III. Privacy topics
Internet and consumer privacy
Pursuant to the Trading Act, "e-trade" means the offer for sale, or sale of goods or services, on the Internet without the parties being simultaneously present.1 As the processing of personal data is permitted only with the data subject's consent, unless otherwise provided by law, commercial emails to physical persons can be sent to emails given by the addressees. Pursuant to the Law of Obligations Act, an offer may be communicated to the consumer by facsimile, telephone answering machine, or electronic mail only with the consumer's prior consent.2 Furthermore, commercial emails can be sent only with the addressee’s prior consent ("opt-in"), whereby the addressee has to have the possibility to prohibit such use of his or her contact data in the future.3 Violation of this obligation is punishable by a fine in misdemeanour proceedings amounting to approximately €1,150.4 For the same act, if it is committed by a legal person, the fine may go up to approximately €31,956.5
Dissemination of spyware, malware, or computer viruses is punishable by a fine or up to three years' imprisonment.6 The same act, if it is committed at least twice, or if it causes significant damage, is punishable by a pecuniary punishment or up to five years' imprisonment.7
Online behavioural marketing and search engine privacy
There are no laws in Estonia that expressly regulate online behavioural marketing or search engine privacy. However, the DPI has issued guidelines about the privacy risks of search engines.8 In general, digital data can be tracked and linked to a particular person on a case-by-case basis due to data retention obligations imposed on telecommunications companies and Internet service providers. These entities are, for example, compelled to retain the real names and addresses of their customers, to whom an IP address, a user name, or a number has been allocated, as well as the exact period of Internet sessions, etc.9 However, such data can only be made available to the surveillance or security authorities, the Financial Supervision Authority, and the courts.10
Online social networks and virtual communities
According to a survey conducted in December 2009, the most popular social network in Estonia is Orkut, which is used on a monthly basis by 26 percent of respondents.11 Also, there are approximately 255,000 Facebook users in Estonia (or roughly one-fifth of the population), of whom 57.7 percent are females and 63.3 percent are between 18 and 34 years old.12 Other social networks, such as Twitter, MySpace, and LinkedIn, are used by approximately 5 percent of the population.
The DPI has posted on its Web site an Estonian translation of the International Working Group on Data Protection in Telecommunications' "Report and Guidance on Privacy in Social Network Services", most likely to use it as a tool to interpret the data protection requirements in this field.13
Online youth safety
Estonian children have excellent access to the Internet. According to a survey carried out in 2008, 93 percent of children in the 6 to 16 age group use the Internet. However, in contrast to other EU countries,14 only 22 percent of parents expressed concern that their child might be the victim of online grooming.15 In March 2008, a 16-year-old boy committed suicide, presumably because of an online molester who threatened to publish indecent photographs of the victim that he had gathered. Apparently 43 Estonian minors were molested by the same person, who is currently in prison for preliminary investigation. This incident brought the importance of online youth safety acutely into the spotlight. In 2009, the Ministry of Social Affairs summoned a children’s online safety working group, which it has been coordinating ever since.16 The same Ministry also represents Estonia in the EU Safer Internet Programme. The Estonian Union for Child Welfare has also been actively involved in the process of promoting online safety. Since 15 March 2010, online grooming is punishable by a fine or up to three years’ imprisonment.17 According to the explanatory memorandum of the Penal Code, the purpose of the amendment is to prevent the sexual abuse of minors.18
Since 1 July 2009 the Employment Contracts Act19 contains a provision pursuant to which an employer is required to respect employees’ privacy and verify the performance of their duties in a manner that does not violate the employee’s fundamental rights. However, there is neither regulation nor case law regarding the employer’s specific rights with respect to monitoring its employees’ Internet browsing, phone use, etc. Therefore, today the most efficient way to regulate the monitoring of employees’ activity in the workplace is through an employment contract.
Health and genetic privacy
According to the Health Care Services Organisation Act,20 from 1st January 2009 all medical institutions will have to record health data in the general Electronic Health Record System (EHRS). It is not possible for a patient, as a data subject, to oppose the recording of his health record in the health information system. However, the patient may block access to some or all of the health data recorded about him through a patient portal21 or during a visit to a medical institution. Patients can access all data recorded about them in the EHRS themselves but, if it is necessary to protect the patient's life or health, the healthcare provider may, upon entering the patient's health record in the EHRS, restrict the patient's access to some of his health record or limit access to only a health care provider.
On 13 December 2000, the Estonian Parliament approved the Human Genes Research Act.22 The Act created a national genetic database to be used for research into diseases. The database is owned and controlled by the Estonian Genome Project Foundation.23 However, the Estonian government provides only 20 percent of the funding for the project. A United States registered company, EGeen International Corporation, has agreed to provide the remaining financing.24 The focus of the Estonian database is different than that of the Icelandic database. Rather than looking for genes that cause disease, as in Iceland, the Estonian project is focusing on how genes influence individual responses to medicines.25 The main project is underway after successful completion of pilot programmes in three regions.26
Privacy protection for donors is included in the project design. Doctors who collect samples and medical histories for the project must register their databases with the DPI before they can participate. Individual data is stored in coded form on computers that are not connected to any network. The rights of donors and the consent form they have to sign before donating their samples are publicly available on the Web site of the Estonian Genome Project Foundation.27 These rights include: voluntary consent, anonymity, the right to obtain one's own information or give one's doctor the ability to obtain the information, and the right to have all data removed and deleted from the database.28
The DPI has expressed concern over the lack of pharmacy service providers – there are approximately 300 of them in Estonia – registering for processing sensitive information.29 Each healthcare provider must have a method for registering complaints, their resolution methods, patient feedback, sending on-time notifications to patients on waiting lists about transfers to different healthcare specialists, or about substitutions for their health care professionals.30
Pursuant to the Credit Institutions Act,31 a credit institution is, upon entry into a contract or a transaction, required to identify its client or the client's representative. If the institution has already identified either one in an earlier transaction, it is authorised to require additional identification, and also has the right to verify the validity of identity documents and to obtain personal data from databases of the state agencies that issued the documents. The standard terms of the agreement between the credit institution and the client may include a consent clause by which the client agrees to have the institution process his personal data.32
The criminalisation of identity theft through complementary provisions of the Penal Code entered into force on 15 November 2009. According to Article 157² of the Penal Code, the illegal use of another person's identity is punishable by a fine or up to three years' imprisonment.33
- 1. Trading Act § 2, available at http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=X80015K1&kee....
- 2. Law of Obligations Act § 60, available at http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=X30085K3&kee....
- 3. Electronic Communications Act § 1031(1) and § 1031(3), supra at 106.
- 4. Id. at § 1842(1).
- 5. Id. at § 1842(2).
- 6. Penal Code § 208(1), supra at 93.
- 7. Id. at § 208(2).
- 8. The Estonian Data Protection Inspectorate. Risks of Web searches, available in Estonian at http://www.aki.ee/download/933/Ohud%20ehk%20v%C3%B5imalused%20veebiotsin....
- 9. Electronic Communications Act § 1111(3), supra at 106.
- 10. Id. at § 1111(11).
- 11. "GfK uuring: lõviosa noori regulaarselt Orkutis, Twitteris veel mitte," January 2010, available at http://www.gfk.lv/et/node/399.
- 12. At http://www.checkfacebook.com/.
- 13. Available at http://www.aki.ee/download/816/Sotsiaalv%C3%B5rgud.pdf.
- 14. In the European Union, 60 percent of parents were very or rather worried that their child could become a victim of online grooming. European Commission, Eurobarometer, Toward safer use of the Internet for children in the EU – A parents' perspective, December 2008, available at http://ec.europa.eu/information_society/activities/sip/docs/eurobaromete....
- 15. Explanatory memorandum of the draft legislation of the amendment act of the Penal Code, available in Estonian at http://www.riigikogu.ee/?page=pub_file&op=emsplain&content_type=applicat...(643)%20seksuaalkuritegu.doc&file_size=101888&mnsensk=640+SE&fd=2010-04-22.
- 16. Available in Estonian at http://www.sm.ee/sinule/lapsele/turvaline-internet/koostoogrupp.html.
- 17. Penal Code § 1781(1), supra at 93.
- 18. Explanatory memorandum of the draft legislation of the amendment act of the Penal Code, available in Estonian at http://www.riigikogu.ee/?page=pub_file&op=emsplain&content_type=applicat...(643)%20seksuaalkuritegu.doc&file_size=101888&mnsensk=640+SE&fd=2010-04-22.
- 19. Employment Contracts Act RT I 2009, 5, 35, available in English at http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX042&keel....
- 20. RT I 2001, 50, 284.
- 21. At http://www.digilugu.ee.
- 22. Human Genes Research Act, RT I 2000, 104, 685, available in English at http://www.legaltext.ee.
- 23. See generally, Eesti Geenivaramu at http://www.geenivaramu.ee/index.php?lang=eng.
- 24. "Estonian Genome Foundation Signs Pilot Project Financing Accords," Baltic News Service, 2 January 2002.
- 25. Mark Frary, "Estonian Genome Project ahead of Schedule," Estonian Genome Foundation, 23 December 2002 here.
- 26. A. Metspalu et al., "The Estonian Genome Project in the Context of European Genome Research," Estonian Genome Foundation, 30 April 2004 here.
- 27. Gene Donor Consent Form here.
- 28. Gene Donor Consent Form, Regulation No. 125 (17 December 2001), available in English here.
- 29. Data Protection Inspectorate, supra here.
- 30. RTL 2004, 158, 2376, 28 December 2004.
- 31. Credit Institutions Act § 89(21), RT I 1999, 23, 349, available in English here.
- 32. Id. at § 89(22).
- 33. "The forwarding of, enabling access to or using information which identifies, or enables to identify, another person, without the person's consent, for the purpose of knowingly creating a misleading image of the person by pretending to be him or her, and provided that it damages the other person's rights or interests protected by law, or for the purpose of hiding a criminal offence, is punishable by a pecuniary punishment or up to three years' imprisonment." Article 157² of the Penal Code, RT I 2009, 51, 348.