Abstract
The GDPR, which took effect on 25 May 2018, is an ambitious legal act aimed at harmonizing personal data protection and the free flow of data in the European Union. This chapter covers GDPR implementation issues and related topics from an Estonian perspective. The first section (Sect. 3.1) explains the roots of Estonian data protection and gives an overview of the latest developments related to the GDPR and the relevant case law. Section 3.2 offers readers an indication as to how the GDPR interacts with Estonian jurisdiction and identifies the most notable differences and similarities. Section 3.3 focuses on the most prominent issues within Estonian jurisdiction regarding data protection regulations. The main topic in this section is e-governance and the fact that Estonia is one of the recognized pioneers and leaders among modern digital societies. Taken from the perspective of the GDPR, some practices need to be re-evaluated (the cross-use functioning of national databases, the implementation of the “once-only” principle, the openness of state databases, etc.). Section 3.4 gives an overview of the envisaged application of the GDPR within Estonian jurisdiction and the possible problems that may occur when implementing GDPR provisions.
This text was compiled at the end of 2018 and therefore does not reflect the developments and changes introduced by the new Estonian Personal Data Protection Act, which entered into force in 2019.
Notes
- 1.
This work was supported by Estonian Research Council grant PUT 1628.
- 2.
Warren and Brandeis 1890.
- 3.
See Kerikmäe et al. 2017.
- 4.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- 5.
First text of EDPA (in Estonian only)—Estonian Personal Data Protection Act/Isikuandmete kaitse seadus RT I 1996, 48, 944 (1996). https://www.riigiteataja.ee/akt/862756. Accessed 1 December 2018.
- 6.
Nõmper 2017.
- 7.
Estonian Public Information Act/Avaliku teabe seadus RT I 2000, 92, 597 (2000). https://www.riigiteataja.ee/en/eli/516102017007/consolide. Accessed 1 December 2018.
- 8.
Estonian Insurance Activities Act/Kindlustustegevuse seadus RT I, 07.07.2015, 1 (2015). https://www.riigiteataja.ee/en/eli/529012018003/consolide. Accessed 1 December 2018.
- 9.
Estonian Ministry of Foreign Affairs 2009 Estonia’s way into the European Union. http://vm.ee/sites/default/files/content-editors/web-static/052/Estonias_way_into_the_EU.pdf. Accessed 1 December 2018.
- 10.
The Estonian Data Protection Inspection (2000) The history of the organization. http://www.ebaltics.com› doc_upl › The_Estonian_Inspection. Accessed 1 December 2018.
- 11.
Peep 2018.
- 12.
Ibid.
- 13.
Ibid.
- 14.
Estonian Rules for Good Legislative Practice and Legislative Drafting/Hea õigusloome ja normitehnika eeskiri RT I, 29.12.2011, 228 (2011). https://www.riigiteataja.ee/en/eli/508012015003/consolide. Accessed 1 December 2018.
- 15.
Estonian Ministry of Justice (2017) Legislative intent for implementing GDPR and directive 680/2016 into Estonian law/Isikuandmete kaitse uue õigusliku raamistiku kontseptsioon. https://eelnoud.valitsus.ee/main/mount/docList/db80bf57-35ca-41e3-be15-827a2f056fdd. Accessed 1 December 2018.
- 16.
Establishment of Cause of Death Act/Surma põhjuse tuvastamise seadus RT I 2005, 24, 179 (2005). https://www.riigiteataja.ee/en/eli/ee/525062018018/consolide/current. Accessed 1 December 2018.
- 17.
Estonian Parliament (2018) History of readings in Parliament of the draft 650 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/96c37d10-383c-40ad-87be-a8583008b994/Isikuandmete%20kaitse%20seaduse%20rakendamise%20seadus. Accessed 1 December 2018.
- 18.
Estonian Parliament (2018) History of readings in Parliament of the draft 778 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/9d1420bb-b516-4ab1-b337-17b2c83eedb1/Isikuandmete%20kaitse%20seaduse%20rakendamise%20seadus. Accessed 20 December 2018.
- 19.
Archives Act/Arhiiviseadus RT I, 21.03.2011, 1 (2011). https://www.riigiteataja.ee/en/eli/ee/504032016002/consolide/current. Accessed 1 December 2018.
- 20.
Estonian Parliament (2018) History of readings in Parliament of the draft 679 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/5c9f8086-b465-4067-841e-41e7df3b95af/Isikuandmete%20kaitse%20seadus. Accessed 1 December 2018.
- 21.
Supreme Court (Riigikohus) (2007) Case 3-3-1-98-06. https://rikos.rik.ee/?asjaNr=3-3-1-98-06. Accessed 1 December 2018.
- 22.
Supreme Court (Riigikohus) (2018) Case 3-15-2079/28. https://rikos.rik.ee/LahendiOtsingEriVaade?asjaNr=3-15-2079/28. Accessed 1 December 2018.
- 23.
Financial Supervision Authority Act/Finantsinspektsiooni seadus RT I 2001, 48, 267 (2001). https://www.riigiteataja.ee/en/eli/529012018006/consolide. Accessed 1 December 2018.
- 24.
Supreme Court (Riigikohus) (2016) Case 3-3-1-85-15. https://rikos.rik.ee/?asjaNr=3-3-1-85-15. Accessed 1 December 2018.
- 25.
Supreme Court (Riigikohus) (2012) Case 3-3-1-3-12. https://rikos.rik.ee/?asjaNr=3-3-1-3-12. Accessed 1 December 2018.
- 26.
Only the so-called “new general framework data protection legal act” has been approved (by 12 December 2018), but without more specific implementing provisions concerning domestic special laws. Therefore, the full extent of the impact is still not known at the time of the writing of this chapter.
- 27.
Estonian Data Protection Inspectorate 2018c Statistics. https://www.aki.ee/et/inspektsioon/statistika. Accessed 1 December 2018.
- 28.
GDPR rec 53—However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.
- 29.
Human Genes Research Act/Inimgeeniuuringute seadus RT I 2000, 104, 685 (2000). https://www.riigiteataja.ee/en/eli/ee/518062014005/consolide/current. Accessed 1 December 2018.
- 30.
Health Services Organisation Act/Tervishoiuteenuste korraldamise seadus RT I 2001, 50, 284 (2001). https://www.riigiteataja.ee/en/eli/508042019003/consolide. Accessed 1 December 2018.
- 31.
CJEU Judgment Case C-582/14 19 October 2016 (Breyer).
- 32.
Schweighofer et al. 2017.
- 33.
European Commission 2018g The GDPR: new opportunities, new obligations. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf. Accessed 1 December 2018.
- 34.
European Commission 2018d eGovernment & Digital Public Services. https://ec.europa.eu/digital-single-market/en/policies/egovernment. Accessed 1 December 2018.
- 35.
Peep 2018.
- 36.
European Commission 2018c The digital economy and society index (DESI). https://ec.europa.eu/digital-single-market/en/desi. Accessed 1 December 2018.
- 37.
E-Estonia 2018 X-Road. https://e-estonia.com/solutions/interoperability-services/x-road/. Accessed 1 December 2018.
- 38.
Estonian Information System Authority 2018 Riigi Infosüsteemi teejuht. https://www.ria.ee/teejuht/eesti-it-edulood/2013-aastal-tehti-x-teel-ule-280-miljoni-infoparingu. Accessed 1 December 2018 (link no longer active).
- 39.
Ministry of Economic Affairs and Communications 2018 Digital agenda 2020. https://www.mkm.ee/sites/default/files/digital_agenda_2020_estonia_engf.pdf. Accessed 1 December 2018.
- 40.
Ibid.
- 41.
European Commission 2018f The example of Estonia. https://ec.europa.eu/epale/en/blog/e-governance-and-e-guidance-example-estonia. Accessed 1 December 2018.
- 42.
Estonian Open Government Data Portal (2018) https://opendata.riik.ee/ Accessed 1 December 2018.
- 43.
Read further from the European Data Portal: https://www.europeandataportal.eu/en/homepage. Accessed 1 December 2018.
- 44.
See further: https://eteenindus.mnt.ee/juht.jsf.
- 45.
European Commission 2018a Creating a digital society. https://ec.europa.eu/digital-single-market/en/policies/creating-digital-society. Accessed 1 December 2018.
- 46.
European Commission 2018e EU-wide digital once-only principle for citizens and businesses. Policy options and their impacts. Executive Summary, 2015/0062. https://ec.europa.eu/digital-single-market/en/news/eu-wide-digital-once-only-principle-citizens-and-businesses-policy-options-and-their-impacts. Accessed 1 December 2018.
- 47.
Action program of the Government of the Republic of Estonia for 2016–2019/Vabariigi Valitsuse tegevusprogramm 2016–2019 (2016). https://www.riigiteataja.ee/aktilisa/3280/4201/8008/111k_lisa.pdf. Accessed 1 December 2018.
- 48.
Ministry of Economic Affairs and Communications 2017 Zero-bureaucracy. https://www.mkm.ee/en/zero-bureaucracy-0. Accessed 1 December 2018.
- 49.
Work Ability Allowance Act/Töövõimetoetuse seadus RT I, 13.12.2014, 1 (2014). https://www.riigiteataja.ee/en/eli/ee/518122017009/consolide/current. Accessed 1 December 2018.
- 50.
Social Benefits for Disabled Persons Act/Puuetega inimeste sotsiaaltoetuste seadus RT I 1999, 16, 273 (1999) https://www.riigiteataja.ee/en/eli/ee/518122017011/consolide/current. Accessed 1 December 2018.
- 51.
Ministry of Social Affairs (2018) Estonian eHealth Strategic Development Plan 2020. https://www.sm.ee/sites/default/files/content-editors/sisekomm/e-tervise_strateegia_2020_15_en1.pdf. Accessed 1 December 2018.
- 52.
Ibid.
- 53.
Military Service Act/Kaitseväeteenistuse seadus RT I, 10.07.2012, 1 (2012). https://www.riigiteataja.ee/en/eli/ee/511072018002/consolide/current. Accessed 1 December 2018.
- 54.
European Commission 2017 Ministerial Declaration on eGovernment—the Tallinn Declaration. https://ec.europa.eu/digital-single-market/en/news/ministerial-declaration-egovernment-tallinn-declaration. Accessed 1 December 2018.
- 55.
European Commission 2016 Communication from the Commission, EU eGovernment Action Plan 2016–2020, Brussels. https://ec.europa.eu/digital-single-market/en/news/communication-eu-egovernment-action-plan-2016-2020-accelerating-digital-transformation. Accessed 1 December 2018.
- 56.
Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross-Border eHealth Information Services.
- 57.
Article 29 Data Protection Working Party (2018) Subject: Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross-Border eHealth Information Services. https://ec.europa.eu › newsroom › article29 › document. Accessed 1 December 2018.
- 58.
E-toimik allows participants in the proceeding and their representatives to participate in civil, administrative, criminal and misdemeanor proceedings electronically. The parties to the proceedings are able to follow the procedure, receive and submit documents, and access the digital files.
- 59.
Electronic Communications Act/Elektroonilise side seadus RT I 2004, 87, 593 (2004). https://www.riigiteataja.ee/en/eli/530052018001/consolide. Accessed 1 December 2018.
- 60.
European Commission 2018b Data retention. https://ec.europa.eu/home-affairs/what-we-do/policies/police-cooperation/information-exchange/data-retention_en. Accessed 1 December 2018.
- 61.
P 134(1) of the ruling says that “Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication”.
- 62.
Estonian Human Rights Centre 2017 On data retention and Estonia. https://humanrights.ee/en/2017/12/data-retention-estonia/. Accessed 1 December 2018.
- 63.
E.g., Lõhmus 2016.
- 64.
Article 29 Working Party (2017) Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237. Accessed 1 December 2018.
- 65.
Ibid.
- 66.
Estonian Data Protection Inspectorate 2018a Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018.
- 67.
Estonian Data Protection Inspectorate 2018b Ettevõtjaportaalis on registreeritud ligi 1600 andmekaitsespetsialisti [Almost 1,600 data protection specialists are registered in the company portal]. https://www.aki.ee/et/uudised/pressiteated/ettevotjaportaalis-registreeritud-ligi-1600-andmekaitsespetsialisti. Accessed 1 December 2018.
- 68.
Estonian Data Protection Inspectorate 2019a Rikkumisteadete arv ületas 100 piiri [The number of infringement notifications exceeded 100]. https://www.aki.ee/et/uudised/uudiste-arhiiv/rikkumisteadete-arv-uletas-100-piiri. Accessed 25 August 2019.
- 69.
Estonian Data Protection Inspectorate 2019b Soovitused aastaks 2019 [Recommendations for 2019]. https://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Aastaraamat.%202018%20kohta.%20Soovitused%20aastaks%202019.pdf. Accessed 25 August 2019.
- 70.
European Commission (2019) Special Eurobarometer 487a report on the General Data Protection Regulation. https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222. Accessed 25 May 2018.
- 71.
Ibid.
- 72.
Ibid.
- 73.
Ibid.
- 74.
Estonian Data Protection Inspectorate 2018a Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018.
- 75.
The state adds 4% to the mandatory funded pension (II step) out of the current social tax that is paid by the employee in Estonia. The parental benefit amount is calculated based on the person’s last year’s income for which an employer has paid social tax (salary, bonuses, etc.) according to the Family Benefits Act, § 7(2).
- 76.
Bygrave 2017.
- 77.
European Court of Human Rights, Case of I v. Finland, 17 July 2008, no. 20511/03.
- 78.
Ibid.
- 79.
Bygrave 2017.
- 80.
Ibid.
- 81.
Statistics Estonia 2017 Majanduslikult aktiivsed ettevõtted töötajate arvu järgi [Economically active enterprises by number of employees]. Accessed 1 December 2018. https://www.stat.ee/68771.
- 82.
Sein et al. 2018.
- 83.
Ibid.
- 84.
Ibid.
- 85.
Tupay 2016.
- 86.
Ibid.
- 87.
- 88.
Pormeister and Nisu 2018.
- 89.
European Commission 2018h Questions and Answers—Data protection reform package. https://europa.eu › rapid › press-release_MEMO-17-1441_en. Accessed 1 December 2018.
- 90.
Ibid.
- 91.
Pormeister and Nisu 2018.
References
Brkan M (2016) Data Protection and Conflict-of-laws: A Challenging Relationship. European Data Protection Law Review 2016/3, p. 324–341
Bygrave L A (2017) Data protection by design and by default: Deciphering the EU’s legislative requirements. Oslo L Rev 4:105–120
E-Estonia (2018) X-Road. https://e-estonia.com/solutions/interoperability-services/x-road/. Accessed 1 December 2018
Estonian Data Protection Inspectorate (2018a) Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018
Estonian Data Protection Inspectorate (2018b) Ettevõtjaportaalis on registreeritud ligi 1600 andmekaitsespetsialisti [Almost 1,600 data protection specialists are registered in the company portal]. https://www.aki.ee/et/uudised/pressiteated/ettevotjaportaalis-registreeritud-ligi-1600-andmekaitsespetsialisti. Accessed 1 December 2018
Estonian Data Protection Inspectorate (2018c) Statistics. https://www.aki.ee/et/inspektsioon/statistika Accessed 1 December 2018
Estonian Data Protection Inspectorate (2019a) Rikkumisteadete arv ületas 100 piiri [The number of infringement notifications exceeded 100]. https://www.aki.ee/et/uudised/uudiste-arhiiv/rikkumisteadete-arv-uletas-100-piiri. Accessed 25 August 2019
Estonian Data Protection Inspectorate (2019b) Soovitused aastaks 2019 [Recommendations for 2019]. https://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Aastaraamat%202018%20kohta.%20Soovitused%20aastaks%202019.pdf. Accessed 25 August 2019
Estonian Human Rights Centre (2017) On data retention and Estonia. https://humanrights.ee/en/2017/12/data-retention-estonia/. Accessed 1 December 2018
Estonian Information System Authority (2018) Riigi Infosüsteemi teejuht [State Information System Guide]. https://www.ria.ee/teejuht/eesti-it-edulood/2013-aastal-tehti-x-teel-ule-280-miljoni-infoparingu. Accessed 1 December 2018 (link no longer active)
Estonian Ministry of Foreign Affairs (2009) Estonia’s way into the European Union. http://vm.ee/sites/default/files/content-editors/web-static/052/Estonias_way_into_the_EU.pdf. Accessed 1 December 2018
European Commission (2016) Communication from the Commission, EU eGovernment action plan 2016–2020, Brussels. https://ec.europa.eu/digital-single-market/en/news/communication-eu-egovernment-action-plan-2016-2020-accelerating-digital-transformation. Accessed 1 December 2018
European Commission (2017) Ministerial declaration on eGovernment - the Tallinn Declaration. https://ec.europa.eu/digital-single-market/en/news/ministerial-declaration-egovernment-tallinn-declaration. Accessed 1 December 2018
European Commission (2018a) Creating a digital society. https://ec.europa.eu/digital-single-market/en/policies/creating-digital-society. Accessed 1 December 2018
European Commission (2018b) Data retention. https://ec.europa.eu/home-affairs/what-we-do/policies/police-cooperation/information-exchange/data-retention_en. Accessed 1 December 2018
European Commission (2018c) The digital economy and society index (DESI). https://ec.europa.eu/digital-single-market/en/desi. Accessed 1 December 2018
European Commission (2018d) eGovernment & digital public services. https://ec.europa.eu/digital-single-market/en/policies/egovernment. Accessed 1 December 2018
European Commission (2018e) EU-wide digital once-only principle for citizens and businesses. Policy options and their impacts. Executive summary, 2015/0062. https://ec.europa.eu/digital-single-market/en/news/eu-wide-digital-once-only-principle-citizens-and-businesses-policy-options-and-their-impacts. Accessed 1 December 2018
European Commission (2018f) The example of Estonia. https://ec.europa.eu/epale/en/blog/e-governance-and-e-guidance-example-estonia. Accessed 1 December 2018
European Commission (2018g) The GDPR: New opportunities, new obligations. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf. Accessed 1 December 2018
European Commission (2018h) Questions and answers – Data protection reform package. https://europa.eu › rapid › press-release_MEMO-17-1441_en. Accessed 1 December 2018
Kerikmäe T, Joamets K, Rodina A, Pleps J, Berkmanas T, Gruodyté E (2017) The law of the Baltic states. Springer-Verlag, Heidelberg
Lõhmus U (2016) The saga of retaining electronic data has been resolved, yet not in Estonia. Juridica 10:698–708
Ministry of Economic Affairs and Communications (2017) Zero-bureaucracy. https://www.mkm.ee/en/zero-bureaucracy-0. Accessed 1 December 2018
Ministry of Economic Affairs and Communications (2018) Digital agenda 2020. https://www.mkm.ee/sites/default/files/digital_agenda_2020_estonia_engf.pdf. Accessed 1 December 2018
Nõmper A (2017) Personal data protection regulation in Estonia and Directive 95/46/EC. Taylor & Francis Group, London
Peep V (2018) Data protection law seen through the eyes of a data protection authority. Juridica 2018/2:116–124
Pormeister K, Nisu N (2018) Dilemma of the law applicable within the EU in the General Data Protection Regulation. Juridica 2:125–135
Schweighofer E et al. (2017) Privacy by design data exchange between CSIRTs, GDPR & ePrivacy. Springer International Publishing https://doi.org/10.1007/978-3-319-67280-9_6
Sein K et al. (2018) Pilguheit andmesubjekti õiguskaitsevahenditele uues isikuandmete kaitse üldmääruses [A look at the data subject’s remedies in the new General Data Protection Regulation]. Juridica 2:94–115
Statistics Estonia (2017) Majanduslikult aktiivsed ettevõtted töötajate arvu järgi [Economically active enterprises by number of employees]. https://www.stat.ee/68771. Accessed 1 December 2018
Tupay P K (2016) On the right to privacy up to the General Data Protection Regulation, i.e. the right of an unidentified person to the protection of personal data. Juridica 2016/4:227–240
Warren S D, Brandeis L D (1890) The right to privacy. Harv L Rev 4: 193–220
Copyright information
© 2021 T.M.C. Asser Press and the authors
About this chapter
Cite this chapter
Salumaa-Lepik, K., Kerikmäe, T., Nisu, N. (2021). Data Protection in Estonia. In: Kiesow Cortez, E. (eds) Data Protection Around the World. Information Technology and Law Series, vol 33. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-407-5_3
DOI: https://doi.org/10.1007/978-94-6265-407-5_3
Publisher Name: T.M.C. Asser Press, The Hague
Print ISBN: 978-94-6265-406-8
Online ISBN: 978-94-6265-407-5
eBook Packages: Law and Criminology (R0)