Data Protection

The legal regulation of data protection in Estonia is in accordance with relevant European Union and international law. EU legislation has been implemented in full and there are no apparent deficiencies in the Estonian law covering this sphere. The area is primarily governed by the Personal Data Protection Act (PDPA),[1] though the right is likewise upheld by the Constitution of the Republic of Estonia.[2] The PDPA has implemented Directive 95/46/EC[3] in full since its amendment in 2008.

The Estonian Data Protection Inspectorate

The Estonian Data Protection Inspectorate (EDPI) was created by the PDPA as an independent institution working within the scope of governance of the Ministry of Justice. On a general note, the EDPI has been seen to be relatively proactive in initiating complaints of its own accord and in trying to increase awareness among the public about the institution itself and data protection rights in general. The latter point is particularly important in light of the fact that public awareness of the rights and principles is notably low. The only survey conducted on this topic was in 2006, and it showed a lack of awareness of data protection regulation amongst both the general population and data processors themselves.

Despite the fact that data protection law is of a good standard and that there are no blatant deficiencies, some issues still ought to be considered in greater detail. The actual structure and administration of the EDPI raise several concerns. First, the budget of this institution is approved and amended, and its execution assessed, by the Minister of Justice. Second, the Director General is appointed to the position for a term of 5 years; the appointment is made by the Government based on the recommendation of the Minister of Justice. Third, the EDPI's field of competence is not limited to data protection: it is also the supervising authority for the Public Information Act, which guarantees access to public information.[4]

The fact that the budget is under the control of the Ministry of Justice is a matter of concern in so far as it is possible that this influence could be used as an instrument of control over the EDPI. If the government were to use this to administer indirect control over the EDPI it could seriously impede its ability to act as an independent institution.

As to the manner in which the Director General is appointed, the selection process is purely in the hands of the Ministry of Justice and Government, which raises two issues. First, the transparency of the process is questionable, as it is dealt with in a purely internal manner. Second, the fact that selection lies in the hands of the government without supervision could lead to further compromise of the independence and impartiality of the institution. An example that demonstrates the fact that such concerns are well founded is the appointment of the new Head of the Estonian Data Protection Agency in 2008, where one of the many requirements for candidates iterated in the public competition was for them to be ‘oriented to the interests of the state’.

Finally, there is what may be called the dual functionality of the EDPI, namely the fact that it deals with both data protection and access to public information. Essentially this means that one institution is dealing with two inherently different rights, the interests of which are somewhat opposed. There is a significant danger when one institution with a single budget, body of staff and limited resources is dealing with two such opposing rights. It is questionable whether one of the rights will be favoured and the extent to which its data protection functions may suffer if it is not treated as being equally important as the other function. This danger is enhanced by the previous two issues regarding government influence over the EDPI.

As previously mentioned, the EDPI has been trying to deal with the lack of public awareness regarding data protection rights and principles. It must, however, be noted that there have not been any widespread campaigns that would necessarily catch the eye of the general public. The primary activity of the EDPI to this end has been the yearly conferences held on Data Protection Day. Though such conferences are most certainly a step in the right direction, events of this nature are in practice more likely to attract persons already concerned with data protection than the general public. To conclude, in the future, as this area of law becomes less of a novelty to Estonia, more serious and widespread measures should be taken to ensure the increase of public awareness.

Sanctions, Compensation and Legal Consequences

There are both criminal and administrative sanctions for the breach of data protection under Estonian law (within the Penal Code[5] and PDPA respectively). The maximum fines, under the PDPA, for breach of personal data processing rules by legal persons have been increased tenfold from 2007. This ought to act as a rather effective deterrent to companies who consider the breach of data protection rules.

In practice the EDPI has proven to be quite reluctant to make use of sanctions; this is demonstrated in part by the extremely small number of fines issued. It would seem that they have favoured an approach of ensuring that the data processor comprehends and abides by the rules. Submitting a complaint to the EDPI is free of charge: this should encourage individuals to come forward. The only apparent downside of this is the fact that after the complaint has been made the claimant has no influence over the actual proceedings, as the EDPI takes the matter entirely into their own hands.

As to criminal sanctions for data protection related breaches, there is reason for concern from two aspects. One, the level of expertise in this area within the police force is questionable and this puts the likelihood of effective application of the law under threat. Two, the provision itself is quite broad and without prior court practice there is plenty of room for interpretation, which increases the possibility of unintentional breaches of obligations. The lack of case-law in general in the area of data protection makes it hard to predict how willing the courts are going to be to provide compensation in forthcoming cases, in particular compensation for non-material damage. As Estonian courts have proven to be reluctant to provide compensation for non-material damages for all types of claims, this is a matter of concern.

[1] Isikuandmete kaitse seadus [Personal Data Protection Act] (RT [State Gazette] I 2007, 24, 127; RT I 2007, 68, 421).

[2] Eesti Vabariigi Põhiseadus [The Constitution of Republic of Estonia] (RT I 1992, 26, 349; RT I 2007, 33, 210), §42 and 44.

[3] European Parliament and the Council Directive 95/46/EC 24 October 1995, on protection of private individuals on processing of personal data and free movement of such data.

[4] Avaliku teabe seadus [Public Information Act] (RT I 2000, 92, 597; RT I 2009, 63, 408), §44.

[5] Karistusseadustik [Penal Code] (RT I 2001, 61, 364; RT I 2010, 8, 34).