Estonia, the Digital Nation: Reflections on a Digital Citizen’s Rights in the European Union

Full text

EDPL|1ReportFullVersion:Estonia,theDigitalNation
Estonia,theDigitalNation-Reflectionsofa
DigitalCitizen’sRightsintheEuropean
Union
ReportFullVersion
PalomaKrõõtTupay*
Ifwedefinelawasasystemofruleswhichaparticularcountryorcommunityrecognizes
asregulatingtheactionsofitsmembersandwhichitmayenforcebytheimpositionofpenal-
ties,thenthequestionarises:Whicharetherulessuitableforadigitalcounty?Arepeople’s
rightsinadigitalnationbetterprotectedordotheyneedenhancedsafeguards?Doesrights’
protectioninthedigitaleraneedanewapproach?Doesadigitalsocietyhavetoleavebe-
hindtheprincipleideasofprivatelifeandinformationalself-determination?Searchingfor
answerstothesequestions,thefollowinglongversionofthisreportonEstonia(fortheshort
versionseeEDPL2020-2)firstintroducesthereaderintothemeaningandcontentoftheEs-
tonian‘e-state’.Onthatbasis,itthenreflectsonthedigitalnation’simpactontheindivid-
ualandhisorherrightsandbythis,onthequestionsthelegalsystemhastoprovidean-
swersforinadigitsedsociety.
I.Introduction:TheSuccessStoryof‘E-
Estonia’
InDecember2017,TheNewY orkerpublishedan
articlewiththeheadline‘TheDigitalRepublic’.1
ThedigitalrepublicdescribedthereinisEstonia.
Almost90%oftheEstonianpopulationusestheIn-
ternetregularly,99.6%ofbankingtransactionsare
doneelectronically,99%ofpublicservicesareavail-
ableonline,withoutqueueing.2Onlymarriage,di-
vorceandthesaleofrealestatecannotbeconclud-
edexclusivelyonline.3Morethan95%ofpeople
submittheirincometaxreturnonline,95%ofda-
tastoredbyhospitalsandfamilydoctorsisdigital.4
Entrepreneursestablishnewbusinessesandsub-
mittheirannualreportsviathee-businessregister.5
Since2002,morethan500millionEstoniandigital
signatureshavebeenused,morethanintherestof
theEuropeanUnionaltogether.6Toputitinthe
wordsofthePresidentofEstonia,KerstiKaljulaid:
‘globallythereisnootherdigitalnationthathasa
state’.7
*DriurPalomaKrõõtT upay,LecturerinConstitutionalLaw ,School
ofLaw ,DepartmentofPublicLaw,T artuUniversity,former
legaladvisertothePresidentofEstonia.F orcorrespondence:
<palomakreet.tupay@ut.ee>.TheauthorthanksMonikaMikiver
andMarisJuhafortheirvaluableadviceandhelpfulsuggestions.
Theresponsibilityforthecorrectnessofanyinformation,state-
mentandopinionstatedinthereportresidessolelywiththe
autor.Anabridgedversionofthisreportwaspublishedinissue
6(2)EDPL.
1NathanHeller ,‘TheDigitalRepublic’TheNewYorker(18and25
December2017)<https://www.newyorker.com/magazine/2017/
12/18/estonia-the-digital-republic>.AllURLsinthiscontribution
werelastaccessed1May2020.
2EnterpriseEstonia,‘e-Estoniafacts’<https://toolbox.estonia.ee/
media/1780>.
3EnterpriseEstonia,‘e-governance’<https://e-estonia.com/
solutions/e-governance/>.Concerningtheobligatoryinvolvement
ofthenotaryinagreementsconcerningthetransferofrealestate,
therearealreadyinitiativestoreplacethenecessityofphysical
presenceofthepartiesbyvideotransmission.
4ibid.
5EnterpriseEstonia,‘e-Estoniaguide’(2019)4,9<https://e-estonia
.com/toolkit/>.
6ibid.
7SpeechofthePresidentoftheRepublicofEstonia,2November
2018atColumbiaUniversity<https://president.ee/en/official
-duties/speeches/14790-president-kaljulaid-at-columbia
-university/index.html>.

EDPL|2ReportFullVersion:Estonia,theDigitalNation
Inthelast29years,Estonia-acountryof1.3mil-
lioninhabitants,abitlargerthantheNetherlands8
andhalf-coveredbyforest-hasstrodeforwardinsev-
en-leagueboots.Estoniaregainedindependencein
1991,whichendedaperiodofmorethan50yearsoc-
cupationbytheSovietUnion.Thetracestheforeign
ruleleftonthecountrywhereimmense.Theecono-
mywasonitsknees,thestatesystemailing.Every-
thinghadtobereinventedfromscratch,andtheEs-
toniansdidso.Oneofthethingstheydidwastoput
theirlongdreamofafree,democraticcountryonsol-
idground:on24June1992Estoniansadoptedthe
ConstitutionoftheRepublicofEstonia(EC)bypop-
ularvote.9Thetaskfulfilledbythefathersandmoth-
ersoftheConstitution,whohadthemselvesbeen
keptforciblyawayfromthedevelopmentsofthede-
mocraticlegalsystemsforsolong,isimpressive.
Theyhadmanagedtodrawupinlessthanayear–
withnotmuchmorethantheperiodichelpofdiffer-
entinternationallegalexperts–anewconstitution,
thatlaidgroundforalegalstateorderthathasbeen
inforcesince.TheEChasbeencalledoneofthe‘in-
terestingconstitutions’ofmoderntimes10and
gainedspecialattentionongroundsofitsmodern
fundamentalrightscatalogue.11
Still,despitearesolutemoneyreform,privatisa-
tionandacleardecisioninfavourofaliberalmar-
keteconomy,Estoniawasinthebeginningofthe
ninetiesaverypoorcountry,withanaveragemonth-
lyincomeof30dollarsin1992.12Fromtheneedto
buildupacountryaffordableforitssmallnumber
ofinhabitantsandthenecessitytofindsomething
thatwouldputEstoniaonthemap,thedecisionof
embracingthenewlyariseninterestforan‘informa-
tionsociety’wasborn.
BasedonarespectiveinitiativeonEuropean
Union(EU)level,13agroupofexpertspublishedin
1994itsproject‘Estonia’swayintoinformationso-
ciety’.14In1997,theso-calledTigerLeapProgram
waslaunched.ItsaimwastoequipEstonianschools
withinformationandcommunicationtechnology
andtheknowledgeofhowtouseit.Thisprogramis
consideredoneofthecornerstonesofthe‘Interneti-
sation’oftheEstoniansociety.15In1998,theEston-
ianparliamentadoptedformallythe‘Principlesof
EstonianInformationPolicy’,designatingthefol-
lowingfourmainaims:modernisationoflegisla-
tion,promotionoftheprivatesector,enhancing
communicationbetweenthestateanditscitizens
andawarenessconcerningtheproblemsofaninfor-
mationsociety.16Oneofthekeyelementsofthesuc-
cessfulimplementationofthee-statehasbeenthe
closecooperationofthestateandtheprivatesector,
especiallyScandinavianbanksinterestedinthis
newmarketanditsopportunities.17Thebankswere
alsopioneersinofferingcustomerstheirserviceson-
line.
From2000,theso-callede-Cabinetprovidesthe
meansforapaper-freegovernmentaldecision-mak-
ingprocess.18Inthesameyear,theEstonianelectron-
ictaxboardwasintroducedandreachedamajorde-
velopmentalmilestonewiththeintroductionofau-
tomatedtaxdeclarationformshelpingtoreducedras-
ticallythetimespentbyprivateindividualsanden-
8Netherlandstotal:approx.41.5sqkm.Estonia:approx.45.2sq
km.Source:LivingintheEU<https://europa.eu/european-union/
about-eu/figures/living_en>.
9TheConstitutionoftheRepublicofEstonia(EestiV abariigi
Põhiseadus1992),EnglishtranslationaccessibleattheState
gazette<https://www .riigiteataja.ee/en/eli/521052015001/
consolide>.Since1June2010,theEstonianstategazetteRiig-
iteatajaispublishedonlineexclusivelyat<https://www
.riigiteataja.ee>andcontainsnexttotheofficialEstonianlegal
actsEnglishtranslationsofseveralofthem.Englishtranslationsof
Estonianlegalactsareavailableat<https://www.riigiteataja.ee/
en/>.
10ManfredH.Wiegandt,‘GrundzügederestnischenVerfassungvon
1992’(MainfeaturesoftheEstonianConstitutionfrom1992)
(1997)45JöR151,151.
11SeefurtherWolfangDrechslerandTaaviAnnus,‘DieVerfas-
sungsentwicklunginEstlandvon1992bis2001’(TheEvolutionof
theConstitutioninEstoniafrom1992to2001)(2000)50JöR
473,481ff;seealsoPeterHäberle,‘V erfassungsentwicklungenin
Europa–ausderSichtderRechtsphilosophieundderVerfas-
sungslehre’(EvolutionofconstitutionsinEurope–fromtheview-
pointsoflegalphilosophyandconstitutionaltheory)(1994)AöR
169,197f.
12SpeechofthePresidentoftheRepublicofEstonia(n8).
13EuropeanCommissionWhitePaperon‘Growth,competitiveness,
andemployment’(1993);seealsoBangemannGroupreporton
theglobalinformationsociety(1994).
14TarmoKalvet,‘TheEstonianInformationSocietyDevelopments
Sincethe1990s’(2007),no29PRAXISpublication10<http://
praxis.ee/wp-content/uploads/2014/03/2007-Estonian
-information-society-developments.pdf>accessed17January
2020.
15PilleRunneletal,‘TheEstonianT igerLeapfromPost-Commu-
nismtotheInformationSociety:FromPolicytoPractice’(2009)
JournalofBalticStudies29.
16Thedocument(inEstonian)canbefoundatthehomepageofthe
Stategazette(n10)<https://www .riigiteataja.ee/akt/75308>
accessed17January2020.
17SeealsoKalvet16f(n15).
18e-Estoniaguide8(n6).

EDPL|3ReportFullVersion:Estonia,theDigitalNation
trepreneursonfilingtaxes.Anemployeewillnowa-
daysspendlessthanfiveminutesinfillingouthis
orhertaxdeclaration.19
On1May2004Estoniabecameamemberofthe
EU.Onlyoneyearlateritwasthefirstcountryinthe
worldtointroducee-voting.Attheelectionstothe
EuropeanParliamentinMay2019over45%ofthe
voteswerecastonline.20LikeinallEUcountries,the
directlybindingandapplicableEU’sGeneralData
ProtectionRegulation(GDPR),21alongsidewithDi-
rective(EU)2016/68022establishingrulesforthepro-
tectionofindividualswithregardtotheprocessing
oftheirpersonaldatabypoliceandcriminaljustice
authorities,harmonizesince25May2018datapro-
tectionalsoinEstonia.ThereformedEUdataprotec-
tionlaw’saimistocompromiseonandharmonize
thehithertorathervariedapproachesofEUmember
statestodataprotection.AlthoughthereformedEU
dataprotectionlawallowsforspecialnationalprovi-
sionsanddifferencesespeciallyonquestionscon-
cerningdatahandlingbypublicauthorities,23data
processinginEstoniacannotbediscussedwithout
incorporatingthedirectaswellasindirecteffectsof
therespectiveEUlaw.
II.TheE-State’sFoundations
ThetwopillarsofEstoniandigitallifearecalleddig-
italIDandx-road.
1.DigitalID
InEstonia,theidentityofeveryperson–beitcitizen
orforeignresident–isbasedonapermanentindi-
vidualIDcode.TheIDcodeconsistsof11numbers,
ofwhichthefirstindicatestheperson’sgender(even
numbersforwomen,unevenformen)andthefol-
lowingsixcorrespondtotheperson’sbirthdate24;the
nextthreeareserialnumbersforpeoplebornonthe
samedayandthelastoneservesascontrolnumber.25
ThisIDcodemaybepublishedforthepurposeof
identificationoftheperson.TheEstonianDataPro-
tectionInspectorate(DPI)hasaffirmedthattheID
numberis,justlikethebirthdate,isnotconsidered
tobesensitive,ieaspecialcategoryofdata.26The
regulationforeseeingthestringofnumbersoftheID
numberhasneverbeenlegallycontested.Theonly
mandatoryidentificationdocumentinEstonia,the
IDcard,carriesinteraliathecardholder’sphotoand
IDcodeandservesaspersonalidentificationdocu-
ment.Additionally ,thecard’schipincludestwoelec-
troniccertificates:oneallowingforthedigitalau-
thenticationoftheperson–thedigitalID-,theoth-
eroneenablingthecardholdertosigndocuments
electronically.27
ThedigitalidentityofanEstoniancitizenisgen-
eratedautomaticallywhenthedoctorentersthebirth
dataofachildintothee-healthsystem.Later,thepar-
entscanaddthechild’snametothedigitalidentity
–online.28Therefore,everyEstoniancitizenhasa
19ibid4,6.
20EstonianNationalElectoralCommittee,‘StatisticsaboutInternet
votinginEstonia’<https://www.valimised.ee/en/archive/statistics
-about-internet-voting-estonia>.
21Regulation(EU)2016/679oftheEuropeanParliamentandofthe
Councilof27April2016ontheprotectionofnaturalpersons
withregardtotheprocessingofpersonaldataandonthefree
movementofsuchdata,andrepealingDirective95/46/EC(Gen-
eralDataProtectionRegulation2016)OJL119/1.
22Directive(EU)2016/680oftheEuropeanP arliamentandofthe
Councilof27April2016ontheprotectionofnaturalpersonswith
regardtotheprocessingofpersonaldatabycompetentauthorities
forthepurposesoftheprevention,investigation,detectionor
prosecutionofcriminaloffencesortheexecutionofcriminal
penalties,andonthefreemovementofsuchdata,andrepealing
CouncilFrameworkDecision2008/977/JHA(2016)OJL119/89.
23SeeegJürgenKühlingandFlorianSackmann,‘Datenschutzord-
nung2018–nachderReformistvorderReform?!’(2018)NVwZ
681;HolgerGreve,‘DasneueBundesdatenschutzgesetz’(2017)
NVwZ737,737f.
24Egincaseof10December1977:101277.
25Seefurther,ElectronicIdentity(eID)ApplicationGuide,AShort
IntroductiontoeID<https://eid.eesti.ee/index.php/A_Short
_Introduction_to_eID>.Astothelegalregulation:Population
registerActpara39s1:‘Apersonalidentificationcodeisanum-
berformedonthebasisofthesexanddateofbirthofaperson
whichcomplieswiththestandardoftheRepublicofEstoniaand
allowsthespecificidentificationofaperson.’
26SeerespectiveinformationontheEstonianDataProtection
Inspectorate’shomepage:<https://www.aki.ee/et/kas-isikukood
-delikaatne>;Sensitivedataaretodayconsideredtobespecial
categoriesofdata,seealsorecital10GDPRandart9GDPR.
27ThedigitalIDcannowadaysalsobeaccessedviamobile
phone–theso-calledmobileID–anddirectlyonline,as’ smart
ID’service.ThemobileID,thathastheadvantagethatthe
mobileIDcanbeusedwithoutacardreader,isbasedona
specialSIM-card,whichcanbeobtainedfromthemobile
phoneoperator,seefurther<https://www.id.ee/index.php?id
=36882>.Thesmart-IDisanappthatcanbeusedonamodern
smartphoneoratablet.Itenablestheusertoaccesse-services
ordigitallysignDocumentwithouttheadditionalneedofa
specialSIM-cardsoracard-reader<https://www.smart-id
.com/>.
28MinistryoftheInterior,informationonthePopulationRegister ,
‘Personalidentificationcode’<https://www.siseministeerium.ee/
en/population-register>;also:SpeechofthePresidentofthe
RepublicofEstonia(n8).

EDPL|4ReportFullVersion:Estonia,theDigitalNation
digitalID,whichisassignedalsotoeveryforeignper-
manentresidentofEstonia.29ThisdigitalIDenables
thepersontoidentifyhim-orherselfonlineandthus
usetheservicesprovidedbythestate.Additionally ,
thiswayofauthentificationcanalsobeusedbypri-
vateserviceproviders.Therefore,thedigitalIDisin
practicealsousedasonlinebankingIDandassuper-
marketclientcard.
2.X-teeandtheOnce-OnlyPrinciple
TheX-tee(English:x-road),thedataexchangelayer
forthenation’svariouspublicandprivatesectore-
servicedatabasesandotherinformationsystems,30
formstodaytheheartofEstoniandigitalservices.It
linksthedifferentdatabasesandinformationsys-
temsandallowsforfastandsecuredinternet-based
dataexchangesbetweenthem,31thusmakingit–in-
teralia–possibletopresentone’staxdeclaration
withinafewminutes:thetaxandcustomsboardfor-
wardsthetaxpayerapre-filleddeclarationinwhich
informationobtainedbyotherinstitutions–inthis
case,thepopulationregisterandthecommercialreg-
ister32–hasalreadybeeninserted.Thetaxpayercan
simplyapprovethedeclarationwithhisorherdigi-
talsignatureormakenecessaryamendmentsbefore
doingso.33
Theideathatthepublicauthoritiesshouldnever
askasecondtimeforinformationthepersonorin-
stitutionhasalreadyprovidedtotheauthorities,has
alsobeenwrittenintolaw .AccordingtothePublic
InformationAct’s(PIA)§431section3:‘Collectionof
datainthedatabaseshallbebasedontheone-re-
quest-onlyprinciple’.34Thisidea,namedalsothe
‘OnceOnlyPrinciple’ ,hasalsobeenembracedatEU
level.In2009,theMinisterialDeclarationone-Gov-
ernmentstatedthatthemembers’intenttojointly
investigatehowmemberstates’publicadministra-
tionscanreducethefrequencywithwhichcitizens
andbusinesseshavetoresubmitinformationtoap-
propriateauthorities.35TheEUministersresponsi-
blefore-GovernmentreaffirmedintheTallinne-Gov-
ernmentdeclarationof2017theircommitmenttoim-
plementtheonce-onlyprincipleforkeypublicser-
vices36andtheEuropeanCommissiondeclaredto
launchapilotprojectforthe'Once-Only'principle
andexplorethepossibilityofitsEUwideapplication
initsDigitalSingleMarketStrategy.37However,the
applicationofthe‘onceonly’principleraisesalso
questionsregardingitscompatibilitywithEUdata
protectionlaw,especiallythepurposelimitation
principle,accordingtowhichpersonaldatashallbe
collectedforspecified,explicitandlegitimatepur-
posesandnotfurtherprocessedinamannerincom-
patiblewiththosepurposes.38Sincetheadoptionof
theDataProtectionDirectivein1995,39thepurpose
limitationprincipleconstitutesoneoftheEU’sdata
processingbasicconceptsandistodaylaiddownin
Article5paragraph1(b)GDPR.Thelimitationofthe
29IdentityDocumentsAct(Isikuttõendavatedokumentideseadus
1999)para6andpara201s2,<https://www .riigiteataja.ee/en/eli/
529032019005/consolide>.
30Homepages,Excelspreadsheets,slidesetcmayconstituteother
informationsystems,see:AndmekaitseInspektsiooniAnd-
mekogudeJuhend(TheEstonianDataProtectionAuthorities’
Guidelinesondatabases)(updatedversion2016,Estonianonly)3
<https://www.aki.ee/et/juhised>.
31FurtherinformationcanbeaccessedattheInformationSystem
Authority’shomepage‘DataExchangeLayerX-tee’<https://www
.ria.ee/en/state-information-system/x-tee.html>.
32Employersarerequiredtoregisterthepersonsemployedbythem
intheemploymentregister,whichismaintainedbytheTax-and
Customs-Boarditself.
33Estonianelectronictaxfilingisexplainedinmoredetailasshow-
caseat<https://scoop4c.eu/showcase/electronic-tax-filing-e-tax>.
TheSCOOP4cprojectisprojectlaunchedbytheEuropean
Commissionin2016exploringhowtheonce-onlyprinciplein
publicserviceprovisioningcanbeimplementedatEuropean
level..
34PublicInformationAct(avalikuteabeseadus2000),English
translationaccessibleattheStategazette(n10)<https://www
.riigiteataja.ee/en/eli/529032019012/consolide>;similarly,ibid,
theGeneralP artoftheEconomicActivitiesCodeAct’ s(Majan-
dustegevuseseadustikuüldosaseadus2014)para13prohibits
economicadministrativeauthoritiestorequirefromundertakings
alreadysubmittedinformation.
35MinisterialDeclarationoneGovernment,theso-calledMalmö-
Declarationof18November2009,accessibleat<https://ec
.europa.eu/digital-single-market/en/news/ministerial-declaration
-egovernment-tallinn-declaration>.
36MinisterialDeclarationoneGovernment-theT allinnDeclaration
of6October2017,ibid.
37CommunicationfromtheCommissiontotheEuropeanParlia-
ment,theCouncil,theEuropeanEconomicandSocialCommittee
andtheCommitteeoftheRegions(SWD(2015)100final,6May
2015).OngoingEU-projectsontheimplementationoftheonce-
onlyprincipleareegtheSCOOP4cproject(fn33)andtheTOOP
project,whichaimstoexplorethepoosibilitiesoftheapplication
oftheonce-onlyprincipleacrossborders(seefurtherat<http://
www.toop.eu/info>).
38SeefurtherMarioMartiniandMichaelWenzel,‘’Onceonly’
versus’onlyonce’:DasOnce-only-PrinzipzwischenZweck-
bindungsgrundsatzundBürgerfreundlichkeit’(2017)DVBl749.
39Seeart6para1b)Directive95/46/ECoftheEuropeanParliament
andoftheCouncilof24October1995ontheprotectionof
individualswithregardtotheprocessingofpersonaldataandon
thefreemovementofsuchdata[1995]OJL281,31.

EDPL|5ReportFullVersion:Estonia,theDigitalNation
datahandlingpurposeaimsatenhancingtrustbe-
tweenthedatasubjectandthedatacontroller,bylim-
itingthecontroller’srighttopassonthedatasub-
ject’spersonaldatatoanunlimitednumberofdata
processorsunknowntotheindividualconcerned.40
Itisconsidereda‘cornerstone’oftherighttodata
protectionandformsassuchalsopartoftheOECD
PrivacyGuidelines41andthe(updated)Councilof
Europe’sConvention108ondataprotection.42The
‘onceonly’principleforeseesacomprehensiveex-
ceptiontherefrom.
Whencreatingtheconceptofthex-layer,itwas
initiallyheldthatthedataobtainedbytheauthori-
tiesintheconductoftheirtasksbelongstothestate
asawhole.43AccordingtotheEstonianDataProtec-
tionAuthority’sguideondatabasesfrom2016,the
rightto(re-)usedataobtainedonapreviouslydiffer-
entpurposeisbasedonthedataprocessor’slegiti-
materighttousedatainordertoperformitspublic
tasks.44Thislegalbasiscanagainbedeductedfrom
theGDPR,accordingtowhichdataprocessingshall
beconsideredlawfulifitscompliantwithalegal
obligationtowhichthecontrollerissubject(Article
6(1)(c)GDPRor/andnecessaryfortheperformance
ofataskcarriedoutinthepublicinterestorinthe
exerciseofofficialauthorityvestedinthecontroller
(Article6(1)(e)GDPR)).45
AtEUlevel,theEuropeanDataProtectionSuper-
visor(EPDS)presentedhisopiniononthe‘once-on-
ly’principlein2017.WelcomingtheCommission’s
proposaltomoderniseadministrativeservicesand
agreeingthateasingadministrativeburdenonindi-
vidualsororganisations,increasingefficiencyofad-
ministrativeproceduresandsavingtimeandre-
sourcesareworthwhilepublicinterestobjectives,he
notesthatthesedoanyhownotconstituteaseparate
groundunderArticle2(1)GDPRwhichwouldpro-
videagenerallegalreasonforrestrictingtheprinci-
pleofpurposelimitation.46TheEPDSthereforepro-
posesinteraliatostatethattheproposaldoesnotin
anywayaimtoprovidearestrictionontheprinciple
ofpurposelimitationpursuanttoArticles6(4)and
23(1)GDPR.47Regrettably,theEDPSdoesnotsub-
stantiatehowthisstatementcouldbeconsideredto
bewellfounded.48AccordingtotheEuropeanDigi-
talRights(EDRi)advocacygrouptheonce-onlyidea
couldpotentiallyreducecitizens’controlovertheir
personaldata.Therefore,itsimplementationhasto
prioritiseprivacybydesignanddefault.49Addition-
ally,theEDRipointsattheneedtoadequatelyassess
andsolvetherisksthatfollowfromthefactthatthe
implementationoftheonce-only-principlecanlead
tomoreprofilingofcitizens.50
III.TheIdeaofanOpenInformation
Society
TheunderlyingideaoftheEstoniandigitisationis
thatofanopeninformationsociety.51Thefundament
forthisideacanalsobefoundintheEstonianCon-
stitution.Accordingtoparagraph44EC,everyone
hastohavefreeaccesstopublicinformationandstate
agenciesandlocalgovernmentshavethedutytoin-
40SeealsoIoannisRevolidisandAlanDahi,‘FurtherProcessingof
PersonalData–IsthereaFutureforthePurposeLimitationPrin-
cipleintheUpcomingGeneralDataProtectionRegulation?’
(2015)ZD-Aktuell04618.
41TheOECDPrivacyGuidelines,ch1.Recommendationofthe
CouncilconcerningGuidelinesgoverningtheProtectionof
PrivacyandT ransborderFlowsofPersonalData(2013)PartT wo.
Basicprinciplesofnationalapplication,p9.
42Amendingprotocol(CETSNo223)amendingtheCouncilof
Europe’sConventionfortheProtectionofIndividualswithregard
toAutomaticProcessingofP ersonalData(ETSNo.108),adopted
bytheCommitteeofMinistersatits128thSessioninElsinoreon
18May2018art5s4b.
43RiinaKivi,‘RiigiandmekogudehetkeolukordjaAndmekogude
seadus’inInfotehnoloogiaavalikushalduses.RiigiInfosüsteemide
OsakonnaAastaraamat(Yearbookofthestateinformationsystems
department)(2003)ch10.1.
44TheEstonianDataProtectionAuthorities’Guidelinesondatabas-
es(n31)12.
45Justiitsministeerium,‘Isikuandmetekaitseuueõiguslikuraamistiku
kontseptsioon’(10.05.2017toimikunr:17-0584)(Conceptofthe
newlegalframeworkontheprotectionofpersonaldata,Estonian
MinistryofJustice10May2017)10f,33<http://eelnoud.valitsus
.ee/main/mount/docList/db80bf57-35ca-41e3-be15
-827a2f056fdd#aek0ABB0>.
46EuropeanDataProtectionSupervisor,‘ AdigitalEuropeneeds
dataprotection’(2017)6,10<https://edps.europa.eu/press
-publications/press-news/press-releases/2017/digital-europe
-needs-data-protection-0_en>accessed17January2020.
47ibid13.
48Annationallevel,theauthorisatpresentundertakingalegal
analysisonthisquestiontogetherwithPhDstudentMonika
Mikiver.
49EuropeanDigitalRights,‘Analysis:AtrulyDigitalSingleMar-
ket?’(2015)2<https://edri.org/files/DSM_Analysis_EDRi
_20150617.pdf>accessed17January2020.
50ibid8ff.
51SeeKalvet(n15).

EDPL|6ReportFullVersion:Estonia,theDigitalNation
formcitizensabouttheiractivitiesandgivethemac-
cesstoinformationtheinstitutionsownabout
them.52Furthermore,everyonehastherighttoad-
dressnoticesandstatementstogovernmentalandlo-
calauthoritiesandreceiveanswerstothemaspro-
videdbylawaccordingtoparagraph46.53Thisright,
unknowntoEstonia’spreviousconstitutions,wasin-
cludedinthenewECwithanexplicitreferraltocoun-
triesundertheruleoflaw,whereintheviewofthe
ConstitutionalCommissionsucharighthadtoap-
ply.54Theopeninformationsociety’slegalframe-
workistodaylaiddowninthePIAwhichaimedto
establishabasisforthetransparentexerciseofpub-
licpower ,whichwouldenablethepublictocontrol
itsexecution.55Inaddition,thehoped-forcost-effi-
ciencyofpublicadministrationwasanadditionalim-
portantargumentforasmallandyoung’countryas
Estoniatoembracedigitalsolutions.56
1.ObligationtoDiscloseInformation
AccordingtothePIA,governmentalagenciesandin-
stitutionsasthechancelleryoftheEstonianparlia-
ment(Riigikogu),theofficeofthepresident,theOf-
ficeoftheChancellorofJustice,thecourts,andlegal
personsinpubliclawarerequiredtomaintainweb-
sitesforthedisclosureofinformation(paragraph31
PIA).Alldatacontainedinpublicdatabasestowhich
accessisnotrestrictedaswellasdatawhichthehold-
erofthedatabaseconsidersnecessarytomakepub-
liclyavailable,shallbepublishedonline(paragraph
28,pages30and32PIA).Amongstother,informa-
tionconcerningpublicinstitutions,includingtheir
budgetsaswellascivilservants’salarieshavetobe
public(paragraph28PIA).Thedisclosureobligation
appliesalsofordraftactsandregulationsandfor
courtdecisions,furthermore,forthelistsofmem-
bersofpoliticalparties(paragraph28,pages15-17,
29and28PIA).Apartfromthat,thePIAinterdicts
torestrictthepublicityofsupervisoryanddiscipli-
narymeasuresandoffencesthatarenotyettime-
barred(paragraph36(1),page12PIA).
3.ObligationtoMaintainaDocument
Register
Furthermore,thePIAestablishestheobligationof
anypublicinstitutiontomaintainadocumentregis-
ter,ieapublicdigitalregisterthatrecordsalldocu-
mentsreceivedbytheagencyandpreparedbyit.As
farasaccessisnotlimitedonspecialgrounds–eg
informationobtainedinthecourseofcriminalpro-
ceedings,informationcontainingspecialcategories
ofdata57etc.–alldocumentcontentscanbefreely
accessedbyanyone(paragraphs12(4)(1)and35PIA).
Paragraph14PIAgiveseveryonetherighttorequest
informationfromtheholderofit,withouttheneed
forspecialjustification.
4.OfficialDatabases
ThePIAsetsalsotherulesfordatabasesthestate,lo-
calgovernmentsorotherpersonsmaintainforper-
formingpublicdutiesprovidedbylaw.Asarule,
thesehavetobepublic,aslongasthelawdoesnot
provideotherwise(paragraph43(8)PIA).Thepublic
databases–suchasthepopulationregister,theland
register,thecriminalrecordsdatabase,theregister
offarmanimalsandother–maycontainanyinfor-
mationassociatedwiththeperformanceofapublic
duty(paragraph43(1)PIA).Accordingtothelawa
databasedoesnotnecessarilyhavetobekeptindig-
italform,butasitshallingeneralberegisteredin
theadministrationsystemofthestateinformation
52ECpara44.‘(1)Everyoneisentitledtofreeaccesstoinformation
disseminatedforpublicuse.(2)Pursuanttoaprocedureprovided
bylaw,allgovernmentagencies,localauthorities,andtheir
officialshaveadutytoprovideinformationabouttheiractivities
toanycitizenofEstoniaathisorherrequest,exceptforinforma-
tionwhosedisclosureisprohibitedbylawandinformation
intendedexclusivelyforinternaluse.(3)Pursuanttoaprocedure
providedbylaw ,anycitizenofEstoniaisentitledtoaccess
informationabouthimselforherselfheldbygovernmentagencies
andlocalauthoritiesandingovernmentandlocalauthority
archives.Thisrightmaybecircumscribedpursuanttolawto
protecttherightsandfreedomsofothers,toprotecttheconfiden-
tialityofachild’sfiliation,andintheinterestsofpreventinga
criminaloffence,apprehendingtheoffender ,orofascertaining
thetruthinacriminalcase.(4)Unlessotherwiseprovidedbylaw ,
citizensofforeignstatesandstatelesspersonsinEstoniaenjoythe
rightsspecifiedinparastwoandthreeofthissequallywith
citizensofEstonia.’(seealson10).
53ibidpara46.
54ViljarPeep(ed.),‘PõhiseadusjaPõhiseaduseAssamblee’(The
ConsitutionandtheConstitutionalAssembly)(Juura1997)551.
55ExplanatorymemorandumtothePublicInformationActdraftact
no462(20June2000)18.Allparliamentarydraftactsincl
therewithconnecteddocumentscanbeaccessedinEstonianat
thehomepageoftheparliamentofEstoniaat<www .ri-
igikogu.ee>.
56ibid.
57seen29.

EDPL|7ReportFullVersion:Estonia,theDigitalNation
systemthatallowsthedatabasetobecomepartof
thedataexchangelayerx-tee,itusuallyhasto(para-
graph43(1),(2)and(7)PIA).
5.LimitsofDisclosure
Thelawalsoprovidesforthegroundstoclassifyin-
formationasinternal.AccordingtothePIA,informa-
tionthatcouldendangerforeignrelations,innerse-
curityormilitarydefence(paragraph35PIA,p3-6)
shallnotbedisclosed.Theobligationofnon-disclo-
sureappliesalsotoinformationcontainingspecial
categoriesofpersonaldata,iedatacontainingdetails
ofaperson’sfamilylifeorhealthandinformation
thatsignificantlybreachestheinviolabilityofprivate
life(paragraph35,pages11-14).
PrivatelifeisprotectedalsounderEstoniancon-
stitutionallaw.AccordingtoECparagraph42,gov-
ernmentagenciesandlocalauthoritiesmaynotgath-
erorstoreinformationonitscitizens’convictions
againstthewilloftheconcernedindividual.TheEC’s
paragraph26protectseveryone’srighttoprivacyand
theEstonianStateCourthasalreadyin1994acknowl-
edgedtherighttoinformationalself-determina-
tion.58Thecourthasnotitselfspecifiedthisrights’
content,butonlystateditsvalidity .Fromits‘creation’
bytheGermanConstitutionalCourtin1983itcan
bederivedthatitcomprisestheindividual’srightto
decideifandtowhatextenttheperson’sdataiscol-
lectedandstoredbythestate.59TheEstonianper-
sonaldataprotectionact(PDPA)ensurestheindivid-
ual’srighttoprotectionofhisorherdata.ThePDPA
isconsideredtobelexspecialisinrelationtothe
PIA.60
6.ObligationtoInformtheDataSubject
Theindividual’srighttoknowwhoisprocessinghis
orherdataisprotectedbyarightofinquiry.Asen-
shrinedinECparagraph44section3,everyEston-
iancitizenisbylawentitledtoaccessinformation
heldbytheauthoritiesabouthim-orherself.This
rightmaybeinvokedbyarequestforinformation
collecteduponperformanceofpublicduties61orby
arequestforexplanation.62Therequestcanbesub-
mittedbyanyoneanddoesnotrequirealegitimate
interest.Anyhow ,thelawalsoprovidesforgrounds
onwhichtheaddresseehastherighttodeclinethe
request,egincaserestrictionsonaccessapplytothe
informationrequestedongroundsoftheirusein
criminalormisdemeanourproceedingsorincaseit
containspersonaldataandaccesstoitcouldsignif-
icantlybreachtheinviolabilityofprivatelifeofthe
datasubject.63Siminarly,inEUlawtheGDPR’sAr-
ticles13and14forseethedatacontroller’sobliga-
tiontoinformthedatasubjectabouttheprocessing
ofhisorherdataandsodoesrespectivelythe
PDPA.64
Additionally,inEstoniaanypersoncan,bylogging
inintotheStatePortal–anonlineportal,fromwhere
publice-servicesandinformationaboutstate-related
activitiescanberetrieved65–accessthepersonalda-
tausagemonitor .Themonitorallowsthedatasub-
jecttocheckwhichpublicauthorityhasbeenaccess-
inghisorherpersonaldatainanonlinedatabase.66
However,notalldatabases’managershaveyetdecid-
edtomakeuseofthispossibility ,asjoiningthemon-
itoris(today)optional.67Currently ,thedatabasesof
theCitizenshipandMigrationBoard,thePopulation
Register,theMedicalPrescriptiondatabase,theSo-
cialServicesdatabaseandtheUnemploymentIn-
58JudgmentIII-4/A-1/94oftheConstitutionalReviewChamberof
theEstonianSupremeCourtfrom12January1994,Englishtrans-
lationavailableat<https://www.riigikohus.ee/en/constitutional
-judgment-III-4A-194>accessed17January2020:‘Thelackof
thoroughregulationbylawsandcovertnatureofthemeasures
depriveapersonoftherighttoinformationalself-determination,
therighttochoosehisorherbehaviourandtherighttodefend
himselforherself.’
59Judgment1BvR209,269,362,420,440,484/83oftheBun-
desverfassungsgerichtfrom15December1983(Volkszählung-
surteil)II1b).
60PIA,para2s2(n35).
61PIA,paras1and6.
62ResponsetoMemorandaandRequestsforExplanationsand
SubmissionofCollectiveProposalsAct(MRSA)(Märgukirjaleja
selgitustaotluselevastamiseningkollektiivsepöördumiseesitamise
seadus2004)para2s2<https://www.riigiteataja.ee/en/eli/
501112016001/consolide>.
63SeePIA,para23ec1p1)inconjunctionwithpara35(n35)and
MRSA,para1s3(n78)respectively.
64SeePersonalDataProtectionAct(isikuandmetekaitseseadus
2007,newversionof2019)paras22-24<https://www
.riigiteataja.ee/en/eli/523012019001/consolide>.
65TheStatePortalcanbeaccessed(inEstonian,EnglishandRuss-
ian)at<https://www.eesti.ee/et/>.Forfurtherinformationabout
theStatePortalsee<https://www.ria.ee/en/state-information
-system/state-portal-eestiee.html>.
66Formoretechnicalinformation,seeinformationabouttheper-
sonaldatausagemonitoronthesoftwaredevelopmentplatform:
<https://github.com/e-gov/AJ/issues/4>.
67Accordingtotheinformationprovidedatthesoftwaredevelop-
mentplatform:<https://github.com/e-gov/AJ/blob/master/doc/
spetsifikatsioonid/Tehniline_kontseptsioon.md>.

EDPL|8ReportFullVersion:Estonia,theDigitalNation
surancedatabaseapplythemonitor.68Altogether,the
government’sinformationsystemcomprisesmore
than1700databases.69Themanagerofthedatabase
canalsodecidetorestrictthedatasubject’saccessto
informationprovidedbythedatamonitoron
groundsprovidedbylaw ,forexampleonthebasis
ofthePDPAthatprovideslegalgroundsonwhich
thefactofdataprocessingisnotdisplayed,forexam-
pleincasesthisisdeemednecessaryforthedetec-
tionorpersecutionofcrimesorifthisisconsidered
tobenecessarytoprotectotherpeoples’rightsorna-
tionalsecurity.
IV .TheIndividualandtheE-state–A
newBeginningortheEndofSelf-
Determination?
1.DatabasesandPersonalData
Accordingtothelaw,publicdatabasesareestablished
bylaworbyvirtueoflaw,70butthetypeandcompo-
sitionofdatacollectedinthemisregulatedinthe
statuteoftherespectivedatabase.71However,thees-
tablishmentofadatabaseaswellaschangestothe
compositionofitsdatashallbeapprovedbythe
DPI.72Anexamplethathasraisedquestionsisthe
EstonianCommunicableDiseasesRegister(ECDR).73
Accordingtothestatute,thesickperson’sprofession,
addressandsocio-economicstatusisamongsttheda-
tatobecollected,74theregisteralsoforeseesthereg-
istrationofanimalandtickbites.75Additionally ,the
dataoftheECDRisstored‘permanently’ ,ieforever.76
ThecompatibilityofthisregulationwithArticle5
GDPR,accordingtowhichonlydatanecessaryfor
theachievementoftheprocessingpurposemaybe
collected(dataminimisationprinciple)andshallbe
deletedwhennolongernecessary(storagelimitation
principle),raisesquestions.77Ascanbeseenfrom
thisexample,themanyregistersmaintainedbythe
Estonianpublicinstitutionsneedcarefulpermanent
analysisinordertoensuretheirconformitywithcur-
rentlaw.
Anotherrisktobeconstantlykeptinviewarepos-
sibledataleaksresultingfromhumanfailure.Such
dataleaksmostlyoccurwheredatathatshouldbe
classifiedasinternal(seeabove,III.4.)ismistakenly
not.Wheresuchleaksoccur,theireffectissignifi-
cant.Fromlastyear,twomajorexamplescanbere-
called.Inonecase,hundredsofchildrenwereaffect-
ed,asajournalistfoundoutthatdataonchildren’s
behaviour,mentalconditionandpsychiatricreports
hadbeenpubliclydisplayedintheschools’manage-
mentinformationsystemforyears.78Inanothersim-
ilarcase,informationaboutconscipts’characterisa-
tions,healthdataanddisciplinaryproceedings,con-
tainingdetailsoftheirbehaviour,privatelifeandpsy-
chologicalcondition,hadbeenpubliclyaccessiblein
theEstonianDefenceForcesregisteroveryears.79In-
terestinglythough,suchcaseshavenothadawider
impactonpeoples‘confidenceinthepublicregisters.
Also,questionsofpossiblecompensationsforthose
affectedbysuchleakshavenotyetbeenapublicis-
sueofdebate.Thismayforonereasonbeowedto
thereluctanceoftheindividualtosuethestateasthe
evidentlymorepowerfulparty .Additionally,theleak-
68ThedatabasesoftheCitizenshipandMigrationBoardismanaged
bythePoliceandBoarderGuardBoard,theP opulationRegister
bytheMinistryoftheInterior,T heMedicalPrescriptiondatabase
bytheEstonianHealthInsuranceFond,theSocialServicesdata-
basebytheMinistryofSocialAffairsandtheUnemployment
InsurancedatabasebytheUnemploymentInsuranceFund.
69AccordingtothehomepageoftheAdministrationsystemforthe
stateinformationsystemRIHA,thestateinformationservice
comprisestogetherwithprivateinformationsystemswhohave
acceededit,morethan2300databases.
70PIA,para433s1(n35).
71PIA,para435(n35).
72PIA,para433s3(n35).
73Nakkushaigustejanakkushaiguskahtluseesinemiseninghaigestu-
miseohuteguritejaennetamisekohtateabeedastamisekord,
nakkushaigusteloetelujaandmesubjektiisikuandmetegaedas-
tatavateandmetekoosseis(Statuteonthenotificationprocedure
ofcommunicabledeseasesinfectionsandrespectivesuspicions,
hazardsandprevention,listofcommunicabledeseasesand
compositionofpersonaldatatobecommunicated2019)<https://
www.riigiteataja.ee/akt/113032019241>;Informationcontained
intheCommunicableDeseasesRegisterisexchangedviathe
communicabledeseasesdatabaseNAKIS;formoreinformation,
see:<https://www .terviseamet.ee/et/nakkushaigused-menuu/
tervishoiutootajale/nakis>(inEstonian).
74ECDR,para1s5,p3(n89).
75ECDR,para1s1,p53.
76ECDR,para12s1.
77GDPR,art5.
78EevaEsseandPriitPärnapuu,‘Sadadelastedelikaatseddokumen-
didrippusidaastaidavalikultinternetis’(Delicatedocumentsof
hundredsofchildrenwereforyearspubliclyontheinternet),
EstonianNewspaperPostimees(16October2018)<https://radar
.postimees.ee/6429640/sadade-laste-delikaatsed-dokumendid
-rippusid-aastaid-avalikult-internetis>.
79EveLoondeetal,‘Kaitseväesalajaseddokumendidrippusidaastaid
avalikultinternetis’(SecretdocumentsoftheEstonianarm ywerefor
yearspubliclyontheinternet),EstonianNewspaperEestiPäevaleht
(8November2018)<https://epl.delfi.ee/eesti/kaitsevae-salajased
-dokumendid-rippusid-aastaid-a valikult-internetis?id=84260115>.

EDPL|9ReportFullVersion:Estonia,theDigitalNation
ingmaynotcauseameasurabledamageandthefeel-
ingofshamemayprevail.
2.TheLandRegister
AsaGermandata-leakin2019confirmed,theonline
publicationofpropertyowners’homeaddressesand
theirrealestatesmayinsomecountriesbeconsid-
eredadangertocertainpeople’ssafety,egFORpoliti-
ciansandpersonsofpublicinterest.80Inasmall
countrylikeEstonia,wherethehomeaddressofthe
primeministeriscommonlyknown,thegeneralon-
linepublicityofthelandregisterprovidedforbylaw
hadlongbeenconsideredunproblematic.81
Attheendof2019,however,theMinistryofJus-
ticedeclaredthatinfuture,accesstootherpersons’
landregisterdatawillonlybegrantedoncondition
thattheinterestedpersonauthenticateshim-orher-
selfonlineviaID-card,mobile-IDorinternetbank
link.82Theministryjustifiedthisdecisiononthe
groundsthatanincreasingnumberofcitizenshad
writtenletterstotheministryandtotheChancellor
ofJustice,expressingtheirdissatisfactionwiththe
factthatanyonecouldfreelylookuponlinewhich
propertiestheyowned.TheMinistryfurtherstated
thattheidentificationofthepersonwould,onthe
onehand,enabletheownertoseewhohadaccessed
hisorherdatainthelandregisterandthus,byhope-
fullyreducingthenumberofrequestsoutofpurecu-
riosity,enableabetterprotectionoftheirdata.On
theotherhand,theMinistryarguedthatauthentica-
tiondoesnotviolatethelegallyrequiredpublicac-
cesstothelandregister.83However,theMinistrydid
notspecifywhetheritconsideredthattherewasare-
strictionofthepublicityoftheregister .Asthere-
quirementofauthenticationisapurelytechnicalso-
lutionandhasnolegalbasis,itseffectivenessremains
uncertain.
ItshouldbenotedthattheMinistryofJusticehas
linkedthenewregulationspecificallytotheEUda-
taprotectionreformof2018andconsiderationsof
respectivenationalamendments.84Intheauthor’s
view,theincreasedinterestofcitizensintheprotec-
tionoftheirpersonaldatacanalsobeassociatednot
leastwiththeEU’sactivestanceinthisregard.
3.CourtRulings
AccordingtotheECparagraph24sections3and4,
courtproceedingsandthedeclarationofthecourt
decisionareusuallypublic.Theobligationtopublish
courtrulingsonlineformspartofthetransparency
principleestablishedbythePIA.85Whenadopting
thePIAin2000andregulatingtherewiththeoblig-
ationtopublishcourtrulingsonline,thelawmaker
didnotseparatelyexplaintheregulations’propor-
tionality,86nordidtheStateCourthavetoexplainit-
selfonthatquestion.
LaterattemptsbytheMinistryofJusticetorestrict
theprincipleofthepublicityofcourtrulingshave
beenmetwithharshcriticism.In2014,theMinistry
ofJusticemadepublicanamendmentproposal,ac-
cordingtowhichthenamesofmostconvictedinrul-
ingspublishedonlinewouldhavebeensubstituted
byinitials–withtheexceptionofcertainserious
crimes,suchastraffickinginhumanbeings,rape,
murdercrimesagainstthestateandothers–while
accesstothenamesofconvictedpersonswouldhave
beenpurchasableforfoureuros.87Theexplanatory
memorandumcommentedontheproportionalityof
theproposal.Butcontrarytothenewspapers’strong
criticismthattheproposedamendmentwouldre-
strictthefreedomofthepressandinformation,88the
80‘PrivateDatenvonHundertenPolitikernundKünstlernveröf-
fentlicht’(Privatedataofhundredsofpoliticiansandartistspub-
lished)MDRaktuellnewsportal(4January2019)<https://www
.mdr.de/nachrichten/politik/inland/persoenliche-daten-von
-politikern-gehackt-100.html>.
81Seetheelectronicpropertyregister’shomepage(Englishversion):
<https://www.rik.ee/en/e-land-register>.
82‘Kinnistusraamatussaabedaspidiotsinguidtehavaidennast
autentides’(Infuture,searchesinthelandregistercanonlybe
carriedoutundertheconditionofauthentication)Informationby
theMinistryofJustice(26November2019)<https://www.just.ee/
et/uudised/kinnistusraamatus-saab-edaspidi-otsinguid-teha-vaid-id
-kaardiga>;seealso:II.1.
83LandRegisterAct(Kinnistusraamatuseadus1993)para74(see
alson10).
84NewspaperPostimees(12February2019)<https://tehnika
.postimees.ee/6521532/lugeja-kusib-kas-uus-e-kinnistusregister
-ohustab-inimeste-privaatsust>.
85PIA,para29s1andpara28s1no29(n35).
86Explanatorymemorandumtodraftactno462(n56).
87Amendmentacttothecriminalprocurementactandtherewith
connectedacts,draftactno578SE(12January2014)<https://bit
.ly/3gfvtcX>.
88TarmoV ahter,‘Riikhakkabkurjategijatenimesidmüüma’(The
stateplanstosellthenamesofcriminals),Estoniannewspaper
EestiEkspress(23January2014)<https://ekspress.delfi.ee/kuum/
riik-hakkab-kurjategijate-nimesid-muuma?id=67659517>;T armo
Vahter,‘Kohtuotsusesolgunimed,mitteinitsiaalid‘(Courtrulings
shallcontainnames,notinitials)EstonianNewspaperÄripäev(6
March2014)<https://www .aripaev.ee/blog/2014/03/06/
kohtuotsuses-olgu-nimed-mitte-initsiaalid>.

EDPL|10ReportFullVersion:Estonia,theDigitalNation
MinistryofJusticeexplainedthattheamendment
wasmotivatedbyadministrativereasonsprimarily .
Thiswasduetothefactthattheimplementationof
theobligationtoexchangetheconvictednames’with
initialswhentheirpunishmentbecomestimebarred
hadproventobeproblematic,ascopiesoftheprevi-
ouspersonalizedrulingscouldstillbecirculatingon
theinternetandthefulfilmentoftheobligation
causedaconsiderableadministrativeburden.89How-
ever,theamendmentwasnotapprovedbythepar-
liament.In2018,theamendmentproposalsencom-
passingtheenactmentoftheGDPRdidia.propose
toshortentheperiodoftimeofpublicationofcon-
victednames’dependingontheseverityoftheof-
fencecommitted.90Accordingtothedraft’smemo-
randum,thepublicationofcourtrulingsservesthe
interestsofthepublic,suchastransparencyandcon-
trolofthecourt,legalclarity,monitoringandhar-
monisingoftheapplicationoflaw ,generalandspe-
cificdeterrence.91However,thememorandumar-
guesthatnotalloftheseaimsrequirethepublica-
tionofthenameoftheconvictedduringthewhole
lengthofhisorherconviction,butcanbeachieved
alsowithlessintrusivemeasures,eganindividual
requestforaccesstothecriminalrecords.92Thepro-
posedamendmentdidnotbecomelaw.93
Theextenttowhichthepersonalinformationof
thelitigantsispublished,hasbeenadjustedovertime.
Atpresent,incivilandadministrativecourtrulings,
thelitigant(beinganaturalperson)canrequestthe
non-publicationofhisorhernameandIDcode(or
birthdate).94Incriminalproceedings,thedefendant’s
nameandIDcode(orbirthdate)arereplacedbyini-
tialsorcharactersincaseofminors,exceptinthecase
theminorisathirdtimeoffender .Ifthedecisioncon-
tainssensitivedataorpersonaldatathepublication
ofwhichisrestrictedbylaw,thecourtshallrefrain
fromthedisclosureoftheperson’sidentitybyreplac-
ingthedefendant’snamebyinitialsorpublishingon-
lytheconclusionorfinalpartofthedecision.95
4.CriminalRecords
Oneofthemostwell-knownEstoniandatabasesis
theCriminalRecordsdatabase.96Thedatabasecon-
tainsinformationaboutcurrentconvictionsformis-
demeanoursandcriminaloffences.Since2012,ac-
cesstothecriminalrecordsofotherpeoplecostsfour
eurosperrequest.Thisishowmuchapersonhasto
paytogettoknowiftheindividualconcernedhas
validcriminaloffences.97Noadditionalcondition(le-
gitimateinterestorsimilar)hasbeensincerequired.
However,apersoncancheckhisorherownperson-
alrecordforfree.Thelawmakerarguedthatdueto
thefactthatcourtrulingswereanyhowpublicand
didnotcontainsensitivedata,98therewasnoreason
torestrictaccesstocriminalrecords.99Thisargumen-
tationhasneitherbeencontestedbytheEstonian
publicnorthecourts.
However,theentryintoforceofGDPRhasledto
theconclusionthattherespectiveregulationneeds
89‘Justiitsministeeriumpõhjendabtapjate,röövlitejaväljapressijate
kaitsmist’(MinistryofJusticejustifiestheprotectionofkillers,robbers
andracketeers),EstoniannewspaperEestiEkspress(24January
2014)<https://ekspress.delfi.ee/kuum/justiitsministeerium-pohjendab
-tapjate-roovlite-ja-valjapressijate-kaitsmist?id=67671423>.
90ExplanatorymemordandumtotheImplementationActtothe
DataProtectionAct(IADPA),draftactno650(4June2018),42f
<https://www.riigikogu.ee/tegevus/eelnoud/eelnou/96c37d10
-383c-40ad-87be-a8583008b994/Isikuandmete%20kaitse
%20seaduse%20rakendamise%20seadus>;criticalcommentary
ontheplannedchanges:T armoVahter ,‘KeskuratloobEestis
riiki,kuskeegimidagiteadaeitohi?!’(Whothehellcreatesan
Estonianstateinwhichno-oneisallowedtoknowanything?!)
EstoniannewspaperÕhtulehtfrom21June2018<https://www
.ohtuleht.ee/883784/kes-kurat-loob-eestis-riiki-kus-keegi-midagi
-teada-ei-tohi>.
91ibid62.
92ibid.
93ImplementationActtotheDataProtectionAct,draftactno778
(13December2018)<https://www.riigikogu.ee/tegevus/eelnoud/
eelnou/9d1420bb-b516-4ab1-b337-17b2c83eedb1/
Isikuandmete%20kaitse%20seaduse%20rakendamise
%20seadus778>.
94CodeofCivilProcedure(Tsiviilkohtumenetluseseadustik2005)
para462<https://www.riigiteataja.ee/en/eli/512042019002/
consolide>;CodeofAdministrativeCourtProcedure(Halduskoh-
tumenetluseseadustik2011)para175<https://www.riigiteataja
.ee/en/eli/521032019005/consolide>(seealson10).
95CodeofCriminalProcedure(Kriminaalmenetluseseadustik2003)
para4081s2<https://www .riigiteataja.ee/en/eli/515052019002/
consolide>(seealson10).
96SeealsotheCentreofRegistersandInformationSystem’ shome-
page:‘CriminalRecordsDatabase’<https://www .rik.ee/en/
criminal-records-database>.
97AccordingtotheCriminalRecordsDatabaseAct(Karistusregistri
seadus2011)para19,informationonoffencesofminorsis
excludedfromthegeneralpublicityofcriminalrecords;however ,
asanexception,accessshallbegrantedi.atoanemployer
uponhiringtheminor.ThelegalregulationisaccessibleinEng-
lishat:<https://www.riigiteataja.ee/en/eli/ee/501042019021/
consolide/current>(seealson10).
98Todaynamed‘specialcategoriesofdata’(seen27).
99ExplanatorymemorandumtotheCriminalRecordsDatabaseAct,
draftactno762(13December2018)2<https://www.riigikogu
.ee/tegevus/eelnoud/eelnou/8ffa1f1d-8dea-9b9b-53f1
-ddf8f342a164/Karistusregistri%20seadus>.

EDPL|11 ReportFullVersion:Estonia,theDigitalNation
tobeamended,asitisnotcompatiblewithArticle
10GDPR,whichstipulatesthatpersonaldatarelat-
ingtocriminalconvictionsandoffencesshallbecar-
riedoutunderthecontrolofofficialauthorityexclu-
sivelyoriftherespectivelegalbaseprovidesforap-
propriatesafeguardsfortherightsandfreedomsof
thedatasubject.100AccordingtotheamendedCrim-
inalRecordsDatabaseAct(CRDA)paragraph15sec-
tion1,inforcesince1March2019:
Everyonehastherighttoobtaindatafromthe
databaseconcerninghimselforherselforanyle-
galperson.Whendataofanotherpersonarere-
quest,thelegalbasisorobjectiveofrequestingthe
datahastobeconfirmedinthequery.
Astotheexplanatorymemorandum,criminalrecords
ofothernaturalpersonswillbeaccessiblealsoinfu-
tureonthegroundslaiddowninarticle6GDPR.That
is,withthedatasubject’spriorconsent,onthebasis
ofarespectivelegalbase,iftheprocessingisneces-
saryfortheperformanceoftasksofpublicinterest,
fortheexerciseofofficialauthority,fortheperfor-
manceofacontract,fortheprotectionofvitalinter-
estsofthedatasubject,incaseofpreponderatelegit-
imateinterestsofthecontrollerorfortheexerciseof
thepressandinformationfreedom.101Thememoran-
dumaddsthattheindicatedgroundsareneithersep-
aratelycontrollednorevaluatedbytheregistrar.102
AsofJanuary2020,thecitedlegalregulationhas
notbeenputintopracticeandonlinequeriescon-
cerningcriminalrecordsofthirdpersonsdonotre-
quiretheentryofaspecialreason.Itisalsoquestion-
ableiftherequirementof‘control’byanofficialau-
thorityorrespectivesafeguards,assetoutbyArticle
10GDPRcanbeconsideredfulfilledincasetheright
toobtaindataoncriminalconvictionsofthirdper-
sons(CRDAparagraph15section1)isinnowaycon-
trolledbytheauthorities.
7.Parties’MembershipandthePractice
ofDisclosure
ThePIAincludesalsotheobligationtodisclosepo-
liticalparties’membershiplists.Thelawmakerdid
notcommentonthegroundsofthatlegalregulation,
buttheEstonianChancellorofJusticedid,whohas
analysedtheact’slawfulnesstwice.In2003,thethen
ChancellorofJusticeAllarJõksquestionedthecon-
stitutionalconformityoftheregulation.Politicians
andthepublicopiniondidnotfollowthechancel-
lor’sconcerns103andinhisfinalconclusionthatwas
publishedin2004,he,too,tooktheviewthatthereg-
ulationdidnotinfringefundamentalrights.104The
argumentsinfavouroftheregulationareinlinewith
theopinionofthenextChancellorofJusticeIndrek
Teder ,whoin2008,reiteratedtheviewoftheregu-
lation’sconstitutionalconformity .105Accordingto
theseconcurringopinions,apoliticalpartyisnota
secretorintimateorganisation.106Therefore,ithas
toabidebythetransparencyprinciplesstemming
fromdemocraticrule.Bothopinionsdeemtheargu-
mentsinfavourofthepublicityofpoliticalpartyaf-
filiationtobesignificant,asitpreventscorruption
andconflictofinterestandallowforavalue-based
executionofpublicpower.Comparedtothat,thein-
fringementoftheindividual’srightsisconsidered
moderate.107ThechancellorofJustice’sviewof2004
addsthatapoliticallyactivepersonjoiningapoliti-
calpartyhastobereadyforanincreaseddisclosure
ofhisorherbeliefsandactsandbelongingtoapo-
liticalpartyisnotobligatory.108Respondingtothe
possibledangerofstigmatisationanddiscrimination
itissaidthatdiscriminationisforbiddenbylawand
anyonediscriminatedagainsthastherighttotakele-
galmeasures.109Neitheroftheopinionsmadeadif-
ferencebetweenso-calledordinarypartymembers
andpoliticians.Nordidanyofbothaddresstheprob-
abilityandprospectofsuccessof(potential)party
memberstotakelegalactionagainstpossibledis-
crimination.
100ExplanatorymemordandumtotheIADPA44f(n97).
101ibid,45.
102ibid.
103BalticNewsService/Estoniannewsportaldelfifrom26July2003:
‘Jõkssalastakserakondadenimekirjad’(Jõkswouldhidepolitical
parties’themembershiplists)<https://www .delfi.ee/news/
paevauudised/eesti/joks-salastaks-erakondade-nimekirjad?id
=6048372>.
104TheChancellorofJustice’sopinionnr6-8/1443from30Septem-
ber2004.
105TheChancellorofJustice’sopinionnr6-1/080996/00808156of
28November2008<https://www.oiguskantsler.ee/sites/default/
files/field_document2/6iguskantsleri_seisukoht_vastuolu
_puudmine_erakonnaliikmete_nimekirjade_avalikustamine
_loppvastus.pdf>.
106TheChancellorofJustice’sopinionnr6-8/1443from2004,3(n
111).
107ibid.
108TheChancellorofJustice’sopinionnr6-1/080996/00808156
from2008,8(n112).
109TheChancellorofJustice’sopinionnr6-8/1443from2004,3(n
111).

EDPL|12ReportFullVersion:Estonia,theDigitalNation
AlthoughEstonianpoliticalpartieshavebeenpri-
vateorganisationsformorethan25yearsnow ,110it
isinthelightofthecountry’shistoricalbackground
thatpeople’sattitudestowardspoliticalpartiesmust
beunderstood.DuringthetimeofSovietOccupation,
from1940until1990,therewasonlyonelawfulpo-
liticalparty,theCommunistPartyofEstonia.Itwas
understoodtobetheextensionof(Soviet)statepow-
er,notatooltoplacepoliticalpowerintopeoples’
hands.111Extensiveregulationsonpartyfinancing
andorganisationadoptedafterregainingindepen-
dencearelikelytohaveconfirmedtheimpressionof
politicalpartiesascentresofpoliticalpower.112Also
today,publictrustinpoliticalpartiesislow,113civil
andstatecontrolovertheiractingisdeemedneces-
saryandjustified,astheChancellorofJustice’sopin-
ionsconfirm.Additionally,Estonia’ssmallsizecan-
notbeneglectedinthisregard.Patronagebetween
higherstateservantsandpoliticalcareerscanhard-
lybeexcluded,itmayinmanycasesevenbejusti-
fiedbythesimplelackofqualifiedleadersandmas-
tersoftheircraft.114
Fromthefactthatcourtrulings,partyaffiliation
andcriminalrecordsarepublicoratleastpublicly
accessible,anewissuearoseinthebeginningof2019,
shortlybeforetheEstonianparliamentaryelections
inMarch2019.Amediaoutletpublishedonlineand
inthenewspaperallnamesofpartymembersserv-
ingsentencesandthosewithvalid–andpartlyalso
time-barred–offencesandmisdemeanours,includ-
ingtheactscommittedbythem.115Whilesomepo-
liticalparties’statuteshadregulationsinforce,ex-
cludingfrommembershipforexamplepeopleserv-
ingasentence,otherslackedrespectiveregulations.
Reactingquickly,thepartiesdecidedwhomtoex-
cludefromthepartyandwhomnot.Theparties’re-
actionsweredifferent:Someexcludedonlythose
whoseconvictions’werenotyettime-barred,others
decidedtoexcludememberswhohadcommittedcer-
tainseriouscrimesandonesmallpartydecidedto
notexcludeanyone,asaccordingtotheirspokesman,
peopleshouldhavetherighttogoonwiththeirlives
afterconviction.116Althoughitwasmentionedonthe
fringesofthediscussionthatespeciallythedisclosure
ofthenamesofthosepeoplewhoseconvictionwas
alreadytime-barred,mightbeveryunpleasantfor
them,thepublicaswellasthepartiesgenerallyDID
notcallintoquestionthebehaviourofthejournal-
ists.Therewerealsonodebatesconcerningthelegal-
ityofsuchadisclosure,asthejournalistsinvestiga-
tionwasclearlyinlinewithcurrentlaw .According
totheCRDA,aperson’snameintherespectivecourt
decisionshallbereplacedbyinitialsafterthepunish-
menthasbeentime-barred.117Anyhow ,thisregula-
tiondoesnotapplyforcertainoffences,including
murder,manslaughterandoffencesagainstminors,
butalsotraffickingofnarcotics,affiliationincrimi-
nalorganisationsandmoneylaundering.118
Thepracticeofpublicdisclosureofinfringements
isnotuncommoninEstonia.Inthebeginningofthe
2000s,thecityofTartuhadthepracticeofpublish-
ingonlinethosepeople’snamesanddebts,whoowed
110AccordingtothePoliticalP artiesAct(erakonnaseadus1994)para
1s2,politicalpartiesareintheirlegalnaturenon-profitorganisa-
tions:<https://www .riigiteataja.ee/en/eli/513042015011/
consolide>(seealson10).
111SeealsoAllanSikk,‘FromPrivateOrganizationstoDemocratic
Infrastructure:PoliticalPartiesandtheStateinEstonia’(2006),
22(3)JournalofCommunistStudiesandTransitionPolitics341,
345f.
112Compareibid,344;ÜlleMadiseandAllanSikk,‘DieInstitution
derpolitischenP arteiinEstland’in:D.Th.Tsatsosetal(eds),
‘ParteienrechtimeuropäischenVergleich,DieParteieninden
demokratischenOrdnungenderStaatenderEuropäischen
Gemeinschaft(2ndedn,Nomos2006),ch4,4,16f.
113AccordingtotheEuropstatbarometerofFebruay2019,political
partiesconstitutewithasupportof18%theleasttrustedEstonian
institution,see:<https://ec.europa.eu/estonia/news/20190219
_Eurobarometer_et>accessed17January2020.
114SeealsoMadiseandSikk7f,18(n119).
115Seeforexample:JoosepTiksandPriitPärnapuu,‘Peksjad,vargad,
pedofiilid.EKREliikmeskondkubisebkurjategijatest’(Violent
criminals,thiefs,pedophiles.EKRE’ssupporterscampisover-
crowdedwithcriminals),EstoniannewspaperEestiPäevaleht(22
January2019)<https://epl.delfi.ee/eesti/kriminaalipaanika-pani
-reformierakonna-enda-liikmete-hulgast-kurjategijaid-otsima-neid
-leiti-ligi-pool-tuhat?id=85234743>;JoosepT iksandPriitPärna-
puu,‘Punasteroosideokkadtilguvadverest.Sotsideliikmeskon-
nas165kriminaali’(Thethornsoftheredrosesdripofblood.The
membershipofthesocialdemocratsmembership165criminals),
EstoniannewspaperEestiPäevalehtfrom30January2019
<https://epl.delfi.ee/eesti/punaste-rooside-okkad-tilguvad-verest
-sotside-liikmeskonnas-165-kriminaali?id=85188135>;Joosep
TiksandPriitP ärnapuu,‘KriminaalipaanikapaniReformierakonna
endaliikmetehulgastkurjategijaidotsima.Neidleitiligipool
tuhat,Estoniannewspaper’(Criminals’panicmadetheReform
partysearchforcriminalsinitsownrows.Approximatelyhalfa
thousandwerefound),EstoniannewspaperEestiPäevalehtfrom5
February2019<https://epl.delfi.ee/eesti/kriminaalipaanika-pani
-reformierakonna-enda-liikmete-hulgast-kurjategijaid-otsima-neid
-leiti-ligi-pool-tuhat?id=85234743>.
116MarvelRiik,‘Üle2000partei-kriminaali:millisederakonnadon
omahingekirjastkurjategijadväljavisanud?’(Over2000party
criminals:whichpartieshavethrownthecriminalsoutoftheir
membershipslists?),EstoniannewspaperÕhtuleht(6February
2019)<https://www .ohtuleht.ee/939948/ule-2000-partei
-kriminaali-millised-erakonnad-on-oma-hingekirjast-kurjategijad
-valja-visanud>.
117CRDA,para28(n106).
118ibid.

EDPL|13 ReportFullVersion:Estonia,theDigitalNation
thecitymoney .Similarly ,theEstonianpoliceusedto
publishthenamesofthosecaughtdrunk-driving.119
Bothmeasuresweretakenwithoutarespectivelegal
regulationandwereabandonedonlyafteryearswith-
outhavinghadtofaceanylegalconsequences.How-
ever,similarpracticeshaveproventobeeffective.Be-
tween2010-2016,childsupportdebtorswerepub-
lishedonline.120Alreadyinthefirstninedaysofthe
applicationofthemeasureoutstandingsumsinthe
amountofhalfamillioneuroswerepaid.121Such
practiceshavebeensuccessfullyappliedalsointhe
privatesector.In2008,adebtcollectionagencypub-
lishedonabillboardatoneofthemostfrequented
crossingsinTallinnalistofdebtorswhowerelegal
personsinlaw,includingtheirboardmember’s
names.TheEstoniadataprotectionagencyargued
thatastheinformationonthesedebtswasinaccor-
dancewiththeprincipleofpublicityofpublicadmin-
istrationavailabletoeveryoneonthecommercialreg-
ister,thepublicationdidnotbreachprivacylaw.122
TheStateCourtconfirmedthelegalityofthepubli-
cation,asitconsideredittobejustified.123
Astheaforementionedcasesshow ,Estonianlaw
considersthepublicationofoffencescommittedby
thedelinquenttobepartofpublicpunishmentby
thesociety.Thisapproachislikelytobeinconflict
atleastwiththoseEuropeancountries,whichhavea
functioningrehabilitationlegislationandpolicyin
place.IvoPilving,todayjudgeattheSupremeCourt
inEstonia,notedwithrespecttotheproportionality
ofthedisclosureofdrunkdriversanddebtorsofcom-
munaldebtorsin2004thatbeforeapplyingpublic
disclosureasapreventivemeasure,thelawmakerhad
theobligationtoevaluateand,asfarasnecessary ,to
adjustthepreventiveeffectivenessoftheexisting
punitivemeasures.Toensureitsproportionality ,the
statehastobeabletocontroleverypenaltyimposed
byit.Thisisnotgiveninthecaseofpillory ,where
theimpactofthemeasuredoesnotdependonthe
committedact’sseveritybutonthe(accidental)me-
diaandpublic’sreaction.124Pilvingreferredalsoto
thefactthatthepublicstigmatisationofdebtorsmay
nothaveanypositiveeffectwherethedebtorissim-
plylackingmoney ,butevenhinderhimorhertofind
orkeepanemploymentthatmakesthereimburse-
mentofthedebtpossible.125Regrettably,theseargu-
mentshavenotgainedfurtherattentionneitherby
theEstonianlegislatornorbythepublic.
5.ProfilingforthePerson’sBestInterest?
In2017,theproblemoftheNEETyouth(‘youthnei-
therinemploymentnorineducationortraining’)be-
cameanissueofenhancedpublicawarenessinEsto-
nia.T otackletheproblem,thegovernmentpresent-
edalegalamendment,withwhichitaimedtoenhance
therapproachmentofthoseyoungpersonsbetween
theageof16-26intothelabourmarketorintoeduca-
tion.Accordingtotheamendment,thelocalauthori-
tywheretheyoungpersonisresidenthastheright
toidentifyonitsowninitiativeifthatpersonmay
needassistance.Thisisassumediftheyoungperson
doesneitherworknorstudyanddoesnothaveany
wellfoundedreasonfornotdoingso(reasonsfor
exludingapersonfromthelistareegregistrationas
unemployed,entrepreneurship,imprisonment,mili-
taryserviceetc).126Forthepurposeofidentifying
119SeealsoP alomaKrõõtTupayandMonikaMikiver‘Derestnische
E-Staat-zukunftsweisendesVorbildoderbefremdlicherEinzel-
gänger?’(TheEstonianE-state–forward-lookingrolemodelor
oddmaverick?)(2015)1ZeitschriftOsteuropa-Recht2,27f;Ivo
Pilving,‘Sugupuudmüügiksjaroolijoodikudhäbiposti?’(Ge-
nealogicalrecordsforsaleanddrunkdriverstopillory?)(2004)II
Juridica75,79.
120From2016,theinformationcanbeobtainedbyanyonewhohas
accesstotheEstoniane-servicesbyenteringtheperson’ sname
andIDcodeorbirthdateintheregisterofmaintenancedebtors.
Thelegislatorjustifiedtheamendmentnotbyreasonofabetter
rightsprotectionbutbytheaimtoavoidtheduplicationofdata,
seeexplanatorymemorandumtothetotheCodeofEnforcement
Procedureactandtherewithconnectedactsamendmentact,draft
actno803(1December2014)<https://www.riigikogu.ee/
tegevus/eelnoud/eelnou/6e9fb22e-69d1-449d-93a1
-40fe2415c1a4/T%C3%A4itemenetluse%20seadustiku
%20muutmise%20ning%20sellega%20seonduvalt%20teiste
%20seaduste%20muutmise%20seadus>;childsupportdebtinfor-
mationservice<https://www.eesti.ee/eng/services/citizen/
perekond_1/elatisvolgnevus>.
121ReportoftheEstoniannewspaperÄripäevfrom10June2014,
‘Häbiposttõitagasipoolmiljoniteurot’(Thewhippingpost
broughtthetaxofficehalfamillioneuro)<https://www.aripaev
.ee/article/2014/6/10/maksuameti-habipost-toi-juba-tagasi-pool
-miljonit-eurot>.
122ErikRand,‘ Andmekaitseseadusvõlgadesfirmajuhatusthäbi-
postisteipäästa’(Thedataprotectionactdoesnotsafethe
indebtedmanager).EstoniannewspaperÄrileht(7January2009)
<http://arileht.delfi.ee/news/uudised/andmekaitseseadus-volgades
-firma-juhatust-habipostist-ei-paasta?id=51154582>.
123Judgment3-2-1-67-10oftheCivilChamberoftheEstonian
SupremeCourt(21December2010),19.Thedecisionsofthe
EstonianSupremeCourtcanbeaccessedonthecourt’shome-
pageat<https://www.riigikohus.ee/>accessed17January2020.
124Pilving83(n126).
125ibid.
126SeefordetailstheSocialWelfareAct(sotsiaalhoolekandeseadus
2015)para15(1)<https://www.riigiteataja.ee/en/eli/
522032019017/consolide>(seealson10).

EDPL|14ReportFullVersion:Estonia,theDigitalNation
suchpersons,theSocialServicesandBenefitsReg-
istryisautomaticallyscreenedforpeoplewhomatch
thosecriteriatwiceayear.Inordertodeterminethe
realneedforassistance,thelocalauthoritymaythen
contacttheyoungpeopleidentified.Ifthepersondoes
notwishforhisorherdatatobeprocessed,thepro-
cessingofdatashallbeconcludeduponreceiptofa
respectiveapplication.127Thelawmakerdidnotmake
itafurtherpointofdiscussionthatthenameandID
codeofthoseyoungpersonswhodeclinefurtherda-
taprocessingbythelocalauthorityinthisregardswill
anyhowberecordedinthedatabaseuntiltheperson’s
27thbirthday .128Suchinformationmayagainlay
groundfornegativeinterpretation,astheyoungper-
sonhasdeclinedtoaccepthelpofferedtohimorher.
Anyhow ,thegroundsfornotworkingorstudyingare
notknowntotheauthorities;theyoungpersoncan
betouringtheworld,writingabookorsimilar.
TheEstonianDataProtectionInspectorate’sDirec-
torGeneralandtheChancellorofJusticecalledinto
questiontheregulation’sconformitywiththeECpara-
graph26secondsentence,accordingtowhichthe
publicauthoritymayinterfereinanyperson’sprivate
andfamilylifeonlyincasesandpursuanttoaproce-
dureprovidedbylawtoprotectpublichealth,public
morality ,publicorderortherightsandfreedomsof
others,topreventacriminaloffenceortoapprehend
anoffender.129Accordingtotheirviews,the‘preven-
tive’interferenceintoyoungpersons’rightscaused
bytheautomaticscreeningoftheSocialServicesand
Benefitsdatabasemightnotbeinaccordancewiththe
provisionwhichrequiresaconcretedangerforalegal-
lyprotectedright.Anyhow,thelawwasproclaimed
bythepresidentandenteredintoforceinApril2018
andhassofarnotbeencontestedbeforeacourt.The
questionoftheconformityofthelegalamendment
washandledbythemediaonsomeoccasionsbutdid
notgainthepublic’sparticularattention.130
6.AnyProblemswiththeDigitalDivide?
ArecentdecisiondeliveredbytheEstonianSupreme
Courtenbancaddressedinteraliathelegalregula-
tionobligingunexceptionallyallnon-profitorgani-
sationstopresentannualreportstothenon-profitas-
sociationsandfoundationsregisterindigitalform.131
Asanalternative,anotarypublicmaybeauthorised
bytheorganisationwiththeelectronicpresentation.
AccordingtotheNotaryFeesAct,thisservicecur-
rentlycosts25eurosand55cents.132Failureto
presentannualreportsleadstothedeletionoftheor-
ganisationfromtheregister .133Inthecaseathand,
thepartyclaimingtheunconstitutionalityofthereg-
ulationwasasmallnon-profitassociationwhichdid
notactforthepublicbenefitnorcarryoutanyeco-
nomicactivity .Thecourtruledtheregulationde-
mandingthepresentationofannualreportsexclu-
sivelyinelectronicformconstitutional,withami-
norityoffivejudgesoutof16presentingdissenting
opinionsinthisquestion.134Accordingtothecourt,
theregulationmakesadministrationsimplerand
moreeffectiveandreportingmoretransparentand
comparable.135Asthedecisionnotes,itmaybeas-
sumedthataprivatelegalpersonistodayabletocom-
municatewiththestateelectronically.136Thedissent-
127ibidpara15(1)s8:‘Ifthepersonwhois16-26yearsofagedoes
notwishforhisorherdatatobeprocessed,theprocessingof
datashallbeconcludeduponreceiptofanappropriateapplica-
tionfromthesaidperson.Uponfirstcontactwithapersonwhois
16-26yearsofage,thelocalauthorityshallaskthepersonfor
consenttofurtherprocesshisorherdata.Ifthepersondoesnot
givehisorherconsent,thefurtherprocessingofdatawillbe
stopped.Inordertoruleoutanyfurtherdataprocessingonlythe
personalidentificationcodeofthepersonshallbestoredinthe
SocialServicesandBenefitsRegistryuntilthepersonattains27
yearsofage.’
128ibid.
129DataInspectorate’sopinionno1.2.-4/18/111from13January
2018;OpinionoftheChancellorofJusticeno
18-2/170578/1701993(10May2017);seealsoIII.4.
130LauraMallene,‘AndmekaitseOssinovskile:erinevaltnõukogude
ajasteiolemittetöötaminekõlblusvastane‘(TheDataInspectorate
toOssinovski:OppositetoSoviettimesnotworkingisnotim-
moral)EstoniannewspaperEestiPäevaleht(8May2017)<http://
epl.delfi.ee/news/eesti/andmekaitse-ossinovskile-erinevalt
-noukogude-ajast-ei-ole-mittetootamine-kolblusvastane?id
=78144546>;MonikaHaukanõmm,‘Lapsedeitohiollavahend
süsteemikatsetamiseks’(Childrenmaynotbeatoolfortestingthe
system)EstoniannewspaperÕpetajateLeht(26January2018)
<http://opleht.ee/2018/01/lapsed-ei-tohi-olla-vahend-susteemi
-katsetamiseks/>;<http://opleht.ee/2018/02/riik-ulatab-noortele
-oppima-ja-toole-asumiseks-abikae/>.
131Judgment2-17-10423oftheEstonianSupremeCourtenbanc
from2October2018.
132NotaryFeesAct(Notaritasuseadus1996)para31p25<https://
www.riigiteataja.ee/en/eli/512022018001/consolide>(seealson
10).
133Non-ProfitAssociationsAct(mittetulundusühinguteseadus1996)
para361s3<https://www .riigiteataja.ee/en/eli/526032019007/
consolide>(seealson10).
134Judgment2-17-10423(n147).DissentingopinionoftheJudges
PeeterJerofejev,HennJõks,AntsKull,VilluKõveandMalle
Seppik.
135ibid;judgement’sp56;59.1.
136ibid;judgement’sp59.1.

EDPL|15 ReportFullVersion:Estonia,theDigitalNation
ingopinioninthisquestionratedtheregulationto
bedisproportionate,asitdoesnotallowforanyex-
ceptionsforparticularcases,asforeseeninmanyoth-
erregulations.137Thepossibilityofturningtoano-
taryisnotenoughtoconsidertherequirementcon-
stitutional,asitdemandsadditionalfinancialand
timeconsumingexpendituresbytheperson.138
Followingthejudgement,theChancellorofJus-
ticeaskedinanopinionpiece,ifapersonhadthe
righttolivewithoutinternet.Ifnot,shesuggested,
theimplementationofafundamentalobligationto
itsuseshouldbeconsidered.139Apartfromthat,the
court’srulingdidnotgainanypublicattention.But
thecaseservesasareminderforanimportantaspect
ofdigitisation:ifdigitalsolutionsshallservesociety
asawhole,risksofa‘digitaldivide’havetobebe-
stowedsufficientattention.
7.HealthData–aWantedAsset
Estoniahasalsooneoftheworld’smostdeveloped
e-healthsystems.99%ofhealthdataisdigitisedand
99%ofprescriptionsaredigital.140TheEstoniane-
healthRecordisanationwidesystemthatintegrates
datafromdifferenthealthcareprovidersandgener-
atescomprehensivemedicalrecordsofeachpatient,
includingmedicaldiagnosis,visitstodoctors,pre-
scribedmedication,x-raysandother.Healthcare
providersareobligedtosubmittheirmedicalinfor-
mationtothee-healthRecord.141Byloggingintothe
e-PatientportalwiththeelectronicID,142thepatient
canthenaccesshisorherpersonalmedicalrecord.
Accordingto§41HealthServicesOrganisationAct
(HSOA),allhealthcareproviders,whohavealegal
obligationtomaintainconfidentiality,havetheright
toprocesspersonaldatarequiredfortheprovision
ofahealthservice,includingpersonaldataofspecial
categories,withoutthepermissionofthedatasub-
ject.However,thepatientcanchoosetooptoutof
theruleofdatasharingviathee-healthRecord.In
thiscase,hisorherhealthdataisexcludedfrombe-
ingsharedbetweendifferenthealthcareservice
providers.143
Additionally,accordingtotheHSOA,accesstopa-
tients’healthdataforotherpersonsmaybeprovid-
edforbylaw .144FromtheHSOA,itcanthereforenot
beclearlydeducedwhomayhaveaccesstothe
Record.Oneexampleofsuchadelegationcanbe
foundintheInsuranceActivitiesAct(IAA).TheIAA
obligespublicinstitutionsandhealthcareproviders
attherequestofaninsurance‘totransmitorgrant’
accesstopersonaldataofthedatasubjectwithout
hisorherconsent‘ifthepersonaldataarenecessary
totheinsuranceundertakingfortheperformanceof
aninsurancecontractandensuringtheperformance
thereoforforexercisingtherightofrecourse.’145The
norm’svaguewordingallowsforabroadinterpreta-
tiononhowtosecureinsuranciesaccesstothenec-
essarydata.Untiltodaythough,accessisprovided
viapublicinstitutionsandhealthcareproviders,the
insurancecompaniesthemselvesdonothavedirect
accesstothee-healthRecord.
Commentingontheregulations’proportionality ,
thelawmakerarguesthattheprocessingofhealthda-
tabytheinsurancesisjustifiedbyArticle9(2)(c)and
(g)GDPR.Thepromptcompensationoftheperson
entitledtoinsuranceformspartofthepublicsocial
protectionsystemandisthereforeinthepublicinter-
est.146Thelegalregulationsoninsuranceactivities
andthepurposelimitationapplyingtotheinsurances’
righttoobtaindataareconsideredsuitableandspe-
cificmeasurestosafeguardthefundamentalrights
andthepurposelimitationinterestsofthedatasub-
jectwithinthemeaningofGDPRArticle9(2)(g).147
Itshouldbenotedinthisrespectthatin2015,the
lawandethicsworkinggrouptooktheviewthatac-
cesstothee-healthdatabaseshouldnotbegivento
entitieslackingspecialexpertiseonthehandlingof
137ibid.DissentingopinionoftheJudgesPeeterJerofejev,HennJõks,
AntsKull,VilluKõveandMalleSeppik,p28.
138ibid;judgement’sp28f.
139ÜlleMadise,‘P õhiseadusearengajaloolisesjavõrdlevasvaates’
(Theevolutionoftheconstitutionfromahistoricalandacompar-
ativeperspective)(2019)1Juridica3,10.
140InformationretrievedfromEnterpriseEstonia<https://e-estonia
.com/solutions/healthcare/e-prescription/>.
141HealthServicesOrganisationAct(HSOA)(Tervishoiuteenuste
korraldamiseseadus2001)para592<https://www.riigiteataja.ee/
en/eli/508042019003/consolide>(seealson10).
142Seeabove,partII.1.
143Thepatientcannotexcludesingleinformationfrombeingshared
(egonmentalhealth),butcanonlychoosetoexcludeallofhisor
herdatafrombeingshared.Onlyafterthat,heorshecandecide
onacase-by-casebasistoshareparticularentriesofhisorher
healthrecord.Theopt-outmodel’suser-friendlinessistherefore
limited.
144SeeHSOA(n148)para59(3)and(1).
145InsuranceActivitiesAct(Kindlustustegevuseseadus2015)para
219<https://www .riigiteataja.ee/en/eli/526032019002/consolide
>.
146ExplanatorymemordandumtotheIADPA49(n97).
147ibid.

EDPL|16ReportFullVersion:Estonia,theDigitalNation
healthdata,astheymaybeunfitforitsappropriate
use.148Theworkinggrouppointedtothemanydif-
ferentcasesinpractice,wheredirectaccesstodata
systems,egthepopulationregister,hadresultedin
anabusebyimpermissiblybroaduseofthisrightby
respectiveofficials.149Theworkinggroupreferred
alsotoanopinionoftheEUArticle29WorkingPar-
ty150of2007 ,wherethedataprotectionexpertstook
theviewthathealthdatacollectedformedicalrea-
sonsshouldnotbemadeaccessibleforthirdparties
whoseaimsdifferfromthoseoftheoriginaldatacol-
lector.151Additionally,theexpertstooktheviewthat
itwasnotenoughtoprotectthedatasubjectbyal-
lowinghimorhertoseewhohascheckedhisorher
dataandcontestpossibledatainfringementsin
court.Astheprivatepersonistheweakerpartofthis
legalrelationshiptheresponsibilitytoprotecthis
rightscannotbefullydelegatedtohimorher,be-
causethepersonmaynotfeelcompetentenoughto
asserthisorherright.152
a.InsuranceFundsandHealthData
Asalreadypointedoutbythelawandethicswork-
inggroupandtheArticle29WorkingParty ,153there
isanever-growinginterestandpressurefromdiffer-
entprivateandnon-privateentitiestogetaccessto
individuals’medicalrecords.Notwithstanding,by
theendofthesameyear2015,theparliamentseemed
readytoadoptalegalamendmentthatwouldex-
presslygiveinsurancesdirectandindividualaccess
tothee-healthRecordassuch.154Itwasonlyforthe
veryclearcriticismfromtheEstonianDataProtec-
tionInspectorate’sDirectorGeneralandtheChancel-
lorofJusticethattheamendmentwasnotpassed.
Likebeforetheworkinggroup,thedataprotection
officerunderlinedthedatasubject’sweakerposition,
whichwouldalsoundermineapossiblevoluntary
consentofthedatasubject,astheindividualisin
practicedependentontheinsuranceproviders.155
Providingtheinsuranceswithunrestrictedaccessto
allhealthdataofeveryEstonianpatientwouldopen
theopportunityforsubstantialmisusebypersons
notsufficientlycompetentinthisfield.156Thepar-
liamentwasfinallyconvincedbythesearguments
andrefrainedfromadoptingtheamendment.Still,
thisincidentatteststwothings.First,thegreatinter-
estofthirdpartiestogainaccesstotheinformation
storedinthee-Healthsystem.Andsecond,theprob-
lemthatmodernlegalregulations’technicalcontent
maynotbefairlyunderstandabletothose–beitusu-
alcitizensorparliamentarians–whohavenotbeen
thoroughlyintroducedtoitscontent.
b.WhatIsItWorth?
Ifdata–asissaid–isthenewoil,Estoniacancon-
sideritselfarichcountry.Thequestionisnowhow
todrillthisoil.Forthetimebeing,thegovernment
haslaunchedanewprojecttofoundastateenter-
prise,whichwouldthenbecommissionedto
anonymisecollectedhealthdataanddecidefor
whom,howandonwhichconditionsthedataob-
tainedwouldbemadeaccessible.157Therehaveal-
sobeenrumoursofgivingthedatasubjectsthem-
selvestherighttodecidetogivehealthwatchesand
148TheLawandethicsworkinggroup(leadedbyReetP ärgmäe,set
upaspartofthee-healthstrategybytheMinistryoftheInteriorin
2015):‘Legalandethicalaspectsforthegovernmentale-health
strategyuntil2020’(2015),27ff.
149ibid,28f.
150TheArticle29WorkingPartywasanindependentEUworking
partythatdealtwithissuesrelatingtotheprotectionofprivacy
andpersonaldataandwasmadeupofarepresentativefromthe
dataprotectionauthorityofeachEUMemberState,Asof25May
2018,thisbodyhasbeenreplacedbytheEuropeanDataProtec-
tionBoard.Formoredetails,see:<https://ec.europa.eu/
newsroom/article29/news-overview.cfm>.
151‘Legalandethicalaspectsforthegovernmentale-healthstrategy
until2020’(n155),30,referringto:Article29WorkingParty
workingdocumentontheprocessingofpersonaldatarelatingto
healthinelectronichealthrecords(WP131,2007),16<https://ec
.europa.eu/justice/article-29/documentation/opinion
-recommendation/index_en.htm#maincontentSec11>.
152ibid,31f.
153SeeegWP131,2007(n158)5;‘Legalandethicalaspectsforthe
governmentale-healthstrategyuntil2020’(n155),27ff.
154AmendmentacttotheWorkingAbilityEndorsementActand
otheracts,draftactno84SEI(14September2015)<https://bit.ly/
38jWZmZ>.
155LetteroftheEstonianDataProtectionInspectorate’ sDirector
GeneraltotheSocialCommitteeoftheP arliamentfrom19Octo-
ber2015,no1.2.-4/15/1976,3f.Thelettercanbeaccessedat
thewebaddressoftheamendmentactinquestion(ibid).
156ibid,4.
157HansLõugas,‘Eestie-riigiuussuurprojekt:hakkamemeierahva
terviseandmetegasuurtrahategema’(TheEstoniane-state’sgrand
newproject:let’smakebigmoneywithpeople’ shealthdata)
(Onlineportaldigigeenius,8October2018)<https://digi.geenius
.ee/rubriik/uudis/eesti-e-riigi-uus-suur -projekt-hakkame-meie-rahva
-terviseandmetega-suurt-raha-tegema/>andHansLõugas,‘Tervise-
andmeteuueriigifirmaplaanjõuabvalitsusse’(Theplanonanew
stateenterpriseforhealthdataheadstothegovernment)(Online
portaldigigeeniusfrom,10October2018)<https://digi.geenius.ee/
rubriik/uudis/terviseandmete-uue-riigifirma-plaan-jouab-valitsusse/>.

EDPL|17 ReportFullVersion:Estonia,theDigitalNation
fitnesstrackersaccesstotheirhealthdata.158Nole-
galanalysishasbeenpresentedinthisregardsofar.
Attentionhastobepaidtoparticularcommercialin-
terestsofdifferentmarketplayers,bearinginmind
thegenerallyweakerpositionoftheconsumer.
V .Concludingremarks
1.TheEstonianUnderstandingofRights’
Protection
TheEstonians’approachtotheprocessingandpro-
tectionoftheirdatahasbeendepictedbyalarge-scale
surveyontherighttoprivacyasahumanrightand
everydaytechnologiesin2014.15941%ofthoseques-
tionedwereoftheopinionthattheconcernsabout
dataprotectionwereexaggerated,16074%didagree
withthestatementthat‘theyhavenothingtohide’ .161
61%agreedwiththeclaimthatthestateneedsfora
betterrightsprotectionmorerightsfordataprocess-
ingwithouttheconsentofthedatasubject.Likewise,
86%ofEstonianinhabitantstrusttheEstonianpo-
liceand75%trusttheEstonianarmy.16283%ofEs-
tonianpeoplebelievethatthedatathestatecollects
fromthemissufficientlyprotected,therespective
numberformedicalinstitutionsis81%.163
Referringtothesurveyof2014,theBritishpriva-
cyadvocateandacademicSimonDaviescalledthe
resultsdisappointing.Accordingtohim,theEstoni-
anshavenotlearnedfromtheirpastunderSovietoc-
cupationandlackunderstandingforthedangerthat
asowellinformedpublicpowerinthewronghands
couldbringabout.164Intheperspectiveoftheauthor
ofthisreport,inordertounderstandtheEstonian
approachtodatahandlingandprotection,cultural
andhistoricalaspectsofthecountrymustnotbene-
glected.165Forone,Estoniahasalwaysbeenasmall
countrywithapopulationsizeofothercountries’
mediumsizetowns;today,ithasslightlymorethan
1.3millioninhabitants.166ThereishardlyanyEston-
ianinhisorherfourtieswhocouldgetacquainted
withsomeoneheorshehasneverheardof.Withthis,
cleardemarcationbetween‘private’and‘public’life
ineverydayEstonianlifehasalreadylongbeforedigi-
tisationbeenfluent.Secondly ,Sovietoccupation
markedtheEstoniansocietyformorethanfiftyyears,
duringwhichpublificationandsharingofpersonal
informationwascommon.Itwasnotonlyusedby
theKGB,theSovietCommitteeforStateSecurity,
whousedcivilinformantsasundercoveragentsto
controlthesocietyanditsmembers’thoughtsand
actions.Itwasalsocommontoensureconformbe-
haviourbythedisseminationofinformationbe-
tweenthepeoplethemselves:Theemployerwasin-
formedofsexuallytransmitteddiseasesoftheem-
ployee,driverscaughtdrunkatthewheelwereis-
suedcarbadgesstartingwiththenumber‘O’,167di-
vorceprocesseswerepublishedinthenewspaper,168
anditwasthedutyoftheso-calledcomrade-courts
establishedineachoffice,collectivefarm,schooland
districttojudgeabouttheinsufficienteducationof
children,improperbehaviourinthefamiliyorcurs-
ingoftheircolleaguesandneighbors.169Itappears
unlikelythatsuchlong-standingpracticesandcultur-
alpecularitieswouldnothaveanyeffectsonthepop-
ulation’sperceptionsconcerningtherighttoprivacy .
Thisunderstandingholdsintheauthor’sviewal-
sotheanswertothequestionsraisedatthebegin-
ningofthisreport:legalregulationsonrights’pro-
tectioninadigitisedcountryarenotaprimarilytech-
nicalquestionthesolutionsofwhichcanbeapplied
incountriesequally .Justasanyothersignificant
question,regulationsareframedbythecountries’his-
158P alomaKrõõtT upay,‘Saeipõgene,vabalaps’(Youcan’tescape,
freechild),EstonianNewspaperPostimees(13November2018)
<https://arvamus.postimees.ee/6452035/paloma-kroot-tupay-sa-ei
-pogene-vaba-laps>.
159StudybytheEstonianInstituteofHumanRights,‘Therightto
privacyasahumanrightandeverydaytechnologies’(2014)
<http://www.eihr .ee/en/privacy-as-a-human-right-and-everyday
-technologies/>.
160ibid:methodologyandresultsofthestudy,48;summary,4.
161ibid4,49.
162HomepageoftheMinistryofDefence,‘ Avalikarvamusriigikait-
sest’(Publicopiniononstatedefence)(autumn2018)<http://
www.kaitseministeerium.ee/et/eesmargid-tegevused/avalik
-arvamus-riigikaitsest>.
163Studyontherighttoprivacyasahumanrightandeveryday
technologies(n166),methodologyandresultsofthestudy,54.
164SeethecriticalstatementofSimonDaviesattheAnnualConference
onHumanRightsinTallinn,Estonia,10December2014,Session1
part5<https://www .youtube.com/watch?v=PiTkSaJpwsw>.
165SeealsoT upayandMikiver31f(n126).
166SeerespectivedataattheStatisticsEstoniahomepage(asof4
April2019)<https://www.stat.ee/pressiteade-2019-007>.
167SeealsoJuhanSepp,‘T ervislikeeluviisidenimelIX’(Inthename
ofhealthylifestyles),EstonianNewspaperNõukogudeÕpetaja
(25April1987)3<https://bit.ly/3eSvUcU>.
168Forthis,seealsothereferralin:T iitHennosteandRoosmarii
Kurvits,‘Eiolemidagiuutpäikeseall’(Nothingnewunderthe
sun)EstonianmagazineSirp(8June2007)<https://sirp.ee/s1
-artiklid/c8-meedia/ei-ole-midagi-uut-p-ikese-all/>.
169SeeKaarelP aas(ed.)‘Eestiseltsimehelikekohtutepõhimäärus.
Kommenteeritudväljaanne’(Commentaryonthebasicregulation
oftheEstoniancomradecourts),Eestiraamat1972.

EDPL|18ReportFullVersion:Estonia,theDigitalNation
toricalbackgroundandsociety .Thedevelopmentof
thenotionofprivacyhas,eveninacountryasdigi-
tallyprogressiveasEstonia,notgeneratedacom-
pletelynewunderstandingofprivacy,butratherde-
lineatesanaturalevolutionoftheperceptionofthe
relationshipbetweentheperson’sinformationalself-
determinationandpublicinterestinEstoniaover
time.Anadditionalargumentforalessprivacy-fo-
cusedapproachiscertainlyalsothesimpleconve-
nienceofdigitalpublicadministration–whowould
notliketopresenthisorhertaxdeclarationwithina
fewminutesandreplacehoursofqueuingattheau-
thoritieswithafewsimplemouse-clicksfromhome?
However,theexampleoftheEstonianregulationon
publicaccesstothelandregistershowsthattheun-
derstandingofdataprotectiondoesbynomeanshave
tomovelinearinthedirectionoflessdataprotection.
Digitisationdoesnotnecessarilymeantheendof
privacyorofself-determinationasitisunderstood
intherespectiveculturalspace.Theperceptionand
extenttowhichthedatahandledbystateauthorities
ismadepubliclyavailable,processedorforwarded,
isaquestionshapedbysocialattitudesanddecided
bytherespectivelawmaker.
AtEUlevel,thereformeddataprotectionlawaims
toconstitutethebasisforacommonunderstanding
ofdataprotectionwithintheUnion.Forthisreason,
thisreportalsoaddresseditsimpactonnationalEs-
tonianlegislationandperceptionwhichhasseen.As
shown,thenewEUdataprotectionlaws’entryinto
forcein2018hasledtoamendmentproposalsand
changesalsoindomesticEstonianlawasaconse-
quence.170Itwillbeofdecisiveimportancetofurther
analyseandcomparetheapplicationofbothregula-
tionsinallEUmemberstates,asinterpretationof
decisiveindeterminatelegalterms,suchas‘public
andlegitimateinterest’ ,andtheimplementationof
EUdataprotectionlawmayvarysignificantly .Atthe
sametime,comparisonandadaptionofthedifferent
nationalunderstandingswillbekeytothebestpos-
sibleimpactofdataprotectionlawintheEU,asthis
ensuresacompromisebasedonallmembersstates’
contributions.
8.TheFutureofDataProtectionin
EstoniaandtheEU
Inviewofthealmostinfiniteincreaseofubiquitous
datahandling,Roßnagelstatedalreadyin2005that
dataprotectionneededanentirelynewapproach.171
Particularlywithregardtotheprinciplesofrequired
consentandpurposelimitationhearguedthatthese
werenotcompatiblewiththeevolutionofdatapro-
cessing.172Asalternativemethodstoensureade-
quatedataprotection,heproposediaabetterand
moretransparenttechnicaldataprotectioncontrol
notonlyatindividual,butalsoinstitutionallevel.173
TheEUlawmakerinturndecidedtomaintainthe
principleofpurposelimitationandthegeneralre-
quirementofconsentalsointhereformedEUdata
protectionlawof2018.174Atthesametime,thepos-
sibilitiesthe‘once-only’ideaoffersforasimplerand
morecitizen-friendlyprovisionofgovernmentalser-
viceshavenotonlyfoundtheirwayinnationalleg-
islations,175butalsointoEUpolicies.However,un-
liketheEstonianSupremeCourt,theEDPShasnot
acceptedtheeasingofadministrativeburdenandits
increasedefficiencyasajustificationforapossible
limitationofdatasubjectrightsrelatedtothedigiti-
sationofadministrativeprocedures.176Asdatapro-
cessingkeepsexpanding,thereisaconstantneedfor
monitoringandadaptionofdataprotectionregula-
tions.TheEstoniane-statecaninsofarserveasa
‘sandbox’forexploringpossiblenewapproachesand
solutions.177ConsideringEstonia’spositiveexperi-
encewiththeapplicationofthe‘onceonly’principle
inpublicadministration,wherethelawfulnessof
processingisjustifiedbytheprocessor’slegaloblig-
ationandarespectivepublicinterest,itcouldbe
askedifthegeneralnecessityofconsent,aslaiddown
inArticle6(1)(a)GDPR,couldtoabroaderextentbe
substitutedbyasystemenablingtheusertocheckat
anytimewhohasaccessedhisorherdata.AstheEs-
170SeeegIV .2.,3.and4.
171AlexanderRoßnagel,‘ModernisierungdesDatenschutzrechtsfür
eineWeltallgegenwärtigerDatenverarbeitung’(2005)2MMR
71.
172ibid72.
173ibid73ff.
174SeeGDPRart5s1point(c)andart7.Arespectivecritiquecan
befoundat:WinfriedV eil,‘DieDatenschutz-Grundverordnung:
desKaisersneueKleider’(2018)10NVwZ686ff.
175Seeforotherexamples:EuropeanCommission,‘Finalreport:
StudyoneGovernmentandtheReductionofAdministrative
Burden’(2014),highlightingas‘champions’UnitedKingdom,the
NetherlandsandDenmark,IV<https://ec.europa.eu/digital-single
-market/en/news/final-report-study-egovernment-and-reduction
-administrative-burden-smart-20120061>.
176CompareII.2.andIV .7.
177Seealso:MartiniandWenzel(n39).

EDPL|19 ReportFullVersion:Estonia,theDigitalNation
toniancaseshows,furtherquestionsarisefromthat.
Oneofthemcomprisesthechallengetobuildasys-
temtransparentenoughtomakeuserstrustthecon-
trolsystemsprovidedbythepublicauthorities.This
includessufficienttransparencyofthetechnological
solutionsusedaswellasabouttheinformationpro-
vided,includinginformationontheexeptionsofdis-
closureofinformation,suchasdatahandlingon
groundsofstateorpublicsecurity.
Anotherchallengearisingfromthedigitalisation
ofpublicadministrationistheoneofadequatere-
sponsibility:Towhatextentshouldthestatebeliable
fordataleaksorthelackofsufficient(data)protec-
tion?178Inprinciple,theGDPRprovidesasystem
thataimstosolvethisquestion.179However,ascan
beseeninthecaseofEstonia,thisdoesnotensure
thatpeoplemakeuseofit.Thegroundsforthatmay
bemanifold,incaseofEstoniapartlyalsocultural,
asthepossibilitytoinvokeone’srightswasnotac-
knowledgedduringSoviettimes.Anyhow ,asweak-
erparty ,theindividualwillgenerallybemorere-
servedtoclaimhisorherrightsvis-à-visthestate.Es-
tonianlawhasalsonot(yet)usedthepossibilitypro-
videdbyArticle80(2)GDPR,whichgivesmember
statesthepossibilitytoregulatenon-profitorganisa-
tions’rightstolodgecollectivecomplaints,iehold
datacontrollersorprocessorsliableindependently
ofarespectivemandatebythedatasubjectcon-
cerned.180Abroaderandsimplersystemofstatelia-
bilityforbreachesoftherighttoprivacyanddata
protectioncouldenhancetheauthorities’effortsto
ensuretheprotectionofdatasubjects’rights.Asthe
Estonianexperienceshows,thestatemaynotalways
bemotivatedtoendthedisproportionalhandlingof
personaldatapromptly .181Atthesametime,person-
aldatathatbecomespublicknowledgehasagreat
impactonthedatasubject’slife.
Withtheadoptionandentryintoforceofthe
GDPR,theEUmemberstateshavedeclaredtheirwill-
ingnesstonotprioritisetechnologyovertheindivid-
ual’srights.However,technologyshouldnotbeseen
asanantipodetopeoples’rights,asatechnological-
lyadvanced,simpleandtransparentsystemofpub-
licadministrationdoesequallyservebetterrights’
protectionandtheirexercise.Constanttechnological
evolutionandthenationallyvaryingunderstanding
oftheGDPRmakethecoordinatedcomparison,
analysisanddevelopmentofdataprotectionlawat
EUlevelapreconditionforaneffectivedataprotec-
tionwithintheUnion.Itisthepresentreport’saim
tocontributetothisprocesswithanoverviewofthe
understandingofdataprotectionwithintheframe-
workoftheEstoniane-state.
178Compareegabove,theEstonianexamplesdescribedinIV .1.and
5.
179CompareGDPRarts77,78,82;seealsoKarinSeinetal.Pil-
guheitandmesubjektiõiguskaitsevahenditeleuuesisikuandmete
kaitseüldmääruses(Aglimpseintothelegalremediesofthe
datasubjectprovidedbythenewgeneralregulationondata
protection)(2018)2Juridica94;interalia,Estoniahas(asof
today)notusedthepossibilitytoexcludeorlimittherightto
imposeadministrativefinesonpublicauthoritiesandbodies,as
foreseeninGDPR,art83s7.
180KarinSeinetal(n187).
181SeeegaboveIV .4.and5.