

III. Privacy topics

Internet and consumer privacy


Pursuant to the Trading Act, "e-trade" means the offer for sale, or sale of goods or services, on the Internet without the parties being simultaneously present.1 As the processing of personal data is permitted only with the data subject's consent, unless otherwise provided by law, commercial emails to physical persons can be sent to email addresses given by the addressees. Pursuant to the Law of Obligations Act, an offer may be communicated to the consumer by facsimile, telephone answering machine, or electronic mail only with the consumer's prior consent.2 Furthermore, commercial emails can be sent only with the addressee’s prior consent ("opt-in"), whereby the addressee has to have the possibility to prohibit such use of his or her contact data in the future.3 Violation of this obligation is punishable by a fine in misdemeanour proceedings amounting to approximately €1,150.4 For the same act, if it is committed by a legal person, the fine may go up to approximately €31,956.5


Dissemination of spyware, malware, or computer viruses is punishable by a fine or up to three years' imprisonment.6 The same act, if it is committed at least twice, or if it causes significant damage, is punishable by a pecuniary punishment or up to five years' imprisonment.7

Online behavioural marketing and search engine privacy

There are no laws in Estonia that expressly regulate online behavioural marketing or search engine privacy. However, the DPI has issued guidelines about the privacy risks of search engines.8 In general, digital data can be tracked and linked to a particular person on a case-by-case basis due to data retention obligations imposed on telecommunications companies and Internet service providers. These entities are, for example, compelled to retain the real names and addresses of their customers, to whom an IP address, a user name, or a number has been allocated, as well as the exact period of Internet sessions, etc.9 However, such data can only be made available to the surveillance or security authorities, the Financial Supervision Authority, and the courts.10

Online social networks and virtual communities

According to a survey conducted in December 2009, the most popular social network in Estonia is Orkut, which is used on a monthly basis by 26 percent of respondents.11 Also, there are approximately 255,000 Facebook users in Estonia (or roughly one-fifth of the population), of whom 57.7 percent are females and 63.3 percent are between 18 and 34 years old.12 Other social networks, such as Twitter, MySpace, and LinkedIn, are used by approximately 5 percent of the population.

The DPI has posted on its Web site an Estonian translation of the International Working Group on Data Protection in Telecommunications' "Report and Guidance on Privacy in Social Network Services", most likely to use it as a tool to interpret the data protection requirements in this field.13

Online youth safety

Estonian children have excellent access to the Internet. According to a survey carried out in 2008, 93 percent of children in the 6 to 16 age group use the Internet. However, in contrast to other EU countries,14 only 22 percent of parents expressed concern that their child might be the victim of online grooming.15 In March 2008, a 16-year-old boy committed suicide, presumably because of an online molester who threatened to publish indecent photographs of the victim that he had gathered. Apparently 43 Estonian minors were molested by the same person, who is currently in prison for preliminary investigation. This incident brought the importance of online youth safety acutely into the spotlight. In 2009, the Ministry of Social Affairs summoned a children’s online safety working group, which it has been coordinating ever since.16 The same Ministry also represents Estonia in the EU Safer Internet Programme. The Estonian Union for Child Welfare has also been actively involved in the process of promoting online safety. Since 15 March 2010, online grooming has been punishable by a fine or up to three years’ imprisonment.17 According to the explanatory memorandum of the Penal Code, the purpose of the amendment is to prevent the sexual abuse of minors.18

Workplace privacy

Since 1 July 2009 the Employment Contracts Act19 contains a provision pursuant to which an employer is required to respect employees’ privacy and verify the performance of their duties in a manner that does not violate the employee’s fundamental rights. However, there is neither regulation nor case law regarding the employer’s specific rights with respect to monitoring its employees’ Internet browsing, phone use, etc. Therefore, today the most efficient way to regulate the monitoring of employees’ activity in the workplace is through an employment contract.

Health and genetic privacy

Health privacy

According to the Health Care Services Organisation Act,20 from 1st January 2009 all medical institutions will have to record health data in the general Electronic Health Record System (EHRS). It is not possible for a patient, as a data subject, to oppose the recording of his health record in the health information system. However, the patient may block access to some or all of the health data recorded about him through a patient portal21 or during a visit to a medical institution. Patients can access all data recorded about them in the EHRS themselves but, if it is necessary to protect the patient's life or health, the healthcare provider may, upon entering the patient's health record in the EHRS, restrict the patient's access to some of his health record or limit access to only a health care provider.

Genetic privacy

On 13 December 2000, the Estonian Parliament approved the Human Genes Research Act.22 The Act created a national genetic database to be used for research into diseases. The database is owned and controlled by the Estonian Genome Project Foundation.23 However, the Estonian government provides only 20 percent of the funding for the project. A United States registered company, EGeen International Corporation, has agreed to provide the remaining financing.24 The focus of the Estonian database is different than that of the Icelandic database. Rather than looking for genes that cause disease, as in Iceland, the Estonian project is focusing on how genes influence individual responses to medicines.25 The main project is underway after successful completion of pilot programmes in three regions.26

Privacy protection for donors is included in the project design. Doctors who collect samples and medical histories for the project must register their databases with the DPI before they can participate. Individual data is stored in coded form on computers that are not connected to any network. The rights of donors and the consent form they have to sign before donating their samples are publicly available on the Web site of the Estonian Genome Project Foundation.27 These rights include: voluntary consent, anonymity, the right to obtain one's own information or give one's doctor the ability to obtain the information, and the right to have all data removed and deleted from the database.28

The DPI has expressed concern over the lack of pharmacy service providers – there are approximately 300 of them in Estonia – registering for processing sensitive information.29 Each healthcare provider must have a method for registering complaints, their resolution methods, patient feedback, sending on-time notifications to patients on waiting lists about transfers to different healthcare specialists, or about substitutions for their health care professionals.30

Financial privacy

Pursuant to the Credit Institutions Act,31 a credit institution is, upon entry into a contract or a transaction, required to identify its client or the client's representative. If the institution has already identified either one in an earlier transaction, it is authorised to require additional identification, and also has the right to verify the validity of identity documents and to obtain personal data from databases of the state agencies that issued the documents. The standard terms of the agreement between the credit institution and the client may include a consent clause by which the client agrees to have the institution process his personal data.32

The criminalisation of identity theft through complementary provisions of the Penal Code entered into force on 15 November 2009. According to Article 157² of the Penal Code, the illegal use of another person's identity is punishable by a fine or up to three years' imprisonment.33