In Estonia, the breakthrough in public awareness about digital rights and privacy came in February 2012 with the anti-ACTA demonstrations. The Snowden revelations in 2013 confirmed the importance of these issues; from then on data retention and the EU data protection reforms have enjoyed relatively wide media coverage. The Estonian president Toomas Hendrik Ilves and the EU Vice President for the Digital Single Market Andrus Ansip are well-known spokesmen for the information society at both the national and international levels, and Estonia is perceived in Europe as a pioneer in e-governance and software development.
Andrus Ansip, EU Vice President for the Digital Single Market. Photo: European Parliament. Source: Flickr
Because the Estonian economy and its image abroad rely heavily on digital entrepreneurship, the perceived trade-off between the right to privacy and the freedom of business is an extremely live issue. Internet activists support a liberal digital environment which includes net neutrality, minimal state interference and free expression, which also implies that service providers are in general not liable for user-created content. Here, they differ from civil rights campaigners, who focus on the protection of individuals and are therefore in favour of more stringent regulations on service providers. The way these two groups reconcile the right to privacy with freedom of expression and freedom to conduct business therefore differs.
The private sector, the public authorities and internet activists approach reforms that might hamper the development of the telecom sector, including the European data protection reforms, with great caution. While admitting the need for harmonized regulation, the Estonian Data Protection Inspectorate, the government and the NGO Estonian Internet Community see the reforms as burdening businesses and service providers to a disproportionate extent. On the other side of the spectrum are the civil rights activists, who consider the additional bureaucracy and obligations such as mandatory privacy impact assessments a small price to pay for stronger privacy safeguards.
From the standpoint of digital rights, the new Data Protection Regulation contains measures that restrict the blogosphere, free media and the information society. For example, while containing exemptions to data processing for “solely journalistic purposes”, it allows interpretation of whether or not content published on Wikipedia and blogs falls under the scope of journalism. It also stipulates that personal data should not be shared publicly by default, disregarding the fact that data sharing is the essence of social media sites. The third criticism of the regulation expressed by the Estonian Data Protection Inspectorate and digital rights advocates is its inclusion of a “right to be forgotten”, which conflicts with freedom of information and places an unnecessary burden on business. The civil rights activists view the right to be forgotten more favourably, especially after the ECJ judgment in Google vs Spain.
The response to the NSA affair in Estonia has been varied. NGOs such as the Estonian Human Rights Centre and the Estonian Internet Community have been strongly critical, calling for a parliamentary investigation into whether the data of Estonian citizens have been affected by the mass surveillance programmes. However, no preliminary investigation or court proceedings have been initiated to date. Participation in foreign intelligence cooperation programmes is considered a state secret according to the State Secrets Act, and the strategy of the public authorities has been to “neither confirm, nor deny”. However, the overall position of the state authorities is to claim that no illegal surveillance has been detected. One high-ranking government intelligence official stated that: “I can confirm that Estonia does not participate in any cooperation programme in a manner that is illegal, contradictory to our legal system or directly threatens the rights of law-obedient citizens.” These statements have not convinced the digital rights community, which hit back by launching a series of cryptography workshops in order to equip the average user with the tools to protect online privacy.
Another case where the interests of civil society and the private sector are incompatible with those of the state is mandatory data retention. Despite the ECJ ruling of 8 April 2014, the Data Retention Directive is still in force in Estonia. This judgment, although of major importance both to the telecom sector and to individuals, received only modest media coverage, possibly because of its technical nature. In 2014, the Chancellor of Justice announced a constitutional review of the national implementation of the Data Retention Directive; however, since then there have been no further developments. Despite talk at the EU level of greater data retention powers following the Charlie Hebdo attacks, the response in Estonia focused entirely on the problems of multiculturalism and immigration, with no discussion of matters of intelligence or criminal investigation.
In September 2014, Wikileaks revealed that Estonia had bought licences for the spyware programme FinFisher for more than one million euros. FinFisher enables computers to be monitored in real time, can access the contents of files and intercept Skype conversations. The public reaction was reminiscent of the response to the NSA scandal. The Parliamentary Special Committee stated that the government had no information about unlawful surveillance. Its chairman commented that intelligence activities were subject to state secrecy and that “neither law nor best practice allows state secrets to be sifted through simply out of curiosity”, without specifying what would constitute sufficient grounds for investigating the activities of the intelligence services.
Despite the drawbacks and scandals, digital optimism still prevails in Estonia. On average, Estonians have great trust in both public and private data controllers. The fact that 24.3 per cent of voters in the 2011 parliamentary elections voted electronically and that 89 per cent of Estonians use e-banking regularly proves that convenience, novelty and speed tend to outweigh concerns about privacy.