The situation has remained the same.
Key issues
- The Supreme Court has declared illegal the indiscriminate storage of communications data regarding Estonian residents.
- For the sixth year in a row, it must be acknowledged with some sadness that, in sharp contrast to current international law and the case law of the European Court of Justice and the Supreme Court, the retention of communications data on the basis of § 111¹ of the Electronic Communications Act continues. The draft amendment to the Electronic Communications Act does not envisage any amendments to it.
- The COVID-19 pandemic has led to increased preparedness in terms of restricting fundamental rights, including the right to respect for family and private life.
Political and institutional developments
In a narrow interpretation, it can be said that no significant political or institutional developments within the scope of this chapter have taken place during the period under review. However, this does not mean that the right to respect for family and private life has proved to be marginal in the current pandemic situation; many of the risks and opportunities of the last two years depended directly upon the availability and accessibility of private data. Therefore, the question of whether, and to what extent, the right to privacy and data protection can be restricted has become extremely topical. At the end of March 2020, Estonia joined the list of countries which have informed the Council of Europe that they had activated Article 15 of the European Convention on Human Rights, which provides an opportunity to partially restrict those rights which arise from the convention. Among those rights, the observance of which could not always be ensured during the state of emergency in Estonia, was the right to respect for private and family life. During the emergency situation, Statistics Estonia analysed the movements of Estonians, as well as of foreigners who were staying in the country, across mobile phone mast coverage areas, on the basis of anonymous data which was received from telecommunication companies. In addition, the Health Board’s voluntary mobile application, HOIA, was in use.[1] It exchanged non-personalised codes using Bluetooth radio signals and, if the user had registered an illness, informed their close contacts of any possible contact. By October 2021, the application had 272,378 users, with only a small percentage reporting their illness.[2]
Legislative developments
The procedure for storing communications data has been a problem for a total of seven years. This is a notably long period for such a problem not to have been resolved, and it is therefore understandable that, over the last two years, developments in areas and publications which are not directly related to the subject have once again acquired some news value. In reality, it is an almost endless re-running of the same old argument. Fortunately, there are real changes being put in place this time around, especially with regard to case law. The universal obligation which is in force in Estonia to store metadata from network and telephone communications and to transmit this data to various public authorities for the purpose of carrying out investigations arises from the repealed EU Data Retention Directive. Until now, such storage of communications data has been continued in Estonia on the basis of national law which is an implementing provision of the invalid Directive: § 111¹ of the Electronic Communications Act. The report from 2018-2019 examined the ‘Intention to develop a draft amendment to the electronic communications act and related acts’ (in Estonian, ‘Elektroonilise side seaduse ja sellega seonduvalt teiste seaduste muutmise eelnõu väljatöötamiskavatsus’), which was initiated by the Ministry of Justice and which promised, among other things, to ‘establish more precise and clear criteria for situations in which communications data may be retained and later used in various procedures, thereby ensuring better protection of privacy and personal data’. The intention to develop the draft did not bring about any rapid changes, partially due to the desire to await decisions on the references for a preliminary ruling which were pending at that time with the European Union Court of Justice.
The solutions are now available and are very explicit (see the next subsection), making it all the stranger that the Electronic Communications Act and the bill regarding ‘Amendments to Other Acts’, which was in its third reading in the Riigikogu on 15 September 2021, did not include amendments to § 111¹.[3]
On 29 June, President Kersti Kaljulaid announced the ‘Act Amending the Identity Documents Act and Related Acts’, establishing an electronic database ABIS (or Automatic Biometric Identification System).[4] ABIS is an interoperable database which aggregates biometric data which has been collected by public authorities for various purposes, but does not allow such data to be linked to biographical data. The biggest problem with ABIS is its centralisation and the possibility of it being cross-used, so that in the future a fingerprint which has been provided when applying for a residence permit could in theory be used in criminal investigations, for example. The centralised collection and cross-use of sensitive personal data is problematic, and it is an area which requires very precise rules regarding access, retention periods, deletion, and data subjects’ rights. Therefore ABIS may not be the best and most secure way in which to systematise biometric data which is held by the state. However, the current fragmented system, of which data owners were often unaware and for which there existed a vague set of rules in regard to all procedures, understandably also posed major security and confidentiality risks. Unfortunately, the process of setting up ABIS additionally does not include any precise definitions of which specific areas of data are to be stored in the database, how this should be done, or even for how long the data should be kept. If this does not lead to systematisation and clarity in regard to the biometric data which is being collected, or the rules for storage and access, the proposed database will create a favourable environment for breaches of the fundamental right to privacy and data protection rules.
Case law
In October 2020, the European Court of Justice provided clarification in a case which had been brought by the French advocacy organisation, Quadrature du Net,[5] regarding the admissibility of the lawful retention of communications data following the repeal of the Data Retention Directive in the 2014 Digital Rights Ireland decision. In addition to the above, the decision clarifies the issues in terms of the cases involving Tele2 Sverige,[6] and also Ministerio Fiscal,[7] while moving slightly away from the strictness of the Digital Rights Ireland and Tele2 Sverige cases. In the Quadrature du Net case, the court explained that the state may oblige providers of electronic communications services to retain traffic and location data for all users of electronic communications equipment for a limited period of time if it faces an immediate and genuine security threat.[8] Therefore the obligation to retain communications data is not fundamentally contrary to EU law, provided that it pursues a sufficiently serious legitimate aim and is supported by an accessible and clear system of restrictions and remedies. As a reminder, the Tele2 Sverige adjudication stated that the storage of all data is not allowed regardless of any additional conditions. The Quadrature du Net adjudication provides that, in the interests of the investigation of a serious crime, it would be possible to request the retention of data from a specific service user and the release of data which had already been collected by the service provider for another purpose, such as ensuring the quality or continuity of the service.[9] The Quadrature du Net adjudication introduced a degree of flexibility into the previous categorical ban and may have caused confusion both for those who consider the retention of all communications data to be useful for some reason and for those who have actively fought against it.
On 2 March, in response to a reference for a preliminary ruling from the Supreme Court, the European Court of Justice announced its views on the procedure for storing and using communications data in criminal proceedings, pursuant to § 111¹ of the Electronic Communications Act and § 90¹ of the Criminal Procedure Act.[10] The preliminary ruling clearly returns to the principles which were expressed in the Digital Rights Ireland and Tele2 Sverige cases, while also reiterating the fact that, despite the invalidity of the Data Retention Directive and the fact that domestic security remains regulated by domestic law, the practice of retaining and using communications data remains subject to EU law because it directly concerns the activity of the service providers and the fundamental rights of EU citizens.
According to the court, Estonian national law is not in line with EU law and case law due to the following:
- it provides for the general and indiscriminate storage of communications data;
- in circumstances in which the prosecutor’s office conducts pre-trial proceedings and, where appropriate, represents the public prosecution, it cannot be considered an independent body which has been empowered to authorise the retrieval of communications data from service providers.
The Court of Justice has provided clarification by stating that a disproportionate obligation to retain the communications data of all service users cannot provide a basis for gathering legitimate evidence. Evidence which is gathered in this way cannot be relied upon in criminal proceedings even if the prosecution has requested information only on data which has been recorded for a limited period of time and regardless of the amount and type of data available. However, if the communications service provider is required to retrieve the data of a highly-identifiable suspect where such data has been collected for any other purpose, this can only be done for the purposes of investigating serious crime or mitigating serious security threats.
On 18 June, the Supreme Court also reached a significant decision in the Estonian criminal case of H K (see also the report for 2018-2019), in which it agreed with all the views which had been expressed by the Court of Justice and concluded that telephone communications data which had been retained by telecommunications companies under the requirements of an unlawful provision may not be requested in criminal investigations.[11] There should therefore no longer be any doubt regarding the unlawfulness of § 111¹ of the Electronic Communications Act, nor could the judgment concerning Estonia be in any way surprising in light of the Court of Justice’s previous case law.
Statistics and surveys
In November 2020, the Ministry of Justice published the results of the survey, ‘People’s privacy rights and the protection of personal data 2020’.[12] According to the survey, Estonians trust the data processing practices of public institutions the most, especially healthcare institutions, and trust private-sector service providers far less. In the same year, the Data Protection Inspectorate pointed out the fact that most complaints have been related to unauthorised access to health data. At the same time, the survey shows that about two thirds of the Estonian population does not have a clear understanding of which institutions and companies collect data about them.
A 2021 survey of fundamental rights by the European Union Agency for Fundamental Rights shows that 75% of Estonians think that they can change the settings of web applications, pages, and services so that they do not collect personal data. This is the highest figure in Europe. Regarding concerns about service providers, law enforcement or surveillance agencies, national or foreign intelligence agencies, or cybercriminals being able to access and misuse their data, Estonians are precisely at the European average, without showing any obvious trust or suspicion. Estonians consider their awareness of the legislation which makes it possible to find out what data their service providers have collected and how they have used it to be slightly lower than that of the average European. In relations with the public sector, their legal awareness is valued slightly higher. Strangely, according to the respondents themselves, the awareness of Estonians about the General Data Protection Regulation is one of the lowest in Europe. In general, younger people, and those with higher incomes, were more confident and, in their view, more aware of the technical and legal options when it comes to being able to stand up for their privacy. There were no sharp differences between male and female respondents.[13]
Promising practice
The aforementioned relatively good self-reported awareness among Estonians of the privacy settings of websites, and of the options they have for adjusting those settings in accordance with their personal preferences, can be considered a good, promising practice.[14] It is certainly good practice – albeit one which is still rather new – to expand the scope and opportunities of NGOs and advocacy. For example, from 2021 this is one of the main activities of the Estonian Centre for Human Rights in the field of data protection and digital services, which is providing an advisory service and is also hoping to be able to deal with advocacy and strategic litigation in the future.[15] [16]
Major public debates
The issue of the retention of communications data, as well as the collection and use of biometric data, has often come up in public debates. For the former, the indispensability of such data in the fight against crime is often emphasised, while it is difficult to find publicly available statistical evidence about it, such as the relationship between the amount of communications data which is issued at the request of the prosecution and the amount which is successfully used to resolve criminal cases. It also needs to be repeated that the retention obligation is already a relic of a rather old and invalid EU directive. It is pointless to assume that the storage of communications data in Estonia can continue in its current form. The retention of biometric data has not received such widespread attention in the past, so critical questions have rightly been asked about the proportionality and necessity of ABIS, while the possible uses of biometric data for security and safety have also been clarified, and the chaotic nature of the current system has briefly been criticised.
Trends and outlook
A trend which can be seen here is the increase in legal awareness, but also the increased readiness to restrict fundamental rights, which is probably something which can be justified by the circumstances of the pandemic. In contrast to greater awareness and positive case law, there is also a real tendency to take a bold and public approach to privacy restrictions – as an example, see ABIS and the draft amendment to the Electronic Communications Act – as well as the increased digital dependence and vulnerability which accompanies the pandemic.
Case study
The most important individual case to be resolved during the reference period is certainly the criminal case which concerned petty theft by a person whom the courts named H K. This H K was convicted in court for thefts which had been committed during the years 2015-2016. The subject H K was convicted in the courts of first and second instance, in part on the basis of electronic communications data retained under the terms of the Electronic Communications Act, which the investigating authority had received from the communications company during various pre-trial proceedings on the basis of various permits which had been issued by the District Prosecutor’s Office. The defence counsel challenged the convictions in the Supreme Court. According to the defence counsel, the data which was collected as a result of the indiscriminate retention obligation and which had been received from the communications companies must be considered as inadmissible evidence. In November 2018, the Supreme Court referred the matter to the Court of Justice for a preliminary ruling on whether the retention of metadata and sharing such data with a public authority constitutes such a serious violation of fundamental rights that it should be reserved for serious crimes only, regardless of the period covered. Secondly, the question was asked of whether the amount of data available (both in terms of volume and time) is related to the seriousness of the offences under investigation, i.e. that collecting smaller amounts of data would be less intrusive and also more justifiable for the investigation of minor offences, while more comprehensive data in terms of content and time can only be collected to combat serious crime.
Thirdly, the Supreme Court was interested in whether the Prosecutor’s Office which was leading the pre-trial proceedings could be considered an independent administrative authority to whose prior permission and supervision any access to data must be subjected according to the Tele2 Sverige decision.[17] The European Court of Justice declared the procedure for the storage of communications data which was currently in force in Estonia to be in conflict with EU law; the adjudication is discussed in the case law subsection. On 18 June 2021, the Supreme Court also reached a significant decision in Estonian case law, in which it agreed with all the views of the European Court of Justice and concluded that telephone communications data which had been retained by telecommunications companies on the basis of the unlawful § 111¹ of the ESA cannot be requested in criminal investigations. Unfortunately, however, the draft amendment to the Electronic Communications Act does not provide for the abolition of the obligation to retain all data.
Recommendations
- Align the procedure for retaining communications data as a matter of urgency with national and EU law and case law.
- Carry out a comprehensive audit of the current arrangements for the collection and storage of biometric data, covering technical, legal, and wider societal perspectives.
[1] TEHIK. 2020. Telefonirakendus “HOIA” privaatsustingimused, 21.08.2020.
[2] Allik, H. 2021. Ebaõnnestumiste rägastik: kuidas HOIA rakendus on läbi kukkunud, Postimees, 22.02.2021.
[3] Majandus- ja kommunikatsiooniministeerium. 2021. Elektroonilise side seaduse, ehitusseadustiku ja riigilõivuseaduse muutmise seadus.
[4] Riigikogu. 2021. Isikut tõendavate dokumentide seaduse muutmise ja sellega seonduvalt teiste seaduste muutmise seadus 366 SE.
[5] Judgment of the Court of Justice of the European Union of 06.10.2020 in joined cases C‑511/18, C‑512/18 and C‑520/18.
[6] Judgment of the Court of Justice of the European Union of 21.12.2016, Tele2 Sverige AB v. Watson and others, in joined cases C‑203/15 and C‑698/15.
[7] Judgment of the Court of Justice of the European Union of 02.10.2018 in case C-207/16.
[8] Judgment of the Court of Justice of the European Union of 06.10.2020 in joined cases C‑511/18, C‑512/18 and C‑520/18, § 137.
[9] Judgment of the Court of Justice of the European Union of 06.10.2020 in joined cases C‑511/18, C‑512/18 and C‑520/18, § 141.
[10] Judgment of the Court of Justice of the European Union of 02.03.2021 in case C‑746/18.
[11] Judgment of the Criminal Chamber of the Supreme Court of 18.06.2021 in case no. 1-16-6179.
[12] Justiitsministeerium. 2020. Inimeste privaatsusõigused ja isikuandmete kaitsmine 2020, 05.11.20.
[13] FRA. 2021. Fundamental Rights Survey, Data Protection and Privacy.
[14] Ibid.
[15] Eesti Inimõiguste Keskus. 2021. Keskuse tegevus laieneb, 25.05.2021.
[16] Eesti Inimõiguste Keskus. 2021. Keskus alustab nõustamis andmekaitse ja privaatsuse vallas, 04.10.2021.
[17] Court of Justice of the European Union. 2018. Case C-746/18: Request for a preliminary ruling from the Riigikohus (Estonia) lodged on 29 November 2018 – H. K. v Prokuratuur.