

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

The 1994 Surveillance Act regulates the interception of communications, covert surveillance, undercover informants, and police and intelligence databases.1 Surveillance activities are permitted only if the desired purpose cannot be achieved in a manner that violates individuals' fundamental rights less.2 Surveillance can be approved by a "reasoned decision made by the head of a surveillance agency." Surveillance agencies have the right to conduct the following surveillance activities: covert collection of information by persons who are engaged in surveillance activities; covert collection of comparative samples and the covert and initial examinations of documents and objects; covert surveillance and covert examination and replacement of objects; covert identification; collection of information concerning the fact of messages being communicated via telecommunications networks, duration, manner and form of communication thereof, and personal data and location of senders and receivers of such messages.3 Obtaining information by wiretapping or covert observation of messages, or other information transmitted by a public electronic communications network, is allowed only in a criminal proceeding, and only with the permission of a preliminary investigation judge. In 2008 and 2009 the court accepted approximately 99 percent of prosecuting authorities’ requests and issued 1,804 permits for telephone interception.4 Evidence is collected through surveillance activities by a police authority, the Security Police Board, and in some cases also by the Tax and Customs Board, at their own initiative or at the request of an investigative body.5 Illegally obtained evidence is not admissible in court.
Unlawful surveillance activities, or unlawful and covert collection of information, unlawful concealment or destruction of information collected by surveillance activities or covertly, if conducted by a person with the right arising from law to engage in surveillance or covert collection of information, are punishable by a fine or up to three years’ imprisonment.6 The legality of surveillance and the activities of the Security Police are monitored by the Security Authorities Surveillance Select Committee, which consists of Parliament members.

National security legislation

There is no update to report under this Section.

Data retention

On 1st January 2005, the new Electronic Communications Act7 came into force. The Act replaced the Telecommunications Act and is in accordance with EU legislation. Since January 2008 electronic communications companies have been required to preserve traffic and location data as defined by the Data Retention Directive (2006/24/EC) for one year. With respect to communications data relating to Internet access, Internet telephony, and Internet email, electronic communications companies have been required to retain such data since March 2009. Electronic communications companies must retain only such data as becomes known to them in the course of providing communications services. Electronic communications companies must also provide the surveillance agency or security authority with the information at their disposal.8 Also, electronic communications companies have to grant surveillance agencies and security authorities access to their communications network to conduct surveillance activities or to restrict the right to confidentiality of correspondence.9

National databases for law enforcement and security purposes

The official publication "Official Announcements"10 may represent a problem in the area of personal data protection. Namely, there exists no legal basis for terminating the publication of notices published via a computer network and found via search engines (cache) after the objective of the publication has been fulfilled. Especially serious problems are related to notices that have become misleading insofar as, for example, they incorrectly refer to a person as a debtor, suspect or offender.11

The "Punishment Register" is a general national register containing data concerning individuals punished and their punishments. Currently, individuals processing the data in that register, or issuing register notices, are required to maintain the confidentiality of the information they have learned in the course of their official duties. Persons entitled to receive data from the register are enumerated in the Punishment Register Act.12 However, draft legislation13 that makes the data in the Register public, with some exceptions, is being deliberated by the Parliament. According to the explanatory memorandum of the Act,14 pursuant to the PDPA the decisions of misdemeanour and criminal proceedings are not sensitive personal data.

Since 2001 there has been a database codenamed "KAIRI" under the jurisdiction of the Ministry of the Interior, with limited public access, and maintained by police authorities. In 2002, the Director General of the Police enacted rules about the maintenance and usage procedure of the database. The rules are confidential. However, according to the media, the purpose of the database is to collect and maintain information about surveillance activities (including photos and operational information) of suspects and fugitives, as well as grant access to other information systems and databases.15 The database has approximately 4,500 users, of whom approximately 1,300 have the right to access surveillance information.

A uniform Population Register contains the personal data of Estonian citizens and foreigners with Estonian residence permits, and is administered and developed by the Ministry of the Interior. The data in it is used for performing the tasks assigned under the law to officials of state and local government institutions. Legal entities (companies, NGOs) and individuals have access to its data only if they show a legitimate interest. The administration and issuance of Population Register data has to comply with the requirements of the protection of personal data.16

National and international data disclosure agreements

Estonia joined the Schengen information system on 30 March 2008,17 and is a member of Interpol.18


The bulk of cyber offences committed in Estonia are computer-related fraud, the manufacture of works involving child pornography, or making child pornography available.19 Computer-related fraud formed 0.444 percent of all criminal offences against property in 2003, 0.464 percent in 2007 and 1.299 percent in 2008.20 Therefore, an increase in computer-related fraud can be seen. In 2008, 52 cases of manufacture of works involving child pornography or making child pornography available were registered.21 The Parliament has stated in its approval of development trends of criminal policy until 201822 that the fight against cybercrime has to focus on the prevention of sexual abuse of minors, major computer-related fraud, and the spreading of computer viruses. Also, the Parliament has declared that cooperation with the private sector in crime prevention is needed in order to raise the awareness of potential victims. Therefore, the existence of a sufficient number of IT specialists in law enforcement authorities has to be assured.

The Cyber Security Strategy Committee is focused on preventing and combating cyber threats at a state level. The Committee is led by the Ministry of Defence. Estonia hosts the Cooperative Cyber Defence Centre of Excellence (CCD COE) that was formally established on 14 May 2008, in order to enhance NATO’s cyber defence capability. In the spring of 2010, the Ministry of the Interior submitted Estonia’s official proposal to host the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.23

Critical infrastructure

The collection and processing of information concerning activities aimed at changing the constitutional order or territorial integrity of the state by force, and the prevention and blocking of terrorism and its financing is in the hands of the Security Police Board.24 It collects and processes information, including personal data, insofar as is necessary for performing its functions.25 The exact measures used for performing them are not known. However, the Security Police Board can only use the measures that are necessary for performing its functions.26 In case there is a choice between several measures, the authority shall use the measure that causes the minimum level of restrictions to individuals' fundamental rights in connection with the performance of its functions: a measure may be used only if the restrictions it causes to an individual's fundamental rights are not disproportionate to the objective the Security Police Board aims to achieve. This authority may restrict an individual’s right to the confidentiality of the messages he sends or receives by post, telephone or other commonly used means.

Territorial privacy

Video surveillance

Pursuant to the PDPA,27 surveillance equipment transmitting or recording personal data may be used for the protection of persons or property only if this does not excessively damage the justified interests of the data subject, and the collected data is used exclusively for the purpose for which it is collected. In such a case, sufficiently clear communication of the fact of the use of the surveillance equipment and of the data processor's name and contact details substitutes for the consent of the data subject. Private (legal) persons are not allowed to monitor or record images from the public space. However, in cases where an entrance to the premises is being filmed, the recording of public space to some extent is inevitable. According to the Security Act, which provides the conditions and procedure for the activities of companies providing security services, a security agent is required to observe individuals' constitutional rights while using video technology.28 Pursuant to the Police and Border Guard Act, the police are authorised to use surveillance equipment that transmits or records images from public spaces only if the public has been previously informed about the surveillance.29 The same principle is also reflected in the draft legislation of the Maintenance of Law and Order Act that is currently being deliberated by the Parliament.30 The use of CCTV cameras in Estonia is increasing but because of the lack of official data the exact scope of video surveillance cannot be adequately estimated.

The DPI has held that webcast security camera images, where the activities of a data subject may be observed in detail without his or her knowledge, constitute a breach of the right to privacy. However, webcams that only show a street view or scenery at a wide angle are permitted.31

Location privacy (GPS, mobile phones, location based services, etc.)

The regulation of technologies that link an individual to a physical location is subject to the same rules as any other surveillance activity.

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

Biometric data is sensitive personal data.32 Since 22 May 2007, the Republic of Estonia has been issuing biometric passports for Estonian citizens, putting the holder's biometric data onto a chip.33 Pursuant to the Identity Documents Act, the biometric data of the holder of a document may be processed only in the cases and under the conditions provided by law.34 The Government has established a database for identity documents35 for internal use only, with limited access.

National ID and smart cards

Pursuant to the Identity Documents Act, identity (ID) cards are mandatory for all Estonian citizens over the age of 15 and resident aliens. In Estonia, an identity card is an internal document held by an Estonian citizen or an alien staying permanently in Estonia.36 The following personal data may be entered on it concerning its holder: name; date and place of birth; personal identification code; photo or facial image; sex; citizenship; fingerprint images; signature or image of signature; iris images; hair colour; other personal data as prescribed by an international agreement, a law, or other legislation of general application established on the basis thereof.37 The first Estonian ID Card was issued on 28 January 2002. All ID cards enable the electronic identification of individuals and the digital signing of documents. As of 6 September 2010, there are over 1.1 million active ID cards, whereas the population of Estonia is 1.3 million. Over 37 million electronic signatures have been provided and more than 63 million electronic authentications have been made using the ID card since its launch in 2002.38

Under the General Part of the Civil Code Act, digitally signed documents have the same probative value as documents with written signatures.39 The use of the digital signature is mandatory for public sector institutions. Digital signatures are used throughout the Estonian court system for communications between parties and by the Estonian Tax Board when receiving tax documents from individuals or businesses, and in order to conclude loan agreements with online banks.40 A personal identification number (PIN) is used to activate the card.41 For resident aliens with valid documents, the ID card also contains residence and work permit data.42 Any Estonian citizen over 14 years of age residing permanently in Estonia shall hold an identity card.43 In the same way, any alien residing permanently in Estonia on the basis of a valid residence permit or right of residence shall hold an identity card.44

The ID-card can be used to get access to Internet-based services provided by the state as well as by private companies. Some of the services this card provides are: digital signatures, encryption, electronic voting, online banking, electronic tickets for public transportation, iPatient (an online patient information portal of the East Tallinn Central Hospital), online filing of tax forms with the Tax Board, registration of company-related information with the Company Registration Portal, etc.

The police are authorised to check the identity of a person on the basis of his identity card for safety reasons.45 Also, businesses selling alcoholic beverages are authorised to request an identity card from the individuals they sell them to who look like minors.46 Since May 2007 a "Mobile-ID service" gives customers the ability to identify themselves by using their mobile phone.47 The user enters into a contract to use the Mobile-ID services, swaps out his old SIM card for a new one and "gets the usual PIN and PUK keys plus additional codes needed for Internet-based personal identification and issuance of digital signatures."48

RFID tags

There is neither specific legislation nor reliable data or information regarding the use of RFID tags. However, the general data protection framework is applicable to the processing of personal data through RFID technology.

Bodily privacy

Pursuant to the Police and Border Guard Act49 the police are entitled to use direct coercion to conduct invasive procedures – as long as it is inevitably necessary and complies with the law – such as compelling individuals to provide bodily fluid samples, DNA, or fingerprints. This has been a hugely controversial subject that has generated a lot of media attention.