Companies required to collect telecoms data for foreseeable future
The Ministry of the Interior has proposed amending the law to allow the use of telecommunications data collected for commercial purposes in criminal proceedings. At the same time, the requirement for companies to collect a broader range of data will remain in place for now.
The European Court of Justice has repeatedly ruled that governments cannot mandate companies to collect telecommunications data in bulk for potential criminal investigations. However, Estonia, like many other countries, expects companies to do this.
This means that all telecommunications companies operating in Estonia are expected to retain data for at least one year, including information about who called or sent messages to whom and which cell towers a device connected to at a given time.
In September, after the Tallinn Circuit Court ruled this data could not be used as evidence in a court case, the Prosecutor's Office temporarily halted its use.
In response, ministries pledged to find a solution by December.
Ministry of the Interior offers a partial solution
This week, Joosep Kaasik, undersecretary for internal security at the Ministry of the Interior, will meet with the Ministry of Justice to propose a two-phase amendment to the law.
"As an initial idea, we want to regulate legal access to those telecommunications data that companies are already collecting today for commercial purposes," he explained.
The Ministry of the Interior plans to suggest amending the Code of Criminal Procedure based on the Electronic Communications Act, but the exact wording is still being discussed.
"This would specifically refer to data that telecommunications companies already collect as part of their operations," Kaasik said.
There are no immediate plans to amend the Electronic Communications Act. This means the existing mandatory data collection requirements for businesses will remain in place.
"The second phase of this process involves determining on what basis, and which types of data, it would be possible and reasonable to collect in the future, taking into account that we cannot collect data indiscriminately and everywhere," Kaasik said. "All European countries are grappling with the same issue, seeking solutions that comply with European court rulings."
Telecommunications companies should separate data
Telecommunications companies Elisa and Telia told ERR in October that, at present, companies make no distinction between data they are mandated by the state to collect and data they collect voluntarily.
They explained that as long as the state does not remove the mandatory data collection requirement, there is no point in maintaining two separate datasets. As a result, companies continue to retain data in at least the same volume and for as long as the law requires.
This practice has been useful to the Prosecutor's Office for years. Chief Prosecutor Taavi Pern told ERR in October that, in reality, the Prosecutor's Office has not used state-mandated data for the past three years, as the Supreme Court had already reminded authorities of the European Court of Justice rulings in 2021.
Pern said since then, the Prosecutor's Office has referred in all its requests to data collected for commercial purposes. This workaround functioned until September, when the Supreme Court said this approach was invalid because the mandatory collection requirement remains in place.
This suggests the solution proposed by the Ministry of the Interior would make no practical difference. However, Kaasik disagrees. He said a clear distinction will be made between data collected under mandatory requirements and data collected voluntarily.
The Ministry of the Interior has also asked companies about the type of data they retain voluntarily. "At this stage, we cannot say exactly where the line will be drawn," Kaasik said. "We are currently gathering this information from them, and our next decisions will be based on that."
The undersecretary acknowledged that under the proposed solution, investigative authorities may have access to less data from some companies and more data from others.
"This is perhaps the biggest issue with the proposed solution. But in any case, it is better than having no access to this data at all," he said.
Discussions could take years
Kaasik reiterated that companies will still be required to collect the data listed in the Electronic Communications Act.
The reason is that the Internal Security Service (ISS) and the Foreign Intelligence Service also use telecommunications data outside of criminal proceedings. If the obligation imposed on companies were abolished, it would make the work of these security agencies significantly more difficult.
Markko Künnapuu, an adviser on criminal law at the Ministry of Justice, told ERR in October that rulings from the European Court of Justice also apply to security agencies. He noted that data retention mandates can be imposed on telecommunications companies for national security purposes only if there is an immediate threat to security.
Kaasik said the issues surrounding the Electronic Communications Act and data retention will continue to be addressed. "This is not something that we can resolve in a single step or within a year. It's a longer process," he said.
The official added that different possibilities were also discussed at a recent meeting of European Union interior ministers. "It was acknowledged there as well that a pan-European solution is needed for accessing telecommunications data. But this is certainly not a quick fix; it's a process that will take years," Kaasik said.
For this reason, Kaasik believes that domestic clarity on data retention obligations must be achieved before a solution is reached at the European level.
"As for the first phase, we definitely aim to have a solution by next year. We will begin work on the second phase in parallel," the deputy secretary general outlined regarding the timeline ahead.
Commenting on the ongoing debate over telecommunications data, Kaasik expressed his view that the discussion has gone off track.
"We are focusing solely on the right to privacy on one hand and the need for investigative authorities to access data on the other. In reality, no investigative authority needs this data. The use of this data is crucial for the people who have fallen victim to crimes," Kaasik said.
--
Follow ERR News on Facebook and Twitter and never miss an update!
Editor: Urmet Kook, Helen Wright