Estonia may limit data retention obligation to specific areas, groups

A September circuit court ruling reaffirmed that the indiscriminate retention of everyone's data is impermissible. Even so, state authorities assert that telecommunications metadata is vital, and so Estonia is now weighing limiting data retention obligations.
Markko Künnapu, a criminal law adviser at the Ministry of Justice, noted that the Court of Justice of the European Union (CJEU) has proposed two possible solutions.
"Either the data is retained based on categories of individuals, or by geographical areas," he said. According to the adviser, neither of these options is very good.
"It's very difficult to ensure that data is retained precisely within a territory, and not beyond some sort of administrative border," he explained.
Chief State Prosecutor Taavi Pern said that choosing high-crime areas may sound tempting at first. However, he cited as an example a scenario where companies would only be obligated to retain data captured by specific cell towers in Central Tallinn.
"We may have weather conditions or technical circumstances that could result in some other cell tower altogether covering the Tallinn area," he explained. "And then we're faced with the problem again of how to delimit the data that was actually generated in Central Tallinn."
He added that at some point there may be debate in the European court over what level of crime would justify the retention of communications data.
"For example, in sparsely populated Southern and Eastern Estonia, there is the risk of cross-border crimes," Pern noted. "These may not happen every day or even every week, but they can be among the most serious."
Künnapu said that there are also concerns regarding retaining the communications data of only selected individuals.
"On one hand, discrimination," he acknowledged. "On the other hand, how would a telecommunications company even know whose data should or should not be retained?"
Pern said that in principle it would be possible to choose repeat offenders.
"But we're a country where criminals from other countries come as well," he admitted. "And it's undeniable that if a criminal from another country arrives here, there's no chance their profile has been recorded in Estonia."
Thus, the database would not retain the communications data of car thieves from Lithuania or criminals crossing the eastern border into Estonia.
Data retention for criminal proceedings may be ended
Despite all the complexities, the Justice Ministry adviser says that it's understood that the general obligation to retain communications data cannot continue.
"One option is indeed to completely eliminate the general and uniform obligation to retain data for criminal proceedings," Künnapu said. "Going forward, it really would be limited to the data that telecoms retain on their own initiative for commercial purposes."
In that case, he noted, it will need to be taken into account that the data available in investigative bodies' toolkits will be reduced. If the Prosecutor's Office's description of current practices is to be believed, however, this change shouldn't have a major impact.
Pern confirmed that since a Supreme Court ruling came into force in the summer of 2021, the Prosecutor's Office has only requested data that telecoms retain anyway. And thus far, the telecoms have responded to all Prosecutor's Office requests.
Only director's approval needed
At the same time, Künnapu emphasized that on top of criminal proceedings, communications data is also used to ensure national security.
The Security Authorities Act gives Estonia's authorities quite a lot of leeway in this regard. Info regarding who called or sent a message to whom, as well as where a phone was located, can be requested by an Estonian Internal Security Service (ISS) or Estonian Foreign Intelligence Service (EFIS) official with the approval of their respective agency's director.
When national security is at stake, a director's approval is sufficient to conduct covert surveillance or the covert examination of an item. While individuals must later be informed of such activities, the security authority does not have to disclose the viewing of communications data.
CJEU forbids mass data collection even for security reasons
As the Supreme Court of Estonia did not address in its 2021 ruling whether communications data may be retained for national security purposes, the issue hasn't attracted much attention.
Even so, Künnapu at the Ministry of Justice acknowledged that from the CJEU's perspective, Estonia has a problem with that. The EU's top judicial authority has stated that communications data may only be retained for national security purposes when there is an immediate threat to national security.
"In principle, then, a court or competent administrative authority order could compel telecommunications companies to retain certain data for a certain period in a specific area," he explained.
Thus, this part of the law needs to be amended too. How exactly, though, the ministries still have yet to figure out.
"There can be no situation in which data would be retained across the entire country under the pretext of an immediate threat," the criminal law adviser underscored. "That would clearly be in conflict with the EU court too."
Künnapu admitted that it's difficult to devise rules that are acceptable to all authorities and also still fit within the EU's legal framework. According to the government's work plan, a solution should be produced by the end of this year.
"The Ministry of the Interior is handling this analysis," he said. "And we hope we'll find some sort of solution."
Karilaid: Ministry promised solution by January 2022
Another question is why a solution is only just now being sought, more than three years after the Supreme Court's initial warning.
Künnapu recalled that the first meetings in fact took place in spring 2021, following the preliminary CJEU ruling requested by Estonia's Supreme Court.
"And the Legal Affairs Committee [of the Riigikogu] initiated a bill of amendments to the Code of Criminal Procedure that May already," he added.
Initially, the ministries believed that it would suffice if the courts, rather than the Prosecutor's Office, would be the ones to authorize communications data requests. The corresponding bill passed two readings in the Riigikogu, but then the Supreme Court issued its ruling.
Estonia's top court ruled that it doesn't matter whether the data is requested by the Prosecutor's Office or a court, because the indiscriminate collection of everyone's communications data is a fundamental infringement, and such data could not be used as evidence. The Supreme Court's finding thus paused the processing of that bill.
MP Jaanus Karilaid, who chaired the Legal Affairs Committee in the first half of 2021 and was later a member of the same, had said that fall that he did not support moving forward with a half-baked solution. Nonetheless, the Riigikogu passed the bill of amendments at the end of the year.
Karilaid recalled the Ministry of Justice promise at the time that a bill addressing the retention of communications data would be issued no later than in January 2022.
"At the time, we solved half the issue, based on the promise that within one or two months, the second half of the issue, which remained unresolved, would be addressed," he explained. "In 2022, coalitions changed, and I don't even remember what caused the delay, but the Ministry of Justice did not present this solution before the parliament."
Prosecutors cautious with data in major cases
According to Chief State Prosecutor Taavi Pern, the Prosecutor's Office understood even then that this issue could resurface at some point. And this despite the fact that the bill's letter of explanation had included a note that for criminal proceedings, only communications data collected by companies for commercial purposes could be requested – and that the Prosecutor's Office has adhered to that.
"Once or twice each year we've also asked or notified the ministries drafting the legislation about it, and asked whether any communications data-related bills are in progress," he highlighted. "We've participated in the discussions and, well, we've been aware of these risks for a long time."
Pern noted that in some very important criminal cases, the Prosecutor's Office has deliberately avoided utilizing communications data.
"We've also used more complex and time-consuming means when gathering evidence, and have achieved results," he said, acknowledging that this has meant much bigger workloads. "But these have been very important cases, which is why such a strategic decision has been made right when initiating proceedings already."
Ministry adviser: We've been seeking a solution all this time
According to Künnapu, all of Estonia's authorities believed in 2021 that the solution found would allow for the continued use of communications data in criminal proceedings.
"Now it's become clear that this change was not sufficient, and the problem remains unresolved," he said.
Essentially, the state took two and a half years at the time to come up with a solution that would also comply with the rulings of the Supreme Court and the CJEU. The Justice Ministry official assured that no one has been sitting idle during this time.
"Actually, this issue has been on our table the whole time," Künnapu said. "We've had various working drafts of the bill. We've been in constant communication with the Interior Ministry and other authorities to find a solution that suits everyone." He reiterated that despite everything, no such solution has yet been found.
"We've also been hoping that some additional guidelines would come from the EU level, whether the CJEU or the European Commission would introduce a new initiative," the adviser admitted. "There is no new legislation yet, although we're hoping maybe it will still come at some point."
Künnapu added that good solutions can't simply be copied from other EU countries either.
"Attempts have been made to solve this issue one way or another, but as far as we know, no one has come up with a truly effective and functional solution yet," he said.
Editor: Marko Tooming, Aili Vahtla