Protection of privacy

Section 26 of the Constitution protects the right to the inviolability of private and family life, an inseparable part of which is the right to protection of personal data. The state may interfere with a person’s private life, including by processing their personal data, only in cases laid down by legislation. Any interference must be justified and it must be limited to what is strictly necessary. The stronger the state’s interference with a person’s private life, the more compelling the arguments justifying it must be.

In addition to the Constitution, processing of personal data is regulated by the European Union General Data Protection Regulation. Its principles are further developed by the Estonian Data Protection Act which entered into force in January 2019.

The Chancellor receives many petitions concerning processing of personal data. During the reporting year, many petitions were concerned with the coronavirus. People complained that their personal data had been processed under the pretext of combating the virus. Unfortunately, people’s health data had often been disclosed. As a rule, no justification can exist for this.

Restrictions related to the corona pandemic

The Chancellor was contacted by a kindergarten teacher who had become infected with the coronavirus and had also notified the management of the kindergarten about their positive test result. The director decided that the children in the group of the infected teacher should be sent home. At the same time, the director informed the parents of the infected teacher’s name. This, in turn, caused irritation among the parents although the teacher had acted responsibly.

In the Chancellor’s opinion, nothing justifies disclosing the personal data of infected people. Fear of the virus is understandable but stigmatising the infected does not help to beat the virus. Such stigmatising disclosure may encourage people to hide their disease. Disclosure of sensitive health data is unequivocally prohibited. In this case, there was also no reason for disclosing that the kindergarten employee was infected.

The Chancellor received a petition from a visitor to a sports club who was dissatisfied that the sports club wanted to measure their body temperature and register their name for each visit. The client of the sports club interpreted this as inadmissible processing of personal data. The club justified the measures with the extensive spread of the coronavirus.

The Chancellor is not entitled to intervene in the activities of private establishments. If someone believes that a sports club or other private establishment (a shop, hospital, etc.) has unlawfully processed their data, they must notify the Data Protection Inspectorate about this. Under § 56(1) of the Personal Data Protection Act, the duty of monitoring compliance with the requirements for processing personal data lies with the Data Protection Inspectorate.

The Chancellor also had to reply to the question whether the Republic of Latvia may ask people arriving in Latvia about their health data for the purpose of combating the coronavirus. The Chancellor is not competent to supervise the activities of the authorities of another country. Therefore, the Chancellor recommended that the person should bring their complaint to the Latvian ombudsman who supervises how the principle of good administration is complied with and whether the activities of the Republic of Latvia − including collection of personal data at the border − are lawful.

Issues which the Chancellor is not competent to resolve

The Chancellor is often asked for advice when the media have published information about a person’s private life. For instance, information about a past offence which is no longer relevant, or an unjustified value judgement or a false claim may be annoying.

The media may disclose someone’s personal data without their consent if three criteria are fulfilled simultaneously: public interest exists for disclosure of the data of the particular person, principles of journalism ethics are observed in disclosure, and disclosure of personal data does not cause excessive damage to the rights of the person. Such public coverage must concern an important public issue, not merely serve the aim of satisfying people’s curiosity or serve the business interests of a media publication.

Supervision over private media publications is not within the Chancellor’s competence. To such petitioners, the Chancellor can explain alternative ways to protect their rights.

Media related disputes with civil law substance should be resolved by agreement between the parties. If no agreement is reached, the dispute may be resolved by a county court. Under § 15 of the Constitution, everyone has the right of recourse to the court. It is appropriate also to use this right when someone believes that their honour or good name has been damaged. In this regard, it is not important whether inappropriate or false judgments or data have been disclosed by a private individual (e.g. in an anonymous comment) or by the press. Protecting one’s rights helps to remind society that even when making statements online one must respect others and bear responsibility for one’s words.

Someone who believes that a media publication has violated the requirements of journalism ethics may apply to the Press Council. This media self-regulation body also provides an opportunity to find extra-judicial solutions to disagreements with the media.

At the state level, compliance with the requirements of the Personal Data Protection Act is monitored by the Data Protection Inspectorate. If someone feels that their rights have been violated in processing personal data, the Chancellor recommends that they send a complaint to the Data Protection Inspectorate. Summaries of proceedings and observations on processing personal data are available in the yearbook of the Data Protection Inspectorate.

The Chancellor has also been contacted concerning a wish to remove data available in search engines, for instance where court decisions on a person are freely accessible via a search engine and the person disclosing the data (a legal person in private law) cannot be contacted.

The Chancellor is not competent to supervise the activities of legal persons in private law. However, a web portal, for example, must have a legal basis if it wishes to process disclosed personal data. Prior disclosure of data (e.g. a court decision accessible through the Riigi Teataja gazette) does not automatically entitle someone to arbitrarily re-disclose the data. Unlimited disclosure of personal data is not allowed.

If a web portal unlawfully processes personal data, a justified application about this should also be submitted to the Data Protection Inspectorate.

If a search engine displays links to websites which include data about a person (e.g. a court decision containing personal data), the person should contact the search engine directly and seek removal of the link containing personal data from the list of search results. The removed link does not affect the content of the web portal but only the list of search results that are displayed. The Chancellor also cannot intervene in resolving such a request.

Often information about someone is disclosed by so-called information portals whose activities are supervised by the Data Protection Inspectorate. During the reporting year, the Inspectorate sent a legal analysis and proposals to economic information portals to ensure that they operate in compliance with the requirements laid down by the General Data Protection Regulation.

Disclosure and use of data

The Chancellor’s assistance was sought by a person who felt annoyed because they had received an invitation to a cancer screening study from the National Institute for Health Development. According to the petitioner, that invitation caused them stress since previously they had had to undergo a complicated operation.

In carrying out screening, the National Institute for Health Development proceeds from the law and the statute of the cancer screening registry. The cancer screening registry collects data from other databases through the data exchange layer of state information systems. Queries by the Institute as the controller of the screening registry are mass queries which are sent to everyone in the target group on the basis of their personal identification code and the screening code.

Excluded from the cancer screening target group are people who, for example, have been diagnosed with a malignant tumour in the previous 60 months (more precise reasons are set out in § 7(2) clauses 1−3 of the statute of the cancer screening registry). All the reasons for exclusion from the target group are medical, so that the Chancellor cannot assess them.

The overall aim of screening is prevention and early detection of tumours. Screening contributes to timely start of treatment and saving lives. Health is a person’s most precious asset and the Chancellor recommends that all those invited should participate in the screening. In this specific case, the Institute took the person’s wish into account and no repeat invitation was sent to them.

Under § 34(1) of the Chancellor of Justice Act, the Chancellor may also check compliance with the principle of guarantee of fundamental rights and freedoms and the principle of good administration on her own initiative.

The Chancellor’s attention was caught by the fact that the data of people wishing to move into a municipal apartment in Raadiku were public on the websites of the city district administrations. The data had been disclosed on the websites of Pirita, Lasnamäe (including an Excel table with 400 young families), Kristiine and Haabersti city districts. Disclosure is regulated by the Tallinn City Government regulation. Provisions in the annexes to the regulation are outdated and misleading in terms of the data protection law currently in force.

According to the Chancellor’s assessment, no substantive reason existed for disclosing those data. After the Chancellor’s intervention, the lists were removed from the website. Currently, apartment applicants receive information about their application from the relevant city district administration. However, the city government regulation along with its annexes, which caused the unlawful situation, has still not been updated.

The Chancellor has also drawn attention to problems related to disclosure of personal data of sole proprietors in the commercial register and register of economic activities. The commercial register and register of economic activities do not require that a sole proprietor should note their home address as the undertaking’s address, but some undertakings might not have a reasonable alternative.

If a sole proprietor enters their residence data in the register, the data become publicly available and may be linked to a specific person. On the basis of an undertaking’s registered address, with a relatively high probability a conclusion can be drawn as to the sole proprietor’s residence (e.g. an apartment or private house). Some undertakings may be annoyed by this. In a similar situation are private limited companies with a single shareholder and non-profit associations with a single member of the board who do not need an office or business premises for their operation.

Disclosure of personal data in registries is dealt with by the Ministry of Justice in the course of a review that it commissioned. Unfortunately, the deadline for review has been repeatedly postponed and it is not clear whether the review will resolve this problem.

Surveillance

The Chancellor monitors whether security and law enforcement agencies carry out covert processing of personal data lawfully.

In 2021, the Chancellor mostly checked surveillance agencies which, under the norms and rules of the Code of Criminal Procedure, organise interception of phone calls and conversations, surveillance of correspondence, and otherwise covertly collect, process and use personal data.

With the help of supervision, it is possible to ensure that covert measures are taken with justification, i.e. in conformity with legislation and the aim sought, at the same time respecting people’s fundamental rights. Even when the actions of the relevant agencies are formally lawful, the Chancellor ensures that people’s fundamental rights are reckoned with to the maximum possible extent. This helps to alleviate uncertainty and fear of unjustified surveillance. Regular, effective and independent follow-up supervision of surveillance is an important guarantee of people’s rights.

In 2020−2021, the Chancellor’s advisers checked how the Police and Border Guard Board and the Tax and Customs Board respected the fundamental rights of individuals when carrying out surveillance. Inspection visits were carried out to the Internal Control Bureau of the Police and Border Guard Board, the criminal bureau of the East Prefecture, the criminal bureau of the West Prefecture, the criminal bureau of the South Prefecture, the criminal bureau of the North Prefecture, the Central Criminal Police, and the investigation department of the Tax and Customs Board.

In addition to the Code of Criminal Procedure, carrying out certain surveillance measures is also regulated by several special laws. Under § 126²(10) of the Code of Criminal Procedure, surveillance measures may also be carried out on bases not laid down in the Code of Criminal Procedure, including in cases listed in § 33² of the Imprisonment Act, § 81² of the Taxation Act, § 10 of the Customs Act, §§ 7⁵⁰ and 7⁵² of the Police and Border Guard Act, § 35² of the Weapons Act, § 18¹ of the Witness Protection Act, and § 46¹ of the Security Act. The Chancellor’s adviser checked how often surveillance measures had been carried out under these bases since 2013.

Detailed summaries of inspection visits to security and surveillance agencies are not public since they contain information classified as state secrets or for internal use only. The addressees of the summaries are supervised agencies as well as public authorities (Security Authorities Surveillance Select Committee of the Riigikogu, the court, the prosecutor’s office) which are also responsible for the legality of activities of security agencies.

Control of surveillance files

During the inspection visits, the Chancellor’s advisers examined surveillance files of the Police and Border Guard Board and the Tax and Customs Board where active proceedings had ended by the time of inspection. A total of 135 surveillance files were inspected.

The Chancellor’s advisers assessed the guarantee of fundamental rights and interests of those persons who became objects of covert data collection (i.e. a surveillance measure) in the course of criminal proceedings either as suspects or as ‘third parties’ (including by chance). The inspection focused primarily on whether, in each specific case, conducting the surveillance measure while collecting information about a criminal offence had been lawful (including unavoidable and necessary), and how the surveillance agencies complied with requirements to notify people about a surveillance measure.

In order to ensure better protection of fundamental rights, the Chancellor made several proposals to the surveillance agencies and the prosecutor’s office primarily about notifying people and the reasoning for surveillance authorisations.

Surveillance authorisations

A surveillance measure is lawful only if statutory requirements were complied with when applying for a surveillance authorisation and carrying out the surveillance measure. A surveillance authorisation can be granted by the court or the prosecutor’s office and the authorisation must always include substantive reasons. That is, an authorisation for each surveillance measure must be linked to the circumstances of specific criminal proceedings and fact-based reasoning as to why, in the specific criminal case, collecting evidence without significant difficulty or in a timely manner would be impossible without surveillance.

A surveillance authorisation which is not properly reasoned leads to inadmissibility of evidence collected through surveillance, i.e. the court will not take that evidence into account.

The inspections revealed that, as a rule, surveillance authorisations were reasoned and surveillance was necessary to verify suspicion of a criminal offence. Unfortunately, examination of some surveillance files still raised doubts as to whether the information available at that moment (i.e. reasonable suspicion of a criminal offence) was indeed sufficient to warrant collecting evidentiary information through surveillance and thus restrict people’s fundamental rights.

Reasoning for surveillance authorisations is improving

Special mention should be made of those authorisations containing reasons for the necessity of a surveillance measure, the principle of ultima ratio, i.e. a measure of last resort, as well as the effect of measures on the subject of surveillance and third parties linked to them.

Preliminary investigation judges generally ‒ with very few exceptions ‒ observe the opinion repeatedly expressed in case-law in recent years that reasoning contained in a court order authorising surveillance must also include clear and understandable arguments by the court with regard to the necessity for surveillance.

Unfortunately, some surveillance authorisations issued by the prosecutor’s office had not been reasoned in line with the above requirements. Since a surveillance authorisation which is not properly reasoned leads to inadmissibility of evidence collected through the relevant surveillance measure, surveillance on the basis of such an authorisation essentially amounts to an unnecessary waste of resources which also unlawfully interferes with people’s fundamental rights.

Carrying out surveillance

In previous years, the Chancellor’s advisers did not find any surveillance measures that had been carried out without authorisation by a preliminary investigation judge or a prosecutor and without compliance with the conditions set out in the authorisation.

However, during this reporting year the Chancellor’s advisers found that, in one surveillance file, telephone conversations had been intercepted of (a) person(s) in respect of whom no surveillance authorisation had been granted. The Internal Control Bureau of the Police and Border Guard Board was notified about the finding, and criminal proceedings have been initiated to ascertain the facts of the incident.

In the surveillance files inspected, surveillance had generally been carried out in line with the purpose. However, inspection of some surveillance files raised doubts as to whether preparatory actions by the surveillance agency and the prosecutor’s office had always been carefully considered, so as to warrant opening a surveillance file to collect evidentiary information through surveillance and thereby restrict people’s fundamental rights.

With a view to protecting fundamental rights, the Chancellor deems it highly important that substantive summaries be added to surveillance files. This helps both the person inspecting the file as well as the person conducting the proceedings to subsequently assess whether a surveillance measure was indeed fit for the purpose and justified. A substantive summary also provides a better overview of the circumstances of restricting fundamental rights.

Largely thanks to the Chancellor’s recommendations, this good practice is also increasingly prevalent in the majority of surveillance agencies. Nevertheless, not all surveillance files contain a substantive summary.

Notifying a surveillance measure

Under the Code of Criminal Procedure, a surveillance measure is notified to the persons with respect to whom the surveillance measure was carried out, as well as other persons identified during the proceedings whose right to inviolability of private or family life was significantly interfered with by the measure. This constitutes an important guarantee of a person’s rights. Notification may be postponed or waived only with the permission of a prosecutor or the court, and only where a specific basis laid down by law exists.

Surveillance measures should remain hidden from a person whose inviolability of family or private life was interfered with only as long as and to the extent necessary and compatible with the law. Timely notification protects people’s fundamental rights and also ensures the right for suspects and the accused to contest the lawfulness of surveillance measures.

A surveillance agency must fulfil the duty of notification immediately upon expiry of the term of authorisation for a surveillance measure. The term “immediately” is an undefined legal concept and its temporal meaning may depend on any circumstances related to carrying out surveillance.

In some cases, if a person is notified only several months after expiry of the surveillance authorisation, this may also be considered immediate notification. In that case, usually the number of people whose rights were interfered with is very large, large amounts of data were collected, or the measures take time. What is important is that a person’s notification is not delayed without justified and substantive need.

Notifying people about surveillance has consistently improved, yet some unjustified delays occasionally occur. In a summary of an inspection visit, the Chancellor persistently draws attention to such cases.

Regrettably, on the basis of one surveillance file, a situation was revealed where a person had not been notified about surveillance nor was there a decision justifying this.

The Chancellor has repeatedly noted that, both in documenting surveillance measures and notifying people, a clear distinction should be drawn between people in respect of whom surveillance was carried out and people whose rights were significantly interfered with by that activity. Such a clear distinction provides a good overview for the body in charge of a surveillance file and for controllers, but even more significantly it clarifies the matter for the addressee of notification. In other words, a person receiving notification should understand without additional explanation whether they were the subject of surveillance or whether for some reason they were simply caught in the sphere of interest of surveillance agents in connection with someone else’s activity.

It cannot be considered justified to identify and notify people whose inviolability of family or private life was not significantly restricted in the course of surveillance. This should only be done in the case of clear and justified need since identifying such a person (for example by collecting additional data on them from an information system or database) in turn interferes with their fundamental rights.

Surveillance on other lawful grounds

Under § 126²(10) of the Code of Criminal Procedure, surveillance measures may also be carried out on bases not laid down in the Code of Criminal Procedure, including in cases listed in § 33² of the Imprisonment Act, § 81² of the Taxation Act, § 10 of the Customs Act, §§ 7⁵⁰ and 7⁵² of the Police and Border Guard Act, § 35² of the Weapons Act, § 18¹ of the Witness Protection Act, and § 46¹ of the Security Act. The Chancellor’s adviser checked how often such surveillance measures had been carried out (since 2013).

The majority of cases (except surveillance carried out under the Witness Protection Act) involve situations where surveillance proceedings were carried out with a person’s prior written consent for the purpose of checking their credibility. Admissible surveillance measures usually include covert surveillance of a person; under the Witness Protection Act covert examination of postal items and covert audio and video interception are also possible.

Information received from the relevant agencies demonstrates that collection of data for this purpose through surveillance tends to be rare, and under some special laws no collection of data through surveillance has occurred at all in the period 2013−2021. The majority of surveillance measures have been carried out under the Witness Protection Act.

Cooperation with the Security Authorities Surveillance Select Committee of the Riigikogu

During the Chancellor’s regular meetings with the Security Authorities Surveillance Select Committee of the Riigikogu, members of the Riigikogu receive a direct overview of the results of inspection visits and other problems found in the course of supervision (including in resolving petitions). In turn, members of the Committee can make observations on issues of surveillance.