Chancellor of Justice Ülle Madise opening address at the conference “Preventive State and the Constitution” AML / FinCrime & Tech Conference 2025

01.10.2025

October 1, 2025, Swissotel Tallinn

Distinguished audience,

Let me start briefly by saying what I hope to convince you of in 15 minutes. I fear that some of you may get angry, close your ears and remark that yet another lawyer is spoiling all that is good. Others, hopefully, will be willing to join me on a short intellectual journey. What is certain is that the monopoly on truth is not mine to hold.

The point of my keynote is this: in my opinion, the GDPR and the EU AI Act, designed to protect human dignity and free society, are not on the wrong track when they prohibit doing the following lightly:

  1. Collecting and storing people’s data longer than strictly necessary
  2. Consolidating data from separate databases into one personalized data warehouse
  3. Creating possibilities for predictive AI-based analysis in high-risk areas and using AI in that manner.

Data collection and use, especially mass processing, are allowed only as an exception that requires justification, only for truly good and reasonable purposes, where benefits outweigh risks and harm. Risks can be reduced by using the best privacy technologies. These already exist.

It is clear that data must and should be used for investigating crimes. As long as the above principles apply, there is hope that political fundamental freedoms, such as departing from the party and government line, will not be defined as crimes. Those with the experience of occupation know what this means.

It is also clear that money laundering must be fought. Tax obligations must be enforced. Unfair competition must be prevented. But: I have heard a sweet-sounding idea – give all data about a person to the state, and taxes can be automatically calculated and deducted straight from bank accounts. Convenient and good! No more tax avoidance! And in general: your declared business rent is too high – you can get a cheaper office somewhere else! Why buy industrial equipment from Finland or Germany when a Chinese product is cheaper?

I have also heard that if only we could process all data, public health problems would be solved.

Everyone should prove and justify their healthy lifestyle choices and their entrepreneurial decisions to the state!

I hope to convince you that taking all people under control and imposing harsh order will not bring eternal happiness or a pain-free life. History teaches us that totalitarian governance ultimately hurts and stifles innovation, while personal defiance simmers beneath the surface.

Running human society is not as simple as issuing strict orders, punishments, and omnipresent coercion.

Human psychology is more complex. Living in a panopticon breaks most people down. People need a sense of belonging, but also the right to make their own choices, autonomy. When an authoritarian power fails to understand this, falsehood and violence come into play.

From Estonia’s own history we know how freedom of speech was restricted to avoid social unrest and to silence criticism of the government. And where that led. The best decisions and greatest public benefit are born when political freedoms are guaranteed and no one holds absolute power.

Currently, Estonia has not adopted a “preventive state,” where state surveillance and mass data processing ensure that no risk or violation could even occur.

Indeed, both the public and private sectors hold enormous amounts of data. You have surely heard the complaint that this data is not being widely used. That criticism is partly justified: with privacy technologies and more attention to the essence of risks, we could do more. But not everything needs to or should be done.

The state has, through coercion, collected data on all people into its databases – biometric data necessary for facial recognition, fingerprints, and much, much more: family, property, education, work, health, etc.

Let us not be lulled into believing that the private sector knows all this too. It does not.

Even banks do not know. Though banks know a lot, and precisely for that reason, banking secrecy must be carefully protected. And, generally, there is no coercion in the private sector. At least as long as competition works, one can choose a shop that does not identify you at the door by face, does not know your purchase history, and cannot automatically withdraw money from your account.

The fact that people have thoughtlessly sold themselves to tech giants must not be taken as justification for the state to claim the right to surveil everyone by force.

I agree with the Chairman of the Financial Supervision Authority, Kilvar Kessler, who says: “The entire financial market operates on trust. If that trust is undermined, people will start asking: why should I keep my money in an Estonian bank?”

And I would add: if people cannot or dare not trust banks anymore, then we will be enforcing the slogan seen at a foreign demonstration: “Cash is printed freedom.” Surely we do not want to return there.

I believe that the principle of decentralized databases, which we have followed so far in Estonia, is extraordinarily important for protecting a free society and everyone’s fundamental rights. And also the distinction between investigating crimes or violations, and mere analysis or prevention.

The latter two may not be so important as to justify limiting privacy – for example, banking secrecy or trade secrets. Banks already have extensive obligations to prevent money laundering, and from complaints that reach our office, it is clear that these obligations are being diligently carried out.

Distinguished audience,

it may already be the case that the state has collected more data by coercion than it truly needs, and institutions may be retaining more data than the law clearly permits. Sometimes data in registers is even made public, becoming accessible to the entire world. Leaks, thefts, and accidents have already occurred. Estonia has understood the importance of cybersecurity early on – thanks in large part to President Toomas Hendrik Ilves – and has explained it globally. Thanks to all who take cybersecurity seriously and demand the same from others.

Fortunately, overall trust persists. And that must be preserved like the apple of our eye. The e-state is a great value. Data and technological tools must be used, but in a way where benefits and harms are weighed honestly, and trust is preserved.

Yet: the pressure to apply mass data processing is growing. It is exciting! Think of what could be discovered – behavior patterns, correlations! Helpful for shaping policy, it is said. We could prevent crimes, it is claimed. How convenient it would be to ensure tax compliance!

For mass data processing, data from decentralized databases would be consolidated into a single data warehouse and analyzed as a whole, often with the possibility of identifying the individuals involved.

The extreme form of such mass processing – prohibited under the EU AI Act – would be making preventive decisions based on all aspects of a person’s life, including banking transactions, location data, and body language captured by cameras. Figuratively speaking: imprisoning a person before they even begin preparing a crime.

From China we can already learn what can be done under the banner of “total security and order” with the people’s alleged enthusiastic consent, using technology. Yes, when all aspects of life are visible to the state, much good can potentially be done. But human nature does not guarantee that this good will actually be done.

Power struggles and wars will never disappear – or more precisely, they may disappear only when the last human disappears, as Ambassador and war historian Margus Laidre has explained in his brilliant essays and recent “Night University” lecture. Humans tend to fight and wage war, despite the destruction and tragedy it brings.

There will always be someone who wants absolute power and never intends to give it up. And part of the people – perhaps even a vocal majority, fueled by mass hysteria – will support them. They will want others to be forced to live as they see fit, stripped of freedom and responsibility. But when the iron hand is already around their throat, it is too late.

The claim that “an honest person has nothing to fear” is true – but only as long as a democratic state governed by the rule of law protects everyone’s freedom and responsibility, when restricting fundamental rights (including data collection and use) remains the exception, not the rule, and when legality checks are guaranteed. Again: human nature and society have not radically changed; universal goodness or sharp reason does not govern the world. We must always consider that our data is not handled solely by noble and ideal people, and that data can always be misused. Therefore, safeguards must always be built in.

I fear that an infallible, selfless enlightened monarch does not exist. Power tends to corrupt.

Restricting human freedom of choice or any fundamental right – including surveillance, photographing people everywhere, or accessing their banking secrets – requires clear and limited authorization by the Riigikogu, i.e., a law.

The law must clearly state what data may be collected, where, how, and for how long it is stored; who may use the data and for what purpose; and what internal and external control mechanisms apply.

Money may only be spent on acquiring and developing surveillance technologies after the Riigikogu has passed a law authorizing such restrictions of fundamental rights, the President has promulgated it, and, if necessary, constitutional review has been passed.

Right now, however, the opposite seems to be happening. We have noticed attempts to virtually blackmail the Riigikogu into passing laws: expensive data warehouses, information systems, and cameras are already in use, millions have been spent – how can it now be forbidden?!

We must constantly seek the best balance between security and the general interest on one hand, and human freedom and privacy on the other. Where good can be achieved, and where good purposes outweigh risks and costs, innovative solutions must be used. Rights and technical means must indeed be given to state authorities to catch criminals and fraudsters.

But we must always keep the Constitution and human psychology in mind.

Thank you!