The Estonian Human Rights Centre (EHRC) has been calling for the rules to be changed since 2014, when a Court of Justice of the European Union (CJEU) decision declared the data retention directive, which the Estonian law was based on, invalid. In Estonia, communications metadata (including sensitive location data) is used not only to fight serious crime, but also for minor crimes and misdemeanours as well as in civil lawsuits.
The proposal confirms that the current system of communications data retention does not comply with CJEU case law. The proposal includes a brief outline of a tiered, proportional system for retention and use of data, although it is short on detail.
The Estonian Human Rights Centre stated in its opinion on the proposal that nobody wins if human rights and internal security are set against each other. Mass-surveillance (including mass data retention) breaches trust between citizens and the state and thus should not be used in a democratic society.
EHRC stated that there should be no indiscriminate blanket retention requirement for communications service providers and that the law should be limited to regulating if, when and how communications data already processed and stored by telecommunications providers can be accessed and used in individual cases. There, we emphasised the need for better oversight and notification.
EHRC also raised the issue that the non-compliant provisions of the law should not be applied until a new regulation is in place that safeguards against human rights violations.