An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
Overview
A globally unique feature of Estonia is that about 99 per cent of its public services are accessible online. Owing to such a high level of digitalisation of the state, Estonia is widely known as one of the world's most advanced digital societies, or the world's first digital state, and is therefore often called 'e-Estonia'.
Almost all Estonian residents hold a government-granted electronic ID (eID), which enables digital signing that is legally equivalent to a handwritten signature, digital authentication and file encryption. As an example, there are more than 5,000 public and private services in Estonia where individuals can digitally identify themselves by using the eID. Furthermore, while the entire population of Estonia is only about 1.3 million, about 20 million digital transactions are made each month with the ID card, which is only one of the three main carriers of the eID in Estonia (the other two being mobile-ID and Smart-ID).
Owing to the high level of digitalisation, with critical services and personal data being accessible online, the Estonian government has, over the years, put significant focus and investment into cybersecurity-related initiatives. In fact, many of the Estonian cybersecurity initiatives were prompted by a major cyberattack against Estonia back in 2007, when Estonia became the target of the largest coordinated and politically motivated cyberattack against a single country.
The Estonian focus on cybersecurity is also demonstrated by the fact that it was decided to locate both the NATO Cooperative Cyber Defence Centre of Excellence and the EU IT Agency in the capital of Estonia, Tallinn. Furthermore, Estonia was elected as a non-permanent member of the United Nations Security Council in 2020–21 and one of its main objectives is ensuring cybersecurity.
However, in contrast to the highly advanced e-government and the significant focus on cybersecurity in the public sector, the focus on cybersecurity is significantly lower in the Estonian private sector. Similarly, practice shows that even three years after the General Data Protection Regulation (GDPR) became applicable, general awareness about data protection remains low in Estonia.
Regarding the regulatory approach, privacy, data protection and cybersecurity-related rules applicable in Estonia are found in several legal acts. The most important of these are:
- the Constitution of the Republic of Estonia;
- the Personal Data Protection Act (PDPA);
- the GDPR;
- the Public Information Act (PIA);
- the Electronic Communications Act (ECA); and
- the Cybersecurity Act (CA).
The following sections of this chapter describe in more detail the relevant legislative framework, as well as some of the most important and recent developments in the Estonian privacy, data protection and cybersecurity landscape.
The year in review
Like the rest of the world, Estonia was seriously hit by the covid-19 pandemic in early 2020, and the health crisis is ongoing at the time of writing. The pandemic directly impacts the situation of privacy, data protection and cybersecurity, and over the past year the focus of most discussions in Estonia has strongly shifted to the processing of health data, including, but not limited to, the collection of information about covid-19 infections and vaccinations. The pandemic has also put significant and often unexpected pressure on the Estonian e-government and security of the state IT systems in general. For example, at the end of 2020, several Estonian ministries became targets of a cyberattack in which the personal data of almost 10,000 individuals infected with covid-19 was leaked.
Although the pandemic has created numerous heated debates and legal questions about the processing of personal data, including health data (e.g., if and to what extent employers can ask employees about their health status or request employees to be vaccinated, how to carry out contact tracing in a privacy-preserving manner and whether vaccinated individuals should have more rights than unvaccinated individuals), the level of awareness of data protection, including the GDPR, appears to remain low in Estonia. For example, privacy lawyers in Estonia are well aware that many companies and organisations in Estonia have not begun any data protection compliance activities even three years after the GDPR became applicable, or only minimum steps have been taken towards GDPR compliance.
In addition to the general lack of awareness about applicable legal requirements, another reason for data protection being a low priority in Estonia is the continuing lack of GDPR enforcement; as at July 2021, only a few minor sanctions have been imposed for data protection violations in Estonia.
As regards enforcement, it is also important to note that the Estonian legal system still does not allow for administrative fines as set out in the GDPR. This is also stated in Recital 151 of the GDPR, which provides that:
The rules on administrative fines may be applied in such a manner that in . . . Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in [Estonia] has an equivalent effect to administrative fines imposed by supervisory authorities.
In particular, under the current system in Estonia, financial penalties can be imposed for offences that, according to the Estonian Penal Code, are divided into misdemeanours and criminal offences. Liability for GDPR infringements is stipulated in the PDPA, which entered into force in Estonia on 15 January 2019. The PDPA regulates the protection of natural persons upon the processing of personal data to the extent in which it elaborates and supplements the provisions contained in the GDPR. According to the PDPA, GDPR infringements are punishable in Estonia by fines as misdemeanours.
However, although the PDPA also sets forth fines for GDPR violations in amounts that are equivalent to those set forth in the GDPR, the Penal Code in Estonia provides that the maximum fine for a legal person who commits a misdemeanour is €400,000. It is therefore disputable if, under the current system in Estonia, it is even possible to apply the maximum fines as set forth in the GDPR (i.e., up to €20 million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher). Furthermore, the current system in Estonia makes it difficult to impose fines for GDPR infringements. This is due to various procedural requirements (e.g., a short limitation period) with respect to misdemeanour proceedings.
Owing to these legal obstacles, on 6 May 2020, the Estonian Ministry of Justice announced that administrative fines will be introduced in the Estonian legal system, and a relevant concept for a new administrative fine law was published. This new administrative fine proposal concerns infringements in the areas of data protection, finance and competition and was expected to become law in the first quarter of 2021. However, as at July 2021, this initiative has not proceeded as expected, and it remains unclear when Estonia will introduce administrative fines for GDPR infringements. If adopted as a law, the concept will make it possible to apply fines as set forth in EU law in administrative proceedings. Among the various changes that are expected with the new administrative fine system, it should be easier in the future to hold legal entities liable for data protection infringements. For example, to hold a legal entity liable under the current system, it is necessary to establish the guilt of a specific natural person. This will no longer be the case under the new system, which plans to introduce the principle of organisational fault.
In addition to the lack of administrative fines, the other significant issue causing a lack of effective enforcement of the GDPR in Estonia is the lack of resources in the Data Protection Inspectorate (DPI). Although the Director General of the DPI stated in the DPI's 2019 annual report that the DPI has not been provided with sufficient resources to cope with its new tasks, the situation did not improve in 2020. According to its 2020 annual report, the number of permanent employees in the DPI (19) has remained the same over the past four years, while its budget only increased by €1,000 in 2020 (the annual budget in 2019 was €750,000 while the budget in 2020 was €751,000). Furthermore, it appears that the lack of resources in the DPI has become so serious that the DPI has announced that this is now resulting in delays to its responses to requests.
Considering these circumstances, the challenge is only growing for Estonia to meet the requirements of Article 52 of the GDPR, which, inter alia, provides that each Member State must ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers.
Outlook
Although Estonia has remained a country with a lack of GDPR enforcement, it is likely that this situation will change in the future, especially if it eventually introduces the administrative fine system. Hence, even though there is not yet any GDPR enforcement in Estonia, companies should pay attention to the priorities of the DPI and make sure that their data processing activities follow the GDPR.