Kari Käsper, Marianne Meiorg
Remarkable events that occurred in the sphere of privacy law in 2012 can be divided in two thematic groups: data protection and surveillance. There were no major changes on other topics within privacy law. There’s work being done at the Ministry of Justice to amend the Family Law Act, however, these amendments have to do with right to respect for family life only briefly.
There were developments in two of the draft acts of smaller volume mentioned in the human rights’ annual report of 2011. Riigikogu adopted the draft enabling sexual criminals and drug addicts to choose treatment as partial alternative to imprisonment 30 May 2012. As was mentioned in the previous report, this is a positive development. 5 December 2012 Riigikogu adopted the draft act which had to do with personal belonging of prisoners and short and long term visits. The main difference was bringing the regulation on visits from the level of minister’s regulation to the level of an act of law, which is an important development from the viewpoint of human rights, as it is a regulation limiting person’s human rights. Another addition was the obligation to bring reasons for denying visits, which is another positive development in the protection of human rights of prisoners.
One of the most important acts of law regulating privacy law is the Personal Data Protection Act – a topic which has seen remarkable changes in recent times, however, the act itself had remained unchanged since 1 January 2011. The text of the act has been accused of being too general, which is why this relatively new regulation area is still very unclear in Estonia. This legal provision takes over the EU directive 95/48/EU on data protection, however, it adopts the similar general nature, although, it could have been assumed that the rules would be made more specific to suit Estonia’s context.
25 January 2012 the European Commission published a package of draft acts to update EU data protection rules with. There is also a plan to replace the current data protection directive with a directly applicable regulation, which would also mean the legal acts of member states (including the Personal Data Protection Act) would be replaced with detailed pan-European rules to guarantee a universal and more efficient protection of personal data and facilitate cross-border trading (especially in the digital area). The current directive that was adopted in 1995 cannot keep up in several areas. The reform would bring the rules up to date with current needs, but general principles would remain unaltered.
The attitude of Estonian agencies towards the reform has rather been dismissive and critical. The Data Protection Inspectorate (DPI) published an analysis on its homepage, which identified the shortcomings of the proposed reform.
The analysis claimed, among other things, that it would constitute over-regulation, reasoning it by the difference in the length of the current text of the rules and the proposed text of the regulation (the draft regulation proposed by the Commission is 94 pages, the Estonian Data Personal Data Protection Act is just 11 pages). According to the analysis of the DPI the use of regulation’s form makes “the protection of personal data a thing in itself and does not favour weighing of different values (privacy versus freedom of speech, innovation, transparency of society etc).” The analysis also comes to the conclusion that “[t]he regulation creats a rigid set of standards, which has been oriented on today, but will get in the way of tomorrow’s developments of the information society.” On the other hand, the DPI has not provided a more detailed reasoning of its views, nor has it elaborated on the criticism that the current regulation in force in Estonia is too general and therefore creating vagueness.
The DPI also points out the shortcomings in the European Commission’s analysis of the effects, claiming, for example, that the draft act did not meet the commission’s internal rules of procedure. The DPI also claims that “appraisals regarding business are a fantasy,” and that the administrative work load would actually increase. The statements in the analysis have mostly remained verbose, as it is not possible to glean information about what the DPI’s appraisal about increasing of administrative work load is based on. The DPI does name new obligations, which the operators who deal with data in large quantities do face, but does not explain whether and how the administrative work load would significantly increase because of them, or if the administrative work load does increase how it is disproportionate or how the same aims could be achieved by other methods.
According to the DPI’s analysis the openness of the society would decrease because of the reform, because: “[t]there is a reason to presume that in case of national differences all would be forced to adopt the strictest possible data protection strategy” and that would increase bureaucracy. Yet there is no precise explanation provided for what would take the data protection reform proposed by the European Commission to opposite results that are intended. The DPI advises to focus on perfecting the current directive instead. The DPI’s critical views on necessity of the data protection reform have remained by the beginning of 2013.
The viewpoint of the Estonian government on the data protection reform is also critical regarding balancing of various constitutional values of member states’, including access to data and freedom of expression. The Estonian government was also worried that the new rules may get in the way of advancement of science and innovation, access to services of the information society and recording the historical memory in the internet. Similarly to the DPI the government’s opinion also refers to increased administrative work load and greater role of the European Commission, the opinion is especially doubtful of the need to harmonise in the criminal law and punishments. The government’s views have mellowed in the course of later negotiations.
The discussion on the data protection reform is presumed to continue in 2013. The strong opposition of the Estonian agencies, especially the DPI, which is responsible for monitoring of personal data protection to a more effective protection of privacy is somewhat surprising, especially as Estonia’s small and medium size businesses would benefit from uniform data protection regulation for increased trust for e-services and e-goods. Neither is there any reason to claim that the proposed rules would significantly endanger privacy laws’ balance with other human rights, especially the freedom of expression.
Two amendments took place in legislative developments 6 June 2012. The first of them was a small development regarding electronic delivery of procedural documents. The act amending the State Fees Act, the Code of Civil Procedure and other acts that was adopted enables the court to notify of availability of procedural documents also via phone numbers, e-mail address, on the page of the presumed user account or on other virtual networking pages, which, based on the data published on the internet, the addressee may presumably use or which may presumably reach the intended person. The court may publish on the social network user’s page or via another communication environment’s page in a way that the notification is not visible to other persons aside from the addressee, however, with this method there is a great chance that the information is published to persons with the same name. The effect to privacy is rather small, especially compared to the potential advantage that increased speed of delivering procedural documents brings.
The second amendment that was adopted 6 June 2012 that might even be of more importance from the point of view of human rights had to do with surveillance. An act amending the Code of Criminal Procedure and other relevant acts was passed, which significantly changes the regulation on surveillance. This had to do with one of the main topics of the annual report on human rights of 2011 as it received widespread criticism from society. The saga is still not over as Keskerakond introduced a draft act 16 October 2012, which in turn proposes amendments to the regulation.
The act adopted in June does not differ too much from the version described in the 2011 report. The whole criticism, which was summarised then, is also valid for the adopted act as a large part of these comments were not taken into consideration. These comments broadly touch upon six aspects: query of ownership and the itemized calls overview, the basis of surveillance activities, use of data obtained in the course of surveillance, granting permission for surveillance, monitoring surveillance activities and notification the person of ending the surveillance activities. The problem raised by the bar association should also be mentioned – that the new regulation does not provide sufficient protection for the communication between the client and the lawyer. The bar association is of the opinion that § 1267 of the Code of Criminal Procedure, which forbids the use of information communicated in such way as evidence, does not constitute sufficient protection. The act adopted in June did not provide any amendments in that regard. However, the draft act initiated by Keskerakond does provide several provisions on the matter.
One common criticism from all parties about the act adopted in June (which was also expressed during processing the draft act) involved amendments regarding query of ownership and demanding the itemized calls overview. Firstly, they were left out of the list of surveillance activities. This means that persons lack the guarantees for protection of these rights, which apply to surveillance activities. Secondly, the concern over the widened circle of authorities that can demand this information from communication companies expressed by the Estonian Association of Information Technology and Telecommunications was discarded. The comments made in the draft act that was sent to Riigikogue were ignored and no amendments were made as a result of Riigikogu’s procedure, even though the Research Department of the Chancellery of the Riigikogu did advise to take the criticism into consideration. However, Riigikogu went the other way and, contrary to recommendations, increased the circle of authorities even further (point 6 of subsection 11 of paragraph 1111 of the Electronic Communications Act). Therefore, in addition to the simplified procedure of query of ownership and the itemized calls overview the circle of authorities entitled to demand them from communication companies is also wider.
An equal criticism was delivered to the definition of bases of surveillance activity in the new regulation. Although there have been significant improvements in comparison to the initial regulation, the critics believe the development was still not adequate enough to meet the modern standards of human rights. A basis for surveillance activity remained in the amendment despite Riigikogu’s oppositition, which was “the need to gather information about preparation of a criminal offence” (Code of Criminal Procedure, § 1262 (1) 1)). The Supreme Court had found that preparation of an offence should be the object of surveillance only if the preparation itself is punishable, but the Ministry of Justice did not agree with this point of view. Nevertheless, a specifying clause was added to the draft act that was sent to Riigikogu in the beginning of 2012, that gathering of information should take place for the purpose of “discovering or stopping” a criminal offence. However, the circle of persons who are allowed to be under surveillance remained the same – an aspect, which was also criticised by the Supreme Court. The draft act that was sent to Riigikogu from the government contained the same catalogue of offences, which allowed surveillance to be carried out. This catalogue was extended despite the criticism from the bar association. According to the chairman of the Legal Affairs Committee of the Riigikogu the extension was due to the interest from the Ministry of Justice and the Ministry of Internal Affairs. Thereby bypassing the decisions made in the working group that was gathered for drawing up of the draft act (see Human Rights in Estonia 2011, page 52), which had already been criticised.
One of the most remarkable amendments in the field of surveillance activities is the one made by the Ministry of Justice, which does not allow initiation of surveillance activities on the permit of the body carrying out the surveillance alone (in the current instance the Police and Border Guard). Indeed, the amendment to the act that was adopted in June now requires a permit from either the prosecutor’s office or the court to initiate surveillance activities. In the draft stages the bar association criticised the fact that a part of surveillance activity is now solely up to the discretion of the prosecutor’s office. In actuality a rather large portion of surveillance activities are the discretion of the prosecutor’s office – covert surveillance of persons, things or areas, covert collection of comparative samples and conduct of initial examinations and covert examination or replacement of things (Code of Criminal Procedure, § 1265 (1)). Only examination of postal items, wire-tapping or covert observation of messages or other information transmitted by a public electronic communications network or by other means (for example wire-tapping phone calls) and staging a criminal offence require a permit from the court (Code of Criminal Procedure, § 1266 and [GA1] § 1267).
At the same time the catalogue of criminal offences constituting the bases for surveillance actitivies which require the permit of the court is rather limited in comparison to the catalogue of criminal offences which require the permit of just the prosecutor’s office. A provision was added to the act in Riigikogu, according to which a separate permission must be received to conduct surveillance activities exceeding one year (Code of Criminal Procedure, § 1264 (6)). On one hand it is a positive amendment as it limits the duration of surveillance activities, which could otherwise be extended (usually by two months at a time) infinitely (Code of Criminal Procedure, § 1265 (1), § 1266 (5), § 1267 (3), § 1268 (3)).
On the other hand the Chief Public Prosecutor may extend the duration of surveillance when the initial permit was not granted by the court, in which case the extension can also only be granted by the court. The former Minister of Justice’s statement in Riigikogu, where he emphasised the increased control by the court, especially in granting permission for surveillance activities in urgent cases, is incomprehensible because of the court’s and the prosecutor’s office’s ability to grant permissions. The court’s permission in urgent cases is necessary only in actions where the court’s permission would have been necessary, even if it hadn’t been an urgent case. In other instances an urgent permission can be given by the prosecutor’s office (Code of Criminal Procedure, § 1264 (2) and (3)). Granted, in comparison with the previous regulation on surveillance activities where the court’s role was small, it is a positive development, however, there is no change in comparison to the original version of the new regulation. From critics’ point of view this change is not yet sufficient.
According to the amendment adopted in June the court’s role is limited also in supervising over surveillance activities. The Supreme Court’s opinion was that the carrying out of supervision over surveillance activities according to § 12615 of the Code of Criminal Procedure centres far too much on the prosecutor’s office. According to this provision supervision over compliance of surveillance activities with the permission granted is exercised by the Prosecutor’s Office. Despite criticism from the Supreme Court this provision was added to the adopted amendment in its unaltered form. Therefore, supervision over surveillance activities granted by the permission of the prosecutor’s office is exercised by the prosecutor’s office itself. Riigikogu only added the provision, which obliges the Ministry of Justice to annually publish data about supervision over surveillance activities (§ 12615 (4) of the Code of Criminal Procedure). In conclusion, the prosecutor’s office and not the courts or the parliamentary power, is also largely in charge of the supervision over surveillance activities.
Despite criticism from the Chancellor of Justice and the Bar Association the provision regarding notifying the person of conclusion of surveillance activities also remained unchanged. Once again, the situation has significantly improved in comparison to the original regulation, however, not in enough in the opinion of the critics. The prosecutor’s office has the discretion to withhold certain information obtained in the course of surveillance activities (Code of Criminal Procedure, § 12614). However, the preliminary investigation over non-notification of the person by the prosecutor’s office is supplemented with a final investigation by the court, but the court does not get involved until one year has passed from the ending of surveillance activities (Code of Criminal Procedure, § 12613 (4)). Riigikogu added a provision according to which the permission granted by the court for non-notification upon passing of a year can be extended for one more year (Code of Criminal Procedure, § 12613 (5)). This addition further extended the period of non-notification of the person about the surveillance activities that have been carried out regarding him. Permanent non-notification is still possible, and this was harshly criticised by the Legal Chancellor as well as the Bar Association. The seriousness of this deficiency was discussed in further detail in the last year’s human rights’ report.
In addition to the previously mentioned Riigikogu also made a positive amendment to the act – by adding the creation of surveillance activities information system (Code of Criminal Procedure, § 12617). This provides some sort of statistical overview, which is lacking at the moment, as was also stated in the speech of the Minister of Justice at the presentation of the amendment to the act in Riigikogu. At the moment there is, for example, no overview of how many persons have not been notified of surveillance activities that have been carried out about them. An overview would undoubtedly help increase the efficiency of regulation on surveillance activities and its surveillance.
A few observations can be made about processing the amendment to the act adopted in Riigikogu in June. Firstly, none of the recommendations of the Bar Association and the Estonian Association of Information Technology and Telecommunications were taken into consideration, and only one recommendation made by the Supreme Court and the Chancellor of Justice was taken into consideration. And just one comment made by the Public Prosecutor’s Office was disregarded. Also the opinions of the Research Department of the Chancellery of the Riigikogu were largely ignored in processing the amendment to the act. This observation sets the comment made by the Bar Association in a new light, according to which “several proposals were made in the working group by representatives of the Bar Association and other institutions (especially the Supreme Court) regarding principal questions as well as details of the regulation, many of which were unfortunately not paid attention to as the majority of the working group did not support them.
Such surrendering to the will of the majority is not suitable for solving legal problems, especially in a situation where the constitution of the working group predetermined that the opinion of officials of the Ministry of Justice would prevail in case of disagreement.” Secondly, the second round of renewing the regulation on surveillance activities (since founding the working group) was used to further tilt it in favour of the prosecutor’s office and the surveillance bodies (see for example the Code of Criminal Procedure, § 1262 (1) 1), § 12612 (3)). Also the amendments made in Riigikogu were rather in interest of state authorities and discarding the arguments based on human rights (except perhaps one amendment – § 1264 (6) – but even the effect of this amendment is questionable, see above). The game of tug of war with the Supreme Court is extremely regrettable. The probability of dispute regarding this regulation reaching court or the Supreme Court is small, which means this act may never come under surveillance of the Supreme Court.
The right to private and family life was touched upon by three major court judgments in 2012. The first was made about Estonia by the European Court of Human Rights and had to do with access to evidence gathered in the course of surveillance activities. As this was already discussed more thoroughly in the chapter on right to a fair trial we shall not discuss it again here. The second judgment, also made by the European Court of Human Rights, had to do with a case that was also covered in the media, where the mother had left Italy with her daughter. The Italian father filed an application for return of the child with Estonia according to the Convention on the Civil Aspects of International Child Abduction. The Estonian courts satisfied the application. The girl’s mother filed a complaint against Estonia with the European Court of Human Rights contesting the decision of Estonian courts to return the child to Italy. The European Court of Human Rights found that Estonian courts had correctly applied the provisions of the Hague convention and that the child does have to be returned to Italy. Therefore the court found that the mother’s application to the European Court of Human Rights was unfounded and therefore inadmissible and not eligible for a substantive hearing. The third judgment regarding private and family life was made by the Supreme Court and had to do with data protection. The Supreme Court found in case no 3-3-1-3-12 that a repeated publishing of previously published personal data needs a separate legal basis. The dispute had to do with publishing quotes from the diary and phone conversations of the prisoner (that had been published previously in the course of judicial proceedings) in the Ministry of Justice’s publication Vangla Ekspress without the consent of the prisoner. The court specified that the state itself could not rely on the constitutional freedom of speech and press in publishing personal data.
Statistics and surveys
The statistics on surveillance permits of 2011 was published in May of 2012. According to the statistics the number of surveillance permits granted by courts as well as the prosecutor’s office decreased by 4% in comparison to 2010, and the number of criminal cases which involved granting permits for surveillance decreased by 9%. Most permits were granted for the purpose of receiving an itemized calls overview and ownership queries, which is not considered surveillance activities as of June of 2012 (see legislative developments). The statistics for 2012 has not yet been published by the drawing up of the report on human rights.
There was no significant progress in the privacy law during the period under discussion. The regulation on surveillance activities continues to be worrying, not enough effort is made to guarantee the protection of human rights. Surveillance activities, as an important breach of right to privacy should be clearly regulated an not exceed what is necessary.
- Review the regulation on surveillance activities in the light of persons’ human rights and abandon the adoption of relevant European Union regulation in a way that has earned the disapproval of the European Commission.
- Start gathering statistics on surveillance permits, which would show figures on notification of persons about surveillance activities after the fact.
- Facilitate objective discussion about content and possible effects of the European Union data protection reform.
 Available at: https://www.riigiteataja.ee/akt/115062012002.
 Available at: https://www.riigiteataja.ee/akt/120122012003.
 Available at: https://www.riigiteataja.ee/akt/130122010011?leiaKehtiv.
 This has also been drawn attention to by Olev Kirst, for example, in the context of employment relations in the article “Sõnumisaladuse kaitse tööandja sidevahendite kasutamisel” [Protection of confidentiality of messages in using employer’s means of communication] JURIDICA VI/2012. Pages 421-431.
 See morea at: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.
 Andmekaitse Inspektsioon Euroopa Komisjoni algatatud andmekaitsereformist [The Data Protection Inspectorate on the data protection reform initiated by the European Commission]. 7.6.2012. Available at: http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Andmekaitse%20Inspektsioon%20Euroopa%20Komisjoni%20algatatud%20reformist%208.6.2012.rtf.
 Andmekaitse Inspektsioon Euroopa Komisjoni algatatud andmekaitsereformist. 7.6.2012.
 Available at: http://www.aki.ee/et/uudised/meediakajastus/euroopa-andmekaitsereform-suurendab-ettevotete-kulusid.
 Estonia’s viewpoint on initiatives of the European Commission regarding protection of personal data. 29 March 2012.
 Estonia’s viewpoint at 6-7 December 2012 sessions of European Union’s Justice and Home Affairs Council.
 Available at: https://www.riigiteataja.ee/akt/129062012003.
 Available at: https://www.riigiteataja.ee/akt/129062012002.
 Available at: http://www.riigikogu.ee/?op=ems&page=eelnou&eid=66a76170-3752-4d7d-a26d-c49091327918&. More on that in next year’s human rights report when the fate of the draft act has become clear.
 Opinion. 23.03.2012. no. 087.
 According to the Electronic Communications Act § 1111 subsection 11 point 6 this data will be forwarded to: 1) investigative bodies, surveillance bodies, the prosecutor’s office and the court according to Code of Criminal Procedure: 2) security authorities; 3) the Data Protectin Inspectorate, the Financial Supervision Authority, the Environmental Inspectorate, the Police and Border Guard Board, the Estonian Internal Security Service and the Estonian Tax and Customs Board according to the Code of Misdemeanour Procedure; 4) the Financial Supervision Authority according to the Securities Market Act; 5) the court according to the Code of Civil Procedure; 6) the surveillance bodies in circumstances specified in the Defence Forces Organisation Act, the Taxation Act, the Police and Border Guard Act, the Weapons Act, the Strategic Goods Act, the Customs Act, the Witness Protection Act, the Security Act, the Imprisonment Act and the Aliens Act.
 Generally the introduction of the Chief Public Prosecutor is odd, as elsewhere in the code the permission is granted and surveillance carried out by prosecutor’s office and the Chief Public Prosecutor is mentioned only on rare occasions and in relation to Witness Protection Act.
 Riigikogu. 6.03.2012.
 Whereas, strangely enough ‘an urgent case’ is defined only in regard to court’s permission, but not in regard to permission given by prosecutor’s office. Requesting a permission of the court in cases of urgency only “in case of immediate danger to the life, physical integrity or physical freedom of a person or to proprietary benefits of high value and requesting a permission or execution thereof on time is impossible” (Code of Criminal Procedure, § 1264 subsection 3).
 K. Käsper and M. Meiorg (ed.). Inimõigused Eestis 2011, Eesti Inimõiguste Keskuse aastaaruanne [Human Rights in Estonia 2011. Annual Report of the Estonian Human Rights Centre]. Tallinn 2012. Page 29.
 Riigikogu. 6.03.2012.
 Estonian Bar Association. ARVAMUS Kriminaalmenetluse seadustiku ja sellega seonduvalt teiste seaduste muutmise seaduse eelnõule [Opinion on the draft act amending the Code of Criminal Procedure and other relevant acts]. 27 December 2011, no. 1-8/648.
 Leas v. Estonia. Application no. 59577/08.
 Available at: http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-111198.
 Ahven, A., Klopets, U. et al (2012) Kriminaalpoliitika uuringud 16. KURITEGEVUS EESTIS 2011. Ministry of Justice. Tallinn. Available at: http://www.just.ee/orb.aw/class=file/action=preview/id=57202/Kuritegevus_Eestis_2011.pdf.