I. Legal framework
Constitutional privacy and data protection framework
The 1992 Estonian Constitution recognizes the right of privacy, secrecy of communications, and data protection. Article 26 states, "Everyone has the right to the inviolability of private and family life. State agencies, local governments, and their officials shall not interfere with the private or family life of any person, except in the case and pursuant to the procedure provided by law to protect the health, morals, public order, or the rights and freedoms of others, to combat a criminal offence, or to apprehend a criminal offender." Article 42 states, "State agencies, local governments, and their officials shall not gather or store information about the beliefs of Estonian citizens against their free will." Article 43 states, "Everyone shall be entitled to secrecy of messages transmitted by him or to him by post, telegram, telephone, or other generally used means. Exceptions may be made on authorisation by a court, in cases and in accordance with procedures determined by law in order to prevent a criminal act or for the purpose of establishing facts in a criminal investigation." Police must obtain a warrant in order to intercept communications. Illegally obtained evidence is not admissible in court.1 Article 44 (3) of the Constitution states, "An Estonian citizen has the right to access information about himself or herself held in state agencies and local governments and in state and local government archives, pursuant to procedure provided by law. This right may be restricted pursuant to law to protect the rights and freedoms of others, or the confidentiality of a child's parentage, and in the interests of preventing a criminal offence, apprehending a criminal offender, or ascertaining the truth in a criminal proceeding."2
Privacy and data protection laws and regulations
The Riigikogu, Estonia's Parliament, enacted the first Personal Data Protection Act (PDPA) in June 1996. It was superseded by a second version of the law to bring Estonia into full compliance with the 1995 EU Data Protection Directive. That law was enacted in February 2003 and entered into force on 1 October 2003. As of February 2007, a third version of the PDPA was enacted and came into force on 1 January 2008.3 The aim of the current PDPA is to protect the fundamental rights and freedoms of natural persons upon the processing of their personal data, and above all the right to inviolability of their private life.4
The PDPA removes the category of "private personal data," thereby removing the government's duty to notify data processing. Instead the law divides personal data into "personal data", "sensitive personal data", and "genetic data", a subcategory of "sensitive personal data".5 It defines "personal data" as any data concerning an identified natural person or a natural person to be identified, regardless of the form or format in which such data exists.6 The processing of sensitive personal data is more strictly regulated, since it includes the requirement to register such processing with data protection authorities or to appoint a person responsible for the processing of sensitive personal data. The PDPA classifies as "sensitive personal data" the following categories of personal data: data revealing political opinions, or religious or philosophical beliefs, except data relating to membership with a legal person in private law and registered pursuant to a lawful procedure; data revealing a person's ethnic or racial origin; data on his state of health or disability; data on his genetic profile; a person's biometric data â€“ above all fingerprints, palm prints, iris images and genetic data; information on his sex life or trade union membership; information regarding the commission of an offence or falling victim to an offence before a public court hearing, and information with respect to a decision in the matter of the offence or a termination of the court proceedings in the matter.7
Pursuant to the PDPA, processors of personal data8 must ensure that personal data is processed in accordance with the following principles: personal data shall be collected only in an honest and legal manner; shall be collected only to achieve specific and lawful objectives, and shall not be processed in a manner not compatible with the objectives of data processing; shall be used for other purposes only with the data subject's consent, or with the competent authority's authorisation; shall be up-to-date, complete and necessary to achieve the purpose of data processing; security measures shall be applied in order to protect them from involuntary or unauthorised processing, disclosure or destruction; the data subject shall be notified of data collected concerning him, shall be granted access to the data concerning him, and has the right to demand the correction of inaccurate or misleading data.9
Processing of personal data is generally permitted only with the data subject's consent,10 although it is permitted without the data subject's consent if the personal data is to be processed on the basis of law; for the performance of a task prescribed by an international agreement or directly applicable legislation of the European Union; in individual cases for the protection of the data subject's life, health, or freedom if obtaining his consent would be impossible; for the performance of a contract entered into with the data subject or in order to ensure the performance of such contract, unless the data to be processed is sensitive personal data.11
If the rights of a data subject have been violated upon processing of their personal data, the data subject has the right to demand compensation of the damage.12 Violation of the obligation to register the processing of sensitive personal data, violation of the requirements regarding security measures to protect personal data, or violation of other requirements for the processing of personal data is punishable by a fine in misdemeanour proceedings amounting to a maximum of approximately â‚¬1,150.13 For the same act, if committed by a legal person, the fine can be set to a maximum of approximately â‚¬31,956.14
In April 1997, the Riigikogu passed the Databases Act (DA). However, as of January 2008 this act is void and a chapter on databases has been appended to the Public Information Act (PIA).15 The purpose of the PIA is to ensure that the public and every person have the opportunity to access information intended for public use, based on the principles of a democratic and social rule of law, and an open society, as well as to create opportunities for the public to monitor the performance of public duties. Pursuant to the PIA, databases shall be accessible to the public while personal data in such databases shall not be made public unless the requirement to publish such data arises by law.16
The Credit Institutions Act17 is one of the few sector-based laws that directly confront the general regulation of the PDPA. It contains a controversial provision which enables credit institutions to unilaterally obtain the consent required from data subjects in order to process their personal data. The credit institutions may obtain such consent by unilaterally amending their standard terms.18
The Electronic Communications Act transposes to the Estonian legal system the ePrivacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC.19
Other relevant legal acts related to the processing of personal data and liability are the Administrative Procedure Act, Investment Funds Act, Official Statistics Act, Insurance Activities Act, Population Register Act, Punishment Register Act, etc. However, these acts do not include a specific sector or subject matter-related data protection regulation, but rather refer to the PDPA and the requirement to adhere to its provisions.
Data protection authority
The Data Protection Inspectorate (DPI) is the supervisory authority for the PDPA and the PIA. On February 14, 2007, the DPI was reorganised: it was moved from an agency operating under the authority of the Ministry of Internal Affairs, and has become an independent agency operating under the Ministry of Justice. The DPIâ€™s goal is "to help design a society that values the right of an individual to privacy and transparency of the state's activities."20 The agency can conduct investigations and request documents, impose fines, and administrative sanctions. The DPI has three departments and approximately 20 officials.21 The Estonian Government appoints the head of the Data Protection Inspectorate for a term of five years at the proposal of the Minister of Justice and after having heard the opinion of the Constitutional Committee of the Estonian Parliament. As of April 2009, DPIâ€™s inspectors are divided between two specialised departments. The first one deals with "soft" issues (the economy, communications, welfare, education, media, the Internet, and spam), while the second one deals with "hard" issues (legal protection and state defence, security service companies, finance, statistics, population accounting, and local government).22 The Control Department exercises control over the processing of personal data and the access to public information, issues precepts, and is the body conducting extra-judicial proceedings. Two departments supervise processing personal data and provide access to public information in various areas of activity.
Based on requests for explanations and complaints, personal data protection is predominantly connected with the following problems: the misuse of personal data in social media and social networking Web sites (including identity theft), intrusive advertising offers in consumers' mailboxes â€“ especially the issue of the lawfulness of the collection of contact details â€“ the prohibited publication of personal data (including the publication of debtors' personal data); excessive requests for personal data (including when clients are applying for credit cards).
During the period from October 2005 to September 2006, the DPI received 414 registration applications and registered 229 processors of sensitive data.23 From October 2005 to September 2006, the DPI performed 48 on-site verification visits to determine compliance with the PDPA.24 The DPI also held 34 training sessions on personal data protection in various locations.25
As can be seen from the table below, there has been a significant increase in DPIâ€™s workload since then:26
In 2009, the DPI received 306 complaints and challenges based on PDPA violations. This resulted in 49 precepts and 46 misdemeanour proceedings.27 Fines or penalties were imposed in 12 cases; 1,429 registration applications were reviewed by the DPI and 459 precepts[wg1] [CL2] were made to data processors for fulfillment of the registration obligation. The same year, the DPI launched a help line that received 851 calls in 2009.
The DPI has changed its policy concerning the supervision of compliance with the Public Information Act. Instead of the predominantly complaint-based response previously used, the DPI is doing their best to influence the implementation of the law. Important tools are comparative monitoring, instructions, and raising awareness. The DPI has introduced comparative monitoring as a new form of work that is designed to identify good and bad practices, cover many subjects, and have a greater impact than supervision proceedings conducted on a subject-by-subject basis. All monitored entities28 are notified of the results. On the basis of monitoring, the DPA initiates separate supervision proceedings for major violations and elaborate instruction materials for recurring problems.29
The monitoring of state agencies' Web sites, which the DPA conducted in autumn 2009, confirmed that compliance with the Public Information Act is irregular and not uniform. Application of the law is too often left in the hands of officials without the necessary training. In December 2009 a memorandum was sent to the Secretary of State concerning clarification of responsibilities in the area of public information. It was proposed that in all state agencies an individual with sufficient authority be assigned to take responsibility to coordinate compliance with the Public Information Act, and supervise those guaranteeing compliance.30
The DPI maintains close relations with the data protection authorities (DPAs) in other central and eastern European countries. In December 2001, the data protection commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia, and Poland signed a joint declaration agreeing to closer cooperation and assistance. The commissioners agreed to meet twice a year in the future, to provide each other with regular updates and overviews of developments in their countries, and to establish a common Web site for more effective communication.31
The DPI participates in the e-PRODAT project, which includes DPAs, universities and regional/city governments from Spain, Italy, Greece, and Estonia. The main goals of e-PRODAT are to share knowledge and experiences related to personal data protection in public bodies of different European countries; to create an Internet-based â€œEuropean e-government data protection observatoryâ€; identify best data protection practices already in use for e-government and other public services, and to make recommendations to improve data protection standards in the public sector.32
Major privacy and data protection case law
In 2004, the DPI was involved in two cases which found their way to the Supreme Court. Both of them dealt with access to public information. The first one concerned the DPI and the Estonian Tax and Customs Board.33 The case involved the Boardâ€™s register of documents and restrictions on access.34 The Supreme Court upheld the previous decisions made by the administrative court and circuit court. According to them, the complaint made by the Board is not within the sphere of competence of the administrative court. Thus, the decision made by the DPI (that the restriction is illegal) was not upheld by the courts. In November 2004, the restriction on access was made legal with the alteration of the Taxation Act.35
Another key case involves the DPI and a private individual.36 The case was about the complaint made by a private person regarding the DPI's decision on appeal. According to the DPI's challenge, the private person (who was a member of a city council) had no right to request information about the wages and salaries of employees of the institutions administered by the city, because these employees are not officials. The Supreme Court decided that the private individual wanted to get information as a member of the City Council and, because of that, it was not even considered a request of information for the purposes of the Public Information Act.37 The Supreme Court repealed previous decisions made by the administrative court and circuit court, and concluded the proceeding because the employees of the institutions administered by the city are not officials, and their salaries and wages are not public. The DPI's decision was upheld.
In 2007, the Supreme Court issued a ruling regarding the right to have the court judgment kept confidential due to the personal data included in it.38 The accused stated that the victims might be recognised and associated with him. The court ruled that the accused, as a person whose personal data are processed, may in general submit such a claim. However, the court found that no sensitive personal data about the accused was included in the court's decision. The sensitive data on the victims would have been anonymised in any case under the Code of Criminal Procedure (the victims were under age). The Supreme Court confirmed the principle recognised in criminal procedures that the disclosure of the defendant's identity in the court's decision is not a violation of his rights.
The definition of "private life" was analysed by the Supreme Court in 2009.39 Pursuant to the Penal Code40 the disclosure of information obtained in the course of professional activities and relating to the health, private life, or commercial activities of another person by an individual who is required by law to maintain the confidentiality of such information, is punishable by a fine.41 In this case, the accused, as a police inspector, gave information about the victims' place of residence, registered vehicles and violations of law to a third person. The police inspector claimed that the forenamed data was neither private nor sensitive42 personal data. The Supreme Court held that "private life" includes the whole sphere of personal life, meaning that it also includes information on an individualâ€™s place of residence, registered vehicles, and violations of law.
In 2008, the Supreme Court deliberated over whether a request about oneâ€™s state of health can be considered as "processing" personal data.43 An imprisoned person requested a doctor but, in response to the prison guardâ€™s question about the nature of his complaint, refused to disclose the exact ailment. The complainant found that, pursuant to the PDPA, information about oneâ€™s state of health is confidential, and that the prison guardâ€™s request was therefore not legitimate. The Supreme Court upheld the previous decisions made by the administrative and circuit court. It agreed that as the prison guard only made a reasoned request on the nature of the complainantâ€™s complaint, no personal data was processed, and therefore the PDPA does not apply. The Supreme Court also agreed that in order to decide whether the need for a doctor is inevitable, the prison guard is entitled to know the grounds of the imprisoned personâ€™s request for a doctor.
Another case that involved the DPI found its way to the Supreme Court in 2010. A former political party leader filed a request with a newspaper in 2008 to take down an online article published in 2004. As the publisher (the newspaper) declined, the plaintiff turned to the DPI. The latter compelled the newspaper to take down the online version of the article. The newspaper, in turn, found that the article and personal data it included had been published under the then newly elected party leader's consent, and that the PDPA allows the processing and disclosure of personal data for journalistic purposes even without the data subject's consent, provided that there is a predominant public interest and it is in accordance with the principles of journalism ethics. As the Supreme Court did not find any grounds to hear the matter, the decision of the circuit court entered into force. The circuit court ruled that the public interest in a former party leader remains after the data subject has finished his or her political activity. The court found that the need to preserve already published news for educational and historical purposes gives rise to a predominant public interest that outweighs the interests of the data subject.
- 1. The Human Rights Report submitted to the United States Congress by the United States Department of State, Section 1f, available at http://www.state.gov/g/drl/rls/hrrpt/2009/eur/136029.htm.
- 2. Constitution of Estonia, available in English: http://www.state.gov/g/drl/rls/hrrpt/2009/eur/136029.htm.
- 3. Personal Data Protection Act RT I 2007, 24, 127, available at http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel....
- 4. Id. at Â§ 1(1).
- 5. Article 29 Working Party on Data Protection, Eleventh Annual Report (2008) at 34, available @@
- 6. Id. at Â§ 4(1).
- 7. Id. at Â§ 4(2).
- 8. The Estonian PDPA differentiates between "chief processors" and "authorised processors", however the law refers to both by using the general term "processors of personal data".
- 9. Id.Â§ 6.
- 10. Id.Â§ 10(1).
- 11. Id.Â§ 14(1).
- 12. Id. at Â§ 23.
- 13. Id. at Â§ 42(1).
- 14. Id. at Â§ 42(2).
- 15. Public Information Act RT I 2000, 92, 597. A slightly outdated version is available in English at http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=X40095K4&kee....
- 16. Id.at Â§ 43(8).
- 17. The Credit Institutions Act RT I 1999, 23, 349, currently valid version is available in Estonian at https://www.riigiteataja.ee/ert/act.jsp?id=13330780.
- 18. Id.at Â§ 89 (2)2.
- 19. Electonic Communications Act, RT I 2004, 87, 593, current Estonian version available https://www.riigiteataja.ee/ert/act.jsp?id=13333950.
- 20. DPI Web site at http://www.aki.ee/eng/.
- 21. See generally Estonian Data Protection Inspectorate: Structure, available at http://www.aki.ee/eng/?part=html&id=95.
- 22. Estonian Data Protection Inspectorate. Executive Summary of Annual Report 2009, available http://www.aki.ee/eng/systematic/files.php?id=1641, at 2.
- 23. Id. at 6.
- 24. Id. at 14.
- 25. Id. at 6.
- 26. Id. at 3 and Statistics, available at available in English at http://www.aki.ee/est/?part=html&id=23http://www.dp.gov.ee/document.php?...
- 27. Data Protection Inspectorate, Statistics, at http://www.aki.ee/est/?part=html&id=23.
- 28. "Monitored entities" means the organisations or companies subject to particular monitoring by the DPI, usually all organisations and companies that belong to a particular sector under scrutiny, e.g., all state agencies.
- 29. Id. at 4.
- 30. Id. at 7.
- 31. Email from Karel Neuwirt, President, Office for Personal Data Protection, Czech Republic, to Sarah Andrews, Research Director, Electronic Privacy Information Center, 15 May 2002 (on file with EPIC).
- 32. Estonian Data Protection Inspectorate: Main, supra at http://www.aki.ee/eng/.
- 33. Supreme Court case no. 3-3-1-38-04, available in Estonian at http://www.nc.ee/klr/lahendid/tekst/RK/3-3-1-38-04.html.
- 34. Id.
- 35. Amendment of the Taxation Act, available in Estonian at https://www.riigiteataja.ee/ert/act.jsp?id=901885.
- 36. Supreme Court case no. 3-3-1-55-04, available in Estonian at http://www.nc.ee/klr/lahendid/tekst/RK/3-3-1-55-04.html.
- 37. Public Information Act, supra http://www.esis.ee/ist2004/106.html
- 38. Supreme Court case no. 3-1-1-35-07m, available in Estonian at http://www.nc.ee/?id=11&tekst=222504645.
- 39. Supreme Court case no. 3-1-1-81-08, available in Estonian at http://www.nc.ee/?id=11&tekst=RK/3-1-1-81-08.
- 40. Penal CodeRT I 2001, 61, 364, available at http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=X30068K8&kee....
- 41. Id. at Â§ 157.
- 42. The PDPA gives a list of personal data that is considered to be "sensitive", the list of which is wider than its scope under Art. 8 of the Directive 95/46/EC.
- 43. Supreme Court case no. 3-3-1-1-09, available in Estonian at http://www.nc.ee/?id=11&tekst=RK/3-3-1-1-09.