Ann Väljataga

Data protection and privacy have remained steadily in focus after the pivotal year of 2013: more articles and news pieces have been published on this topic than in the previous two years put together. Instances of contacting the Data Protection Inspectorate have also increased many times over.[1] The results of the 2014 Eurobarometer survey[2] proved that, despite Snowden’s disclosures and, for example, the publicising of the FinSpy client base, Estonians are generally optimistic in digital and privacy matters.

Court practice and legislative developments

2014 brought two judgments at the European level that had far-reaching effects but received rather modest attention in Estonia. The first of these was undoubtedly the judgment of the Court of Justice of the European Union in Seitlinger and Digital Rights Ireland,[3] in which the Court declared Directive 2006/24/EC on the retention of data retroactively invalid. The Court’s arguments can be summed up as follows:

The Directive on the retention of data is invalid because:

  • it does not provide a definition of a serious criminal offence, thereby making it impossible to assess proportionality between the protection of public interest and the infringement of fundamental rights;
  • it does not establish a specific procedure for handing over data to surveillance institutions;
  • it does not differentiate between data subjects, that is, between those about whom there is reasonable doubt and those who do not have any connection to crime;
  • it does not grant data subjects sufficient guarantees and legal remedies in case data is misused;
  • the required period for retaining data is not justified.

The Directive on the retention of data was incorporated into Estonian law through § 111¹ of the Electronic Communications Act, which, unlike the directive, prescribes a duty to retain data in the territory of Estonia (or in some cases in the territory of the EU). It does not contain other additional conditions. European states have reacted to the judgment in various ways: as of 1 September 2015, the highest court instances[4] have, due to the judgment, declared retaining data a breach of the constitution in Austria, Slovenia, Slovakia, Poland, Romania, the United Kingdom, Bulgaria, Belgium and the Netherlands. In Estonia, the petition to evaluate the constitutionality of § 111¹ of the Electronic Communications Act has reached the Chancellor of Justice, and the Ministry of Economic Affairs and Communications, the Ministry of Internal Affairs and the Ministry of Justice have started an analysis of the current regulation. In response to the petition, the Chancellor of Justice found in her memorandum[5] that § 111¹ of the Electronic Communications Act is not in conflict with the constitution and the current international agreements, as the Digital Rights Ireland judgment does not indicate that gathering and retaining data is in essence a disproportionate breach of persons’ right to respect for family and private life. The Chancellor did, however, concede, similarly to the Court of Justice of the European Union, that the conditions for retaining data should be regulated more clearly and that data subjects should have access to legal remedies.[6]

The invalidity of the directive on retention of data has been used as an argument in case no. 3-1-1-51-14,[7] where, according to the defendant, information obtained as a result of retaining metadata of electronic communication is not allowable evidence in criminal proceedings. The Criminal Chamber of the Supreme Court emphasized that retaining data as such does not constitute a disproportionate breach and that the invalidity of the directive does not necessarily result in the invalidity of national regulation, as the legislators of the Member States have certain discretion in achieving the objectives of the directive in national regulation. Therefore, the Digital Rights Ireland judgment did not result in the invalidity of the gathered evidence. The necessity of retaining data came up again after the Charlie Hebdo shooting, which took place in Paris on 7 January. In Estonia, the discussion that followed mainly concentrated on multiculturalism and immigration.

In many states, including Estonia, retaining data is the only institution that, in principle, allows undefined masses of people to be covertly observed for safety purposes. The activity of security institutions is monitored by the Security Authorities Surveillance Select Committee of the Riigikogu and, to the extent stated in the Electronic Communications Act, the Technical Surveillance Authority. Since 1 January 2015, the Chancellor of Justice’s jurisdiction to monitor state institutions that organise surveillance of phone calls and conversations, observe mail correspondence, and gather, process and use personal data in other covert ways has been regulated more clearly than before.

The Chancellor of Justice’s annual report 2014–2015 states: “It is the duty of the Chancellor of Justice, as an independent institution, to find a balance between institutions responsible for the individual’s fundamental rights and freedoms and those responsible for the state’s security. The Chancellor also has to consider that people themselves are not aware of the potential breach of their rights in this area and cannot protect themselves on their own initiative. This means that the Chancellor’s monitoring in this area has to be efficient, systemic and active, placing herself in the situation of those persons whose rights and freedoms have been breached.”[8] At the same time, the monitoring is limited, as the amendments to acts of law do not give the Chancellor of Justice access to state secrets or to confidential foreign data.

The Riigikogu’s Commission and the Data Protection Inspectorate do not have access to state secrets either. The Data Protection Inspectorate can acquaint itself with in-house information to which access is limited under § 35 of the Public Information Act, but this information does not concern the content of the work of security institutions. It is also questionable whether the expertise and resources of the Riigikogu’s Commission are sufficient for monitoring that content. In reality, Estonia currently lacks objective and sufficient monitoring of whether the local security institutions base their work on the principles of necessity and proportionality.

The Chancellor of Justice’s jurisdiction in monitoring has thus been unequivocally and precisely determined by an act of law since 2015, but in essence the Chancellor has always had the authority to check that institutions carrying out public tasks, including security institutions, as well as officials, do not breach persons’ constitutional rights. As a result of an application submitted by the Chancellor of Justice in 2013,[9] the Constitutional Review Chamber of the Supreme Court declared in its judgment no. 3-4-1-42-13 of 20 March 2014[10] that § 25¹ (2)[11] of the Code of Criminal Procedure Implementation Act is in breach of the constitution and invalid insofar as it does not establish an efficient system for substantive review of continued non-notification of surveillance activities that ended before 1 January 2013. It is an important case, as the Supreme Court is interpreting the extremely topical question of whether, to what extent, and on which conditions a person has the right to be informed of surveillance that has been carried out on him.

Legal remedies meant for persons in the context of surveillance activities are often empty words, as persons who have been under surveillance do not know anything about it. The European Court of Human Rights has been of the opinion in its judgments Klass,[12] Ekimdzhiev[13] and Weber and Saravia[14] that, in order to guarantee everyone access to an efficient legal remedy, it is vital that data subjects are informed of the surveillance that has taken place as soon as this no longer compromises the object of surveillance. The court practice so far has allowed for various interpretations, as the same judgments also state that, because of the secret nature of surveillance activities, the right to privacy and the right to an effective legal remedy cannot exist to the same extent as in other areas of life. Last year’s report on surveillance statistics reveals that in 2014 the surveillance institutions notified 3282 persons of surveillance activities. The state prosecutor’s office gave 1500 permits to delay notification of surveillance. The state prosecutor’s office applied for the court’s permission to extend the period before notification of surveillance on 58 occasions; the court granted 56 applications, denied one application and granted one application partially. Notification of 201 persons was deferred by the court’s permission.[15]

On 10 April 2014 the European Court of Human Rights communicated the case Lüütsepp v. Estonia,[16] the subject of which was notification of surveillance, to Estonia for the submission of arguments. Privacy International and Article 19, as interested third parties, published a joint statement.[17] In their submission they emphasized that the Court ought to take a step further and admit that the duty to notify is today an inescapable requirement for the proportionality of surveillance, regardless of other prescribed guarantees. They also emphasized that this duty cannot be absolute and that the risks involved in notifying have to be weighed in each individual case.

According to various data, more than half a million Estonians actively use Facebook, which means that their data is retained on the territory of the United States under the so-called Safe Harbour Agreement. Safe Harbour requires that the US undertakings that have joined it guarantee the protection of data at the same level as EU law does, whereas the agreement was not binding on US authorities, including the intelligence agencies.

Therefore, despite the agreement, undertakings such as Facebook forwarded their data to, for example, the NSA, in accordance with national law. The data of European citizens was forwarded to Facebook’s data centres by its subsidiary located in Ireland, while Ireland’s Data Protection Commissioner had no control over this process because it had been approved by the Commission under the Safe Harbour Agreement. On 6 October 2015 the European Court of Justice declared the Safe Harbour Agreement invalid in its judgment in the case Schrems v. Data Protection Commissioner[18] because it did not provide citizens of the EU with protection from breaches of privacy such as the NSA mass surveillance programmes. Similarly to the Digital Rights Ireland judgment, this judgment also applies retroactively, which opens up opportunities for interesting court practice in Europe as well as in the US.

Noteworthy public discussions

The second important European Court of Justice judgment, in the case Google Spain,[19] brought along a relatively lively discussion in Estonia as well. The Court said that the search engine has the obligation to remove data. In the case of searches made via a search engine, the right to protection of private data and protection of private life generally outweigh the economic interest of the manager of the search engine as well as the public’s interest in receiving information. The right to be forgotten is a compelling and controversial concept from a legal, sociological and cultural point of view; the discussion surrounding it has therefore been theoretical and hypothetical, and neither court practice nor amendments to acts of law have followed in Estonia. However, according to the judgment, Estonian citizens also have the right to demand that international internet operators delete information about them. The right to be forgotten is also contained in the European data protection reform package. In 2012 and 2013 it was relatively critically analysed by heads of the Data Protection Inspectorate[20] as well as the NGO Estonian Internet Community (MTÜ Eesti Interneti Kogukond).[21] It has been seen as a measure for rewriting history, and the European Union Agency for Network and Information Security (ENISA) has stated that the right to be forgotten is nearly impossible to realize. Yet the right to be forgotten gives the regular citizen, who so far has been relatively unarmed with tools for defending himself, some control over his identity in cyberspace.

The media paid a lot of attention to the FinFisher case. In August 2014 an unknown hacker broke into the servers of Gamma International, which produces the FinFisher spyware, and leaked the information he found on the internet.[22] Among other things, it became apparent that Estonia had bought four FinFisher licences. The FinFisher spyware is a trojan that allows the activity of the infected computer to be observed in real time.[23]

Gamma International has a bad reputation among human rights lawyers: in 2013 Privacy International filed a complaint with the OECD over Gamma International’s activities. In February 2015 the OECD found that, since Gamma International’s internal regulation lacks guarantees against breaches of human rights, the producer of the spyware has not acted in good faith and has breached the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Responsible Business Conduct. The FinFisher[24] leak was commented on laconically by Peep Aru, the Chairman of the Security Authorities Surveillance Select Committee of the Riigikogu, who explained that the Committee lacked data about unlawful surveillance activity and that surveillance activity was protected as an Estonian state secret. The same month Eesti Päevaleht wrote that, according to a former employee, the IT and Development Centre of the Ministry of the Interior uses FinSpy spyware in order to observe its employees. Subsequent to this, the Minister of Internal Affairs Hanno Pevkur initiated a special audit, which failed to prove misuse of spyware.

Summary

2014 brought important court judgments at the European level as well as in Estonia. We were faced with the questions of whether and how much a person can have a say in forming his or her cyber identity, whose metadata can be collected (and on which conditions), and what constitutes proportionate surveillance in an information society. At the same time, there is a situation where in essence none of the institutions, neither the Data Protection Inspectorate, the Security Authorities Surveillance Select Committee of the Riigikogu nor the Chancellor of Justice, has sufficient jurisdiction to monitor the activities of surveillance institutions. In a situation where there is essentially no effective monitoring, it is particularly important that persons are informed of surveillance they have been subjected to once the surveillance has ended. The Supreme Court has also published the opinion that the duty to inform is an important guarantee of the right to privacy, regardless of the year in which the surveillance took place.

Recommendations

  • Extend the jurisdiction of the Chancellor of Justice and/or the Data Protection Inspectorate to monitor security institutions, or establish a special independent body composed of experts.
  • Critically review the procedure for retaining metadata of electronic communications.
  • Have the Security Authorities Surveillance Select Committee of the Riigikogu initiate an investigation into the buying and use of spyware licences.

[1] Postimees. Andmekaitsesse pöördumine on paari aastaga viiekordistunud [Applications to the Data Protection Inspectorate have increased five times within a few years]. 16 June 2014.

[2] Eurobarometer. Special Survey on Safer Internet. Available at: http://open-data.europa.eu/et/data/dataset/S490_64_4_EBS250.

[3] Court of Justice of the European Union. Joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others. 8 April 2014.

[4] FRA’s annual report 2014. Chapter 5.2. Luxembourg. 2015.

[5] Seisukoht vastuolu puudumise kohta [The stance on absence of controversy]. Chancellor of Justice. Available at: http://oiguskantsler.ee/sites/default/files/field_document2/6iguskantsleri_seisukoht_vastuolu_mittetuvastamise_kohta_elektroonilise_side_andmete_kogumine_sideettevotete_poolt.pdf.

[6] Also see Chancellor of Justice’s annual report 2014-2015. Sideandmete kogumine vs eraelu kaitse [Gathering communications data v. protection of private life]. Available at: http://oiguskantsler.ee/ylevaade2015/andmekorje.

[7] Criminal Chamber of the Supreme Court judgment no. 3-1-1-51-14. 23 February 2015. Available at: http://www.nc.ee/?id=11&tekst=222577237.

[8] Chancellor of Justice. Annual report 2014-2015. Põhiõigused- ja vabadused isikuandmete varjatud töötlemisel [Fundamental rights and freedoms in covert processing of personal data]. Available at: http://oiguskantsler.ee/ylevaade2015/julgeolekuasutused.

[9] See Right to respect for family and private life. Human Rights in Estonia 2013.

[10] Judgment no. 3-4-1-42-13. Available at: http://www.riigikohus.ee/?id=11&tekst=222571298.

[11] Kriminaalmenetluse seaduse rakendamise seadus [Code of Criminal Procedure Implementation Act]. RT I. 26.03.2014, 11. Available at: https://www.riigiteataja.ee/akt/126032014011.

[12] ECtHR. Klass and Others v. Germany. 6 September 1978. Application no. 5029/71.

[13] ECtHR. The Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria. 28 June 2007. Application no. 62540/00.

[14] ECtHR. Weber and Saravia v. Germany. 29 June 2006. Application no. 54934/00.

[15] Jälitustegevuse statistika 2014 [Surveillance statistics 2014]. Ministry of Justice. Available at: http://www.kriminaalpoliitika.ee/sites/www.kriminaalpoliitika.ee/files/elfinder/dokumendid/jalitusstatistika_aruanne_2014_2.pdf.

[16] ECtHR. Communicated case of Lüütsepp v. Estonia. Available at: http://hudoc.echr.coe.int/eng?i=001-142949.

[17] Privacy International. Article 19. Submission. ECHR: Luutsepp v Estonia. Available at: https://www.article19.org/resources.php/resource/37720/en/echr:-luutsepp-v-estonia.

[18] European Court of Justice. Judgment in case C-362/14, Maximillian Schrems v. Data Protection Commissioner. 6 October 2015.

[19] European Court of Justice. Judgment in case C-131/12: Google Spain SL, Google Inc. v. Agencia de Protección de Datos (AEPD), Mario Costeja González. 13 May 2014.

[20] Häbistatud saavad võimaluse netist kaduda [The disgraced have the chance to disappear from the internet]. Eesti Ekspress’ article on the Data Protection Inspectorate’s web page. 14 March 2013. Available at: http://www.aki.ee/et/uudised/meediakajastus/habistatud-saavad-voimaluse-netist-kaduda.

[21] Loho, E. Tsensuur andmekaitse maski taga [Censorship behind the mask of data protection]. Õhtuleht. 11 June 2012.

[22] Wikileaks. SpyFiles4. FinSpy Customers. 15 August 2014. Available at: https://wikileaks.org/spyfiles4/customers.html.

[23] Mida suudab FinFisher? [What can FinFisher do?] Eesti Päevaleht. no. 156. 14 August 2014; Inimõiguste kohtu hinnangul on FinFisheri kasutamine õigustatud üksnes äärmisel vajadusel [In the ECtHR’s view use of FinFisher is only justifiable in case of extreme need]. Eesti Päevaleht. Available at: http://epl.delfi.ee/news/eesti/inimoiguste-kohtu-hinnangul-on-finfisheri-kasutamine-oigustatud-uksnes-aarmisel-vajadusel?id=69536239.

[24] SMIT-i audit ei tuvastanud nuhkvara kasutamist [Audit of IT and Development Centre of Ministry of the Interior did not reveal use of spyware]. ERR News. 29 September 2014. Available at: http://uudised.err.ee/v/eesti/f67bef94-0e84-4d12-a99e-baff776c4b2f.