Estonian entrepreneur Parvel Pruunsild recently filed a lawsuit against telecom company Telia, demanding that it stop the unlawful collection of communications data and their transfer to the Estonian Internal Security Service (ISS), and seeking €1 million in compensation for non-material damages. 

Pruunsild's representative Paul Keres said the complaint is based on a situation in which telecom companies continue to collect data and forward it to law enforcement authorities, even though the Supreme Court five years ago declared the law requiring this to be contrary to European Union law.

Chief State Prosecutor Pern noted in an ERR broadcast that various courts have stated that, at present in Estonia, communications data may be used if they were obtained and collected for commercial purposes. Data that have been collected solely because the state has imposed a retention obligation on telecom operators should not be used in court proceedings.

Keilin Tammepärg, head of policy and legal affairs at the Estonian Association of Information Technology and Telecommunications (ITL), said the association has raised the data retention issue for many years, including making appeals to officials and politicians as well as to the Chancellor of Justice, to gain clarity.

"The directive on the basis of which a general data-retention obligation exists in Estonia's communications law was annulled as early as 2014," Tammepärg pointed out.

At the same time, according to her, the association's position is that the law establishing the obligation to retain communications data is still in force in Estonia.

"Estonia has a legal system in which a court ruling does not automatically invalidate a law. In other words, the general retention obligation does still apply. And all of the court decisions that have come from the Supreme Court have discussed how these data may be used in criminal proceedings — not how telecom companies should behave," she added.

Tammepärg said that data generated in the course of business activity include the customer's name and when they used a communications service. "For example, to dispute a bill, these data need to be kept for a certain period if someone says, 'I didn't make that call and I'm not going to pay for it.'"

"But telecom companies retain an entire long list of data based on the law, and this problem is broader than just criminal proceedings. Because the court has not said anything about retaining data for security purposes. And in addition, there are misdemeanor proceedings — the Environmental Board, the Consumer Protection Authority, civil courts. They all have the right to obtain communications data. In fact, this regulation needs to be fixed comprehensively."

According to Chief State Prosecutor Pern, the prosecution frequently uses data in its work about where a communications session took place and from which mobile phone the session originated, including the phone's IMEI code. "These are the usual kinds of data that people often also see on their own mobile phone bills. We can find out that a call took place connected to a mobile base station located in Tallinn city center. This does not provide certainty about where the person was."

In the case of SMS messages, according to Pern, data about the time of sending is retained, but not the content. "Only the time and place and where it was sent."

As for calls made via Messenger, FaceTime, Signal, or WhatsApp, according to Pern, no such data is retained. What is visible is the flow of data usage. "We see that a person has used, for example, 14 gigabytes of data over the course of a month. But what they did within that, where they did it — that we certainly do not see."

Tammepärg noted that the obligation to retain communications data is an additional burden for information technology companies. "If this obligation did not exist, less data would be stored for a shorter period. At present, the data-retention period is one year."

Pern said that the biggest point of dispute in the legal sphere is the question of whether the state can impose an obligation on telecom operators to retain data, and within what limits such an obligation can be imposed.

The European Court of Justice has provided certain guidelines.

For example, in Belgium data collection is organized in such a way that it takes place in specific areas — such as airports, ports, or high-crime areas in cities.

According to Tammepärg, a similar solution has been discussed for Estonia, but it does not seem particularly reasonable in the context of a small country like Estonia. "Plus the fact that criminals move around. In addition, we have a security threat coming from our neighbor."

According to Pern, security issues should be at the center of the whole discussion.

"In matters of national security, the European Court of Justice has also named certain conditions under which communications data may be retained, taking into account the security threats we face," he said. "These communications data are not used only in a few hundred criminal proceedings, but more generally to ensure our security. There must certainly be regulation that helps us retain and collect communications data for more than just one or two weeks or a couple of months."

--

Follow ERR News on Facebook and X and never miss an update!