Fortunately for investigative authorities, companies have not distinguished whether the requested data is stored due to state requirements or business purposes.

While the European Court of Justice (ECJ) has time and again ruled that a member state cannot require firms to retain communication data in all cases, Estonia still has a one-year retention obligation enshrined in its domestic legislation.

This includes retaining data on who was called and at what time, and on phone location in relation to cell towers.

Andreas Meister, risk manager at market leader Telia Eesti, said that if this obligation were not present, at least some of the data would be retained for a significantly shorter time period, purely on business pragmatics.

"For business purposes, we do not need to retain all this data for so long," Meister said.

Meanwhile, Elisa's chief legal officer Allan Aedmaa said the same was the case with his company, exemplifying this with data on how a phone number and its associated phone have moved between cellphone masts.

Aedmaa said: "If the state obligation disappears, then it would be entirely viable that operators would only need this data for network operation analysis, and for one, two, or three months,"

Investigative bodies get everything they need

For several years now the telcos have said that they need less data for themselves than that which the state requires they retain.

The assumption might be that a fundamental change followed a 2021 Supreme Court decision, after which the prosecutor's office said it had only requested communication data that telecommunications firms collect for business purposes.

However, no major substantive change occurred, meaning the quantity of data available to the prosecution has not fallen.

This was reiterated just last week by state prosecutor Taavi Pern.

This is also reflected in the privacy policies that all telecommunications companies carry on their websites and elsewhere.

Tele2 states on its site that to ensure network quality is maintained, they keep both usage and location data, for up to 18 months.

Also, in the interests of better customer management, they retain the same categories of data for up to 30 months after a customer relationship ends – in other words the data from users terminating their contract with the firm will be kept for that period.

According to Telia's website, the company retains both communications and location data for 12-36 months. The one-year retention period applies to maintaining services and products, as well as for marketing based on communication data. Longer retention periods are also due to stated reasons including "product and service delivery."

Andreas Meister said that a specific reason must be given for any retention period over 12 months. Call records are retained for up to a year after an invoice for the charging period in question is paid.

With customer profiling, Telia may retain data for up to two years, though Meister assured ERR that this is not done with personalized data.

"We can retain it longer if it is anonymized," he added.

"For example, we evaluate the number of customers in a given area, to understand if additional technological resources are needed there to guarantee the expected service quality," Meister went on.

No distinction between business reasons and state-imposed obligations

As to why companies have a minimum of a one-year retention period for customer data even as they say they don't need the data for that long, Meister said that there is no point in setting a shorter period if the state already requires the data to be retained for a year.

"In other words, we haven't yet carried out any additional analysis to determine how long we would retain the data were there no requirement under the Electronic Communications Act to do so."

Allan Aedmaa at Elisa said: "Outlining these retention periods in the systems and amending the related processes – that would be quite a big job."

"And we want to do it once. We don't want to duplicate work here," he added.

The companies' current practices have also meant that the prosecutor's office only needs to request data as retained for business purposes; doing so means they can obtain all the data the state requires companies to store in one fell swoop.

In a ruling that took effect in September, the second-tier circuit court indicated that this is fundamentally at odds with EU law.

The prosecutor's office therefore stopped requesting communication data altogether.

The Ministry of Justice has said it hopes to find a new legal solution by the end of the year.

Even as the recent public debate about communication data might seem complex in and of itself, the public can easily check the volume and scope of data involved.

Both Meister and Aedmaa said that anyone can request the data collected about themselves from all telecommunications firms.

Telia, Elisa and Tele2 cover the vast majority of consumer contract phone service provisions.

--

Follow ERR News on Facebook and Twitter and never miss an update!