Republic of Estonia

The 1992 Estonia Constitution recognizes the right of privacy, secrecy of communications, and data protection. Article 42 states, "No state or local government authority or their officials may collect or store information on the persuasions of any Estonian citizen against his or her free will." Article 43 states, "Everyone shall be entitled to secrecy of messages transmitted by him or to him by post, telegram, telephone or other generally used means. Exceptions may be made on authorization by a court, in cases and in accordance with procedures determined by law in order to prevent a criminal act or for the purpose of establishing facts in a criminal investigation." Police must obtain a warrant in order to intercept communications. Illegally obtained evidence is not admissible in court.[1042] Article 44 (3) of the Constitution states, "Estonian citizens shall have the right to become acquainted with information about themselves held by state and local government authorities and in state and local government archives, in accordance with procedures determined by law. This right may be restricted by law in order to protect the rights and liberties of other persons, and the secrecy of children's ancestry, as well as to prevent a crime, or in the interests of apprehending a criminal or to clarify the truth for a court case."[1043]

The Riigikogu, Estonia's Parliament, enacted the Personal Data Protection Act (PDPA) in June 1996.[1044] The Act protects the fundamental rights and freedoms of persons with respect to the processing of personal data and in accordance with the right of individuals to obtain freely any information which is disseminated for public use. The PDPA divides personal data into two groups: non-sensitive and sensitive personal data. Sensitive personal data are data which reveal political opinions, religious or philosophical beliefs, ethnic or racial origin, health, sexual life, criminal convictions, legal punishments and involvement in criminal proceedings. Processing of non-sensitive personal data is permitted without the consent of the respective individual if it occurs under the terms that are set out in the PDPA. Processed personal data are protected by organizational and technical measures that must be documented. Chief processors[1045] must register the processing of sensitive personal data with the data protection supervision authority. Between 1999 and June of 2003, 989 data processors of sensitive data registered with the Data Protection Inspectorate.[1046]

In April 1997, the Riigikogu passed the Databases Act.[1047] The Databases Act is a procedural law for the establishment of national databases. The law sets out the general principles for the maintenance of databases, prescribes requirements and protection measures for data processing, and unifies the terminology to be used in the maintenance of databases. Pursuant to the Databases Act, the statutes of state registers or databases that were created before the law took effect must be brought into line with the Act within two years. The Act also mandates the establishment of a state register of databases that registers state and local government databases, as well as databases containing sensitive personal data maintained by persons in private law. The chief processor of the register has the right to make proposals to the government, to the chief processors of various databases, and to the state information systems. He or she would also be responsible for coordinating authority with respect to the expansion, merger or liquidation of databases, database cross-usage, or the organization of data processing or data acquisition in a manner aimed at avoiding duplication of effort or substantially repetitive databases.

There have been several amendments to both of these acts over the last several years, but most have been of technical importance with no principal changes. The Government is currently working on an amendment bill to the PDPA to bring it into full compliance with the 1995 EU Data Protection Directive. The bill passed in February 2003 and enters into force on October 1, 2003.[1048] This new version of the PDPA includes changes in registration procedures becoming effective on July 1, 2004. After that date, registration applications will be accepted only via the Internet, through the home page of the Data Protection Inspectorate.[1049] In 2002, the Databases Act was amended. The changes related to support systems for state and local registers.[1050] On January 1, 2001, a significant amendment was made to the list of sensitive data in the PDPA. According to the amendment, information relating to criminal charges is now treated as sensitive only if it is announced prior to the trial or before the judgment. Such data is deemed sensitive if it is necessary to protect morality or an individual's private or family life, or necessary in the interests of a minor, a victim, a witness or a fair trial. The amendment also added information about heredity to the list of sensitive data.

The Data Protection Inspectorate (DPI) is the supervisory authority for the PDPA and the Databases Act. The DPI, a division of the Ministry of Internal Affairs, monitors compliance, issues licenses, takes complaints, and settles disputes. The agency can conduct investigations and demand documents, impose fines, and impose administrative sanctions.[1051] The DPI is structured in three departments and employs eighteen persons. The Administrative Department supports all the major activities and is responsible for EU integration issues. The Control Department is divided into two divisions. The Division of Registration is responsible for issuing permits, while the Division of Supervisory is responsible for monitoring compliance with laws and other legislation related to managing data files of the state and local governments, compliance with the personal data processing requirements provided by law, and for resolving petitions and complaints submitted with regard to the processing of personal data. The Development and Analysis Department is responsible for preparing opinions on legislation, preparing analysis documents, and providing long-term planning and strategies with respect to the progress of technology.[1052]

During 2002, the DPI received 114 complaints from citizens. Only ten complaints dealt with the infringement of the PDPA (imposition of privacy). All the other complaints dealt with the infringement of the Public Information Act. Most complaints were connected with lack of information on the Web site and inappropriate compliance with requests for information. During 2002 the Inspectorate conducted 145 cases, most of them about the infringement of the Public Information Act. For the violation of the PDPA, the DPI issued 51 precepts. Most of the infringements were violations of the obligation to register the processing of sensitive personal data and violations of the requirements regarding measures to protect personal data at different medical institutions. During 2002, the DPI received 807 registration applications from different processors for the permission to process sensitive personal data. Of these applications received, 380 requests were granted.[1053]

The DPI maintains close relations with the data protection authorities (DPAs) in other central and eastern European countries. In December 2001, the data protection commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia and Poland signed a joint declaration agreeing to closer cooperation and assistance. The commissioners agreed to meet twice a year in the future, to provide each other with regular updates and overviews of developments in their countries, and to establish a common website for more effective communication.[1054]

On December 13, 2000, the Estonian Parliament approved the Human Genes Research Act.[1055] The Act created a national genetic database to be used for research into disease. The database is owned and controlled by the Estonian Genome Project Foundation.[1056] However, the Estonian government provides only twenty percent of the funding for the project. A United States registered company, EGeen International Corporation, has agreed to provide the remaining financing.[1057] The focus of the Estonian database is different than that of the Icelandic database. Rather than looking for genes that cause disease, as in Iceland, the Estonian project is focusing on how genes influence individual responses to medicines.[1058]

Privacy protection for donors is included in the project design. Doctors, who collect samples and medical histories for the project, must register their databases with the DPAs before they can participate in the project. Individual data is stored in coded form on computers that are not connected to networks. The rights of donors and the consent form they have to sign before donating their samples are publicly available on the Estonian Genome Project Foundation web site. The rights include the voluntary nature of the consent, the right not to know the nature of one's genetic profile, the right to obtain one's own information or to give one's doctor the ability to obtain the information, and the right to have all data removed and deleted from the database.[1059]

A new Law on Personal Identity Documents, requiring mandatory identity (ID) cards for all Estonian citizens and resident aliens, took effect on January 1, 2002. Although the cards are, at first, to be used for identification purposes only, the government plans to widen their application in the future. On its face, the card contains standard personal information including name, sex, date of birth, citizenship, personal identification code, date of expiration and signature, and a photograph of the holder.[1060] The card also incorporates a microchip storing an electronic identification certificate and an asymmetric key pair allowing for digital identification and digital signatures. For resident aliens with valid papers, the ID card also contains residence and work permit data.[1061] Under the Digital Signatures Act of 2000,[1062] electronic signatures are given the same legal status as handwritten signatures. A personal identification number (PIN) is currently used to activate the card, but this may eventually be replaced by a biometric.[1063] In May 2002, it was discovered that the sealed security envelopes containing the secret PIN and PUK (public key) codes issued with the cards were see-through when placed under an ordinary light bulb. The Citizen and Migration Board stated that it would immediately change the printing practices.[1064] In June 2001, members of the Reform Party introduced a bill seeking to reform the law and make the cards voluntary rather than compulsory. The bill was defeated in Parliament in December 2001.

In 2000, a government-backed proposal to amend the tax laws and provide for publication of income tax paid by individuals sparked controversy among the public and opposition parties. Responding to this criticism, the government told the Parliament in October to discuss the bill but not to enact it as law.[1065]

The 1994 Surveillance Act regulates the interception of communications, covert surveillance, undercover informants and police and intelligence databases.[1066] Surveillance can be approved by a "reasoned decision made by the head of a surveillance agency." "Exceptional surveillance" requires the permission of a judge in the Tallinn Administrative Court for serious crimes. The punishment for illegal surveillance is a fine and three years imprisonment for general surveillance activity, and five years imprisonment for special measures like opening correspondence or telephone bugging.[1067] Illegally obtained evidence is not admissible in court. Citizens have a right under the Surveillance Act to obtain access to information held about them by surveillance agencies. Agencies must respond within three months if the agency maintains information about them.[1068] In October 1999, the Estonian Police Department refused to grant the Tallinn City Police authority the right to plant eavesdropping devices in apartments, offices and telephones to combat organized crime.[1069] The law was amended in May 2000 to allow the tax police to conduct surveillance.[1070] Under the Telecommunications Act approved in February 2000, surveillance agencies can obtain information on the sender and receiver of messages by written or oral request.[1071] Telecommunications providers are also required to delete data within one year and prevent unauthorized disclosure of users' information.

In May 1996, the Estonian Intelligence Service started an inquiry on the involvement of former Vice Prime Minister Edgar Savisaar in a politically motivated wiretapping scandal. It eventually led to a change of government.[1072] Swedish papers reported in January 2000 that the Estonian secret services had spied on Swedish diplomats.[1073] In March 2002, the Estonian United People's Party issued a statement alleging that the National Security Police (NSP) engaged in secret surveillance of politicians and members of Parliament. The NSP denied these allegations.[1074]

The Public Information Act was approved by the Parliament and entered into force on January 1, 2001. Supervision and enforcement of the Act will be conducted by the DPI. The law includes significant provisions on electronic access. Government departments and other holders of public information will have a duty to post information on the web, and e-mail requests must be treated as official requests for information. There were no significant developments in 2002, although several projects were conducted in preparation for the 2003 legislative session.[1075]

Estonia is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1076] In November 2001, Estonia ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) (Convention No. 108).[1077] Also in November, Estonia signed the CoE Convention on Cybercrime.[1078]