3 - chapter

Right to respect for family and private life

Author: Kristena Kutti

Key issues

  • The use of state surveillance technologies requires a well-considered decision by the legislature and respect for the privacy of all members of society.
  • The use of cameras for law enforcement purposes requires more precise regulation in law.
  • The development of AI must be carried out responsibly, taking into account everyone’s privacy and the right to personal data protection.

Political and institutional developments

The years 2024–2024 were marked by restrictions on individual freedoms and manifestations of mass surveillance. It became evident that public authorities are using, for example, a nationwide network of number-recognition cameras[1] or the enforcement register,[2] which allows access to bank account data without a clear legal basis. Attention was also drawn to the plan by the Financial Intelligence Unit to create a so-called super-database[3] as well as conceptual developments related to a nationwide network of surveillance cameras with facial and number recognition.[4] The Chancellor of Justice has described the current situation using the term “surveillance society.”[5]

All of these examples share a common feature: while apprehending criminals is necessary to ensure a safe society, the importance of a clear legal basis and the privacy rights of all other individuals cannot be ignored. The legislature has not substantively addressed issues of privacy and personal data protection, a point highlighted by both the Chancellor of Justice[6] and the Legal Affairs Committee of the Riigikogu.[7]

The introduction of every new measure or (surveillance) technology, and the conditions of its use, must be a carefully considered decision by the legislature, assessing whether the intended objective outweighs the intrusion on privacy. Transparency must be ensured for all of us when such intrusive measures are used, along with certainty that it is possible to know how our data is processed and to effectively protect our rights against violations.

Another important issue that emerged is the surveillance of individuals by investigative authorities. In 2025, a lawyer requested the initiation of official supervision over the Estonian Internal Security Service (KAPO), claiming that KAPO does not inform individuals who happen to be part of conversations that are being surveilled.[8] The Minister of the Interior, however, did not consider the intrusion on an individual’s privacy significant enough to warrant notification.[9] The law indeed states that a secret surveillance measure must be disclosed if it significantly infringes on family or private life. At the same time, arguments suggesting that work-related calls cannot infringe on private life are not consistent with the case law of the European Court of Human Rights (ECtHR).[10]

Legislative developments

For the processing of personal data for scientific, historical research, and statistical purposes, the European Union’s General Data Protection Regulation (GDPR) allows Member States to establish national rules. In Estonia, the corresponding regulation has been in force since 2019 and it is now planned to be amended. In practice, it has become evident that the protection of data subjects’ rights is not sufficiently ensured. Stricter rules are being proposed both for anonymisation of personal data and for obtaining the necessary permissions for research.[11]

In recent years, the use of unmanned aerial vehicles has increased sharply. They are already being used, for example, in rescue operations, environmental monitoring, searches for missing persons, and border surveillance.[12] Camera recordings may also capture people moving on the ground.

The current Law Enforcement Act does not regulate the processing of personal data using drone cameras. For this purpose, a draft amendment to the Law Enforcement Act is planned. According to the legislative intent, it is necessary to regulate the legal basis for processing, retention periods, and to address how citizens should be informed that they may be subject to surveillance.[13]

The European Commission has proposed simplifying the GDPR by allowing certain exemptions for micro, small, and medium-sized enterprises. The aim of these simplifications is to reduce the compliance burden on companies. By redirecting the time and financial resources saved, it is hoped that the competitiveness of European businesses will be increased.

Case law

In cases concerning GDPR-related administrative fines that have been resolved in the Supreme Court, the court has annulled fines imposed by the Data Protection Inspectorate. All of these proceedings share the common feature that the annulment was due to deficiencies in the procedure for handling administrative offences under Estonian law. One key issue was the question of legal-person liability, which proved decisive in both the Pere Sihtkapital SA case[14] and the Asper Biogene OÜ case.[15] The provision regulating the liability of legal persons has now been amended, but it has not yet been applied in practice. A second problem in imposing data protection administrative fines was the short statute of limitations for administrative offences, which led to the annulment of fines in the cases of East Tallinn Central Hospital[16] and Viljandi Hospital[17]. The statute of limitations for data protection offences has since been extended from 2 years to 3 years.

In the practice of the European Court of Justice, the most discussed issue has been the right of the data subject to claim compensation. This requires not only a violation of the GDPR but also demonstrable damage.[18] While the filing of collective actions has been standard practice in other countries for years, Estonian legal culture has not yet embraced the concept of collective actions. Only at the beginning of 2025 was the possibility to bring collective actions first established in Estonian law.[19] This also gives the Data Protection Inspectorate the right to bring collective actions to protect consumers. In practice, however, the willingness to file collective actions may be limited by the fact that, in the event of a loss, the costs must be borne by the person who brought the action on behalf of consumers. It should also be noted that, as this is an entirely new regulation, it remains largely untested in practice.

Promising practices

Over the years, data protection and privacy have been taken increasingly seriously. The year 2025 was particularly notable for the amount of public attention given to the use of public-sector databases[20] and the proceedings of the Data Protection Inspectorate[21]. Fines imposed by the inspectorate for data protection violations have also been on the rise. In 2025, fines imposed by the inspectorate even surpassed a million euros.[22] However, the first million-euro fine has not yet come into force, as it is being contested by the company.[23]

Nevertheless, the motivation to improve data protection should not rest solely on the threat of fines looming over companies. The Data Protection Inspectorate can also clarify this complex field and make it more accessible to the public by issuing clear guidance. Accordingly, the Data Protection Inspectorate has launched a podcast[24] and conducts training sessions[25] to promote knowledge in the field. The inspectorate’s website also provides instructions[26] explaining data processing requirements, but given the rapid development of technology, there is much more work to do.

Considering the close connection between data processing requirements and cybersecurity, and the fact that several new EU-level regulations on cybersecurity have been introduced,[27] closer cooperation with the Estonian Information System Authority (RIA) and the joint communication of guidance or knowledge to the public could significantly contribute to the successful integration of the two fields.

Noteworthy public discussions

The use of cameras in both the public and private sectors continues to attract widespread attention, along with the question of whether individuals’ private lives and right to privacy are adequately protected. For example, the Ministry of the Interior suspended the use of number-recognition cameras after both the Data Protection Inspectorate and the Chancellor of Justice highlighted the need for clearer legal regulation.[28]

In addition to number-recognition cameras, the Chancellor of Justice’s notice cited other examples, including cameras placed in public spaces, body-worn cameras, drones, wildlife cameras, and the mapping application of the Land and Spatial Development Board.[29] Many cameras used for law enforcement purposes require amendments to the law — providing a clear legal basis for their use, as well as conditions for usage and retention.

The widespread use of cameras in public spaces is confirmed by statistics: in the city of Tallinn alone, there are over 800 public cameras,[30] and the national Police and Border Guard Board (PPA) network includes more than 1,600 public cameras.[31] The use of public cameras has sparked public debate year after year. Even in 2024, the Chancellor of Justice again emphasised the need for clearer rules regarding camera usage.[32]

However, the accessibility of city cameras[33] online in real time to everyone is incompatible with the right to privacy. This allows the movement of individuals or vehicles in public spaces to be monitored effortlessly, creating an additional risk rather than increasing safety.

The use of surveillance cameras on private property is also significant. Currently, there is no effective way to determine how much public space or a neighbour’s property falls within the field of view of a private camera. This is important because if a camera records a neighbour’s property or public area, strict GDPR rules apply. The situation is even more complex with unmanned aerial vehicles (drones) flown over private property. For the individual whose rights are violated, it is essentially impossible to even identify the person responsible, let alone secure effective legal protection.[34]

Trends and future outlook

A global trend is the widespread use of artificial intelligence, which is welcome given its broad range of applications, but also raises concerns, for example, due to various ethical issues. For instance, a couple living in the United States filed a lawsuit against OpenAI,[35] claiming that its chatbot ChatGPT had encouraged their son to take his own life. Such ethical questions remain unresolved today, and it can be expected that they will not be the last in this area.

Ensuring data protection and privacy is also one of the greatest challenges in the age of artificial intelligence. The European Data Protection Board generally supports the development of AI and considers that the GDPR promotes its responsible use.[36]

At the same time, AI is constantly trained using data available on the internet, which means that individuals may lose control over their personal data. During both AI training and subsequent deployment, it must be ensured that the processing of personal data has a legal basis under the GDPR. For example, in 2025, users of the social media platform LinkedIn filed a lawsuit against the platform, claiming that it was training AI models for other companies using the content of private messages, employing a solution in which users could not actively give consent but were deemed to have given consent by default.[37] However, commercial interests in AI development cannot override individuals’ privacy and their right to the protection of personal data. The role of supervisory authorities is to respond to potential GDPR violations in the training or use of AI models.

Case study

An individual installed four cameras on their property, the field of view of which also covered a public street and neighbouring properties. The Data Protection Inspectorate issued an order requiring the individual to stop filming areas outside their own property and to delete the recordings.

In the court case,[38] it was confirmed that an individual has no legal basis to film a neighbouring property. However, if the person wishes to continue filming public areas, they cannot rely on the personal-use exemption and all strict GDPR rules apply in this context. This means the individual must prepare data protection measures and must conduct a thorough legitimate interest assessment. In the legitimate interest assessment, it must be considered whether the person’s interest in using the cameras outweighs the interests of the data subjects or the interference with their fundamental rights and freedoms. Upon request, these assessments must be submitted to the inspectorate.

Recommendations

  • To ensure that significant restrictions on fundamental rights occur only at the legislative level, public authorities must have a clear legal basis in law for processing individuals’ data.
  • When using security measures such as number-recognition cameras or the enforcement register, the privacy rights of affected individuals must also be ensured, along with effective mechanisms to protect those rights.
  • Secret surveillance of individuals always significantly interferes with their private life, and therefore individuals must be informed if they are being surveilled.
  • Closer cooperation between the Data Protection Inspectorate and the Estonian Information System Authority will further promote the successful integration of data protection and cybersecurity.
  • The role of supervisory authorities is to respond to potential GDPR violations in the training or use of AI models.
  • Supervisory authorities should respond with equal intensity to data protection violations by both public authorities and the private sector. This is particularly important because it is not possible to impose a data protection fine on a public authority. Therefore, at a minimum, public reactions to violations by the state or local government must be robust.

[1] ERR. 2025. Siseministeeriumi memo: numbrituvastus tuleks seadusesse kirjutada, 13.05.2025.

[2] ERR. 2025. Õiguskantsler: riigiasutused on saanud reegliteta ligipääsu pangasaladusele, 01.07.2025.

[3] ERR. 2025. Rahapesu andmebüroo plaanitav suur andmebaas pälvib kriitikat, 16.06.2025.

[4] ERR. 2025. Riik kavandab üle-eestiliste näo- ja numbrituvastusega valvekaamerate võrku, 17.03.2025.

[5] Õiguskantsler. 2025. Õiguskantsleri aastaülevaade 2024/2025. Jälgimisühiskond, veebis 19.10.2025.

[6] Õiguskantsler. 2025. Pangasaladuse kaitse ja täitmisregister, 01.07.2025.

[7] ERR. 2025. Õiguskomisjoni liikmete sõnul peaks inimene saama pärida, miks tema kohta andmeid kogutakse, 14.05.2025.

[8] ERR. 2025. Ministeerium ei algata kapo üle seoses kõnede pealtkuulamisega järelevalvet, 23.07.2025.

[9] Ibid.

[10] Euroopa Inimõiguste Kohus. 1990. Huvig vs France, 24.04.1990; Euroopa Inimõiguste Kohus. 1989. Chappell vs United Kingdom, 30.03.1989; Euroopa Inimõiguste Kohus. 1992. Niemietz vs Germany, 16.12.1992.

[11] Eelnõude infosüsteem. 2024. Isikuandmete kaitse seaduse muutmise seaduse väljatöötamiskavatsus, 10.04.2025.

[12] Eelnõude infosüsteem. 2024. Korrakaitseseaduse muutmise seaduse väljatöötamiskavatsus, p 6.1, lk 32, 25.06.2024.

[13] Ibid.

[14] Harju Maakohus. 2025. Harju Maakohtu 13.05.2025 otsus nr 4-24-2473/66, 13.05.2025.

[15] Judgment of Tartu County Court of 26.06.2025, No. 4-25-326/36; it entered into force with the annulment of the fine in the county court and the Supreme Court's refusal to accept the case for proceedings.

[16] Riigikohus. 2025. Riigikohtu kriminaalkolleegiumi 20.06.2024 otsus nr 4-23-742, 20.06.2024.

[17] Riigikohus. 2025. Riigikohtu kriminaalkolleegiumi 04.06.2025 otsus nr 4-24-2034, 04.06.2025.

[18] Euroopa Liidu Teataja. Euroopa Kohtu 20.06.2024 otsus C-590/22, 20.06.2024; Euroopa Kohtu 20.06.2024 otsus liidetud kohtuasjades C-182/22 ja C-189/22; 04.09.2025 otsus C-655/23.

[19] Riigi Teataja. 2025. Tarbijakaitseseadus, peatükk 61. Kollektiivne esindushagi, 08.07.2025.

[20] See references 1–4.

[21] See references 14–17.

[22] Andmekaitse Inspektsioon. 2025. Allium UPI jättis kliendiandmed kaitseta – 3 miljoni euro suurune trahv, 05.09.2025.

[23] ERR. 2025. AKI määras Apotheka kliendiandmete haldajale kolme miljoni eurose trahvi, 05.09.2025.

[24] Andmekaitse Inspektsioon. 2023. Andmekaitse teemaline podcast „Andmehääling“, 06.07.2023.

[25] Andmekaitse Inspektsioon. 2025. Koolitused väikestele ja keskmise suurusega ettevõtetele, 05.11.2025.

[26] Andmekaitse Inspektsioon. 2025. Juhendid, 16.05.2025.

[27] EUR-Lex. 2022. Euroopa Parlamendi ja nõukogu direktiiv (EL) 2022/2555, 14.12.2022; EUR-Lex. 2022. Euroopa Parlamendi ja nõukogu määrus (EL) 2022/2554, 14.12.2022; EUR-Lex. 2024. Euroopa Parlamendi ja nõukogu määrus (EL) 2024/2847, 23.10.2024.

[28] ERR. 2025. Siseminister peatab numbrituvastuskaamerate kasutamise, 14.05.2025.

[29] Õiguskantsler. 2024. Märgukiri isikuandmete töötlemisega ja korrakaitsega seotud küsimuste kohta, 03.05.2024.

[30] ERR. 2022. Tallinnas on üle 800 avaliku kaamera ja nende arv üha kasvab, 23.08.2022.

[31] ERR. 2024. Politsei võrgus on üle Eesti 1600 avaliku ruumi kaamerat, 06.05.2024.

[32] ERR. 2024. Õiguskantsler: kaamerate kasutamine vajab selgemaid reegleid, 06.05.2024.

[33] Tallinna Linn. 2025. Tallinna liikluskaamerad, veebis 16.11.2025.

[34] Õiguskantsler. 2024. Märgukiri isikuandmete töötlemisega ja korrakaitsega seotud küsimuste kohta, 03.05.2024.

[35] BBC. 2025. Parents of teenager who took his own life sue OpenAI, 27.08.2025.

[36] Euroopa Andmekaitsenõukogu. 2024. Arvamus 28/2024 tehisintellektimudelite kontekstis isikuandmete töötlemisega seotud teatavate andmekaitseaspektide kohta, lk 2, 17.12.2024.

[37] BBC. 2025. LinkedIn accused of using private messages to train AI, 23.01.2025.

[38] Riigi Teataja. 2025. Tallinna Ringkonnakohtu 19.06.2025 otsus haldusasjas nr 3-23-1025, 19.06.2025.


Author

  • Kristena Kutti is an attorney at TRINITI who works on data protection, privacy and cybersecurity. Her daily work covers both compliance advice and the resolution of disputes in the field. In addition, Kristena leads and develops the cybersecurity and technology practice at TRINITI. Kristena has also contributed to the Estonian Human Rights Centre's report in previous years.