Justice chancellor: 2,000 bank statements viewed without legal basis

The Financial Intelligence Unit exceeded its legal authority when it requested individuals' bank account statements, doing so in a couple of thousand cases, Chancellor of Justice Ülle Madise said on "Aktuaalne kaamera."
Let's briefly go over the facts and details. Tens of thousands of requests were made by government agencies to banks. How many of these were legal and justified, how many fell into a gray area and how many were ones that should not have happened at all?
A complaint was filed with the chancellor of justice stating that, via the data exchange layer connected to the enforcement register, certain government agencies — primarily referring to the Financial Intelligence Unit — had access to bank account statements. That means information about transfers made, card payments, incoming and outgoing funds and when they occurred. The law does not provide a specific legal basis for this.
We went to investigate the concern with colleagues and found that the law actually allows the Financial Intelligence Unit access to a much narrower set of data — such as whether an account exists at all, when it was opened and closed; and if it's a business account, who the people behind it are. That kind of information is indeed necessary for detecting and preventing money laundering and identifying suspicious patterns.
However, the right to access full account statements had not been granted.
A whole different layer of the issue is whether the institutions that do have a legal right to access such data have always used it lawfully. That's not something we examined during this particular inquiry.
Let me emphasize — of course, when it comes to criminal investigations or national security, the law does provide grounds for justified access to individuals' banking data, and that's entirely appropriate. No one is disputing that.
We were talking about tens of thousands of requests — so is it the case that we still don't know how many of them were unwarranted, because this hasn't been thoroughly investigated?
That has not been investigated yet. It will likely be examined in some cases during court proceedings. But what we do know is that during the period under review — and that period was somewhat narrower than up to the present day — in 2,000 cases, individuals' bank account statements were accessed in a way that the law does not permit.
How do things like this happen in Estonia? We've created a kind of blanket permission for someone to collect data, but we haven't specified who is allowed to do it, on what grounds or whether anyone should be informed about it.
Honestly, we don't fully know. My goal — and that of my office — is always to resolve the problem. I don't really believe that the officials doing the difficult work of uncovering crimes have bad intentions. I think it's more a matter of negligence — on the part of ministries and perhaps also the Riigikogu. It's possible that they're simply overwhelmed with work.
One hypothesis from our office is that a lot of effort is being spent on substitute activities. Instead of focusing directly — for example, in this current case we're discussing and working to resolve — on the specific question of what exact powers the Financial Intelligence Unit truly needs in order to do its job effectively while limiting the infringement on people's rights as much as possible. In other words, how to prevent situations where phone scammers con people out of large sums of money and move it out of Estonia so quickly that the victim never gets it back — because the scammer is never brought to justice.
Lately, we've been hearing about several decisions or plans that affect our privacy. Are we facing a broader issue that we should be having a public discussion about?
Yes, we absolutely should be having that discussion — and it's not just an issue in Estonia. This is happening everywhere. The ability to collect data — whether by businesses, to whom we voluntarily give information, or by governments and local authorities — is growing rapidly. The capabilities of surveillance cameras, tracking technologies and especially the tools to analyze that data are improving every day, allowing decisions to be made based on it.
That's exactly where the constitution comes in. Of course, we should always strive to take full advantage of technological innovation. Estonia must do this as well. But at the same time, we need to carefully consider the potential harms. And instead of panicking or getting overly cautious, we should weigh the intended benefits against the risks, have a public debate — led by the media and political parties, with input from the public — and ultimately reach a decision in the Riigikogu. As a society, we need to decide what we are willing to permit, for what purposes and how we prevent abuse.
Unfortunately, that kind of process hasn't happened in this case — and as it turns out, this isn't the only instance. There was also the issue with automatic license plate recognition cameras. I'm not accusing the police of anything, but for some reason, the necessary legal provisions were simply left out. And this is not just nitpicking over regulations — it's a fundamentally important question: when officials monitor or investigate people, are there clear boundaries in place and is there oversight of how that information is used?
--
Editor: Marcus Turovski, Marko Tooming