At the beginning of July, a review by the Office of the Chancellor of Justice revealed that through the enforcement register, some state agencies had access to bank account statements, even though the law provides no clear legal basis for this.

Postimees reported Friday that several entrepreneurs wanted to know whether their own accounts had been subject to such scrutiny.

Attorney Tõnis Loorits of law firm Triniti, which represents the business owners, told ERR that requests for information from the Ministry of Justice and Digital Affairs, as the controller responsible for the enforcement register, were first submitted on July 4.

"People wanted to know retroactively whether inquiries had been made concerning their accounts. Among them was myself, just as any other citizen of the Republic of Estonia might be. Collecting, recording, checking and releasing that data was the ministry's obligation as the controller," Loorits explained.

The ministry, however, refused to release the data and instead suggested that people request the information from the agencies with access to bank statements through the enforcement register — among them the Internal Security Service (ISS), the Foreign Intelligence Service, the Tax and Customs Board and the Financial Intelligence Unit (FIU).

According to Loorits, the ministry justified its refusal by citing the regulation on the enforcement register approved by the minister on July 8 and entered into force on July 13. But he said that refusal has no legal basis.

"The ministry's obligations derive from a directly applicable European Union regulation. Those obligations cannot be excluded or delegated retroactively to someone else through a ministerial regulation adopted, enacted and applied afterward. That leads us into a legal absurdity where, at the level of a ministerial decree, the state could theoretically retroactively exclude any of its duties and responsibilities to its citizens," the attorney argued.

Such a mechanism, he said, would allow retroactive legitimization of violations of all human and fundamental rights, while shielding violators from accountability.

"But the law doesn't work that way. The Charter of Fundamental Rights of the European Union and the Constitution of the Republic of Estonia both protect us against such situations," Loorits added.

Ministry considers releasing the information impossible

The Ministry of Justice sees the matter differently. Ministry communications adviser Aivar Pau told ERR that they must follow the EU General Data Protection Regulation and Estonian laws, which state that only the data controller — in this case, the agency that made the bank inquiry — has both the right and the obligation to disclose information about those inquiries.

Pau explained that the law distinguishes between two roles: the Ministry of Justice is the controller of the database, responsible for its lawful management and technical development, while the actual controllers of personal data are the agencies that make bank inquiries through the enforcement register. These include the FIU, the Police and Border Guard Board, the Internal Security Service, the Tax and Customs Board, the Foreign Intelligence Service and bailiffs.

"It would be unimaginable if, for example, inquiries made during criminal proceedings or intelligence operations could be accessed by rank-and-file ministry officials in order to answer questions from lawyers or anyone else," Pau said.

"If someone wants to know whether an investigative body has made inquiries about them through the enforcement register, only that specific investigative body can answer," he added. "The ministry does not have and must not have detailed information about the background of those inquiries, nor the right to disclose such information."

Therefore, when a person contacts the ministry with a question about an agency's inquiry, the ministry forwards the request to the relevant investigative body for a response.

According to Pau, what the attorney now pursuing the case in court is demanding would in fact create a surveillance society, where ministry officials and politicians would gain direct access to investigative procedures, the related inquiries and individuals' banking secrecy. Otherwise, the ministry could not respond to entrepreneurs' requests without seeing those inquiries themselves.

"The applicants in court seem to want inquiries — which, by their nature, involve access to personal data — not to be answered by the investigative agencies themselves, such as the FIU, but instead by the database administrator, meaning the Justice and Digital Affairs Ministry. We cannot agree with that. From the perspective of the rule of law, it would be extremely dangerous — super-ministry officials would gain access to inquiries made during criminal proceedings and to the banking secrecy of arbitrary individuals and companies," Pau said.

In the ministry's view, this would create an entirely new and unmanageable channel for the movement of banking secrecy, criminal investigation data and security information — with no clear explanation as to whom such a channel would even benefit.

"These issues are already regulated by the specific laws governing each investigative body, including the FIU. Those laws set out under what circumstances, when and to what extent they may disclose information about proceedings — that is, how their data-tracking authority applies. But they most certainly may not release such data during ongoing proceedings," Pau added.

Entrepreneurs who turned to court not named

Tõnis Loorits said the matter was taken to court after the Justice Ministry's July 18 response made it clear the ministry did not intend to fulfill its obligations.

"So far, the court has only admitted a handful of complaints and proceedings remain at a very early pretrial stage. The ministry is required to respond to the complaints no later than October 27," the attorney added.

In its August 27 decision to admit one of the complaints, the court explained that as controller of the enforcement register, the ministry should have collected the data itself, verified its accuracy and replied to the complainant, including issuing a clear refusal if a legal basis for disclosure was lacking.

"If one of the agencies to which the respondent forwarded the complainants' request refused to provide the data, then the respondent was obliged to review the legality of that refusal and subsequently prepare a final response to the complainants," the ruling stated.

Loorits noted that while this does not constitute a final judgment, as counsel he can agree with the court's initial definition of data subjects' rights and the ministry's obligations.

He declined to disclose the identities of the entrepreneurs he represents, saying only that they are Estonian citizens.

Financial Intelligence Unit head Matis Mäeker told Postimees that the claim that the bureau had monitored people without legal grounds was misleading.

"The discussion should focus on whether the law needs to set clearer limits on the channel through which part of this information exchange occurs. While the bureau has decided, for now, to stop requesting account information through the enforcement register, we still maintain that such use was lawful," Mäeker said.

He emphasized that the bureau operates within the law and the public interest, with the goal not of infringing on anyone's privacy but of protecting society against crime.

On Thursday, the Ministry of Finance introduced draft amendments to clarify and restrict the Tax and Customs Board's and the FIU's rights to access individuals' and companies' banking secrecy through the enforcement register. Until the amendments are adopted, both agencies' access to the register remains restricted.

--

Follow ERR News on Facebook and X and never miss an update!