Liisa Pakosta: A solution to the communications data retention stalemate

A draft bill has been completed that would end the current blanket requirement to retain the most sensitive data — who spoke on the phone with whom, where and for how long — on a mass scale for an entire year, writes Liisa Pakosta.
The Ministry of Justice and Digital Affairs is ready to submit to the government a draft bill that would end the legal deadlock surrounding the use of communications data and restore our ability to actually catch criminals.
As minister of justice and digital affairs, my primary responsibility is to protect people's fundamental rights and freedoms. Under European Union law, too, the communications data of all people may not be collected indiscriminately just in case, as that would mean treating everyone as a potential criminal.
One after another, other countries have also begun abandoning such blanket data retention. Over time, higher courts in Austria, Romania, Slovenia, the Netherlands and Germany have declared these provisions invalid.
We are now finally proposing a very good solution that complies with the case law of the Court of Justice of the European Union and ensures both the protection of people's fundamental rights and the ability of investigative authorities to investigate serious crimes. This draft bill is complete and will soon be submitted to the government for discussion.
How things stand
Before turning to the proposed changes, some background is needed. The use of communications data in the form we have previously relied on is no longer possible because it has been prohibited by the European Union, the Court of Justice of the European Union and Estonia's Supreme Court.
The Court of Justice of the European Union has issued several rulings prohibiting the blanket retention of communications data, including, as early as 2021, in relation to Estonia, finding that mass data retention constitutes a violation of human rights. Estonia's Supreme Court agreed with this later that same year. In March 2026, the Supreme Court issued an additional ruling confirming that only communications data retained for commercial purposes may be used as evidence in criminal proceedings and that the burden of proof lies with the prosecution.
Estonian law enforcement, however, has fallen victim to a tangled legal framework that has de facto paralyzed the day-to-day work of investigative authorities and created a profound evidentiary crisis. Although communications data is used in around 1 percent of criminal cases sent to court, the already limited and valuable resources of the police and prosecutors are being spent arguing over the origin of the data, the legal basis for retaining it and proving this in court, instead of investigating crimes.
Even in the case of information retained for business purposes, authorities currently have to split hairs every single time to prove that the data was collected solely and specifically for commercial reasons.
For example, if investigators are examining a murder case and have collected mobile phone data showing a person's presence at the scene, then for that data to be admissible as evidence, the prosecution must prove that the mobile operator collected it for no purpose other than its own operational needs. This is extremely difficult for the state to prove and that is where all the valuable time goes.
This is procedural inefficiency in its purest and most dangerous form. As a state, we cannot accept a situation where cybercriminals using artificial intelligence and brazen phone scammers are emptying the bank accounts of people in Estonia while investigators' hands are tied because of legal ambiguity.
In many such cases, the only way to identify perpetrators is by using traffic and location data. At present, because of the legal deadlock, this data is effectively impossible to use. We are now resolving that deadlock while also enabling the smooth investigation of crimes. The cost of inaction is the growth of organized crime and impunity.
I would nevertheless note that while roughly 40,000 to 50,000 crimes are identified in Estonia each year, the use of communications data in reality concerns significantly fewer than 100 criminal cases.
We must find a solution to a situation in which, on the one hand, data collection in its current form is unlawful, while on the other hand law enforcement authorities have an urgent need to catch criminals. This is not a problem without a solution, nor one that would overturn the existing work of law enforcement agencies.
The past two years have been wasted on political games and illusions, searching for solutions where none can exist technologically or legally. There have been demands to create exceptions for serious crimes, while completely forgetting the root of the problem: the issue is not who is being investigated at any given moment, but how and why the data was originally collected.
If the initial data collection is blanket and indiscriminate and carried out in a manner contrary to established case law, then data connected to mobile phone use is unlawful from the outset. Material gathered illegally does not magically become admissible in court simply because the crime under investigation is considered serious by society.
Unrealistic ideas have also been proposed, such as collecting data only in certain geographic areas or only about specific individuals. Technically, this is a complete dead end because criminals move around constantly with their smart devices and we would immediately run into the problem of storing data about people for whom this is prohibited. Moreover, it would require mobile operators to begin collecting some data twice over, which again would not be in line with the principles of a state governed by the rule of law.
All previous attempts to create similar exceptions for criminal investigations have failed because they are clearly incompatible both with modern technological realities and with the fundamental principles of European law. We are now proposing a concrete solution.
What will be lost and what will remain
With the new legislative amendment, we are cutting through this Gordian knot by replacing the blanket retention obligation that has been declared unlawful with a targeted approach.
Put simply, the current mass, yearlong obligation to retain people's most sensitive data — who spoke with whom on the phone, for how long and in what location during the call — will end.
To address the issue that has generated the greatest public attention: telecommunications companies will no longer be required to store such call detail records and location data for 12 months. That is the central point of our draft bill.
At the same time, law enforcement authorities will continue to be able to use data collected by companies for business purposes in order to investigate crimes. This is a civilized system consistent with the rule of law.
To be very specific: we will retain the obligation for telecommunications companies to store for one year data enabling user identification — whose name a phone number is registered under and what that person's contact details are — so that investigative authorities can, where justified during pretrial proceedings, determine who owned the number from which a criminal call was made or a scam message was sent.
Telecommunications companies will also remain obligated to retain internet service data that helps identify, in cybercrime cases, who was behind a specific IP address from which illegal content was posted or transmitted.
As for all other details, once the amendments take effect the state will rely on information that telecommunications companies already retain in the normal course of business, for example to provide services, ensure quality and issue invoices.
We are working actively with telecommunications companies to legalize the collection of such data both for commercial purposes and for safeguarding national security. This creates a functional and necessary synergy between business interests and law enforcement, restoring investigators' ability to use these tools in proving criminal offenses without forcing telecom companies to build new and costly parallel IT systems. Ultimately, taxpayers would bear those costs, which preliminary estimates place in the six figures, not to mention that smaller companies would likely not survive the required system overhauls.
At the same time, we cannot be naive about today's constantly changing security environment, which is why the draft bill creates separate provisions for the use of communications data in cases involving national security or terrorism offenses.
Should an immediate and serious threat arise to Estonia's national security or constitutional order, the new law would give the government the authority to temporarily implement a significantly stricter data retention regime. This is a tightly controlled instrument whose use has also been explicitly permitted by the Court of Justice of the European Union, ensuring that in a critical moment our authorities have the information necessary to defend the state.
We are ending a legal absurdity that has lasted for years, restoring to law enforcement a real ability to do its job and sending criminals a very clear message: Estonia is no longer a country where people can operate with impunity by hiding behind legal ambiguities.
--
Editor: Marcus Turovski









