Obtaining data from telecoms firms in the course of criminal investigations in Estonia still goes on, despite stricter limits put in place by the European Union from last year.
In April 2022, the European Court of Justice (ECJ) found that the wholesale storage of personal data, even in the interests of fighting crime, runs counter to EU law.
Whereas in the past in Estonia, communication data could be utilized as evidence in criminal proceedings with the permission of a national prosecutor's office, following the ECJ ruling, this permission must come from a court.
The Estonian Supreme Court had previously ruled, in the summer of 2021, that telecoms data cannot be requested as evidence in investigating crimes, for the same reason, that the procedure in place at the time conflicts with EU law. The court also stipulated that the right to privacy guaranteed by the Estonian Constitution would also be violated in retrieving illegally stored data.
Interior ministry spokesperson: Very specific definition on data law enforcement agencies may gather
Henry Timberg, head of the law enforcement and criminal policy department at the Ministry of the Interior, told ERR that data which law enforcement agencies can access is very specifically defined.
Timberg said: "We are only dealing with data needed for the investigation of serious crimes, which are significantly more narrowly defined than the data types as listed in the [domestic] Electronic Communications Act; the latter are collected by a communications company for commercial purposes, and to ensure the requirements and quality of communications services."
There are some exceptions in respect of key evidence relating to, for instance, cyber crime, and newer court rulings have allowed exemptions on a blanket ban.
"It has also been found [by the court] that the general storage of data relating to user ID is permitted in fighting crime and protecting national security," he added.
A law enforcement agency must, however, provide clear justification as to why the investigation cannot go ahead without the requested data, while both the specific composition of the data and the time periods of their occurrence must be indicated.
Telco: Data stored in line with the law, for one year
Tele2, one of the three major telecoms firms operating in Estonia. A lawyer from the company, Anna Pauliina Aavik, told ERR that the storage and collection of data at Tele2 is carried out in accordance with Section 111 of the Electronic Communications Act which stipulates the obligation of telecoms firms to store data in a manner that, among other things, the communication source, it destination, date duration and time can be readily identified.
Aavik said: "Tele2 collects data specified in paragraphs one to three of this section and stores them as required by law, for one year from the time the communication took place."
A caller's number, customer name and address, start and finish time of the call in question and cellphone ID – which indicates which cellular base station a call or message was initiated from and terminated at – are all amassed.
Internet connection, e-mail and internet telephone service providers must record, for example, the date and time of the start (ie. log-in ) and end (ie. log-off ) of using an email, messaging or call service made via the internet, as well as the user ID and phone number of the communication entering the cellphone network.
Prosecutor's office must now get court permission before obtaining data
Henry Timberg at the interior ministry noted that the principle of innocence until proven guilty remains in place, so the use of telecoms data as evidence in criminal proceedings is as much used to disprove false suspicions as it is to impute culpability.
The use of communications data in Estonia is subject to multiple checks and controls, he stressed.
"Since the start of 2022, an investigative agency must obtain permission from a court when requesting access to communications data. Previously, the law allowed to be limited to the permission of the prosecutor's office."
"The prosecutor's office needs to request permission from the court too, meaning the agency investigating essentially has to request permission twice – first from the prosecutor's office, which must submit to requesting permission from a court, and second from the court itself, which decides whether the law enforcement agency can request data from the communications company or not," Timberg continued.
Criminal investigations carried out by, for instance, the Police and Border Guard Board, are in any case generally directed by the prosecutor's office.
The main issue relates to contrasts between differing fundamental rights, Timberg went on, namely the right to privacy and the right to security, both of which should co-exist.
For this reason, the judiciary supervises data requests, while the state should guarantee security – "Therefore, a reasonable balance must be maintained between various fundamental rights," he said.
Anna Pauliina Aavik at Tele2 said that the company expects legal clarity from the state.
"At Tele2, both security and privacy are important, while at the same time always acting in accordance with those laws which are in force in Estonia. We are interested in legal clarity, and so have approached various authorities, via the Estonian Information Technology and Telecommunications Union (ITL), to obtain a clear position on this issue," said Aavik.
Riigikogu committee chair: ECJ ruling does not exclude storing data relating to national security issues
So far as the legislature goes, the Electronic Communications Act falls under the purview of the Riigikog's Economic Affairs Committee.
That committee's chair Priit Lomp (SDE) told ERR that the ECJ's decision has not excluded the storage of communications data for the purpose of ensuring national security.
"In its decision, the Supreme Court also deals solely with criminal and misdemeanor proceedings," Lomp said.
"For this purpose, the Penal Code was amended accordingly and the options for using this data were restricted," he added.
At the same time, according to Lomp, no bills that would change the Electronic Communications Act or the collection of communication data have reached the committee's table.
This means that it is still the case that data is collected more widely in Estonia, but can only be requested in exceptional cases, Lomp said.
In early April 2022, the ECJ again ruled the collection of private communications data to be unlawful where there are no reasons or limitations, reinforcing earlier rulings from 2014, 2016 and 2020. These rulings require legislative and other changes at member states' domestic level, as well as at EU level.
Editor: Andrew Whyte, Grete-Liina Roosve