Digital Signatures
Data Privacy
Distance Contracting
Consumer Protection


Over the past decade online transactions have had a tremendous influence on commerce. The Internet provides rapid communication capabilities, reduced transaction costs and human involvement, and access to the global market. This technological evolution has necessitated the adaptation of existing law, and several acts have been amended so far. However, there is a need for more certainty since the laws still do not recognize the uniqueness of internet transactions.

The Estonian legal system requires application of existing law by way of analogy, pursuant to Article 4 of the General Principles of the Civil Code Act (which entered into force on September 1 1994):

"In the absence of a provision regulating a legal relationship, a provision which regulates relationships similar to that legal relationship applies. In the absence of such provision the general purpose of an act shall be the basis.

In the absence of an act regulating a legal relationship, the general purpose of law shall be the basis".

These principles apply while the e-commerce sector is unregulated.

Digital Signatures

The Digital Signatures Act (which was passed on March 8 2000 and entered into force on December 15 2000) stipulates the conditions for using digital signatures and the procedure for supervising the provision of certification and time-stamping services.

Unless otherwise provided for by the law, digital signatures possess the same legal effect as handwritten signatures. A private and public key system is employed for the creation of a digital signature. The signatory uses a signature-creating device (private key) to which a signature verification device (public key) corresponds uniquely.

A digital signature enables:

  • identification of the signatory;
  • determination of the time at which the signature is given; and
  • a linking of the digital signature to data in such a way that any subsequent change to the data is detectable.

Certification services
The Digital Signatures Act stipulates the following:

  • the requirements for certificates;
  • procedures for the application for and issue of certificates;
  • the period of validity, suspension and revocation of certificates; and
  • the provision of certification services.

An individual who applies for a certificate may create a private and public key herself, or agree that the certification service provider or another person or agency does so. The Digital Signatures Act prohibits the person who creates the private and public keys of another from copying the keys. The certificate can be limited in its scope of use.

The certificate is valid from the beginning of the period of validity stipulated in the certificate and expires at the end of the period of validity or upon revocation of the certificate. The right and/or obligation to suspend or revoke the certificate on the grounds provided for in the act belong to the certification service provider.

The certification service provider can be:

  • a stock company;
  • a limited liability company with a share capital of Ekr400; or
  • a state maintained public company or agency registered in the State Register of Certificates.

Time stamps
A time stamp is linked to data so as to ensure that changes to data can be detected. A representative of a time-stamping service provider digitally signs the time stamp, certifying the existence of a document at a given time.

A time-stamp service provider must comply with the same requirements as certification service providers and follow the relevant principles of the act.

State Register of Certificates and supervision
The State Register of Certificates comprises databases of certification service and time-stamping service providers, and a database of time stamps. Data entered into the register is public and access is available 24 hours a day.

The Ministry of Transport and Communications is the chief processor of the State Register of Certificates.

Service providers must adhere to the provisions of the Databases Act (which was passed on March 12 1997 and entered into force on April 19 1997) and the Personal Data Protection Act (which was passed on June 12 1996 and entered into force on July 19 1996). The Data Protection Inspectorate and the Ministry of Transport and Communications exercise supervision over the certification service providers and time-stamping service providers.

Foreign certificates
Certificates issued by a foreign certification service provider are recognized as equivalent to certificates issued by certification service providers registered in the state register if the Ministry of Transport and Communications decides that the foreign service provider complies with the requirements of domestic legislation, or if the accuracy of the data contained in the certificates of the foreign service provider is guaranteed by a certification service provider registered in the state register. The certificates issued by the foreign certification service provider can also be recognized by an international agreement.

Data Privacy

The processing of personal data is protected under the Personal Data Protection Act (1996). The Databases Act (1997), which provides general principles of maintenance of databases, release and use of data, may also be relevant.

Estonia has acceded to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108).

Personal data protection
The Personal Data Protection Act contains provisions for data processing, required permissions, protection and registration of personal data, and supervision.

Processing of 'sensitive' personal data is permitted if the relevant individual has given prior consent and the processing is not contrary to established law or legislation. Processing of personal data is allowed without the consent of an individual if the data contains 'non-sensitive' information.

The act provides a list of the circumstances in which sensitive personal data may be processed without the consent of the relevant individual.

'Sensitive' personal data includes:

  • data revealing political opinions, or religious or philosophical beliefs;
  • data revealing ethnic or racial origin;
  • data relating to health or sexual orientation;
  • information collected in criminal or other proceedings.

The chief processors can inform individuals about:

  • the existence or absence of the personal data;
  • the purpose and legal grounds of the processing;
  • the consistence and source of the data;
  • third parties to whom the data may be made available; and
  • the name and address of the chief processor or his representative.

Individuals can demand the correction of false personal data. They can also demand disclosure or deletion of personal data if its processing is deemed to be illegal. The chief processors and relevant third parties are obliged to fulfil a justified claim of the person immediately.

The chief processors are required to register processing of sensitive personal data with the Data Protection Inspectorate.

The processing of a personal identification code is allowed only for the purposes of performance of the obligations laid down in law or a treaty.

Distance Contracting

The existing legislation does not provide rules for distance contracting. However, relevant regulations are expected to be adopted in the forthcoming Obligation Law Act.

Consumer Protection

The Consumer Protection Act (which was passed on December 15 1993 and entered into force on January 1 1994) regulates consumer protection. The forthcoming Obligation Law Act is expected to add to it.

For the purposes of the act the 'consumer' is an individual, whereas a 'supplier' can be either an individual or a legal entity. The legal entity can protect its rights by contractual means and can rely on product liability provisions. Such transactions are subject to the protection provided by the Civil Code (which entered into force in 1964) and the General Principles of the Civil Code Act (which was passed on June 28 1994 and entered into force on September 1 1994).

The Consumer Protection Act establishes consumer rights in relation to:

  • the purchase and use of goods or services;
  • the obligations of sellers, producers and intermediators in safeguarding consumer rights;
  • liability for violation; and
  • the organization of consumer protection.

Although consumer rights in relation to internet transactions should be stricter and wider protection should be provided to the consumer, the act does not recognize the uniqueness of internet transactions.

Certain fundamental consumer rights are set out by the act. First, the consumer is entitled to obtain necessary and correct information in order to make an informed choice from among the offered goods and services. This should be interpreted as an obligation to display correct information clearly. The Draft of the Obligation Law Act provides a list of terms and information which must be disclosed prior to the transaction. If the supplier intentionally misleads a customer in order to induce that person to enter into a transaction, the transaction shall be declared invalid by a court at the request of the victim of the misrepresentation. Second, the consumer is entitled to claim compensation from sellers for any proprietary or moral damage caused.

The protection of consumer rights in the online context is uncertain, particularly in respect of click-wrap licences and layered terms.

During the offer and sale of goods and services to consumers, sellers must adhere to general ethics and trade practices, and should follow the general principles provided by the act.

The Consumer Protection Office exercises supervision over the observance of the requirements of the law and may punish breaches. Individuals can be liable under disciplinary, administrative, civil or criminal laws. The act provides a variety of administrative punishments for legal entities, ranging from a warning to a fine of up to Ekr100,000.

Contracts between consumer and supplier
The contract between a consumer and supplier must be concluded in writing if the consumer is not present during its fulfilment. The General Principles of the Civil Code Act provide that all parties must sign the transaction. Failure to comply will lead to the contract being declared void. Thus, all electronic contracts are technically void. The introduction of digital signatures will solve this problem.

Consumer transactions
The General Principles of the Civil Code Act provide that if the parties to a consumer contract have not agreed on the national law applicable to the contract, then Estonian law applies. If the consumer and seller agree on the law of a foreign country, this shall not deprive the consumer of the rights prescribed by consumer protection law in Estonia. This fact will be stated in the International Civil Law Act, to the effect that the law of a foreign country chosen for a contract will not apply if it leaves the consumer without the protection provided by the imperative provisions of the law of the consumer's place of domicile.


Existing legislation does not provide any special rules for the taxation of online transactions, although the relevant provisions of the Income Tax Act (which was passed on December 15 1999 and entered into force on January 1 2000) and the Value Added Tax Act (which was passed on August 25 1993 and entered into force on January 1 1994) are employed as appropriate.

Value added tax
The sale of goods or services over the Internet is subject to value added tax (VAT). The current VAT rate is 18%. VAT must be paid by individuals and legal entities with annual turnovers of at least Ekr250,000. When importing goods or services VAT must be paid before or during the customs procedures.

Income tax
The sale of goods or the provision of services by individuals is subject to income tax of 26%. Income tax must be paid by legal entities only when dividends to shareholders are paid. The problem of levying income tax on internet transactions relates to the lack of control over transactions.


Though the existing legislation provides some e-commerce regulation, uncertainty remains. Moreover, developments in this area occur much faster than those of legislation and court practice. Legal developments regulating online transactions should be promulgated and continued. The utilization of digital signatures and the adoption of the Obligation Law Act will expedite progress.

For further information on this topic please contact Piret Jesse or Veiko Vahimets at Law Office of Lepik & Luhaäär by telephone (+372 6 306 460) or by fax (+372 6 306 463).
