The government of Estonia likes to promote the country as a digital society. There is much to be happy with: many state services are delivered with minimal hassle and projects like the so-called e-residency and internet voting are innovative and potentially transformative. However, unlike Estonia’s Nordic neighbour Sweden, the e-state is built upon a foundation that does not fully take into account basic human rights such as protection of personal data.

A privacy nightmare

Consider the case of the data retention directive, which was introduced to the Estonian legal code with no debate whatsoever. Estonia’s version of the data protection laws are a privacy nightmare: any government agency with an investigative function, from tax authorities to environmental protection officers, have access to the retained data. Also, a direct access system is used by the authorities to access the mobile operators’ networks, which means that even the internet companies themselves have to rely on the state authorities for statistics.

Even though the Court of Justice of the European Union (CJEU) has declared the data retention directive invalid, Estonia’s overly broad law remains. In last December’s Tele2 Sverige and Watson judgment, the CJEU clarified that such laws are incompatible with EU law. In Estonia, this caused no discussion or debate until a few weeks ago, when two lawyers raised the issue in a daily newspaper. Even with the support of prominent legal scholars such as Estonia’s former judge in European Court of Human Rights, the discussion was met with delaying tactics by the government.

No valid arguments

The minister of justice, Urmas Reinsalu, deflected the criticism by stating that the case was about so-called meta-data (i.e. data such as location) and not the content of phone calls. He also implied that the CJEU allowed racial or other types of discriminatory profiling if true mass surveillance cannot take place. Finally, he brought out the argument that it means fewer tools for the police to ensure safety. None of the arguments are valid in light of the CJEU decision.

The Estonian Human Rights Centre has written to Estonia’s three big telecom service providers (Telia, Elisa, Tele2) to ask for further information regarding their practices regarding data retention in light of the CJEU case law. So far just one has responded with a short one-paragraph message that it follows Estonian law in this case.

The success or failure of the Estonian democratic e-state depends ultimately on whether the government can take human rights, including the right to privacy seriously. The data retention case seems to indicate it does not.