Chapter 3

Right to respect for family and private life

Author: Mari-Liis Vähi

Key issues

  • Although a court’s permission is now needed to request communications data within the framework of criminal proceedings, § 111¹ of the Electronic Communications Act, which obliges telecommunications companies to retain communications data of all Estonian residents indiscriminately, still remains unchanged, contrary to the case law of the European Court of Justice and the Estonian Supreme Court.
  • The protection of fundamental rights holds an important place in the regulation of digital services and artificial intelligence.
  • Personal data is freely and publicly accessible through the Business Register as open data.
  • The imposition of fines related to data protection has been simplified.
  • Access to the internet and mobile phones must be ensured in the detention centre.

Political and institutional developments

During the period under review, several significant changes took place in Estonia and the EU that impact the inviolability of family and private life. One of the priority trends for the Estonian state has been more effective use of open data and big data.[1] As of 1 October 2022, Estonia made Business Register data freely accessible to everyone. These open data sets often include personal data, such as personal identification codes, phone numbers, email addresses and/or home addresses of board members, ultimate beneficiaries, or sole proprietors.[2] At the same time, the European Court of Justice[3] analysed the disclosure of data of beneficial owners in business registries and concluded that the obligation to make such data freely available to the public is unlawful, disproportionately infringes on individuals’ right to privacy, and decided that not everyone needs to have such open access to personal data.

In addition to open data, the use of biometric data has also been enhanced both in the work of the Police and Border Guard Board and in the fulfilment of other public tasks. On 3 January 2022, the regulation on the Automatic Biometric Identity System (ABIS) entered into force, establishing the principles and foundations for data processing in the ABIS database.[4] ABIS is an electronic interoperable database that contains biometric data collected by various public authorities for different purposes. The biometric data in ABIS includes facial images, fingerprints, and palm prints. Although ABIS can be considered more transparent and regulated than the previously fragmented system, where biometric data was collected in databases under the jurisdiction of various ministries and these databases were not sufficiently regulated, ABIS entails security and confidentiality risks due to the centralisation of sensitive data. From the perspective of the rule of law, it is problematic that the conditions for data processing are established at the executive level through a government regulation (rather than at the legislative level[5]).[6]

Due to the advance of new technology in recent years, including the popularisation of artificial intelligence solutions (such as image generators and chatbots), important political steps have been taken to regulate such automated and predictive systems. In 2023, discussions in the European Union intensified regarding the regulation of artificial intelligence. As an important step towards making artificial intelligence systems used in the EU safer, more transparent, environmentally friendly, and less intrusive on fundamental rights, in June, the European Parliament adopted its negotiating position on the Artificial Intelligence Act initiated by the European Commission in 2021.[7] The regulation is a comprehensive legal act regulating artificial intelligence, based on the risk level of systems, and additional obligations for service providers are established according to the risk level. Systems that significantly affect the safety and fundamental rights of users are classified as high-risk artificial intelligence systems. Artificial intelligence systems that pose unacceptable risks, endangering individuals, are prohibited.[8], [9], [10] The EU artificial intelligence regulation is currently in trilogue negotiations, and the adoption of the regulation is expected by the beginning of 2024.

Legislative developments

As of 1 November 2023, imposing fines for data protection violations has been simplified. The new provisions of the Penal Code allow for larger fines, longer prescription periods, and make it easier to hold companies accountable for violations of the General Data Protection Regulation (GDPR).[11] According to the amendments, a legal entity is also responsible if the misdemeanour is committed by any person at the direction of the legal entity’s body, its member, executive employee, or authorised representative, or if the violation is caused by inadequate organisation or supervision by the legal entity.[12] This amendment enables the Data Protection Inspectorate to impose so-called giant fines stipulated in the GDPR and to deter companies in accordance with the requirements of the GDPR.

A long-standing practice that violates fundamental rights has been the collection and use of the communications data of all residents of Estonia by telecommunications companies based on the Electronic Communications Act.[13] The amendment to the Code of Criminal Procedure that entered into force at the beginning of 2022 can be considered a positive small step, according to which the court now grants permissions for requesting communications data during criminal proceedings (previously permission was granted by the prosecutor).[14] However, Electronic Communications Act § 111¹ Sections 2 and 3 are still unchanged and unlawfully infringe on fundamental rights by obliging telecommunications companies to retain the communications data of all residents for a year, which the state authorities listed in the act can request in cases other than criminal proceedings. As explained in the previous report[15], the indiscriminate retention of communications data has been declared incompatible with EU law and a breach of the right to privacy by the Supreme Court[16] and the European Court of Justice[17]. The action plan of the Ministry of Justice does not include plans to amend the law.[18]

A breakthrough step in holding tech giants accountable is the entry into force of the EU Digital Services Act (DSA) on 16 November 2022, aimed at curbing the use of hidden systems by technology giants (social media platforms, online stores, search engines) such as tracking ads, more effectively restricting the spread of illegal online content, and ensuring users have better control over the use of their personal data in online advertising, along with stronger protection of fundamental rights on the internet.[19] The DSA introduces additional transparency obligations and clearer rules for marking advertising and sponsored content. Targeted advertising based on a person’s sexual orientation, religious beliefs, ethnic origin, or political convictions is prohibited. The act also enhances the protection of minors and prohibits targeted advertising to minors.[20]

Case law

In 2023, the Constitutional Review Chamber of the Supreme Court found that the prohibition on communication devices, including the restriction on the use of mobile phones and the internet, in the asylum-seekers’ detention centre is in contradiction with the Estonian Constitution and violates the right to private and family life. The court declared the provision restricting fundamental rights invalid.[21] Taking into account the court case initiated by the Estonian Human Rights Centre[22], the Ministry of the Interior must make changes, implementing only necessary and proportionate restrictions.[23] According to the amendment to the detention centre’s internal rules, detainees are now allowed at least one hour of mobile phone and data service use during scheduled free time, provided that it does not allow for photo or video recordings and does not jeopardise the internal order of the detention centre or hinder the execution of deportation.[24] Although this is a positive development, this limited use of the internet and mobile phones continues to restrict the family life, privacy, and freedom of expression of asylum-seekers.

Promising practices

In 2022, the Data Protection Inspectorate failed to respond to applications in a timely manner or did not respond at all due to a lack of resources, thereby violating the requirements of the GDPR.[25] As a promising trend, in February 2023, the Data Protection Inspectorate expanded significantly after its budget was almost doubled (increasing the number of positions and salaries).[26] This emphasises the important role of data protection supervision, enabling the inspectorate to more effectively fulfil its legal obligations and develop the field.

Noteworthy public discussions

In August 2023, the Pere Sihtkapital foundation’s request for data on 24,000 women from the Population Register triggered a wide-ranging discussion on personal data protection and ethics issues[27], [28], [29], [30]. The foundation asked, on behalf of the University of Tartu, for the data of thousands of Estonian women for the purpose of a childlessness survey (including contact information to pressure those who refrained from participating in the study) and sent them a questionnaire, the content of which received sharp feedback from the public due to sensitive issues (such as same-sex relationships, political preferences, number of children).[31] The study did not have the permission of the ethics committee (or Data Protection Inspectorate) nor the approval of the University of Tartu.[27], [32], [33] As a result of the scandal, thousands of Estonians hid their data in the Population Register from private companies.[34] In addition, the public also became aware of the fact that giving consent for data processing in the Population Register is contrary to the concept of consent in the GDPR, which stipulates that individuals should explicitly consent to the transfer of their data, and consents should not be pre-selected (an illegal opt-out consent system was in place).[35] The question was also raised whether, in the case of such a large-scale database, it should be ensured that the recipient has a legal basis for data processing and the necessary permits.[36]

Trends and future outlook

In the rapidly evolving information and data society, where data has become a currency for both businesses and countries, the right to privacy and data protection holds particular significance in safeguarding individuals’ interests. The development of this field, including raising awareness and harmonising data protection rules, has been influenced to a considerable extent by the GDPR. In Estonia, one significant challenge for implementing the penalty mechanisms stipulated by the GDPR is the absence of administrative fines. However, recently, both domestically and within the EU, there has been a noticeable trend of taking data protection violations and their enforcement more seriously.[37], [38] This positively impacts the rights of data subjects, as the vigilance of supervisory authorities in enforcing data protection encourages companies to better respect the personal data of individuals, leading to increased protection of privacy and personal data.

Case description

The case involves a data protection breach where an individual was photographed at their workplace, and later the picture, along with personal data of the individuals in the photo, was published in the media and displayed at a national exhibition as part of a photo contest without the consent of those photographed. However, the person understood that the photo would be used by the employer for work-related purposes (employee photos), and neither the photographer nor the employer explained otherwise. The individuals in the photo were surprised to discover images along with their names, ethnicity, refugee status, occupation, and workplace information in the media and public space.

With the assistance of the Estonian Human Rights Centre, the person in the photo turned to the photographer, the Data Protection Inspectorate, and later to the administrative court to cease the processing of their personal data, but the authorities did not find a data protection violation. In decision no. 3-23-1054, the court found that due to freedom of art and freedom of the press, the photographer could indeed publish the photo in the media and submit it to a competition later. The complainant argued that the photographer should have informed the individuals in the photo about being a press photographer and the purpose of using the photos (publication in the media and exhibition) so that they could make an informed choice about participating in the photo shoot. The court found that since the photographer removed the names and refugee status of the individuals from some publications after the complainant’s request, the breach of the individuals’ privacy had been mitigated. Although freedom of the press and art is undoubtedly important in society, the resolution is worrisome from a personal data protection perspective, as it implies that the data subject should be able to foresee possible data protection violations, which is not practically possible and does not align with the principle of data protection law (GDPR) that the obligation to explain lies with the data controller.

Recommendations

  • The Data Protection Inspectorate, as an independent supervisory authority, should strategically, systematically and proactively supervise the protection of personal data and develop the field.
  • The protection of individual rights should be thoroughly weighed against providing social benefits and exercising rights (e.g. national security or freedom of speech and information vs. the protection of personal data). A measure restricting fundamental rights should not only be purposeful but also appropriate, necessary, and proportionate.
  • The retention of communications data must be aligned with national and EU case law and legislation.
  • Access to the internet and mobile phones must be ensured in the detention centre.

Any opinions and assessments expressed in this chapter are personal and do not reflect the official position of any institution.


[1] Vabariigi Valitsus. 2022. Eesti Vabariigi strateegia “Eesti 2035”. Materjalid, 07.10.2022.

[2] Keskel, A-J. 2022. Äriregistri andmed on homsest tasuta kättesaadavad, Postimees, 30.09.2022.

[3] Euroopa Kohtu 22.11.2022 otsus liidetud kohtuasjades C-37/20 ja C-601/20.

[4] Riigi Teataja. 2022. Automaatse biomeetrilise isikutuvastuse süsteemi andmekogu põhimäärus, RT I, 03.10.2023, 17.

[5] Riigi Teataja. 2021. Isikut tõendavate dokumentide seaduse muutmise ja sellega seonduvalt teiste seaduste muutmise seadus, RT I, 08.07.2021, 1.

[6] Sarv, H. 2021. Õiguskantsler näeb ABIS-es mitut tõsist probleemi, ERR, 29.06.2021.

[7] Euroopa Parlament. 2023. Euroopa Parlament on valmis alustama nõukoguga läbirääkimisi esimeste tehisintellekti reeglite üle, 14.06.2023.

[8] Euroopa Parlament. 2023. Tehisintellekti määrus: ELi plaan reguleerida tehisintellekti, 14.06.2023.

[9] Euroopa Parlament. 2023. Euroopa Parlament on valmis alustama nõukoguga läbirääkimisi esimeste tehisintellekti reeglite üle, 14.06.2023.

[10] Euroopa Parlament. 2023. Parliament’s negotiating position on the artificial intelligence act, June 2023.

[11] Kärner, M. 2023. Muudatused juriidilise isiku süüteovastutuses, Juridica 2023/4-5.

[12] Kuuskmaa, L. M., Miidla, M. 2023. Eesti lihtsustab karistusseadustiku muudatustega andmekaitsealaste rikkumiste eest trahvide määramist, Sorainen, 15.05.2023.

[13] ERR. 2023. Eesti kogub jätkuvalt kõigi inimeste sideandmeid, 04.08.2023.

[14] Riigi Teataja. 2021. Riigi Teatajas avaldati kriminaalmenetluse seadustiku muutmise seadus, 22.12.2021.

[15] Väljataga, A. 2021. Inimõigused Eestis 2022: Õigus perekonna- ja eraelu puutumatusele, Eesti Inimõiguste Keskus.

[16] Riigikohus. 2021. Riigikohus: riik ei saa sidefirmade kogutud andmeid kuritegude uurimiseks välja nõuda, 18.06.2021.

[17] ERR. 2022. Euroopa Kohus: sideandmete lausaline säilitamine on õigusvastane, 05.04.2022.

[18] Justiitsministeerium. Strateegilised alusdokumendid.

[19] Euroopa Komisjon. 2023. Digiteenuste seadus: Küsimused ja vastused.

[20] Euroopa Parlament. 2022. Digiteenuste õigusakt: murranguline kokkulepe turvalise veebikeskkonna loomiseks, 25.04.2022.

[21] Riigikohtu põhiseaduslikkuse järelevalve kolleegiumi 20.06.2023 otsus asjas 5-23-16/15.

[22] Tallinna Halduskohtu 20.03.2023 otsus haldusasjas 3-22-2355.

[23] Vähi, M-L., Tuuling, K., Ponomarjova, U. 2023. Riigikohus: varjupaigataotlejate suhtlusvõimaluste piiramine on vastuolus Eesti põhiseadusega, Eesti Inimõiguste Keskus, 20.06.2023.

[24] Riigi Teataja. 2023. Siseministri 16. oktoobri 2014. aasta määruse nr 44 „Kinnipidamiskeskuse sisekorraeeskiri” muutmine, RT I, 10.10.2023, 9.

[25] Palgi, G. 2023. Andmekaitse inspektsiooni peadirektor kaadri voolavusest: peame tegelema eraisikute vaidlustega hoovikaamera pärast, Eesti Päevaleht, 05.02.2023.

[26] Andmekaitse Inspektsioon. 2023. Aastaraamat 2021–2022.

[27] Pärli, M. 2023. Pere Sihtkapital küsis uuringu jaoks TÜ nimel tuhandete naiste andmeid, ERR, 11.08.2023.

[28] Kuulpak, K. 2023. Tartu ülikool vallandas Raul Eametsa, kes ebaausalt hankis lastetute naiste andmeid. Rektor Asser: mõistan hukka. Jätkata on mõeldamatu! Õhtuleht, 14.08.2023.

[29] ERR. 2023. AKI alustas menetlust Pere Sihtkapitali tellimusel tehtud uuringu osas, 14.08.2023.

[30] Muraveiski, K. 2023. „Kas teil on olnud seksuaalkogemusi samast soost partneritega?“ Loe, milliseid isiklikke küsimusi küsiti naistelt skandaalses uuringus, Delfi, 13.08.2023.

[31] Himma, M., Libe, T. 2023. Lastetute naiste uuringu küsimuste autor Allan Puur: nii terav tagasiside üllatas, ERR, 15.08.2023.

[32] Orav, A. T. 2023. Pere Sihtkapital tegi esimese katse uuringuks juba kevadel, kuid ei saanud inspektsioonilt luba, Eesti Ekspress, 15.08.2023.

[33] Liive, R. 2023. Kõmulise lastetute naiste uuringu tellis Isamaaga seotud sihtasutuselt Isamaa minister Riina Solman, Digigeenius, 12.08.2023.

[34] ERR. 2023. Ministeerium: Pere Sihtkapitali juhtum on üks õnnetu lugu, 16.08.2023.

[35] Ratnik, H. 2023. Vandeadvokaat: rahvastikuregistri seadus on Euroopa Liidu õigusega vastuolus, Eesti Ekspress, 16.08.2023.

[36] Andmekaitse Inspektsioon. 2023. Andmekaitse Inspektsioon alustas menetlust Pere Sihtkapitali SA tellimusel tehtud uuringu osas, 14.08.2023.

[37] ERR. 2023. EL trahvis Metat 1,2 miljardi euroga, 22.05.2023.

[38] CMS Law. GDPR Enforcement Tracker.


Author

  • Mari-Liis Vähi holds a master’s degree from the Faculty of Law of the University of Tartu and is currently also furthering her studies in the University of Tartu’s IT law master’s programme. She currently works in the Digital and Cyber Diplomacy Department of the Ministry of Foreign Affairs. Previously, she led the digital rights project at the Estonian Human Rights Centre and worked as a legal adviser at the cyber security company CybExer Technologies.