Justice chancellor: Super-database law could be unconstitutional

The so-called super-database law, passed by the Riigikogu but not yet promulgated by the president, may be unconstitutional and will likely require Supreme Court review if enacted, Chancellor of Justice Ülle Madise said on the "Uudis+" radio program.
For years, you've been drawing the attention of the Police and Border Guard Board to the fact that, for example, their use of body cameras and license plate recognition systems isn't in line with the law. What exactly concerns you about these two examples?
I'm not blaming the police, because it's not the Police and Border Guard Board's job to make laws. The chancellor of justice's memorandum pointed out that there are a great many cameras in public spaces operated by public authorities, and under the Constitution, there should be a clearly worded law specifying who is collecting the footage, for what purpose, how it will be used and how misuse is being prevented.
Take, for example, photographing traffic violators. That's something decided by the Riigikogu — the people's representatives have determined that if someone exceeds the speed limit, a photo of the person and their car is taken and they receive a fine. If you follow the rules, you're not photographed and, of course, you don't get fined. That's all in order. The same goes for border areas — everything is properly regulated, with clear decisions made by the Riigikogu.
But when we come to so-called license plate recognition cameras, the situation is quite different. In many places, often without the public knowing, all vehicles passing by are photographed "just in case." And at least based on the information we've received, not only are license plates and car makes being photographed, but also the people inside the vehicles. Under the Constitution, taking photos of everyone "just in case" must absolutely be debated and decided by the Riigikogu, to determine whether and to what extent that can be allowed. Right now, unfortunately, we're in a situation where these cameras are in use, but the law doesn't specify what exactly may be photographed or what that footage may be used for.
This gap in the law needs to be fixed. And likely, it's heading in the direction where passengers won't be photographed "just in case" and the use of footage will be clearly limited. To our knowledge, it's also not true that the footage has only been used to track down criminals. Since the legislator — that is, the Riigikogu acting on behalf of the people — hasn't specified how this footage may be used, we've received information indicating that it has also been used for much simpler purposes. And the public has no idea this is happening.
There are two sides to this issue. One is whether something is permitted by law and whether it can be written into the law. All laws must comply with the Constitution, since the Constitution lays out our societal agreement about the kind of state we want to live in. When we talk about camera systems and intrusions on privacy, can the state, in principle, write anything it wants into the law if it has the will to do so? Or do our Constitution, European Court of Human Rights rulings or other agreements say something else?
You absolutely cannot write just anything into the law — the Constitution sets clear limits. The core idea of our Constitution is that our shared life in society must be based on individual freedom and responsibility. Of course, you're not allowed to endanger others — or preferably yourself either — but at the same time, it's largely up to you how you choose to behave. Naturally, that also means people may make mistakes.
In recent years, a certain trend has gained ground: the idea of a "preventive society." The thinking goes that if people are under total control, forced to follow all rules and effectively surveilled, then nothing bad can happen to anyone and life will be great. That's a philosophical question — and surely there are people who believe that's true, that all those rules enforced through harsh control and surveillance are reasonable, and that such a system would benefit everyone.
Unfortunately, history tells a different story. Human societies don't work like that, and human nature doesn't either. If you give the state the power to monitor and control everyone "just in case," to force compliance with any rule under state authority, it breaks people psychologically. Estonia's Constitution does not allow for such a direction.
That's also why, in the context of discussions about surveillance cameras, it's important to also talk about these deeper philosophical issues. Of course, the Constitution can be amended, and if the Estonian people truly wish to become a preventive, fully controlled surveillance society, then yes, that's technically possible — but it would be unwise. Many of us still remember a time when the state dictated how wide your pant legs could be, how long your hair was allowed to be or what kind of love was forbidden or acceptable. And it's not hard to imagine a modern-day scenario where, say, someone decides that the speed limit between Tartu and Tallinn should be 60 km/h, or between Pärnu and Tallinn just 50 — because that way we'd get rid of all those darn cars and prevent accidents. Sure, you could argue that.
But that's exactly where the Constitution comes in — and human nature too. You always have to weigh what goal you want to achieve against the restrictions on freedom and responsibility that would be required. And then ask: is the benefit really worth the harm?
Has the Supreme Court addressed this issue — do we have a case where the court has ruled, in the context of the Constitution, where the line is that must not be crossed? Or are we currently testing that boundary, and it's up to the Supreme Court to define where it lies?
The question of how far you can go in restricting a person's right to be left alone — the right not to be surveilled or controlled when they haven't broken the law — has been addressed to some extent by our courts, and it has also been discussed theoretically. But there's no reason to fear constitutional review or the Supreme Court. Society is changing so rapidly right now — with all the new possibilities for automated decision-making, camera use, mass data processing and artificial intelligence — that we can expect a whole series of very interesting Supreme Court rulings. And that's a completely normal part of how a constitutional democracy functions.
As for license plate recognition cameras — if the law ends up stating that the Riigikogu allows photographing license plates and maybe car makes with those cameras, but that images of people captured "just in case" may not be used, and if the law also defines the purposes for which such data may be used — say, for detecting serious crimes — then I would say that such a setup would be compatible with the Constitution.
That doesn't mean the Supreme Court couldn't take a different position. But if it were decided, for example, to follow the model of some major Chinese cities — where not just vehicles but also people, their body language, facial biometrics and so on are constantly recorded — then in my view, that would clearly contradict the Constitution.
But if we consider the position of the European Court of Human Rights — they've repeatedly emphasized that people must not be treated as potential criminals by default. That's a very significant position. If we place the issue of license plate recognition cameras in that context, the problem is that if you or I haven't broken any laws and we pass through such a camera, until just a few months ago, we were being photographed indiscriminately. As I understand it, from the perspective of the European Court of Human Rights, that's not acceptable.
Since our law didn't specify what those images could be used for or what exactly could appear in the photo, I would assume that, yes, the European Court of Human Rights would find it unacceptable. There's also a relevant comparison with a ruling by the Court of Justice regarding the collection of metadata from all people's internet and phone communications — that is, the cell tower location you were using when you made a call and who you called. In that case, the court ruled that such data must not be collected "just in case."
Personally, I wouldn't go quite that far, because that metadata doesn't automatically end up in a central police database — it's held by telecom companies that compete with one another, and it can only be accessed with proper authorization when there's a legitimate need to investigate a crime. Authorities have to come with a specific request and permission to access that individual's metadata. But even in that context, the EU court said that collecting such data indiscriminately is prohibited.
So photographing every driver "just in case" and using that material for unspecified purposes without clear legal limits — that's a much more serious infringement on individual rights.
We now have a new issue — the so-called super-database that's being proposed. When I look at the explanations from those involved with the Financial Intelligence Unit, they say they can no longer manage without it. They say they need a tool to profile companies and detect complex crimes, such as money laundering. You've likely read the bill, which the Riigikogu has passed. The president, it's true, has not yet decided whether to promulgate it. If we look at the positions of the Bar Association and the Chamber of Commerce and Industry, they're saying we have a serious problem. From your perspective as a legal scholar and chancellor of justice — having read through the legislation — do we indeed have a problem?
I'm afraid the answer is yes — we do have a problem. The Riigikogu did indeed debate whether to allow this kind of data processing by machines, which differs significantly from previous practices of how personal data has been handled in Estonia. In that sense, it's an improvement over some of the earlier examples we discussed. It's also a good sign that, during a parliamentary recess week, members of the [Riigikogu] Finance Committee — led by Maris Lauri in this case — took the time to meet with stakeholders and try to improve the bill.
But in substance, I still believe that if the president promulgates this law, it will need to be reviewed by the Supreme Court for constitutional compliance. What's the issue? In Estonia, we've had a long-standing principle — both to protect individual freedom and responsibility and for national security — that personal data should be kept decentralized. We have a Population Register that includes your name, ID code, marital status, family members, place of residence. There's an education register for schooling information, the health portal for medical data and so on. The Tax and Customs Board has its own database.
Unfortunately, over time, all of these registries have started trying to expand — bit by bit — so that each one ends up holding data it really shouldn't. This has already led to the creation of so-called data warehouses, where information from all these major registries is compiled into a single "box," figuratively speaking.
In this case, the Financial Intelligence Unit wants to create a system where essentially all important information the state has collected about individuals — using the power of state authority — is combined into one database and pseudonymized. But we don't know — and as far as I'm aware, neither does the Riigikogu — what data is actually being stripped away. If you remove a person's name, ID code or date of birth, that's not enough. With today's computing power, knowing where someone went to school, who their family members are and where they work can quickly and reliably identify the individual in question.
This raises multiple concerns. First and foremost, a threat to people's freedom and rights, because this data will be processed by a machine. As soon as the system detects something "suspicious," the pseudonym is removed, the person's name is attached and an investigation begins — based solely on a machine-generated flag. In the worst-case scenario, someone ends up having to explain that they've done nothing wrong, even though they're being treated like a suspect. Maybe the machine just flagged something strange, like a person making repeated transfers to a family member.
In my view, the Constitution does not permit this. Though of course, the Supreme Court could see it differently.
There are also serious security risks. Every such data warehouse requires robust protection. Time and again, we've seen that even highly secure databases can be breached, with sensitive data stolen. You may remember when ID card photos along with names and ID codes were leaked — I was among the victims myself, along with hundreds of thousands of others.
This is precisely why data should be kept decentralized. The potential harm is enormous if someone gains access to absolutely everything about a person in one place. History has taught us this. Before the arrival of occupation forces, before the deportations and property seizures, Estonia had highly detailed, well-maintained databases — made with German precision — which were then exploited.
One major concern for me is also that Estonia committed significant public funds to this project before the Riigikogu had even decided whether it should be allowed. And perhaps worst of all, it appears — at least from what I've seen in the parliamentary materials — that lawmakers were not fully or honestly informed about what exactly this "box" would contain.
This isn't the first case where it's been said that the state wants artificial intelligence to perform data analysis and assist officials. As far as I know, the Estonian state hasn't developed any AI models of its own. So if these are used, there's a risk that our data could end up elsewhere. Hopefully, Estonia will never use Chinese AI models, but in the field of education, I see there's interest in using American ones. Is there a real risk that if anonymous data is sent out of Estonia, it could be re-identified in large datasets — and that another country could learn something about you or me that we entrusted to the Estonian state, but never to a private company or foreign government?
That's a very precise question. I think about it the same way, and as far as I understand, the European Union takes a similar approach — namely, that such information should not be handed over lightly to other countries — not to China, not to the United States, not to Russia, Belarus, North Korea or anyone else.
This kind of data is an incredibly valuable asset today. It can be used to do a great deal of good — but also even more harm. So if any benefit is to come from using such data, it should, first and foremost, serve the people of Estonia.
Several years ago, there were multiple attempts to sell off the contents of Estonia's digital health records, and together with the National Audit Office, we were able to stop those plans. Even then, the full story wasn't honestly presented to the government or to the Riigikogu — but in all likelihood, that's exactly what was on the table.
I've also spoken with the rectors of our universities, especially Professor Toomas Asser, who is a physician himself, about whether we could conduct important medical research using the health data collected in Estonia's digital health system. The idea would be to do this entirely under Estonian jurisdiction — meaning the data stays in Estonia, responsibility stays in Estonia and everything is governed by Estonian law in case something goes wrong. The answer was: absolutely. We have the labs and infrastructure needed. The University of Tartu can support it all. It would be in Estonia's interest to host international research teams here under those conditions. And maybe we should take the same approach in other fields too.
The European Union — where Estonia is working to form partnerships with Finland and Poland — is trying to take steps in this direction. Ideally, the EU would have its own artificial intelligence systems that can be used for public-sector needs.
But the broader issue is this: if AI is used to sift through every piece of data collected about a person and flag something "unusual," and that leads to a person being forced to explain themselves — for example, why they left their job and have been meditating alone in the forest for the past two months — that raises serious questions. What if that person told their family about their plan and chose to take that time for themselves? Does the Estonian state really have the right, after scanning and filtering data, to question the family, to ask where that person is, why they're there — and even worse, to track them down and demand an explanation?
It's an exaggerated example, but examples like that help us understand the very real danger that comes from constant surveillance — especially when machines are the ones deciding what looks "suspicious." That danger can affect every one of us.
But would you agree that if the law enabling the creation of the super-database were to enter into force, the Estonian state would, in effect, begin treating its own entrepreneurs as potential criminals — placing everyone under equal surveillance?
Not just entrepreneurs. Even though the scope of individuals whose data would be, figuratively speaking, placed into this "box" has been narrowed slightly, in our office's view — and it's possible we're mistaken and the Supreme Court might see it differently — this still essentially affects nearly everyone. At present, it seems the only ones left out might be newborns, perhaps people over 90 and maybe a few others. But overall, it concerns the data of the majority — and these are individuals, not just businesses.
But you're absolutely right: entrepreneurs must not be treated as potential criminals "just in case." I noticed that the explanatory memorandum for the bill cited Estonia's serious money laundering issues, referencing years like 2005 and, I believe, 2015. But now it's 2025, and our banks have faced strict oversight. Our office has received a fair number of complaints from people unable to open accounts, whose accounts have been closed or who have been flagged with money laundering suspicions. Company board members in the financial sector are sometimes unable to get the necessary clearances from the Financial Intelligence Unit or the Financial Supervision Authority to operate within their businesses. It seems that the level of discipline has significantly improved.
Unfortunately, I didn't see evidence that the Riigikogu thoroughly debated whether the problem is truly so severe that it justifies placing people under this kind of suspicion — and committing the state budget to such high ongoing costs for securing the system, all while approaching the constitutional limits — or possibly even overstepping them. Was that really warranted? That's the question.
In this situation, how should we deal with 50 or 500 criminals — rather than targeting 500,000 or more people? Is it simply easier to go after the larger population instead of focusing on the actual group that has committed crimes and treating them as they should be treated?
My understanding of the Constitution is that every person — and behind every company, after all, are people — has human dignity. They have human rights and fundamental rights guaranteed by our Constitution: freedom and responsibility. They must not be treated in advance as potential criminals "just in case." When it becomes clear that someone has violated the rules, when there is a suspicion of a crime, then an investigation begins.
But should Estonia really be moving in a direction where all personal data on everyone is collected, fed into a machine and analyzed to detect possible signs that someone might have broken a rule? That's a question that deserves very serious debate. In my view, the Constitution does not allow for such an approach, and I very much hope that the majority of our people do not want to live in that kind of state.
One final question about the development of the so-called super police car. I'm not sure whether this has come across your desk, but a few months ago when the media reported on it, you stated that officials should not spend a single euro developing databases or systems that the law does not permit. Do you have any information on whether the Ministry of the Interior and the Police and Border Guard Board have put the development of such a vehicle — which would drive around, photograph everything and automatically issue fines — on hold?
That would need to be checked — I don't know at the moment. As far as I'm aware, Auditor General Janar Holm shares exactly the same view: that no financial commitments should be made, and certainly no funds spent, before the Riigikogu has made a decision and the president has promulgated the law, confirming that such an information system or technological development is even permissible under Estonia's Constitution. And if there's any doubt, constitutional review may follow — either at the chancellor of justice's initiative or through the courts.
Unfortunately, we've reached a point where it sometimes seems that for at least some ministry officials, the law is treated as a bothersome formality. The practice has become: build it first, then demand the law be changed to fit it. Regrettably, there have been several instances where the Riigikogu has gone along with this kind of ultimatum.
I was very relieved when the mobile phone voting initiative was shelved. That was a textbook case of this pattern: before the Riigikogu had decided whether voting by mobile phone — via app stores entirely outside Estonia's jurisdiction — should be permitted, more than a million euros had already been spent developing the system. And then there was frustration when it turned out the law still needed to be amended — and even then, decision-making power was oddly handed off to the National Electoral Committee, which, in my view, should not have happened. That's a decision for the Riigikogu.
The Electoral Committee determined that full transparency and verifiability — features that are guaranteed with regular internet voting — could not be ensured with mobile voting. With online voting, the process is fully auditable, observable and the vote is counted exactly as it was cast. With mobile phone voting, that same level of certainty was lacking. The committee, by majority, decided to reject it. But the money had already been spent. Now, if development resumes, at least the technical challenges are known — and the Riigikogu has at least partially acknowledged that this is a road they may consider.
But again: the money was spent before a decision had been made.
The Financial Intelligence Unit case is quite similar. Financial obligations were taken on before the Riigikogu had passed the necessary law. As a result, the Riigikogu found itself backed into a corner, with no meaningful opportunity for open, transparent coordination or debate. And the core regulation for this mass data warehouse — the so-called "big box" — which should define what's actually in it, including the extent to which people's banking transactions are included, was never presented to the Riigikogu. At least when I checked, it wasn't available on the Riigikogu's public website.
--
Editor: Marcus Turovski, Marko Tooming