According to a 2021 ruling by the European Court of Justice, the mass retention of communications data constitutes a human rights violation. Estonia's Supreme Court reached the same conclusion in 2021. To date, no legal provision requiring telecom companies to retain data has been amended in Estonia.

The Ministry of Justice has completed a draft bill that would regulate access to data collected under the general obligation to retain communications data, for the purposes of criminal proceedings.

The bill does not change the list of data that must be collected under the Electronic Communications Act. Telecom companies must continue to collect the same data as before, Andreas Kangur, head of the Department of Criminal Law and Procedure at the Ministry of Justice and Ministry of Digital Affairs, told ERR.

"It simply cannot all be used in criminal proceedings anymore," he said.

According to the bill, during criminal proceedings, it would be possible—with court approval—to request traffic data retained by telecom companies for their business purposes. For example, billing requires knowing from which number, when, for how long, and with which number someone communicated, or who used the internet, when, and for how long, Kangur said.

Telecoms companies also need to collect data to ensure the availability of services.

"Data retained for business purposes by telecom companies may be requested with the authorization of a preliminary investigation judge only if it is strictly necessary to achieve the objective of the criminal proceedings, and if the seriousness and nature of the crime justify it, and the request does not unjustifiably infringe on individual rights. This is what the court must assess," Kangur said.

The draft has now been sent out for feedback. Hopefully, the government will present the bill to the Riigikogu in the fall, the official added.

Removing data retention obligation is more complex

Balancing the elimination of the general data retention obligation with security concerns is being addressed separately, and that draft will take more time to prepare, Kangur said.

"Primarily, the Electronic Communications Act will need to be amended, but possibly other relevant legal acts as well. The issue of data retention and use for security and criminal proceedings purposes is also being addressed at the European Union level, and the European Commission has launched consultations with member states to develop an appropriate legal framework," he said.

Kangur said the issue is quite complex and involves balancing security and individual rights.

"People generally do not like it when their private lives are being snooped into, and any form of data collection, unfortunately, always carries the risk of leaks and abuse. At the same time, we are used to expecting the state to ensure security—not just that wrongdoers are quickly caught and punished, but above all, that terrorists and other foreign threats are neutralized before they can even act. How much freedom we are willing to give up for security, and under what conditions—that's what we need to figure out," the official said.

As the discussions are still ongoing, this bill likely will not be completed this year, Kangur added.

--

Follow ERR News on Facebook and Twitter and never miss an update!