Top

Published in:

2021 | OriginalPaper | Chapter

3. Data Protection in Estonia

Authors : Kärt Salumaa-Lepik, Tanel Kerikmäe, Nele Nisu

Published in: Data Protection Around the World

Publisher: T.M.C. Asser Press

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The GDPR, which took effect on 25 May 2018, is an ambitious legal act aimed at harmonizing personal data protection and the free flow of data in the European Union. This chapter covers GDPR implementation issues and related topics from an Estonian perspective. The first section (Sect. 3.1) explains the roots of Estonian data protection and gives an overview of the latest developments related to the GDPR and the relevant case law. Section 3.2 offers readers an indication as to how the GDPR interacts with Estonian jurisdiction and identifies the most notable differences and similarities. Section 3.3 focuses on the most prominent issues within Estonian jurisdiction regarding data protection regulations. The main topic in this section is e-governance and the fact that Estonia is one of the recognized pioneers and leaders among modern digital societies. Taken from the perspective of the GDPR, some practices need to be re-evaluated (the cross-use functioning of national databases, the implementation of the “once-only” principle, the openness of state databases, etc.). Section 3.4 gives an overview of the envisaged application of the GDPR within Estonian jurisdiction and the possible problems that may occur when implementing GDPR provisions.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Data Protection Around the World: Belgium

next chapter GDPR in France: A Lot of Communication for a Jurisdiction Well Experienced in the Protection of Personal Data

This work was supported by Estonian Research Council grant PUT 1628.

Warren and Brandeis 1890.

See Kerikmäe et al. 2017.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

First text of EDPA (in Estonian only)—Estonian Personal Data Protection Act/Isikuandmete kaitse seadus RT I 1996, 48, 944 (1996). https://www.riigiteataja.ee/akt/862756. Accessed 1 December 2018.

Nõmper 2017.

Estonian Public Information Act/Avaliku teabe seadus RT I 2000, 92, 597 (2000). https://www.riigiteataja.ee/en/eli/516102017007/consolide. Accessed 1 December 2018.

Estonian Insurance Activities Act/Kindlustustegevuse seadus RT I, 07.07.2015, 1 (2015). https://www.riigiteataja.ee/en/eli/529012018003/consolide. Accessed 1 December 2018.

Estonian Ministry of Foreign Affairs 2009 Estonia’s way into the European Union. http://vm.ee/sites/default/files/content-editors/web-static/052/Estonias_way_into_the_EU.pdf. Accessed 1 December 2018.

The Estonian Data Protection Inspection (2000) The history of the organization. http://www.ebaltics.com› doc_upl › The_Estonian_Inspection. Accessed 1 December 2018.

Peep 2018.

Ibid.

Estonian Rules for Good Legislative Practice and Legislative Drafting/Hea õigusloome ja normitehnika eeskiri RT I, 29.12.2011, 228 (2011). https://www.riigiteataja.ee/en/eli/508012015003/consolide. Accessed 1 December 2018.

Estonian Ministry of Justice (2017) Legislative intent for implementing GDPR and directive 680/2016 into Estonian law/Isikuandmete kaitse uue õigusliku raamistiku kontseptsioon. https://eelnoud.valitsus.ee/main/mount/docList/db80bf57-35ca-41e3-be15-827a2f056fdd. Accessed 1 December 2018.

Establishment of Cause of Death Act/Surma põhjuse tuvastamise seadus RT I 2005, 24, 179 (2005). https://www.riigiteataja.ee/en/eli/ee/525062018018/consolide/current. Accessed 1 December 2018.

Estonian Parliament (2018) History of readings in Parliament of the draft 650 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/96c37d10-383c-40ad-87be-a8583008b994/Isikuandmete%20kaitse%20seaduse%20rakendamise%20seadus. Accessed 1 December 2018.

Estonian Parliament (2018) History of readings in Parliament of the draft 778 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/9d1420bb-b516-4ab1-b337-17b2c83eedb1/Isikuandmete%20kaitse%20seaduse%20rakendamise%20seadus Accessed 20 December 2018.

Archives Act/Arhiiviseadus RT I, 21.03.2011, 1 (2011). https://www.riigiteataja.ee/en/eli/ee/504032016002/consolide/current. Accessed 1 December 2018.

Estonian Parliament (2018) History of readings in Parliament of the draft 679 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/5c9f8086-b465-4067-841e-41e7df3b95af/Isikuandmete%20kaitse%20seadus. Accessed 1 December 2018.

Supreme Court (Riigikohus) (2007) Case 3-3-1-98-06. https://rikos.rik.ee/?asjaNr=3-3-1-98-06. Accessed 1 December 2018.

Supreme Court (Riigikohus) (2018) Case 3-15-2079/28. https://rikos.rik.ee/LahendiOtsingEriVaade?asjaNr=3-15-2079/28. Accessed 1 December 2018.

Financial Supervision Authority Act/Finantsinspektsiooni seadus RT I 2001, 48, 267 (2001). https://www.riigiteataja.ee/en/eli/529012018006/consolide. Accessed 1 December 2018.

Supreme Court (Riigikohus) (2016) Case 3-3-1-85-15. https://rikos.rik.ee/?asjaNr=3-3-1-85-15. Accessed 1 December 2018.

Supreme Court (Riigikohus) (2012) Case 3-3-1-3-12. https://rikos.rik.ee/?asjaNr=3-3-1-3-12. Accessed 1 December 2018.

Only the so-called “new general framework data protection legal act” has been approved (by 12 December 2018), but without more specific implementing provisions concerning domestic special laws. Therefore, the full extent of the impact is still not known at the time of the writing of this chapter.

Estonian Data Protection Inspectorate 2018c Statistics. https://www.aki.ee/et/inspektsioon/statistika. Accessed 1 December 2018.

GDPR rec 53—However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

Human Genes Research Act/Inimgeeniuuringute seadus RT I 2000, 104, 685 (2000). https://www.riigiteataja.ee/en/eli/ee/518062014005/consolide/current. Accessed 1 December 2018.

Health Services Organisation Act/Tervishoiuteenuste korraldamise seadus RT I 2001, 50, 284 (2001). https://www.riigiteataja.ee/en/eli/508042019003/consolide. Accessed 1 December 2018.

CJEU Judgment Case C-582/14 19 October 2016 (Breyer).

Schweighofer et al. 2017.

European Commission 2018g The GDPR: new opportunities, new obligations. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf. Accessed 1 December 2018.

European Commission 2018d eGovernment & Digital Public Services. https://ec.europa.eu/digital-single-market/en/policies/egovernment. Accessed 1 December 2018.

Peep 2018.

European Commission 2018c The digital economy and society index (DESI). https://ec.europa.eu/digital-single-market/en/desi. Accessed 1 December 2018.

E-Estonia 2018 X-Road. https://e-estonia.com/solutions/interoperability-services/x-road/. Accessed 1 December 2018.

Estonian Information System Authority 2018 Riigi Infosüsteemi teejuht. https://www.ria.ee/teejuht/eesti-it-edulood/2013-aastal-tehti-x-teel-ule-280-miljoni-infoparingu. Accessed 1 December 2018 (link no longer active).

Ministry of Economic Affairs and Communications 2018 Digital agenda 2020. https://www.mkm.ee/sites/default/files/digital_agenda_2020_estonia_engf.pdf. Accessed 1 December 2018.

Ibid.

European Commission 2018f The example of Estonia. https://ec.europa.eu/epale/en/blog/e-governance-and-e-guidance-example-estonia. Accessed 1 December 2018.

Estonian Open Government Data Portal (2018) https://opendata.riik.ee/ Accessed 1 December 2018.

Read further from the European Data Portal: https://www.europeandataportal.eu/en/homepage. Accessed 1 December 2018.

See further: https://eteenindus.mnt.ee/juht.jsf.

European Commission 2018a Creating a digital society. https://ec.europa.eu/digital-single-market/en/policies/creating-digital-society. Accessed 1 December 2018.

European Commission 2018e EU-wide digital once-only principle for citizens and businesses. Policy options and their impacts. Executive Summary, 2015/0062. https://ec.europa.eu/digital-single-market/en/news/eu-wide-digital-once-only-principle-citizens-and-businesses-policy-options-and-their-impacts. Accessed 1 December 2018.

Action program of the Government of the Republic of Estonia for 2016–2019/Vabariigi Valitsuse tegevusprogramm 2016–2019 (2016). https://www.riigiteataja.ee/aktilisa/3280/4201/8008/111k_lisa.pdf. Accessed 1 December 2018.

Ministry of Economic Affairs and Communications 2017 Zero-bureaucracy. https://www.mkm.ee/en/zero-bureaucracy-0. Accessed 1 December 2018.

Work Ability Allowance Act/Töövõimetoetuse seadus RT I, 13.12.2014, 1 (2014). https://www.riigiteataja.ee/en/eli/ee/518122017009/consolide/current. Accessed 1 December 2018.

Social Benefits for Disabled Persons Act/Puuetega inimeste sotsiaaltoetuste seadus RT I 1999, 16, 273 (1999) https://www.riigiteataja.ee/en/eli/ee/518122017011/consolide/current. Accessed 1 December 2018.

Ministry of Social Affairs (2018) Estonian eHealth Strategic Development Plan 2020. https://www.sm.ee/sites/default/files/content-editors/sisekomm/e-tervise_strateegia_2020_15_en1.pdf. Accessed 1 December 2018.

Ibid.

Military Service Act/Kaitseväeteenistuse seadus RT I, 10.07.2012, 1 (2012). https://www.riigiteataja.ee/en/eli/ee/511072018002/consolide/current. Accessed 1 December 2018.

European Commission 2017 Ministerial Declaration on eGovernment—the Tallinn Declaration. https://ec.europa.eu/digital-single-market/en/news/ministerial-declaration-egovernment-tallinn-declaration. Accessed 1 December 2018.

European Commission 2016 Communication from the Commission, EU eGovernment Action Plan 2016–2020, Brussels. https://ec.europa.eu/digital-single-market/en/news/communication-eu-egovernment-action-plan-2016-2020-accelerating-digital-transformation. Accessed 1 December 2018.

Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross-Border eHealth Information Services.

Article 29 Data Protection Working Party (2018) Subject: Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in

Cross-Border eHealth Information Services. https://ec.europa.eu › newsroom › article29 › document. Accessed 1 December 2018.

E-toimik allows participants in the proceeding and their representatives to participate in civil, administrative, criminal and misdemeanor proceedings electronically. The parties to the proceedings are able to follow the procedure, receive and submit documents, and access the digital files.

Electronic Communications Act/Elektroonilise side seadus RT I 2004, 87, 593 (2004). https://www.riigiteataja.ee/en/eli/530052018001/consolide. Accessed 1 December 2018.

European Commission 2018b Data retention. https://ec.europa.eu/home-affairs/what-we-do/policies/police-cooperation/information-exchange/data-retention_en. Accessed 1 December 2018.

P 134(1) of the ruling says that “Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication”.

Estonian Human Rights Centre 2017 On data retention and Estonia. https://humanrights.ee/en/2017/12/data-retention-estonia/. Accessed 1 December 2018.

E.g., Lõhmus 2016.

Article 29 Working Party (2017) Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237. Accessed 1 December 2018.

Ibid.

Estonian Data Protection Inspectorate 2018a Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018.

Estonian Data Protection Inspectorate 2018b Ettevõtjaportaalis on registreeritud ligi 1600 andmekaitsespetsialisti [Almost 1,600 data protection specialists are registered in the company portal]. https://www.aki.ee/et/uudised/pressiteated/ettevotjaportaalis-registreeritud-ligi-1600-andmekaitsespetsialisti. Accessed 1 December 2018.

Estonian Data Protection Inspectorate 2019a Rikkumisteadete arv ületas 100 piiri [The number of infringement notifications exceeded 100]. https://www.aki.ee/et/uudised/uudiste-arhiiv/rikkumisteadete-arv-uletas-100-piiri. Accessed 25 August 2019.

Estonian Data Protection Inspectorate 2019b Soovitused aastaks 2019 [Recommendations for 2019]. https://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Aastaraamat.%202018%20kohta.%20Soovitused%20aastaks%202019.pdf. Accessed 25 August 2019.

European Commission (2019) Special Eurobarometer 487a report on the General Data Protection Regulation. https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222. Accessed 25 May 2018.

Ibid.

Estonian Data Protection Inspectorate 2018a Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018.

The state adds 4% to the mandatory funded pension (II step) out of the current social tax that is paid by the employee in Estonia. The parental benefit amount is calculated based on the person’s last year’s income for which an employer has paid social tax (salary, bonuses, etc.) according to the Family Benefits Act, § 7(2).

Bygrave 2017.

European Court of Human Rights, Case of I v. Finland, 17 July 2008, no. 20511/03.

Ibid.

Bygrave 2017.

Ibid.

Statistics Estonia 2017 Majanduslikult aktiivsed ettevõtted töötajate arvu järgi [Economically active enterprises by number of employees]. Accessed 1 December 2018. https://www.stat.ee/68771.

Sein et al. 2018.

Ibid.

Tupay 2016.

Ibid.

See further: Pormeister and Nisu 2018; Brkan 2016.

Pormeister and Nisu 2018.

European Commission 2018h Questions and Answers—Data protection reform package. https://europa.eu › rapid › press-release_MEMO-17-1441_en. Accessed 1 December 2018.

Ibid.

Pormeister and Nisu 2018.

Brkan M (2016) Data Protection and Conflict-of-laws: A Challenging Relationship. European Data Protection Law Review 2016/3, p. 324–341

Bygrave L A (2017) Data protection by design and by default: Deciphering the EU’s legislative requirements. Oslo L Rev 4:105–120CrossRef

E-Estonia (2018) X-Road. https://e-estonia.com/solutions/interoperability-services/x-road/. Accessed 1 December 2018

Estonian Data Protection Inspectorate (2018a) Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018

Estonian Data Protection Inspectorate (2018b) Ettevõtjaportaalis on registreeritud ligi 1600 andmekaitsespetsialisti [Almost 1,600 data protection specialists are registered in the company portal]. https://www.aki.ee/et/uudised/pressiteated/ettevotjaportaalis-registreeritud-ligi-1600-andmekaitsespetsialisti. Accessed 1 December 2018

Estonian Data Protection Inspectorate (2018c) Statistics. https://www.aki.ee/et/inspektsioon/statistika Accessed 1 December 2018

Estonian Data Protection Inspectorate (2019a) Rikkumisteadete arv ületas 100 piiri [The number of infringement notifications exceeded 100]. https://www.aki.ee/et/uudised/uudiste-arhiiv/rikkumisteadete-arv-uletas-100-piiri. Accessed 25 August 2019

Estonian Data Protection Inspectorate (2019b) Soovitused aastaks 2019 [Recommendations for 2019]. https://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Aastaraamat%202018%20kohta.%20Soovitused%20aastaks%202019.pdf. Accessed 25 August 2019

Estonian Human Rights Centre (2017) On data retention and Estonia. https://humanrights.ee/en/2017/12/data-retention-estonia/. Accessed 1 December 2018

Estonian Information System Authority (2018) Riigi Infosüsteemi teejuht [State Information System Guide]. https://www.ria.ee/teejuht/eesti-it-edulood/2013-aastal-tehti-x-teel-ule-280-miljoni-infoparingu. Accessed 1 December 2018 (link no longer active)

Estonian Ministry of Foreign Affairs (2009) Estonia’s way into the European Union. http://vm.ee/sites/default/files/content-editors/web-static/052/Estonias_way_into_the_EU.pdf. Accessed 1 December 2018

European Commission (2016) Communication from the Commission, EU eGovernment action plan 2016–2020, Brussels. https://ec.europa.eu/digital-single-market/en/news/communication-eu-egovernment-action-plan-2016-2020-accelerating-digital-transformation. Accessed 1 December 2018

European Commission (2017) Ministerial declaration on eGovernment - the Tallinn Declaration. https://ec.europa.eu/digital-single-market/en/news/ministerial-declaration-egovernment-tallinn-declaration. Accessed 1 December 2018

European Commission (2018a) Creating a digital society. https://ec.europa.eu/digital-single-market/en/policies/creating-digital-society. Accessed 1 December 2018

European Commission (2018b) Data retention. https://ec.europa.eu/home-affairs/what-we-do/policies/police-cooperation/information-exchange/data-retention_en. Accessed 1 December 2018

European Commission (2018c) The digital economy and society index (DESI). https://ec.europa.eu/digital-single-market/en/desi. Accessed 1 December 2018

European Commission (2018d) eGovernment & digital public services. https://ec.europa.eu/digital-single-market/en/policies/egovernment. Accessed 1 December 2018

European Commission (2018e) EU-wide digital once-only principle for citizens and businesses. Policy options and their impacts. Executive summary, 2015/0062. https://ec.europa.eu/digital-single-market/en/news/eu-wide-digital-once-only-principle-citizens-and-businesses-policy-options-and-their-impacts. Accessed 1 December 2018

European Commission (2018f) The example of Estonia. https://ec.europa.eu/epale/en/blog/e-governance-and-e-guidance-example-estonia. Accessed 1 December 2018

European Commission (2018g) The GDPR: New opportunities, new obligations. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf. Accessed 1 December 2018

European Commission (2018h) Questions and answers – Data protection reform package. https://europa.eu › rapid › press-release_MEMO-17-1441_en. Accessed 1 December 2018

Kerikmäe T, Joamets K, Rodina A, Pleps J, Berkmanas T, Gruodyté E (2017) The law of the Baltic states. Springer-Verlag, HeidelbergCrossRef

Lõhmus U (2016) The saga of retaining electronic data has been resolved, yet not in Estonia. Juridica 10:698–708

Ministry of Economic Affairs and Communications (2017) Zero-bureaucracy. https://www.mkm.ee/en/zero-bureaucracy-0. Accessed 1 December 2018

Ministry of Economic Affairs and Communications (2018) Digital agenda 2020. https://www.mkm.ee/sites/default/files/digital_agenda_2020_estonia_engf.pdf. Accessed 1 December 2018

Nõmper A (2017) Personal data protection regulation in Estonia and Directive 95/46/EC. Taylor & Francis Group, LondonCrossRef

Peep V (2018) Data protection law seen through the eyes of a data protection authority. Juridica 2018/2:116–124

Pormeister K, Nisu N (2018) Dilemma of the law applicable within the EU in the General Data Protection Regulation. Juridica 2:125–135

Schweighofer E et al. (2017) Privacy by design data exchange between CSIRTs, GDPR & ePrivacy. Springer International Publishing https://doi.org/10.1007/978-3-319-67280-9_6CrossRef

Sein K et al. (2018) Pilguheit andmesubjekti õiguskaitsevahenditele uues isikuandmete kaitse üldmääruses [A look at the data subject’s remedies in the new General Data Protection Regulation]. Juridica 2:94–115

Statistics Estonia (2017) Majanduslikult aktiivsed ettevõtted töötajate arvu järgi [Economically active enterprises by number of employees]. https://www.stat.ee/68771. Accessed 1 December 2018

Tupay P K (2016) On the right to privacy up to the General Data Protection Regulation, i.e. the right of an unidentified person to the protection of personal data. Juridica 2016/4:227–240

Warren S D, Brandeis L D (1890) The right to privacy. Harv L Rev 4: 193–220CrossRef

Title: Data Protection in Estonia
Authors: Kärt Salumaa-Lepik
Tanel Kerikmäe
Nele Nisu
Publisher: T.M.C. Asser Press
Book: Data Protection Around the World
Print ISBN: 978-94-6265-406-8

Electronic ISBN: 978-94-6265-407-5

Copyright Year: 2021
DOI: https://doi.org/10.1007/978-94-6265-407-5_3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"