The bill enabling this is set to take effect in just two weeks, in clear violation of good legislative practice. It would be quite interesting to know whether all the members of the Riigikogu who voted in favor of the bill actually understood what they were voting for. And when you take a closer look at the recent amendments to the Money Laundering and Terrorist Financing Prevention Act — which establish a super-database processed by artificial intelligence, to be used among other things for profiling and to consolidate data on all individuals and legal entities — you can't even say for sure whether it would be better if those esteemed parliamentarians didn't understand what they were doing, or if they did and are going ahead with it anyway.

The creation of a database of this scope — considering its content, scale, proportionality in terms of intrusion into personal data, cybersecurity risks and the questionable necessity — warrants thorough public debate. In addition to the database, the adopted law includes a number of provisions that raise serious concerns from the standpoint of democracy: from the government commission and the regulation of banks' liaison officers to the expansion of RAB's authority and responsibilities and the increasing level of secrecy.

It's somewhat ironic that the explanatory memorandum states this bill is not connected to any other legislation or to the government's action plan. In fact, this bill runs completely counter to what's set out in those foundational documents. This plan is yet another example of expanding bureaucracy and shrinking freedoms, unbothered by the constraints of any government action plan.

And on top of that, it's being adopted in fast-track proceedings, violating the principles of sound legislative drafting. If anyone thinks this urgency stems from an elevated risk of terrorism or money laundering, the truth is quite the opposite: they've actually had the nerve to write down plainly that the reason for the rush is simply that a task scheduled for the fourth quarter of last year wasn't completed and now must be done quickly so that EU funds can be used to create the database.

What is the new database about?

This is a database that will consolidate data from 11 official registries, in addition to the information already collected by the Financial Intelligence Unit (RAB). The new data warehouse will be integrated with the Population Register, Commercial Register, Beneficial Owners Register, Land Register, Traffic Register, Estonian Central Securities Depository, Register of Economic Activities, Register of Taxable Persons, Employment Register, Criminal Records Database and the e-File system. It will also employ data and text mining technologies.

This means the database will affect everyone whose data is recorded in national registries or information systems. And although the bill includes a promise of pseudonymizing the data, it also clearly states that the pseudonymization can be reversed if necessary — and in a fairly straightforward manner. Moreover, if we're putting so much emphasis on pseudonymization, has anyone even asked where the data being pseudonymized is coming from in the first place?

In practical terms, this means that whereas the RAB — whose role is to combat money laundering and terrorism — previously had to work with other agencies and justify its need for specific data, it will now gain access to all data on all individuals. It's true that such a database, powered by artificial intelligence and encompassing everyone's information, will certainly make RAB's work more efficient. But it is clearly disproportionate to enhance the effectiveness of a single agency by limiting the freedoms of the entire population. Without a doubt, this database introduces serious new risks. So rushing this is anything but responsible.

What are the risks?

The risks evident in the bill concern fundamental rights, cybersecurity and the principles of the rule of law. The creation of data warehouses and super-databases by the state poses the risk of personal data leaks, unknown numbers of government officials accessing individuals' private data and, even more concerning, the development of profiles based on that data. Why an "unknown number"? Because even the number of positions at the Financial Intelligence Unit is classified.

The bill states that, as part of strategic analysis, personal data will be processed to detect risks, threats, trends, patterns and methods that indicate money laundering, terrorist financing or related crimes. In itself, a noble goal — but given the serious risks inherent in such super-databases, the fact that Estonia has generally avoided them and the current security situation, it is irresponsible to make decisions about establishing them behind closed doors, in a rush and based on only partial impact assessments. For example, cybersecurity and the resulting national security risks are not mentioned at all in the impact analysis — despite being among the greatest threats.

Here are some examples of how people's freedoms would be severely restricted. The law allows for the creation of profiling analyses using artificial intelligence, with the aim of calculating risk indicators that might point to a person's potential connection to, or likelihood of connection to, money laundering, terrorist financing or related crimes. In other words, it's not just assessing actual involvement, but estimating the probability of involvement. This is hardly a data processing approach befitting a democratic state.

The explanatory memorandum claims, on one hand, that RAB does not make decisions based solely on automated data processing — such as assigning a risk profile — that would result in harmful legal consequences or other negative effects for the data subject. On the other hand, it describes precisely how the use of such risk analysis could lead to exactly that kind of outcome.

The extent of these infringements is further amplified by the fact that data and documents entered into the Financial Intelligence Unit's database are retained for 15 years after the closure of the relevant case file. This retention period starts only after the case file is closed — while the statute of limitations for money laundering under the Penal Code is ten years.

What should be done?

Stop the proceedings on this bill, members of the Riigikogu, and demand answers from the government as to why Estonia needs this database. Do not settle for vague references to international requirements — those are flexible and allow for a variety of solutions.

We should also ask why this bill is being pushed through in expedited proceedings. And why is the authority to appoint the key members of the anti-money laundering commission being shifted from the parliament to the government? Do not accept "because it's faster" as an answer. Parliament can move quickly when it needs to.

Right now, banks submit 14,100 reports to RAB, but only 94 of these are forwarded to investigative authorities — that's just 0.66 percent. Can it truly be considered proportionate to create a database of this magnitude, supposedly to improve RAB's efficiency, by collecting data on every individual's life, work, nationality, political and religious views and economic activities and placing it all in RAB's hands?

There also needs to be a clear explanation of what risk mitigation mechanisms are planned for each identified threat — such as national security risks, erosion of personal privacy and financial cost.

And finally, the question must be asked: where is the money supposed to come from, in the current economic climate, to cover the ongoing costs of maintaining a €3.5 million database starting in 2026, when the responsibility for funding it will fall to Estonia alone?

--

Follow ERR News on Facebook, Bluesky and X and never miss an update!