E-Estonia
The transfer of services to virtual space has become an integral part of our daily lives. On the one hand, provision of public services through the online environment allows saving time and, in general, also makes these services more accessible. On the other hand, we are faced with new challenges: issues of privacy, personal data protection and cybersecurity, as well as the issue of reliability of services. The success of digitalisation will depend on how we as a country can solve these problems.
Protection of personal data
Processing of personal data is constantly increasing in both private and public sectors. Biometric data are also increasingly processed by automated means. At the same time, devices for storing and processing personal data are becoming more and more compact and powerful.
Increasingly often, the Chancellor’s opinion is sought on regulating the use of private cameras. This concerns cameras placed both on private premises and in public space, including, for example, stationary cameras set up in the forest by photography enthusiasts. The question is asked how large an area a video camera can capture and who has the right to use the video recording and under what conditions. People want to know how low a drone can be flown on a property owned by another person and how to identify the owner of a drone. A number of questions also seek an answer to whether a private person can bring down a drone that violates their privacy and what is their liability in case of damage to the drone.
The Chancellor has been asked about Land Board detailed aerial photographs. These photos are of such good quality that property visible from them, such as precious agricultural equipment, can also attract malicious interest.
Processing of personal data restricts the fundamental right of informational self-determination. Under § 26 of the Estonian Constitution, everyone has the right to the inviolability of private and family life. The protected sphere of private life includes, among other things, a person’s right to informational self-determination and the right to one’s speech and image. The state may not interfere in anyone’s private or family life except in the cases and in line with the procedure laid down by law. In view of the fundamental right to defence under § 13(1) of the Constitution, it may prove necessary to regulate the processing of personal data when carried out by another private person.
In a memorandum sent to the Ministry of Justice, the Chancellor pointed out that issues important in terms of fundamental rights must be resolved by a law, i.e. it must be done by the Riigikogu. The powers of government agencies should be limited only to less severe restrictions on fundamental rights.
In the memorandum, the Chancellor complimented the Ministry of Justice for plans to amend the Law Enforcement Act and for having begun to regulate more precisely the use of police body cameras. The Chancellor explained which conditions for the use of body cameras need to be specified in the law. She also pointed out that the law must also further elaborate other provisions relating to mobile cameras used by public authorities (including those used in vehicles and on drones). The Chancellor considered that the law should clearly stipulate that, without a person’s own consent, automatically identifying the person through the image of a camera in a public space (by processing biometric data) is not allowed.
In the Chancellor’s opinion, the law must regulate the bases for processing personal data, the composition of data, the time limits for storing personal data processed, the right of a person to receive information about processing of their personal data, and organisation of the data controller and supervision. Processing of personal data must also comply with European Union law, in particular the General Data Protection Regulation.
The Chancellor also drew attention to the need to create a legal framework to protect the image of a person when using a malicious forgery.
In his reply, the Minister of Justice thanked the Chancellor of Justice for drawing attention to important issues and promised to take these views and proposals into account when drafting legislation.
Data leaks
At the end of 2023, Asper Biogene, a genetic testing and research company, became a victim of a cyberattack: the personal and health data of some 10 000 people were stolen, including data from genetic analyses. As far as we know, this was the largest health data leak in Estonia to date. A large-scale personal data leak also occurred during a cyberattack in early 2024, when criminals gained access to the contact details and, in some cases, the purchase history of pharmacy customers.
According to the Chancellor’s assessment, considering the leakage of genetic data from a private company, it is necessary to review who collects sensitive personal data in Estonia and why. Data about patients’ health and analyses may be kept by hospitals and treating physicians. Storage of these data has a clear purpose which must be plainly and clearly stated in the law.
The need for plain and specific norms concerning data processing was also emphasised by the Chancellor of Justice at a public session of the Riigikogu Social Affairs and Constitutional Affairs Committees. The legal framework under which data entrusted to the state are processed must be understandable to every doctor and patient.
E-examinations and applying for scholarships
Organisation of the Estonian language online test examination
In April, an online test examination in Estonian was organised for basic school leavers. During the examination, pupils were given the opportunity to use the combined dictionary of the Estonian Language Institute’s language portal Sõnaveeb as a reference material, but not the dictionary of standard Estonian, Õigekeelsussõnaraamat.
In her letter to the Education and Youth Board, the Chancellor recalled that the basis for standard written language is the latest dictionary of standard Estonian. Written work in the Estonian language as a subject in the syllabus must follow the orthographic rules, and the teacher must evaluate a pupil’s work on the basis of the norms for standard written Estonian.
The Chancellor found that if reference material is to be made available to pupils during the basic school final examination in Estonian, it must be the latest dictionary of standard Estonian, Õigekeelsussõnaraamat (ÕS) or its online version. Reference material at an examination must be unequivocally clear for a pupil.
According to the Ministry of Education and Research, the standing recommendation is to provide pupils access only to the dictionary of standard Estonian during the online examination.
Basic school final examinations
An examination may be undertaken in writing on paper or electronically in the test database, or orally. This is decided by the Minister of Education and Research for each subject for the following academic year by 25 May at the latest. If the minister establishes an electronic form for the written part of the exams in these subjects, then basic school graduates must be able to prepare for the electronic examination.
Basic education must give a pupil the opportunity for self-realisation according to their abilities. Computer literacy has become increasingly essential over time, which must be taken into account by schools when organising studies. The task of the school is to offer all pupils the opportunity to learn how to use a computer well, so that they can also perform learning tasks on a computer. The ability to use a computer is one of the general competences whose acquisition must be supported in order for a pupil to be able, among other things, to make learning more efficient.
The Chancellor of Justice found that although pupils who have completed an informatics curriculum may have better computer skills, in abstract terms this does not give any advantage to an examinee. It is important that all pupils should be able to familiarise themselves with both the structure and form of an examination before the examination itself. The structure and form of an examination must not come as a surprise to a pupil during the examination.
Applying for a speciality scholarship
In the autumn term of the 2023/2024 academic year, students of the University of Tartu were able to apply for the teacher training and support specialist training scholarship from 2 October to 8 October. Although students were already entitled to apply in September, the technical solution for the study information system could not be completed by that time. No other solutions were offered to apply for the scholarship in September.
A student may apply for a scholarship in free form, unless a mandatory form has been prescribed under a law or on the basis of a law. A possible increase in the administrative burden does not justify violation of students’ rights.
In the Chancellor’s opinion, the University of Tartu violated the principle of good administration and the rights of students, as it deprived students of the opportunity to submit scholarship applications on time and provided misleading information about submitting applications on its website.
Internet use in prison
The Chancellor of Justice has repeatedly said that isolating people in prison from technology and the digital world increases the gap between them and society (see the Chancellor’s opinion in a constitutional review case). This, in turn, can jeopardise safety in prison and society. Therefore, the Chancellor is of the opinion that digital disengagement of people in prison must be reduced and efforts must be made to prevent it from occurring.
The provisions of the Imprisonment Act on the use of information and communication technology should serve modern purposes of imprisonment: to enable prisoners to acquire knowledge and skills necessary to cope in society and to facilitate interaction of people in prison with their next of kin.
In 2023, the Ministry of Justice prepared the long-awaited amendments to the Imprisonment Act, which were adopted by the Riigikogu on 6 March and entered into force on 1 April 2024. As a result of the amendments, people in prison will be able to access, for example, their digital file; they can communicate with the prison electronically; they will be given the opportunity to meet their next of kin or also defence counsel via a video link. Inmates in open prisons and inmates on prison leave will be allowed, under certain conditions and to a certain extent, to use mobile phones issued by the prison. People can use the internet more than before, for example, when studying or working.
The functioning of the MinuKataster e-environment
The state is increasingly providing services only through electronic information systems. In this way, services can be provided more efficiently, more quickly and more cheaply. At the same time, this poses new challenges, as e-service information systems and databases may not always be reliable and user-friendly.
In April, the Land Board introduced MinuKataster, a new procedural environment for the land cadastre, through which a landowner can initiate operations affecting land and which is also a necessary tool for land surveyors. Unfortunately, the reliability of the e-environment has left much to be desired.
The Chancellor drew the attention of the Land Board to the fact that in line with the principles of good administration, an electronic service created for dealings with the authorities must function smoothly and reliably. This is especially important if no alternative to using the e-service is offered. Thus, before introducing a new procedural environment, its reliability and ease of use must be tested so as to avoid failures and errors. If a new procedural environment cannot be fully tested beforehand, it is necessary to be prepared to resolve problems quickly and to provide adequate user support. A situation cannot be allowed to arise in which, due to deficiencies in the information system created for procedural purposes, it is entirely impossible to perform the necessary procedural actions for some time. The Chancellor found that deficiencies revealed in provision of the service restrict the fundamental right to property (§ 32 of the Constitution), since failures in the conduct of land operations also prevent land transactions that require changes in the boundaries of an immovable.
Service of administrative acts
The Chancellor of Justice has received a number of petitions about problems with service of national documents. When is a document deemed to have been served on a person? How important is it that the person has actually received the document? What happens if a person asserts that an administrative act or an important document sent to their e-mail has not reached them?
The Chancellor has had to intervene where a person has not received a cautionary fine notice sent by e-mail from the Police and Border Guard Board and the decision on the fine reached the person only at the stage of the bailiff’s enforcement proceedings.
The Chancellor explained that in the event of initiating enforcement proceedings, the bailiff must also check the data concerning service of the notice of fine. This means that if the state makes a mistake in serving the fine notice or if service of the fine notice fails for objective reasons beyond the control of the person (e.g. an electronic error occurs and the e-mail does not reach the addressee) and the person considers that the bailiff has failed to verify the data proving service, the person has the right to challenge the bailiff’s actions.
The Chancellor has also been approached by companies concerned that state authorities send documents to companies electronically, but do not check whether the document was received. The Chancellor considers that, even though a company must ensure that its e-mail address entered in the commercial register is correct and functional, the state, as the sender of the document, must be able, if necessary, to prove that it has indeed sent the document to the company’s e-mail address entered in the commercial register.
Problems related to service of documents and plans to facilitate service were addressed by the Chancellor’s advisers in an article published in the journal Juridica “Kuhu jäävad põhiõigused? Vastamata küsimused kättetoimetamise fiktsiooni laiendamisel” (Where are Fundamental Rights? Unanswered Questions on Extending the Fiction of Service)
In legislation, a noticeable tendency exists to switch to electronic service of documents and to create opportunities to consider a document as having been served on a person simply by sending it. In essence, this means that the state no longer has an obligation to ensure that a person can examine the document, but the person themselves must carefully monitor whether the state has sent them an important message or document.
However, the state should take into account that not all people have equally good access to technical means and the internet, and people have different understandings of technical glitches and cybersecurity. Before making such legislative amendments, the Riigikogu must analyse how people’s fundamental rights are affected if a document is deemed to have been served, but the person has still not been able to examine the document due to circumstances beyond their control.
Impelled by this, the Chancellor also drew attention to problems of the Land Tax Act and the Act amending the Taxation Act (see the opinion in constitutional review court case No 524-1).
The Draft Act (297 UA) amending the Land Tax Act and the Taxation Act laid down that if a legal person using the e-services environment of the Tax and Customs Board has not opened a document stored there, the document sent to the person is deemed to have been served five working days after the notification was sent, unless earlier receipt of the document has been proven. The amendment laid down a similar requirement for a document sent to an e-mail address.
Such a legislative amendment would also have essentially imposed a due diligence obligation on non-profit associations and foundations to monitor their emails over at least five working days. This means that an entrepreneur should enter the e-services environment of the Tax and Customs Board at least every five working days in order to avoid overlooking an e-mail. An administrative act can be challenged within 30 days of its receipt (§ 46(1) of the Code of Administrative Procedure).
Unfortunately, it is not clear from these amendments for what purpose the rules applicable to non-profit associations and foundations will be changed. No analysis has been carried out as to how such changes will affect the sector as a whole. The draft has been prepared based on an unverified assumption that non-profit associations and foundations will be able to meet the new requirement and are ready to do so.
In its judgment of 18 April 2024 (No 5-24-1), the Supreme Court declared the Act amending the Land Tax Act and the Taxation Act adopted on 18 December 2023 unconstitutional. The court noted, among other things, that the Riigikogu should also assess the substantive constitutionality of norms when re-considering the law, and in doing so also take into account the arguments put forth by the Chancellor of Justice in order to find a balance between the public interest and protection of the fundamental rights of individuals.
In general, it is conspicuous that the state has been inconsistent in changing the rules for service of documents. On the one hand, it wants to lay down a possibility that a document is deemed to have been served after being sent to an e-mail, while on the other hand, the Ministry of Justice wants to expand the possibilities for using the service portal (https://kattetoimetamisportaal.rik.ee/eng/). The portal is currently used to serve documents sent by the prosecutor’s office, courts and authorities conducting misdemeanour proceedings. At the same time, both private individuals and attorneys have complained to the Chancellor about technical problems in using the portal.
It should be analysed whether the further expansion of the portal and the draft laws regarding delivery are in alignment with each other.
Information systems created by the state must work seamlessly. This requirement also applies to the service portal. Otherwise, this will hinder the work of attorneys and limit the ability of people to defend their rights.
E- and m-elections
At the initiative of the Ministry of Justice, the Riigikogu supplemented the electoral laws by introducing into them norms laying down the technical organisation of e-voting, which were previously set out in the procedures and instructions approved by the National Electoral Committee. By doing so, a legal solution was found to the observation made by the Supreme Court in 2019 that the rules for determining the results of electronic voting must be laid down more clearly in legislative acts.
When dealing with election complaints after the 2023 Riigikogu elections, the Supreme Court stated that the task of the Riigikogu is “to stipulate in the electoral laws a sufficiently tight regulation regarding all important issues related to elections, in order to ensure the control of the legislator and the public trust in the elections by means of organisational, procedural and substantive legal requirements”.
These amendments also created a legal basis for the situation that, starting from the 2025 municipal council elections, it will also be possible to use Smart-ID as a means of identification (in addition to ID-cards and mobile-ID) in e-voting.
The third fundamental amendment concerns m-voting, i.e. the possibility to also e-vote with mobile devices, which are usually mobile phones and tablets. To this end, a provision was added to the Riigikogu Election Act, providing an opportunity to create a voter application for the most common mobile operating systems in the future. Their use is decided by the National Electoral Committee prior to elections.
The National Electoral Committee, which was involved in preparing the Draft Act, drew the attention of the Riigikogu to several security risks involved in voting with a mobile or smart device. The main risk concerns compilation and publication of the mobile voter application. While the entire process of regular e-voting is under the control of the state – the voter application is compiled by the State Electoral Office and the application can be downloaded from the state-managed web environment valimised.ee – then in the case of m-voting these operations are performed in online stores of mobile operating system operators (Google Play, Apple Store).
The Electoral Committee concluded the following: “It must be taken into account that it is possible for different parties to upload alternative or malicious voter applications to app stores. In the case of such voter applications, the electoral service cannot guarantee their correct operation, and the removal of these applications requires a quick response from the app store manager. […] Penal norms cannot prevent malicious voter applications from being uploaded if they are uploaded outside Estonia. It is possible that some of these applications will only be made available outside Estonia, which allows influencing the correctness and receipt of electronic votes cast abroad, but makes it difficult for competent state authorities to quickly detect violations.”