- Focus has shifted from privacy to data protection, as well as towards practicalities regarding coming into force of the General Data Protection Regulation.
- Statistics of the Data Protection Inspectorate indicate that demystification has brought about people’s greater awareness of their rights and how to protect them.
- In sharp conflict with current international law and with the practice of both the European Court of Justice and the European Court of Human Rights, the indiscriminate storage of the communication data of Estonia’s people continues.
- Estonians are rather uninterested in privacy compared to other Europeans.
Political and institutional developments
Estonia’s cyber security strategy 2019–2022, published in spring of 2019, states that new e-services and databases will be built in line with the principle of security and privacy by design. The strategy differs from its two predecessors in that privacy and cyber security are viewed as one whole, and solutions are being sought that would help harmonize the by now rather unstable e-services network and secure it against attacks and leaks.
The strategy was prepared as an intersecting cooperation under the leadership of the Ministry of Economic Affairs and Communications. Compilers of the strategy admit, among other things, that the implementation of most public sector IT solutions takes into account the security aspect, but responsibility is decentralised and central support is not sufficiently systemic. In order to implement the architectural principle of security in a more efficient and systematic way, creation of a system of guidelines to ensure the quality of development processes, together with a feedback and control mechanism is planned. The strategy also states: “Despite separate regulations, it is no longer reasonable or feasible to treat data protection and information security as separate disciplines. Therefore, in planning further activities, we will build on the principle that implementation of information security and data protection requirements must, despite separate regulation, be treated as a whole, which ensures reliability of the development and operation process by seeking their consistent and holistic implementation. This requires enabling and supporting judicial and administrative arrangements.”
In general, the goal is to create a uniform system of security requirements in developing the public e-services, which includes minimum requirements for information security and data protection. Such integrated approach is the only solution in the context of cooperating databases and information systems, but achieving that may prove a very complex and resource demanding undertaking – especially considering the complex landscape of public e-services and the plurality of various service providers. This obviously requires a closer substantial cooperation between the Data Protection Inspectorate and Information System Authority.
Similarly to the cyber security strategy, the information society development plan, which was published a little later, emphasises that, in the context of increasing data volumes and widespread cross-usage of data, people will be able to cope with a certain loss of privacy by having control over the use of their data. Among other things, the creation of both technological and organisational conditions is planned so that people can always know and direct who uses the data that the state possesses, when and for what purpose.
A lot has been said about the expected significant increase in the Data Protection Inspectorate’s workload, yet it can be concluded from the inspectorate’s 2018 yearbook that neither its funding nor the number of its employees increased significantly, either directly before the General Data Protection Regulation came into force or after it. However, the published statistics clearly indicate an increase in the workload. This concerns, in particular, the work of the reviewing officer; advising companies and authorities; and responding to requests for clarification, memorandums, written request letters and requests for information. Above all, this practice gives the impression that, as a result of the practical change to data protection law, people have actually become more aware and active. This is probably because the General Data Protection Regulation creates a strong basis for protecting one’s data; the issue is mostly with practical enforcement, and here the inspectorate can provide the best advice.
On May 25th, 2018 the General Data Protection Regulation and the so-called law-enforcement authorities’ directive came into force. However, the first national implementing provision came into force in January of 2019. The regulation and the amendments it introduced mean, on the one hand, stronger protection of individuals’ rights but, on the other hand, a much more extensive and resource-intensive administrative network.
The format of the yearly report is not the best for retelling the regulation, especially since there are expert summaries and commentaries both in Estonian and in English available, but some of the most important changes or clarifications of the regulation from the perspective of the individual should be pointed out. The regulation does not create brand new rights for the individual, but it does expand and clarify them – they already existed in a less clear and less effective form before.
According to the regulation the data subject has the right to:
– Information. Right to information has been clarified and made much easier to understand and implement in the regulation. Data controllers (companies and organisations) must explain in an understandable manner which personal data is being collected and for what purpose. If a data controller creates profiles for data subjects, the latter has the right to know what is in the compiled profile.
– Safe data processing. According to the regulation, data must be collected and processed according to security requirements, which means the data controller must employ organisational and technical measures appropriate in modern technological context, in order to guarantee confidentiality and prevent leaks. As of May 25th, the data processor also has the obligation to notify the Data Protection Inspectorate of all breaches to do with personal data.
– Right to acquaint themselves with data gathered about them. The person whose data is being processed has the right to control its validity, as well as to change and amend the data. Also, if the data is no longer relevant or necessary, he or she has the right to demand its deletion.
– The principle of minimal data processing has been clearly regulated, which means that the person is not obligated to provide any more data about themselves than strictly necessary for providing a particular service.
– Additionally, the data subjects have the right to make objections and demand explanations for automated decision-making processes and, where necessary, a human intervention in them.
An answer was also provided to the question which jurisdiction prevails in cases where the data of data subjects who are in the European Union is processed outside EU’s territory. The regulation applies for all cases, where data of data subjects located in the EU is processed, regardless of the location of processing.
The Personal Data Protection Act regulates, among other things, differences in processing personal data in the context of science, historic studies and journalism. Processing for journalistic purposes was permitted in the original draft in the case of “overwhelming” public interest. Critics interpreted it as a disproportionate restriction on freedom of expression, and the version that came into force simply allows for a matter of public interest.
Even though not a single piece of binding legislation has been drawn up after the regulation was implemented, there is growing hope that Estonia does intend to bring national law into concordance with binding European court practice and its international obligations. On October 31st, 2018 the Ministry of Justice published “The Draft Law on Electronic Communications Act and related amendments to other laws”. In 2016, in its judgement Tele 2 Sverige, the European Court stated unequivocally and exhaustively that ICT service providers should not be required to collect data about unspecified amounts of people for security purposes and that data collection must always be based on an objectively explicable suspicion. And this despite the existing remedies and monitoring mechanisms.
In light of this the text of the draft law comes across as relatively cautious, setting as its goal “to establish more precise and clear criteria to situations, where storage of communication data is permitted, as well as their later use in various proceedings, thereby guaranteeing persons’ right to private life and a better protection of personal data.” In Ministry of Justice’s appraisal, the use of communication data in various proceedings in acquiring evidentiary information is vital, however, at the same time the importance of protection of personal data and rights of data subjects is also emphasised. Yet the practice of the European court has taken a clear view that service providers may store communication data only to the extent that it is necessary for provision of the service. The investigative bodies and security authorities will always have the option, which was also available to them before the Retention of Data Directive – of requesting the retention of data of a certain service provider by court order (the so-called quick freeze). What is positive is that even though a clear intent of abolishing the obligation to retain communication data is not announced, the draft act does contain enough clarifications and amendments to monitoring, legal remedies, restriction on access and access permits as well as the nature of retained data. In its opinion the Estonian Human Rights Centre drew attention to the fact that if the direct access regime is maintained the communication enterprises must be able to assess the lawfulness of the requests and be able to challenge them. It was also recommended to gather accurate statistics about access requests and clarify the powers of supervisory authorities and the law enforcement measures, including in the context of international security cooperation.
Even though there is almost no publicly available statistical data about how communication data has been used thus far and how it has influenced criminal, misdemeanour or civil proceedings, development can be seen here too. The Chancellor of Justice assessed in 2018 whether the data listed in sections 111 prim (2) and (3) of the current Electronic Communications Act had been requested from Telia, Elisa and Tele2 and whether they had been used lawfully. Here it is very important to bear in mind that the assessment did not look at enquiries made in the course of criminal proceedings or at the information procurement of the security authorities, and that a more thorough analysis was made of the use of communication data in civil proceedings. It became apparent that the enquiries had mostly been made according to the purpose and were justified. The surprisingly small number of enquiries also stands out: in misdemeanour proceedings 47 enquiries were made in 2017–2018, with 86 enquiries made in civil court proceedings in a total of 26 cases. The Chancellor of Justice pointed out as the greatest problem area the substantive nullification of the current order (according to which the use of communication data is monitored by the Consumer Protection and Technical Regulatory Authority) and recommended it be replaced by a general obligation of state authorities that use communication data to keep track of communication data enquiries. In addition, it was recommended that the use of communication data in misdemeanour proceedings be limited to only those cases where the misdemeanour is committed using a means of communication or in regard to it.
Surveillance was also affected by the draft amendments to the Defence Forces Organisation Act, which, for protection of restricted military area of the Defence Forces in cases of urgency, for the purpose of determining and deterring serious danger, provides the Defence Forces the option to covertly verify personal data from the state, local government or other public or private legal person’s database, use shadow data and conspiracy techniques and to monitor a person covertly. In March, President Kersti Kaljulaid did not announce the amendment, on the grounds that granting the Defence Forces such a right is disproportionate and significantly prejudices the fundamental rights of civilians in the restricted military area to family and private life, to integrity of the home and to secrecy of the message. The President drew attention to the fact that the act does not define “covert surveillance” sufficiently clearly, thus leaving the surveillance authorities too large a scope for interpretation and the opportunity to disproportionately infringe the rights of civilians.
In February, the Supreme Court requested a preliminary ruling from the European Court of Justice, which is expected to shed even more light on the legality of the current rules for storage and use of communications data. Even though surveillance activities that have taken place according to the Electronic Communications Act have been unsuccessfully challenged in other cases that have concerned more serious necessary elements of a criminal offence, the Supreme Court decided to refer for a preliminary ruling in a case concerning smaller criminal offences against property. The thefts committed by the accused probably cannot be classified as serious offences. The current Electronic Communications Act does, however, allow metadata to be requested from the ICT service provider with permission from an assistant prosecutor working on the case. Contradictions with the practice of the European Court of Justice are apparent. The Supreme Court wanted to know whether, in the view of the European Court of Justice, retaining metadata and sharing it with state authorities poses so serious a breach of fundamental rights that it must be reserved for the investigation of serious crimes only, regardless of what period of time the observable data concerns. Secondly, there is a question about whether the amount of accessible data (in volume and as to the extent of time) has a connection to the seriousness of the crimes under investigation, so that gathering smaller amounts of data poses a smaller breach and is justifiable also in investigating less serious crimes, whereas data larger in content and time period may only be gathered to combat serious crime. Thirdly, the Supreme Court would like to know whether the prosecutor leading the pre-trial procedure can be considered an independent administrative authority, whose previous permission and surveillance prevails over access to data according to the judgement in Tele2 Sverige.
Whatever the answers to these questions, they have to be reflected in the future regulation of retention, access to and use of communications data, which hopefully will be proportionate, humane and reasonable. In reply to the query of the Estonian Human Rights Centre the Ministry of Justice stated that the development of amendments to the Electronic Communications Act is partly delayed because of the expected change to case law of the European Court of Justice.
Statistics and surveys
Of the surveys conducted in the observable period, the Eurobarometer ad hoc survey on the General Data Protection Regulation deserves a mention. Estonian respondents were digi-friendly and -skilled, as expected, but just 53% of the respondents had heard anything about the regulation. As a comparison, this figure in Sweden was 90% and in Poland 86%. At the same time, the Estonian respondents were probably the most active in standing up for their rights. 39% had taken advantage of the right to look at data collected about them, 36% had demanded rectifying false information about them, 25% had made use of the right to have data deleted, and 13% of Estonian respondents had made use of the right to be involved in automated decision processes. Estonians were above average in awareness about data protection monitoring and knew where to turn to in case of suspicion of infringement. If already the 2016–2017 chapter referred to Estonians’ great trust, the current survey confirms this: just 39% of respondents admitted that they are disturbed by the fact that they can’t control the processing of their data in the internet environment. In comparison, in Ireland, for example, the percentage was 75 and in Latvia 50. The results of the survey indicate that the informed groups are very active indeed, but at the same time, in contrast, groups have appeared that don’t know how to (don’t want to?) protect their rights. These figures also indicate that the chasm between the digitally and privacy aware and those unaware of this topic is much wider than in most European countries.
In general, it can be said that two processes are taking place at the same time. The first refers to popularisation of data protection as a topic – and this is backed up by the Data Protection Inspectorate’s statistics. The other, ironically, refers to normalisation of the surveillance society – this is evident by the remarkably slowly progressing amendments to the order of retaining communications data and the population’s relatively indifferent attitude to possible large-scale surveillance. As is often the case in other areas – solitary cases stand out, but large-scale and systemic discords are not paid attention to. But if we didn’t look at the relatively liberal regulation of surveillance activities hermetically separated from other processes taking place in society, there is every reason to take this seriously in the current political situation.
- Stop the obligation to retain communications data until coming into force of the planned amendments to the Electronic Communications Act.
- Carry out an extensive objective statistical survey on how and to what extent communications data has thus far helped fight crime and threats to security.
- Increase resources allocated to the Data Protection Inspectorate so that it would be possible to hire technical experts who have the necessary expertise to verify compliance with the integrated data protection principle, and monitor, for example, the cross-use of public e-services and systematic analysis of open data.
- Do not create state authorities who have the authority to carry out surveillance activities on widely defined conditions.
The case description comes from an area which has not garnered attention in this chapter, but which will become increasingly important in the future and where Estonia has the chance, thanks to the University of Tartu Institute of Genomics, to become either a positive pioneer or a great failure in data protection.
The Data Protection Inspectorate registered a complaint of a private person concerning issuing of personal data. The appellant had issued a request to the University of Tartu Institute of Genomics to receive data about himself, where he asked for the description of his own DNA. The Institute of Genomics did not have the technical ability and procedural rules to comply with the request. According to the Human Genes Research Act § 11(2) the gene donor has, among other things, the right to personally access the data kept about him in the Genome Centre. The Genome Centre explained that since it had not issued the gene donors their DNA description data in a form that could be read/interpreted without expert knowledge, the so-called preliminary data, the Genome Centre had no finalised procedural rules about which technical solutions would be used to submit such data to the gene donors. It was also unclear at the time the application was submitted what exactly to interpret as a DNA description: whether it is the raw data, quality-reviewed description data or genetic risk reports drawn up on the basis of the description. As a result of the precedent, the Genome Centre has come to the conclusion to allow accessing the latter two, while the first one won’t be issued to the data subject for fear of misinterpretation. The raw data can be accessed only in the course of an expert consultation by appointment. The Data Protection Inspectorate found that regardless of the Human Genes Research Act a person has the right according to the Personal Data Protection Act and the General Data Protection Regulation to access his gene data in his preferred form and at his preferred level of interpretation, which is why the Inspectorate issued the Genomics Centre a precept to publish the data.
This is an interesting precedent as it concerns such questions as informed consent in a technologically complicated context that requires expert knowledge, the person’s opportunity to independently interpret his own data and the possible risks that can accompany it.
 Ibid, 23.
 Regulation (EU) 2016/679 of the European Parliament and of the Council. 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal 04 May 2016, L 119/1.
 Directive (EU) 2016/680 of the European Parliament and of the Council – on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, Official Journal 27 April 2016, L 119/89.
 Ministry of Justice. 2018. Elektroonilise side seaduse ja sellega seonduvalt teiste seaduste muutmise eelnõu väljatöötamiskavatsus (sideandmete säilitamine ja kasutamine) [The preliminary draft amending the Electronic Communications Act and other acts], 05 November 2018.
 European Court of Justice. Judgment in joined cases C‑203/15 and C‑698/15, Tele 2 Sverige and Watson and Others. 21 December 2016.
 n 8, page 4.
 Estonian Human Rights Centre. 2018. Arvamus elektroonilise side seaduse ja teiste seaduste muutmise seaduse väljatöötamiskavatsusele [Opinion on the preliminary draft for amending the Electronic Communications Act and other acts], 30 November 2018.
 Chancellor of Justice. Processing of data in Electronic Communications Act 111 prim section 2 and 3
 President of Estonia. 2019. Otsus nr 435 “Kaitseväe korralduse seaduse muutmise seaduse” väljakuulutamata jätmine [Decision no 435 not to announce the act amending the Defence Forces Organisation Act], 07 March 2019.
 Ministry of Justice. Response to inquiry of the Estonian Human Rights Centre. 16 September 2019.
 Eurobarometer. 2019. Special report 487a. The General Data Protection Regulation.
 Data Protection Inspectorate. 2018. Ettekirjutus-hoiatus isikuandmete kaitse asjas nr 2.1.-6/18/9 [Precept-warning in the data protection case no 2.1.-6/18/9].