered no breakthrough judgments regarding data protection and surveillance in the observable period. The most important court decision came from the Court of Justice at the end of 2016 and left a strong and decisive impression on the statements made in the case Digital Rights Ireland[10] in 2014 and the Schrems case [11] in 2015. In the joined cases of Tele 2 Sverige and Watson (Tele 2 Sverige) the Court indicated even more firmly than before whose side the court is on regarding the privacy issue – on the side of the citizens and probably also the ICT service providers. According to several Member States the case Digital Rights Ireland allowed for various interpretations, including such, where the obligation to indiscriminately collect data, store it and later also share with security authorities can be considered proportionate when the state provides reasonable guarantees elsewhere – for example, has stated with sufficient precision the purpose of storing data and the period of storage, set rules for access, and created an efficient monitoring system.[12] Therefore, the question remained whether the act of law, which requires storage of metadata for large and undefined groups of people, most of whom pose no threat to security, is disproportionate always or only when there is no sufficiently precise regulation?
The judgment of Tele 2 Sverige[13] answers this question unequivocally and exhaustively: ICT service providers (such as Tele 2) cannot be required to collect data about undefined groups of people for security purposes and the basis for collecting data always has to be an objectively justifiable suspicion.[14] The Court also firmly stated that also in situations, where ICT service providers and security authorities or investigative bodies play an equal part in prevention and investigation of criminal offences, the duty of confidentiality established by the e-privacy Directive applies to all data that has been collected in relation to citizens’ use of service.[15]
While being extremely resolute, the Court of Justice left a few doors open this time as well: the judgment does not have to do with collection of data regarding, for example, when drawing up invoices and for the purpose of evaluating the quality of service. Therefore, it is likely that in reality the service providers will still keep hold of vast amounts of data for understandable reasons, their storing practices varying even more than the regulation on storage of data in various states. The question of whether and on which conditions the service providers wish to or are obliged to share this data with security authorities and investigative bodies also remains without a certain resolution. Therefore, even though a remarkable step has been taken towards protection of privacy, the other important purpose – harmonising surveillance and making it more transparent, has not been done much about with this judgment. The latter, however, gives no reason to underestimate the importance of Tele 2 Sverige case.
The judgment in Tele 2 Sverige ought to also send Estonia a stronger signal that a relatively apathetic reaction to the 2014 judgment in Digital Rights Ireland is not enough. The Chancellor of Justice admitted in 2014 already[16] that the system at the time needs reviewing, yet § 1111 of the Electronic Communications Act is still in force in its unamended form. However, larger amendments are to be expected there as well once the data protection framework comes into force. The European Commission is also currently preparing a new Regulation on e-privacy. Although the media reported that the Ministry of Justice had initiated a more thorough analysis of the order of storing data as well as revaluation[17] of it already after publication of Digital Rights Ireland and the Tele 2 case, the outcomes of these processes have not yet been published. The only thing available is the aforementioned statement of the Chancellor of Justice. The jurisdiction of Chancellor of Justice in protection of privacy rights was reaffirmed in 2015 when the amendment to the Chancellor of Justice Act gave her the express opportunity to carry out monitoring over security authorities. Since then the Chancellor of Justice along with the Data Protection Inspectorate have been the most active institutions, which protect the citizens’ rights to privacy; there have been no institutional changes of note in the observed period.
Chancellor of Justice’s activities
The Chancellor of Justice carried out control visits in 2015 and in 2016 for the purpose of making sure that law enforcement authorities are carrying out covert investigations only based on sufficiently reasoned permits and that persons are notified of surveillance activities once the reasons precluding notification have ceased. Most of the issued permits that were checked in the course of control visits were substantiated and covert investigation was indeed carried out as the last resort in situations, where collection of evidence in some other way that violated fundamental rights to a lesser extent would not have been possible. At the same time, Chancellor of Justice pointed out that there were permits issued, where the unavoidable need for covert investigation was not at all apparent, and instances, where permits were issued for covert investigation, which was not at all allowed for the offence under investigation according to the Code of Criminal Procedure.[18] The importance of duty to notify was discussed more thoroughly in the previous annual report of the Estonian Human Rights Centre. Subsection 1 of section 12613 of the Code of Criminal Procedure requires law enforcement authorities to notify each person with respect to whom the surveillance activities were conducted or the person whose private or family life was significantly violated by the surveillance activites, of the time and type of surveillance activities that were carried out.[19]
Chancellor of Justice’s control visits proved that timely notifications are still a problem for investigative bodies, which significantly limits the concerned persons’ opportunities to file a timely complaint about violations and thereby protect their rights, which includes having the data that has been gathered in the course of surveillance activities destroyed.[20] This would allow to stay in concordance with the principle of minimality in processing personal data, according to which the data registers should have just the right amount of data and certainly no more.
The Chancellor of Justice also acquainted herself with the security authorities’ information files regarding permits issued for collection of information activities in 2014–2016 and despite the positive general appraisal made some propositions for better guaranteeing fundamental rights. In the 2017 report the Chancellor of Justice recommends the security authorities define the basis for postponing notification more precisely (in general work instructions as well as in case of each individual instance).[21] Here it is important to remember the fact that according to the Chancellor of Justice Act the Chancellor of Justice does not have access to confidential foreign data or state secrets concerning classified or classified as top secret methods, international multinational joint operations or information transmitted by a foreign or international organisation if the transmitter has not given permission to access data, neither does she have access to information regarding current collection of information activities.[22] In addition to the earlier raised need to specify the conditions and the extent of data retention obligation the Chancellor Justice recommended in the same report to word more precisely the §113 of the Electronic Communications Act, which in its current form does not provide a clear enough understanding of how surveillance activities of communications network are permitted and therefore it is not possible to review lawfulness of such surveillance activities.[23]
Statistics and surveys
It became apparent from the Eurobarometer survey on e-privacy that Estonians are slightly above average in their internet and social media use activity. At the same time, the Estonian respondents’ awareness of their rights to privacy in e-environment and requirements to service providers are below average. Therefore, it could be said in generalisation that Estonians are active, trusting and optimistic digital people, who at the same time, have no strong suspicions regarding moderation and legitimacy of state’s surveillance programmes. For example, the opportunity to crypt their electronically sent messages so that only the addressee can read them, was considered very important by 47% of the Estonian respondents, while the EU average was remarkably higher – 65%. Use of cookies and other monitoring devices only at direct and conscious knowledge was considered very important by 39% of Estonian respondents and 56% of all of the EU respondents. It was also apparent that the Estonian respondent rarely chose the answer variant expressing the strongest opinion.
Noteworthy public discussions
Naturally, public discussions focus on the near future, focusing on the spring to come. There have been questions raised such as: how does the by default principle of data protection (that is, integration of solutions promoting data protection and privacy into the first stages of communication technologies) influence development of software, which authorities need to recruit a data protection expert on their team, what does the right to be forgotten mean in practice and is the Estonian surveillance system ready to monitor fulfilling technically complicated requirements. Similarly to earlier years the public statements and discussions on security and terrorism have not gone into issues of data protection in depth. Therefore, the PNR Directive that has received a lot of criticism from advocacy organisations and think tanks on European level, has not received noticeable attention in the public sphere.
Several other discussions on state level data protection did surface. The Minister of Health and Labour Jevgeni Ossinovski had the plan to work out a technical solution based on various registries, which display a list of inactive young people to the local governments. The Data Protection Agency, however, deemed the plan to breach the right to privacy, although it was meant to facilitate voluntary and local government welfare services as stated in § 28 of the Constitution. In June the National Audit Office revealed that the Health Information System as well as the Register of Social Services and Benefits (STAR) contain security risks. Access to the sensitive personal data in the Health Information System is too easy – there is no two-factor authentication in place.[24] STAR does not allow systematic overview on data processing and therefore makes it difficult to detect any misuse.[25] The second discussion took place at the end of 2015 and the beginning of 2016, when the Minister of Defence at the time, Hannes Hanso, submitted to the government a draft, which would have given medical commission of the Defence Forces access to data of the Health Information System.[26]
Great controversy was also caused by the Background Check Act[27] that is being approved at the moment, which was criticised by the Data Protection Inspectorate[28] as well as the Chancellor of Justice.[29] So far, the backgrounds checks are carried out either in the course of proceedings for a state secret permit according to the State Secrets and Classified Information of Foreign States Act, or regarding all the employees of defence and law enforcement structures according to specific acts of law. In both cases the contents of application form as well as persons investigated is strictly limited and the latter does not include anyone but the person about to start work. The draft act allows checks to be carried out regarding partners of public procurement and volunteers (assistant police officers, voluntary rescuers) as well as backgrounds of family members of persons about to start work. The attempt to unify the extent and intensity of background checks is certainly commendable, but the draft act in its current form: does not limit the right of the entity carrying out the background check to receive data from state databases according to the specific content and purpose of the background check, interferes with sensitive personal data, such as religious beliefs and medical data, and attributes great weight to abstract and legally unexplained terms such as “faithfulness to the Republic of Estonia” and “economic difficulties”.[30] Neither is the part concerning access to contact details in concordance with the Court of Justice’s judgment in the case Tele 2 Sverige discussed in the third subchapter. The criticism of the Data Protection Inspectorate and the Chancellor of Justice is founded and shows that the watchdogs of our fundamental rights are informed, modern and progressive in this matter.[31]
Trends and good practices
The fact that while previously it was unclear as to who and to what extent carries out monitoring over surveillance and collection of information activities, the Chancellor of Justice has now firmly taken on this role. This means that apart from non-governmental organisations whose access to official information is often limited there is a strong watchdog with special knowledge in the field of protection of fundamental rights as well as the mandate (although a limited one)[32] to investigate law enforcement and security authorities. Although Chancellor of Justice essentially had this opportunity before as well, it is clear, looking at the reports of the last two years that this sphere is of much higher priority after the 2015 amendment came into force. Eurobarometer’s e-privacy survey results indicate that although our results are below the EU average, more than half the Estonian respondents are aware of their rights to e-privacy and are prepared to demand technical solutions to protect it. Certainly, it is also a welcome occurrence that ahead of the coming into force of the data protection framework and huge fines being administered the data processors are displaying an active interest in how the personal data in their possession can be processed in a way that is better and beneficial to all. The latest growing trend is the critical handling of the topic of big data and mass profiling, with the Data Protection Inspectorate’s statements positively standing out. In the opinion of this chapter’s author, in a state, where such importance is placed on interoperable electronic databases, these questions should be paid particularly great attention to and all kinds of programmes making decisions as a result of automated mass data processing should be approached with extreme caution. This is because the problems associated with processing of big data and mass data processing will not be solved even by the long-awaited (or feared) data protection framework.[33]
Recommendations
- Immediately critically review the regulation in Estonia regarding retention of data and providing access to data considering that ICT service providers cannot be required to store data about undefined groups of people whose connection to crime or security risks is not objectively justifiable.
- Exclude at outset the opportunity of mass profiling by being extremely careful with all kinds of initiatives and draft acts, which grant access to several official databases without a specific basis, heightened security requirements and a very strict system of permits.
- Increase the Data Protection Inspectorate’s competence so that it can effectively investigate technically complicated questions of data protection, which require understanding various aspects of software development processes.
- Do not adopt the Background Check Act in the form that is presented in the 2017 February draft Act.
——————-
[1] EU 2016/679 General Data Protection Regulation. Available at: https://gdpr-info.eu/
[2] Eesti Päevaleht. Andmekaitse: riigiametid jagavad liiga lahkelt ja rohkesti isikuandmeid laiali [Data Protection Inspectorate: state agencies too generous with personal data]. 21 April 2017. Available at: http://digileht.epl.delfi.ee/arileht/andmekaitse-riigiametid-jagavad-liiga-lahkelt-ja-rohkesti-isikuandmeid-laiali?id=77951274
[3] Ibid.
[4] Ibid.
[5] State Borders Act. State Gazette I. 16.06.2017, 27, § 97.
[6] Ibid.
[7] The Court of Justice of the European Union. Grand Chamber. Opinion 1/15. Available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=193216&doclang=EN
[8] The parlament magazine. Will PNR be a humiliating déjà vu for EU policymakers? 30 May 2017. Available at: https://www.theparliamentmagazine.eu/articles/opinion/will-pnr-be-humiliating-d%C3%A9j%C3%A0-vu-eu-policymakers
[9] The Court of Justice of the European Union. Judgment in case C-362/14: Maxmillian Schrems v. Data Protection Commissioner. 6 October 2015.
[10] The Court of Justice of the European Union. Judgment in joint cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others. 8 April 2014.
[11] The Court of Justice of the European Union. Judgment in case C-362/14: Maxmillian Schrems v. Data Protection Commissioner. 6 October 2015.
[12] European Union Agency for Fundamental Rights. Annual Report 2015 and Annual Report 2016. Available at: http://fra.europa.eu/en/publications-and-resources/publications/annual-reports/fundamental-rights-2016#data-protection ja http://fra.europa.eu/en/publications-and-resources/publications/annual-reports/fundamental-rights-2017#data-protection
[13] The Court of Justice of the European Union. Judgment in joined cases C‑203/15 and C‑698/15 , Tele 2 Sverige and Watson and Others. 21 December 2016.
[14] Ibid, 107-112.
[15] Ibid, 74-78.
[16] See also “Chancellor of Justice’s Annual Report 2014-2015”. Sideandmete kogumine vs eraelu kaitse [Collection of communication data v. protection of privacy]. Available at: http://oiguskantsler.ee/ylevaade2015/andmekorje
[17] Postimees. Eesti ei tohi enam inimeste internetiajaloo massilist talletamist nõuda [Estonia can no longer require mass storage of people’s internet history]. 9 January 2017.
Available at: https://tehnika.postimees.ee/3972909/eesti-ei-tohi-enam-inimeste-internetiajaloo-massilist-talletamist-nouda
[18] Chancellor of Justice. Ülevaade 2016 [Overview 2016]. Õiguskaitseasutused [Law Enforcement Authorities]. Available at: http://www.oiguskantsler.ee/ylevaade2016/oiguskaitseasutused
[19] Ibid.
[20] Human Rights in Estonia 2014-2015. Õigus austusele perekonna- ja eraelu vastu [Right to respect for family and private life]. Available at: https://humanrights.ee/teemad/inimoigused-eestis/inimoiguste-aruanne/inimoigused-eestis-2014-2015/oigus-austusele-perekonna-ja-eraelu-vastu/
[21] Chancellor of Justice. Ülevaade 2017 [Overview 2017]. Õiguskaitseasutused [Law Enforcement Authorities]. Isikuandmete varjatud töötlemine [Covert processing of personal data]. Available at: http://www.oiguskantsler.ee/ylevaade2017/isikuandmete-varjatud-tootlemine ; Chancellor of Justice. Ülevaade 2016 [Overview 2016]. Õiguskaitseasutused [Law Enforcement Authorities]. Õiguskaitseasutused töötlemine [Processing]. Available at: http://www.oiguskantsler.ee/ylevaade2016/oiguskaitseasutused
[22] Õiguskantsleri seadus [Chancellor of Justice Act] 06.04.2016, 23, § 111 (6).
[23] Chancellor of Justice. Ülevaade 2017 [Overview 2017]. Õiguskaitseasutused [Law Enforcement Authorities]. Isikuandmete varjatud töötlemine [Covert processing of personal data]. Available at: http://www.oiguskantsler.ee/ylevaade2017/isikuandmete-varjatud-tootlemine
[24] Delfi Ärileht. Riigikontroll: kaks suurt riiklikku andmebaasi on ebaturvalised [National Audit Office: two large national databases are unsafe]. 1 June 2017.
Available at: http://arileht.delfi.ee/news/uudised/riigikontroll-kaks-suurt-riiklikku-andmebaasi-on-ebaturvalised?id=78421161
[25] Ibid.
[26] See for example: Postimees. Kaitsevägi hakkab nägema inimese andmeid e-tervises [Defence Forces to be able to see a person’s data on e-health]. 21 January 2017.
Available at: https://tervis.postimees.ee/3476479/kaitsevagi-hakkab-nagema-inimese-andmeid-e-tervises
[27] Taustakontrolli seaduse eelnõu [draft act of the Background Check Act]. 17 February 2017. Available at: http://eelnoud.valitsus.ee/main#4u9aVOUG
[28] ERR. Amet: Taustakontrolli seadus jätab tööandjaileliialt vabad käed [The Background Check Act to leave employers much too much leeway]. 16 March 2017. Available at: http://www.err.ee/584428/amet-taustakontrolli-seadus-jatab-tooandjaile-liialt-vabad-kaed; Chancellor of Justice. Arvamus taustakontrolli seaduse eelnõu kohta [Opinion on the draft act of the Background Check Act]. 16 March 2017. Available at: http://www.oiguskantsler.ee/sites/default/files/field_document2/Arvamus%20taustakontrolliseaduse%20eeln%C3%B5u%20kohta.pdf
[29] Ibid.
[30] Ibid.
[31] Ibid.
[32] See 3rd subheading.
[33] Press release. European Parliament’s resolution on big data. March 2017. Available at: http://www.europarl.europa.eu/EPRS/EPRS-AaG-599312-Big-Data-FINAL.pdf