Urmas Kukk ja Ann Väljataga

2013 was an important year for the information society, which is why this chapter will rather focus on the protection of private life. The change in family life was not that drastic and some of the developments are covered in other chapters (see for example chapters on LGBTI rights and children’s rights). Orwellian inklings and doubts have been replaced with the certain knowledge that we have been reduced to data, measured, counted and recorded. All that was left was to figure out how to react to this unsurprising news – on a global as well as on a national level. Data protection, which had previously been thought the favourite topic of specialized lawyers, activists and conspiracy theorists became a first rate question for every law-conscious and socially aware person. The disclosures of Edward Snowden were followed by an unprecedentedly lively discussion on safety of personal data, encryption, internet freedom and cyber espionage in Estonia as well. The debate went further than (and it is still ongoing) the question of national security, and also involved the topic, which at first glance more innocent – collection and handling of personal data by the private sector. The current era has also been called a digital age of awakening and with good reason – the cyber sphere is no longer seen as something cold, distant and anonymous, one’s own control and responsibility for one’s digital identity is felt more and more. The fundamental right to privacy is not only limited to the internet and has often come up as a topic in other contexts as well. A lot of controversy has been raised by the planned amendment to the law of criminal procedure concerning surveillance activities.

Political developments

Article 8 of the European Convention on Human Rights allows for interference of the right to respect for private and family life for several reasons (It is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.). Essentially the family and private life may be interfered with for any excuse and giving the reservation meaning as well as assessing the proportionality of the interference has been left up to the courts. This, however, leads to the situation where the technology is ahead of the court practice by years or even decades and the current critical issues will be resolved after they have become hopelessly outdated. A citizen advocacy group Privacy not PRISM turned to the European Court of Human Rights (ECtHR) in September of 2013 requesting its opinion on the surveillance carried out by the United Kingdom Government Communications Head Quarters in the course of the TEMPORA programme. Due to the speedy nature of the question the ECtHR announced on January 14th 2014 that this case will be given priority.[1]

In Estonia no preliminary investigations or court proceedings have been initiated in relation to the PRISM disclosures, and the predominant public view of authorities of the state is that the data of Estonian citizens has not been gathered in the course of mass surveillance programmes. According to the Security Authorities Surveillance Select Committee of the Riigikogu no illegal surveillance has been detected.[2] Such statements have been received with extreme scepticism.[3] The data of citizens of many of the EU states has reached NSA without their governments being aware of it. Therefore, the absence of concrete evidence does not indicate absence of a problem.

Toomas Hendrik Ilves has become the spokesperson for digital rights and innovation among the Estonian politicians. At the 2013 annual conference of the Data Protection Inspectorate dedicated to the protection of the fundamental right of privacy and the future he admitted that mass surveillance programmes of the government belong in the realm of fantasy rather than actual problems.[4] After the NSA disclosures his main point of view has been that the human rights activists and other critics have reacted to the leaked information with a bit too much heat due to their lack of knowledge of technology, and that the primary concern, instead of the surveillance activity, ought to be data protection.[5]  The president has gathered fame as an opinion leader in this area on the international arena: in November he set about heading the committee of experts called together by the ICANN,[6] which aims to put together a strategy allowing the cyber space to remain a free supranational environment without putting security to risk.[7] In December a reputable organization for promoting the U.S. democracy, the National Democratic Institute gave Ilves an award for developing e-governance and digital civil society.

Another important agent that has developed from the Estonian Institute of Human Rights is the Institute of Digital Rights, which in 2013 published a report “Transparency to protect internet freedom: a shared responsibility” on the practice of removal of content from the internet in Estonia. The report concludes that who, when and on what grounds can clean out the internet is not sufficiently transparent in Estonia, which is why it is difficult to control its legality. The report is available at: 451.ee. 451 is an initiative of the Institute of Digital Rights, which aims to create an effective and user-friendly internet application enabling the data subject to demand removal of materials concerning him- or herself on the precondition that they have been uploaded without the subject’s permission or without other legal grounds.

Court practice

The ECtHR did not pass any judgments concerning Estonia in relation to Article 8 of the convention in 2013. Two of the judgments of the Supreme Court are worth pointing out: 3-1-1-56-13, where the Supreme Court stated that § 26 of the Personal Data Protection Act containing the duty to keep secret personal data that has become available in the course of carrying out work tasks applies not only to delicate information, but to all personal data (p 14.1);[8] and 3-2-1-80-13, where the Supreme Court reaffirmed that publishing a factual statement, which is true, even if it damages the person’s reputation, is not in itself in breach of personal rights and therefore illegal (p. 36).[9]

Therefore, upon publishing information about a debt with the wish to call in the debt from the debtor (as a pressurizing measure), it is allowed to publish appropriate value judgments about the debtor, assuming the debtor is in fact indebted to the creditor and the debtor has generally been reminded of the obligation of his debt, that the publication is within boundaries of decency and not conflicting with good manners (p. 37). The Supreme Court came to the conclusion in discussing the matter that the law basically allows the creditor to publish data about his debtors to third parties and the third parties may in turn publish this data on the internet on the condition that provisions of the Personal Data Protection Act have been followed and no inappropriate value judgments are published (p. 38).

In the Supreme Court’s view the lower courts had, however, not assessed several important circumstances presented in the course of the proceedings.

For example, the breach of personal rights of the appellant in being depicted as a debtor on the internet as such. Therefore, the Supreme Court sent the case to the same circuit court for a new hearing. Therefore, an opinion of the court on setting up “stocks” for public shaming on the internet is to be expected in the near future.

Sending debtors to the “stocks” seems to be a universal method in Estonia to force debtors to meet their financial obligations and ending up on a list of debtors only depends on the existence of a (or an alleged) debt. Whether the debt came about for objective or subjective reasons is not a question that is asked. Neither is it considered that the information is still available on the internet after the debt has been paid without any reference to the fact that the debt has been paid. At the same time the list of debtors is deficient and depends on the debtors themselves. A colourful example of this is the list of debtors of alimony on the homepage of The Estonian Chamber of Bailiffs and Trustees in Bankruptcy; whether the data on the page corresponds to the actual situation is not checked after it has been entered. Such inactivity is in obvious contradiction of § 6 point 5 of the Personal Data Protection Act according to which the employee handling personal data must make sure the personal data is up to date and complete.

Legislative developments

As is often the case with great changes they are also this time first felt on the level of political and civil society, the law is slower to react. On the level of European law the focus is still on the reform of the data protection, implementation of which has now been pushed forward to 2015.[10] On the local level, however, the hot topic is the draft act 295 SE amending the Code of Criminal Procedure, which, in the words of its oponents radically limits the opportunities for surveillance activities, honours privacy and personal freedom perhaps even too much, thereby endangering civil safety.[11] The proponents, however, claim that this is the only way to keep up with standards of European administration of justice.

The draft act significantly limits the prosecution’s options for surveillance activity, prescribing that surveillance is only justified on the permission of the court and for crimes in the first degree, and the information that has been gathered by disproportionately breaching the person’s fundamental rights, or by applying surveillance activities in the situation where more lenient measures would have sufficed, cannot be brought as evidence in criminal proceedings. In order to give legitimate evidence the surveillance activity must be reasonably foreseeable for the person and the permission for it cannot be given based on the object of more serious criminal proceedings or untrue facts. The draft act also precludes as evidence results of such surveillance activity that have been carried out based on a materially or formally faulty application or permit. As a progressive innovation the draft act states that the communication between the advocate and the client is absolutely confidential and cannot, therefore, be the object of surveillance activity, and the information gathered from observing and recording it cannot be used in criminal proceedings. The draft act 295 SE had had a first reading at Riigikogu by February of 2014.[12]

The Chancellor of Justice submitted an application with the Supreme Court in order to declare invalid the paragraph in the Code of Criminal Procedure, which states that legality of deferral of notification of surveillance activities that were initiated by permission, which expired before 2013, doesn’t have to be judicially controlled.

According to the Chancellor of Justice this provision allowed to carry out surveillance activities essentially without judicial control and the duty of notification.

The Supreme Court did not satisfy the application as the Chancellor of Justice had not previously requested Riigikogu to bring the provision into conformity with the constitution.[13] The Chancellor of Justice made the request to Riigikogu in September, which was not met with approval, after which the Chancellor of Justice again turned to the Supreme Court with a similar application.[14]

The activity of the Data Protection Inspectorate

In addition to acts of law, regulations, the EU law and international agreements the area of data protection is also governed by the Data Protection Inspectorate, which regularly publishes guidelines under the so-called soft law. Data Protection Inspectorate is a state supervisory authority in the meaning of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe convention 108) and Article 1 of the Additional Protocol regarding trans-border data flows and Article 18 of the EU Directive 95/46/EC.

In 2013 the Data Protection Inspectorate published non-binding guidelines on the following topics concerning protection of private life:[15]

  • Guidelines for using cameras explaining rights and obligations concerning recording of pictures in various situations, including for personal use, for work and for security.[16]
  • The 2010 guideline for publishing disturbances in payments was also updated explaining rights and obligations regarding publishing of disturbances in payments, and which is an important assisting material for point 38 of the Supreme Court case no 3-2-1-80-13.[17] It is remarkable that the Data Protection Inspectorate did not only explain the provisions of the Personal Data Protection Act, but also drew attention to provisions of the General Part of the Civil Code Act, which have to be considered when publishing disturbances in payments. Such broad-based explaining is very welcome.
  • The guideline on privacy of employees’ computer usage explains how the employer must guarantee employees’ private life and protection of it concerning electronic data processing committed with the means of the employer.[18] Considering the fact that use of means of information technology makes the line between private and work life less distinguishable as before, the guideline provides clarity in implementation of rights between the employer and the employee.  Here the Data Protection Inspectorate also did not only discuss the   Personal Data Protection Act but also provided explanation in the context of the Employment Contracts Act.

Summary 

There were no profound changes in the protection of family and private life in acts of law nor court practice in 2013. There was, however, a fierce social debate over these matters. Surveillance activity was one of the keywords of the year on the international as well as the local level. It is likely that the events of 2013 will find a legal expression in the coming years and then profound changes may well be on the cards.

Recommendations

  • Consider the persons’ right to respect for family and private life more in regulating surveillance activities.
  • Carry out investigation in Security Authorities Surveillance Select Committee of the Riigikogu about whether and how much the Estonia’s security service has been connected to the U.S. mass surveillance programmes.
  • The Data Protection Inspectorate should monitor meeting the requirements of the Personal Data Protection Act when publishing the data of persons not fulfilling their duties.
  • The legislative and the executive power should review the order of publishing persons’ data on the internet, considering the internet’s nature in comparison to publishing on paper.

[1] Privacy not Prism website. Available at: www.privacynotprism.org.uk/.

[2] An email of Chairman of Security Authorities Surveillance Select Committee of the Riigikogu Peep Aru. 10 February 2014.

[3] See for example the website of Internet Society Estonia Chapter. Press release „Valitsus peab tagama eestlaste põhiseaduslikud õigused ka internetis” [The government must guarantee constitutional rights of Estonians also on the internet]. Available at: http://kogukond.org/2013/06/valitsus-peab-tagama-eestlaste-pohiseaduslikud-oigused-ka-internetis/; Internet Society Estonia Chapter. Interview with the former Chairman of Security Authorities Surveillances Select Committee Marek Strandbergiga. Available at: http://kogukond.org/2013/06/eksklusiivne-usutlus-kapo-komisjoni-endise-aseesimehega-komisjonil-puudub-ulevaade-luure-ja-vastuluure-tegevusest.

[4] President Ilves: Euroopa andmekaitse astugu maailma digitaalse arenguga ühte sammu [President Ilves: Europe’s data protection should harmonise with the digital development of the world]. Available at: www.president.ee/et/meediakajastus/pressiteated/8469-2013-01-09-10-02-34/index.html#sthash.JqHlCxf3.dpuf.

[5] Postimees. „President Ilves nimetas NSA nuhkmise ümber puhkenud skandaali ülereageerimiseks“ [President Ilves called the scandal over NSA surveillance an overreaction]. 30 November 2013. Available at: http://www.postimees.ee/2615598/ilves-nimetas-nsa-nuhkimise-umber-puhkenud-skandaali-ulereageerimiseks.

[6] ICANN – Internet Corporation for Assigned Names and Numbers – a private organization that coordinates the international protocol and the domain system.

[7] More information about the panel of experts. Available at: http://www.icann.org/en/about/planning/strategic-engagement/cooperation-governance-mechanisms.

[8] Criminal Chamber of the Supreme Court judgment in case no. 3-1-1-56-13. 7 June 2013.

[9] Civil Chamber of the Supreme Court judgment in case no 3-2-1-80-13. 25 September 2013.

[10] European Council. Conclusions on meeting in Brussels on 25 and 26 October 2013. Available at: http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf

[11] Salu, Mikk. „Seadus, mida pätid ootavad“ [The act that the criminals are waiting for]. Postimees. 27 March 2013; Vaher, Ken-Marti. „Seadus, mille tegeliku eesmärgi kohta hämatakse“ [The act with the hazy true purpose]. Postimees. 24 April 2013; Maruste, Rait. „Seadus, mida euroopalik õigusemõistmine ootab“ [The act that the European administration of justice is waiting for]. Postimees. 1 April 2013; Glikman, Leon. „Põhiõiguste kaitseks“ [For the protection of fundamental rights]. Postimees. 12 April 2013.

[12] Draft Act to Amending the Code of Criminal Procedure and Other Acts. Available at: http://www.riigikogu.ee/?page=en_vaade&op=ems&enr=295SE&koosseis=12.

[13] Office of the Chancellor of Justice. Press release „Õiguskantsler pöördus jälitustoimingutest teavitamise korra põhiseadusvastasuse küsimuses Riigikohtusse“ [The Chancellor of Justice turned to the Supreme Court with regards to the issue of whether the order of notification of surveillance activities is in accordance with the Constitution]. 13 September 2013.

[14] Chancellor of Justice’s application no. 12/2013 on Code of Criminal Procedure Implementation Act’s § 251 accordance with the Constitution. 13 September 2013.

[15] Estonian Data Protection Inspectorate’s website. Available at: https://www.aki.ee/et/juhised.

[16] Estonian Data Protection Inspectorate. Kaamerate kasutamise juhend [Guidelines for using cameras]. Available at: www.aki.ee/et/juhised.

[17] Estonian Data Protection Inspectorate. Maksehäirete avaldamine [Publishing disturbances in payments]. Available at: www.aki.ee/et/juhised.

[18] Estonian Data Protection Inspectorate. Töötajate arvutikasutuse privaatsus [Privacy of employees’ computer usage]. Available at: www.aki.ee/et/juhised.