Ministry not planning to check whether authorities' database queries justified

Although the chancellor of justice believes the Enforcement Register's rules should allow each query to be reviewed for justification, the Justice Ministry disagrees.
In July this year, Chancellor of Justice Ülle Madise found that public authorities had accessed account holders' data covered by bank secrecy through the Enforcement Register, which was launched last year, and done so without a legal basis. Tens of thousands of such queries had been sent to banks.
Madise recommended to the justice and digital affairs minister that a regulation be adopted for the Enforcement Register as soon as possible. This regulation, she said, should include provisions for oversight of how the register is used, including the ability to assess the justification and relevance of each individual query to a specific proceeding.
On October 21, the Ministry of Justice responded to Madise's letter, which was sent on July 1. In its reply, Justice Minister Liisa Pakosta stated that the recommendation to adopt a regulation governing the Enforcement Register had already been fulfilled.
The ministry emphasized the importance of distinguishing between two roles: the data controller of the database itself, which is the Ministry of Justice, and the controller of personal data. The former ensures that the register is managed lawfully, but not necessarily that personal data is processed legally.
If the regulation does not specify who is responsible for personal data, Pakosta said that responsibility lies with the institution that determines the purpose and means of data processing.
"In summary, the ministry is the controller of the Enforcement Register under the Public Information Act, but the controller of personal data is the institution that submits queries through the register as part of fulfilling its duties," Pakosta wrote to Madise.
Regarding the chancellor's recommendation that the justification for each query should be reviewable, the ministry said it oversees whether the querying institution, which is also the personal data controller, has sufficiently ensured the legality of data processing. The ministry may request clarifications and propose remedies for any shortcomings.
Before any institution is granted access to interface with the register's information system, the ministry also checks whether a legal basis exists and whether such access is appropriate.
"However, under the regulation, it is not the ministry's role to assess the substantive justification of queries, including their connection to a specific proceeding," Pakosta said.
She added that such assessment would require the ministry to become familiar with the details of investigations carried out by the querying institutions, such as the Internal Security Service or the Police and Border Guard Board, and to determine whether a given query was justified within the context of that investigation.
"It is not feasible for the ministry to substantively review criminal proceedings in order to evaluate the justification of queries. Such a review would also require access to the specific data being requested," the justice minister said.
According to Pakosta, providing a channel for information exchange does not require the ministry to examine the content of requested data, and doing so would conflict with the principles of purpose limitation and data minimization in data processing.
She added that, if necessary, the legality of queries can be reviewed by the courts. Under the regulation, the entity making the query must specify to the financial institution the purpose for which the data is being used, along with a reference to the legal basis or proceeding. This is recorded in the institution's information system.
"The justification for queries is also supported by the fact that the public authority processing the data is responsible for its lawful use and for fulfilling all security requirements. It is also required to carry out sufficient oversight and, before being granted access rights, must confirm to the register's controller that appropriate measures have been implemented," Pakosta said.
In early September, the Ministry of Finance completed draft amendments to the law aimed at limiting and clarifying the rights of the Tax and Customs Board and the Financial Intelligence Unit to access banking data through the Enforcement Register. The bill was drafted in response to the criticism voiced by the chancellor of justice in the summer.
However, Madise stated in late September that even the completed bill is not in line with the Constitution. She said that while the bill marks a first step toward proper protection of banking secrecy, it still requires substantial substantive revisions to meet constitutional standards.
Until the law is amended, neither the Financial Intelligence Unit nor the Tax and Customs Board can access banking data through the Enforcement Register.
--
Editor: Karin Koppel, Marcus Turovski










