Skip to main content
SpringerLink
Log in

Data Protection in Estonia

  • Chapter
  • First Online:
Data Protection Around the World

Part of the book series: Information Technology and Law Series ((ITLS,volume 33))

Abstract

The GDPR, which took effect on 25 May 2018, is an ambitious legal act aimed at harmonizing personal data protection and the free flow of data in the European Union. This chapter covers GDPR implementation issues and related topics from an Estonian perspective. The first section (Sect. 3.1) explains the roots of Estonian data protection and gives an overview of the latest developments related to the GDPR and the relevant case law. Section 3.2 offers readers an indication as to how the GDPR interacts with Estonian jurisdiction and identifies the most notable differences and similarities. Section 3.3 focuses on the most prominent issues within Estonian jurisdiction regarding data protection regulations. The main topic in this section is e-governance and the fact that Estonia is one of the recognized pioneers and leaders among modern digital societies. Taken from the perspective of the GDPR, some practices need to be re-evaluated (the cross-use functioning of national databases, the implementation of the “once-only” principle, the openness of state databases, etc.). Section 3.4 gives an overview of the envisaged application of the GDPR within Estonian jurisdiction and the possible problems that may occur when implementing GDPR provisions.

This text was compiled at the end of 2018 and therefore does not reflect the developments and changes introduced by the new Estonian Personal Data Protection Act, which entered into force in 2019.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 99.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    This work was supported by Estonian Research Council grant PUT 1628.

  2. 2.

    Warren and Brandeis 1890.

  3. 3.

    See Kerikmäe et al. 2017.

  4. 4.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

  5. 5.

    First text of EDPA (in Estonian only)—Estonian Personal Data Protection Act/Isikuandmete kaitse seadus RT I 1996, 48, 944 (1996). https://www.riigiteataja.ee/akt/862756. Accessed 1 December 2018.

  6. 6.

    Nõmper 2017.

  7. 7.

    Estonian Public Information Act/Avaliku teabe seadus RT I 2000, 92, 597 (2000). https://www.riigiteataja.ee/en/eli/516102017007/consolide. Accessed 1 December 2018.

  8. 8.

    Estonian Insurance Activities Act/Kindlustustegevuse seadus RT I, 07.07.2015, 1 (2015). https://www.riigiteataja.ee/en/eli/529012018003/consolide. Accessed 1 December 2018.

  9. 9.

    Estonian Ministry of Foreign Affairs 2009 Estonia’s way into the European Union. http://vm.ee/sites/default/files/content-editors/web-static/052/Estonias_way_into_the_EU.pdf. Accessed 1 December 2018.

  10. 10.

    The Estonian Data Protection Inspection (2000) The history of the organization. http://www.ebaltics.com› doc_upl › The_Estonian_Inspection. Accessed 1 December 2018.

  11. 11.

    Peep 2018.

  12. 12.

    Ibid.

  13. 13.

    Ibid.

  14. 14.

    Estonian Rules for Good Legislative Practice and Legislative Drafting/Hea õigusloome ja normitehnika eeskiri RT I, 29.12.2011, 228 (2011). https://www.riigiteataja.ee/en/eli/508012015003/consolide. Accessed 1 December 2018.

  15. 15.

    Estonian Ministry of Justice (2017) Legislative intent for implementing GDPR and directive 680/2016 into Estonian law/Isikuandmete kaitse uue õigusliku raamistiku kontseptsioon. https://eelnoud.valitsus.ee/main/mount/docList/db80bf57-35ca-41e3-be15-827a2f056fdd. Accessed 1 December 2018.

  16. 16.

    Establishment of Cause of Death Act/Surma põhjuse tuvastamise seadus RT I 2005, 24, 179 (2005). https://www.riigiteataja.ee/en/eli/ee/525062018018/consolide/current. Accessed 1 December 2018.

  17. 17.

    Estonian Parliament (2018) History of readings in Parliament of the draft 650 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/96c37d10-383c-40ad-87be-a8583008b994/Isikuandmete%20kaitse%20seaduse%20rakendamise%20seadus. Accessed 1 December 2018.

  18. 18.

    Estonian Parliament (2018) History of readings in Parliament of the draft 778 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/9d1420bb-b516-4ab1-b337-17b2c83eedb1/Isikuandmete%20kaitse%20seaduse%20rakendamise%20seadus Accessed 20 December 2018.

  19. 19.

    Archives Act/Arhiiviseadus RT I, 21.03.2011, 1 (2011). https://www.riigiteataja.ee/en/eli/ee/504032016002/consolide/current. Accessed 1 December 2018.

  20. 20.

    Estonian Parliament (2018) History of readings in Parliament of the draft 679 SE. https://www.riigikogu.ee/tegevus/eelnoud/eelnou/5c9f8086-b465-4067-841e-41e7df3b95af/Isikuandmete%20kaitse%20seadus. Accessed 1 December 2018.

  21. 21.

    Supreme Court (Riigikohus) (2007) Case 3-3-1-98-06. https://rikos.rik.ee/?asjaNr=3-3-1-98-06. Accessed 1 December 2018.

  22. 22.

    Supreme Court (Riigikohus) (2018) Case 3-15-2079/28. https://rikos.rik.ee/LahendiOtsingEriVaade?asjaNr=3-15-2079/28. Accessed 1 December 2018.

  23. 23.

    Financial Supervision Authority Act/Finantsinspektsiooni seadus RT I 2001, 48, 267 (2001). https://www.riigiteataja.ee/en/eli/529012018006/consolide. Accessed 1 December 2018.

  24. 24.

    Supreme Court (Riigikohus) (2016) Case 3-3-1-85-15. https://rikos.rik.ee/?asjaNr=3-3-1-85-15. Accessed 1 December 2018.

  25. 25.

    Supreme Court (Riigikohus) (2012) Case 3-3-1-3-12. https://rikos.rik.ee/?asjaNr=3-3-1-3-12. Accessed 1 December 2018.

  26. 26.

    Only the so-called “new general framework data protection legal act” has been approved (by 12 December 2018), but without more specific implementing provisions concerning domestic special laws. Therefore, the full extent of the impact is still not known at the time of the writing of this chapter.

  27. 27.

    Estonian Data Protection Inspectorate 2018c Statistics. https://www.aki.ee/et/inspektsioon/statistika. Accessed 1 December 2018.

  28. 28.

    GDPR rec 53—However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

  29. 29.

    Human Genes Research Act/Inimgeeniuuringute seadus RT I 2000, 104, 685 (2000). https://www.riigiteataja.ee/en/eli/ee/518062014005/consolide/current. Accessed 1 December 2018.

  30. 30.

    Health Services Organisation Act/Tervishoiuteenuste korraldamise seadus RT I 2001, 50, 284 (2001). https://www.riigiteataja.ee/en/eli/508042019003/consolide. Accessed 1 December 2018.

  31. 31.

    CJEU Judgment Case C-582/14 19 October 2016 (Breyer).

  32. 32.

    Schweighofer et al. 2017.

  33. 33.

    European Commission 2018g The GDPR: new opportunities, new obligations. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf. Accessed 1 December 2018.

  34. 34.

    European Commission 2018d eGovernment & Digital Public Services. https://ec.europa.eu/digital-single-market/en/policies/egovernment. Accessed 1 December 2018.

  35. 35.

    Peep 2018.

  36. 36.

    European Commission 2018c The digital economy and society index (DESI). https://ec.europa.eu/digital-single-market/en/desi. Accessed 1 December 2018.

  37. 37.

    E-Estonia 2018 X-Road. https://e-estonia.com/solutions/interoperability-services/x-road/. Accessed 1 December 2018.

  38. 38.

    Estonian Information System Authority 2018 Riigi Infosüsteemi teejuht. https://www.ria.ee/teejuht/eesti-it-edulood/2013-aastal-tehti-x-teel-ule-280-miljoni-infoparingu. Accessed 1 December 2018 (link no longer active).

  39. 39.

    Ministry of Economic Affairs and Communications 2018 Digital agenda 2020. https://www.mkm.ee/sites/default/files/digital_agenda_2020_estonia_engf.pdf. Accessed 1 December 2018.

  40. 40.

    Ibid.

  41. 41.

    European Commission 2018f The example of Estonia. https://ec.europa.eu/epale/en/blog/e-governance-and-e-guidance-example-estonia. Accessed 1 December 2018.

  42. 42.

    Estonian Open Government Data Portal (2018) https://opendata.riik.ee/ Accessed 1 December 2018.

  43. 43.

    Read further from the European Data Portal: https://www.europeandataportal.eu/en/homepage. Accessed 1 December 2018.

  44. 44.

    See further: https://eteenindus.mnt.ee/juht.jsf.

  45. 45.

    European Commission 2018a Creating a digital society. https://ec.europa.eu/digital-single-market/en/policies/creating-digital-society. Accessed 1 December 2018.

  46. 46.

    European Commission 2018e EU-wide digital once-only principle for citizens and businesses. Policy options and their impacts. Executive Summary, 2015/0062. https://ec.europa.eu/digital-single-market/en/news/eu-wide-digital-once-only-principle-citizens-and-businesses-policy-options-and-their-impacts. Accessed 1 December 2018.

  47. 47.

    Action program of the Government of the Republic of Estonia for 2016–2019/Vabariigi Valitsuse tegevusprogramm 2016–2019 (2016). https://www.riigiteataja.ee/aktilisa/3280/4201/8008/111k_lisa.pdf. Accessed 1 December 2018.

  48. 48.

    Ministry of Economic Affairs and Communications 2017 Zero-bureaucracy. https://www.mkm.ee/en/zero-bureaucracy-0. Accessed 1 December 2018.

  49. 49.

    Work Ability Allowance Act/Töövõimetoetuse seadus RT I, 13.12.2014, 1 (2014). https://www.riigiteataja.ee/en/eli/ee/518122017009/consolide/current. Accessed 1 December 2018.

  50. 50.

    Social Benefits for Disabled Persons Act/Puuetega inimeste sotsiaaltoetuste seadus RT I 1999, 16, 273 (1999) https://www.riigiteataja.ee/en/eli/ee/518122017011/consolide/current. Accessed 1 December 2018.

  51. 51.

    Ministry of Social Affairs (2018) Estonian eHealth Strategic Development Plan 2020. https://www.sm.ee/sites/default/files/content-editors/sisekomm/e-tervise_strateegia_2020_15_en1.pdf. Accessed 1 December 2018.

  52. 52.

    Ibid.

  53. 53.

    Military Service Act/Kaitseväeteenistuse seadus RT I, 10.07.2012, 1 (2012). https://www.riigiteataja.ee/en/eli/ee/511072018002/consolide/current. Accessed 1 December 2018.

  54. 54.

    European Commission 2017 Ministerial Declaration on eGovernment—the Tallinn Declaration. https://ec.europa.eu/digital-single-market/en/news/ministerial-declaration-egovernment-tallinn-declaration. Accessed 1 December 2018.

  55. 55.

    European Commission 2016 Communication from the Commission, EU eGovernment Action Plan 2016–2020, Brussels. https://ec.europa.eu/digital-single-market/en/news/communication-eu-egovernment-action-plan-2016-2020-accelerating-digital-transformation. Accessed 1 December 2018.

  56. 56.

    Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross-Border eHealth Information Services.

  57. 57.

    Article 29 Data Protection Working Party (2018) Subject: Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in

    Cross-Border eHealth Information Services. https://ec.europa.eu › newsroom › article29 › document. Accessed 1 December 2018.

  58. 58.

    E-toimik allows participants in the proceeding and their representatives to participate in civil, administrative, criminal and misdemeanor proceedings electronically. The parties to the proceedings are able to follow the procedure, receive and submit documents, and access the digital files.

  59. 59.

    Electronic Communications Act/Elektroonilise side seadus RT I 2004, 87, 593 (2004). https://www.riigiteataja.ee/en/eli/530052018001/consolide. Accessed 1 December 2018.

  60. 60.

    European Commission 2018b Data retention. https://ec.europa.eu/home-affairs/what-we-do/policies/police-cooperation/information-exchange/data-retention_en. Accessed 1 December 2018.

  61. 61.

    P 134(1) of the ruling says that “Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication”.

  62. 62.

    Estonian Human Rights Centre 2017 On data retention and Estonia. https://humanrights.ee/en/2017/12/data-retention-estonia/. Accessed 1 December 2018.

  63. 63.

    E.g., Lõhmus 2016.

  64. 64.

    Article 29 Working Party (2017) Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237. Accessed 1 December 2018.

  65. 65.

    Ibid.

  66. 66.

    Estonian Data Protection Inspectorate 2018a Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018.

  67. 67.

    Estonian Data Protection Inspectorate 2018b Ettevõtjaportaalis on registreeritud ligi 1600 andmekaitsespetsialisti [Almost 1,600 data protection specialists are registered in the company portal]. https://www.aki.ee/et/uudised/pressiteated/ettevotjaportaalis-registreeritud-ligi-1600-andmekaitsespetsialisti. Accessed 1 December 2018.

  68. 68.

    Estonian Data Protection Inspectorate 2019a Rikkumisteadete arv ületas 100 piiri [The number of infringement notifications exceeded 100]. https://www.aki.ee/et/uudised/uudiste-arhiiv/rikkumisteadete-arv-uletas-100-piiri. Accessed 25 August 2019.

  69. 69.

    Estonian Data Protection Inspectorate 2019b Soovitused aastaks 2019 [Recommendations for 2019]. https://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/Aastaraamat.%202018%20kohta.%20Soovitused%20aastaks%202019.pdf. Accessed 25 August 2019.

  70. 70.

    European Commission (2019) Special Eurobarometer 487a report on the General Data Protection Regulation. https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222. Accessed 25 May 2018.

  71. 71.

    Ibid.

  72. 72.

    Ibid.

  73. 73.

    Ibid.

  74. 74.

    Estonian Data Protection Inspectorate 2018a Don’t panic! How to be compliant with the new GDPR in 5 steps. http://www.aki.ee/et/node/1471. Accessed 1 December 2018.

  75. 75.

    The state adds 4% to the mandatory funded pension (II step) out of the current social tax that is paid by the employee in Estonia. The parental benefit amount is calculated based on the person’s last year’s income for which an employer has paid social tax (salary, bonuses, etc.) according to the Family Benefits Act, § 7(2).

  76. 76.

    Bygrave 2017.

  77. 77.

    European Court of Human Rights, Case of I v. Finland, 17 July 2008, no. 20511/03.

  78. 78.

    Ibid.

  79. 79.

    Bygrave 2017.

  80. 80.

    Ibid.

  81. 81.

    Statistics Estonia 2017 Majanduslikult aktiivsed ettevõtted töötajate arvu järgi [Economically active enterprises by number of employees]. Accessed 1 December 2018. https://www.stat.ee/68771.

  82. 82.

    Sein et al. 2018.

  83. 83.

    Ibid.

  84. 84.

    Ibid.

  85. 85.

    Tupay 2016.

  86. 86.

    Ibid.

  87. 87.

    See further: Pormeister and Nisu 2018; Brkan 2016.

  88. 88.

    Pormeister and Nisu 2018.

  89. 89.

    European Commission 2018h Questions and Answers—Data protection reform package. https://europa.eu › rapid › press-release_MEMO-17-1441_en. Accessed 1 December 2018.

  90. 90.

    Ibid.

  91. 91.

    Pormeister and Nisu 2018.

References

Download references

Author information

Authors and Affiliations

  1. Tallinn University of Technology, Akadeemia tee 3, 12618, Tallinn, Estonia

    Kärt Salumaa-Lepik & Tanel Kerikmäe

  2. Estonian Ministry of Social Affairs, Tallinn, Estonia

    Nele Nisu

Authors
  1. Kärt Salumaa-Lepik
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tanel Kerikmäe
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Nele Nisu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kärt Salumaa-Lepik .

Editor information

Editors and Affiliations

  1. International and European Law, The Hague University of Applied Sciences, The Hague, The Netherlands

    Elif Kiesow Cortez

Rights and permissions

Reprints and permissions

Copyright information

© 2021 T.M.C. Asser Press and the authors

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Salumaa-Lepik, K., Kerikmäe, T., Nisu, N. (2021). Data Protection in Estonia. In: Kiesow Cortez, E. (eds) Data Protection Around the World. Information Technology and Law Series, vol 33. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-407-5_3

Download citation

  • DOI: https://doi.org/10.1007/978-94-6265-407-5_3

  • Published:

  • Publisher Name: T.M.C. Asser Press, The Hague

  • Print ISBN: 978-94-6265-406-8

  • Online ISBN: 978-94-6265-407-5

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation