The Electronic Communications Act (ESS) regulates data collection in Estonia and obligates communication service providers to process and store it.

For example, telecomms and network providers must record the caller's number, the customer's name and address, the start and end time of the call, as well as the cell ID, which indicates from which base station the call or message was initiated or terminated.

Internet connection, e-mail and internet telephone service providers must record, for example, the date and time of the start ( log-in ) and end ( log-off ) of the use of the service of e-mail or calls made via the web, as well as the user ID and phone number of the communication entering the telephone or mobile phone network.

The European Court of Justice has said this data is too detailed and allows conclusions to be drawn about a person's private life. This is against both EU law and the constitution.

The Estonian Supreme Court told the state it cannot hold this much data on citizens in 2021 to investigate crimes, as it is contrary to EU law. Retrieving illegally stored data would also violate the right to privacy guaranteed by the Constitution.

Based on the decision of the Supreme Court, at the end of 2021, the Riigikogu adopted an amendment to the law, which now says communication data can only be used with the permission of the court – previously, in certain cases, this could also be done with the permission of the prosecutor's office. 

The number of applications for the release of communications data has decreased significantly since the law was amended: while in 2020, there were 2,828 authorizations issued, but in 2022 this fell to 376.

However, the Supreme Court said the transfer of the power to grant authorizations from the prosecutor's office to the court does not resolve the conflict between Estonian and European Union law, as the preventive retention of data infringes the right to privacy regardless of the conditions imposed on access.

Despite this, the Ministry of Justice has no plans to change the law, and data collection continues.

Heddi Lutterus, deputy secretary general for legal policy at the Ministry of Justice, said guidelines are expected from the European Union. 

"At the EU level, there are ongoing legal disputes and discussions on how access to communications data should be granted (inter alia in the light of national security needs). Therefore, Estonia has been rather cautious about changing the regulations in this area itself," Lutterus told ERR on Tuesday.

Over the years, telecom companies have drawn attention to the inconsistency between Estonian and EU law, hoping to find legal clarity. According to lawyers for both Tele2 and Elisa, this is still not the case.

"The legal provisions on the retention and processing of communications data, which are necessary to fight crime, need to be reviewed in their entirety in Estonia and brought in line with EU law and the case law of the European Court of Justice," said Allan Aedmaa, Elisa's chief legal officer.

Telecommunications companies must pay for the costs arising from the collection and storage of data. They have not publicly stated how much they spend.

--

Follow ERR News on Facebook and Twitter and never miss an update!