In 2007, notable developments occurred in legislative drafting on the protection of personal data. On 15 February 2007, the Parliament of Estonia passed the Personal Data Protection Act, which came into force in full on 1 January 2008. The new law conforms better to the European Union acquis, including Directive 95/46/EC, by introducing the concept of sensitive personal data in place of private personal data into the domestic legal order. Pursuant to the law, sensitive personal data will also include biometric data. The new law allows persons to decide on the future use of the data after it is made public. It will be possible to assess the effect and functioning of the new law more exactly in the report for 2008, when the law has fully entered into force.
The Personal Data Inspectorate (PDI) is the governmental institution that monitors the processing of personal data. As of 14 February 2007, the PDI became an agency under the jurisdiction of the Ministry of Justice (previously it operated under the administration of the Ministry of the Interior). In its annual report for 2007, the PDI highlighted the following as its priorities:
- Forwarding personal data to foreign countries;
- Risks or opportunities in the work of web searches;
- Permissibility of wiretaps;
- Processing of personal data within the framework of the ID-ticket project;
- Children and their rights in the processing of personal data;
- Composition of personal data for the issuance of client cards.
In the field of personal data, increasing public awareness is also important. In its annual report, the PDI has highlighted its activities in this area. Among them, the publication of recommended guidelines for the interpretation of the Personal Data Protection Act is worth noting.
In 2007, the PDI participated in one court action in the field of personal data protection: AS Hansapank's challenge to the PDI precept to terminate the publication of Ego credit cardholders' data on the website of AS Krediidiinfo after the clients had paid their debts. The PDI maintained that the publication of the clients' data by the bank was unlawful, based on the principle that in the case of a dispute, it is assumed that the data subject did not grant permission for the publication of the data. In its decision of 17 April 2007, the Tallinn Administrative Court found that the precept was substantively justified and, in its final judgement, legitimate. AS Hansapank filed an appeal, and the hearing was scheduled for April 2008.