For quite some time now, public attention has been drawn to the fact that the Republic of Estonia has knowingly chosen to violate European Union law and unlawfully collect communications data on all of Estonia’s residents. This month, the Supreme Court issued yet another ruling directing the Ministry of Justice, the Ministry of the Interior, investigative authorities and the Prosecutor’s Office to abandon the mass collection of communications data.
Looking at the previous conduct and positions of these institutions, it appears most likely that the Supreme Court’s guidance will not be followed and that, as a consequence of the situation that has arisen, the state will put enormous pressure on communications companies instead.
In its recent ruling, the Supreme Court noted that there is only one exceptional circumstance in which the collection of communications data is not automatically unlawful: when the data has been collected independently of state coercion and solely for commercial purposes. It is for the Prosecutor’s Office to prove that the data was collected for commercial purposes rather than under state coercion. A mere assertion is not sufficient as proof. If the Prosecutor’s Office is unable to demonstrate this distinction, it is presumed that the data was collected as a result of state coercion.
Thus, communications companies and their commercial objectives will play a very important role going forward, as only their legitimate business purposes create any possibility of using communications data as evidence.
The state coercion established by the Republic of Estonia stems from § 111¹ of the Electronic Communications Act, under which, since 2008, Estonian communications companies have been required to retain the communications data of all customers for one year. The Prosecutor’s Office and investigative authorities can access the data with extreme ease. For example, the Internal Security Service has publicly acknowledged that it can obtain the data directly from the databases of communications companies. Both the European Court of Justice and the Estonian Supreme Court have, over the past decade, clarified every few years that such blanket retention is unlawful.
The Republic of Estonia has deliberately not amended this law. The retention obligation remains in force to this day and authorities continue to seek new ways to carry on collecting and using communications data.
Over the past four years, the Prosecutor’s Office has attempted to circumvent the prohibition on blanket retention by requesting from communications companies only data that the companies already retain for commercial purposes, assuming that this ensures compliance with the law. However, mere formal correctness in such requests is not sufficient to make the practice lawful.
Telecoms would like to collect less data
In October 2024, Estonia’s largest telecommunications companies explained to ERR that they do not even distinguish in their systems whether specific data is retained for commercial purposes or at the state’s request. Telia risk manager Andreas Meister noted that, for commercial purposes, there is no need to retain all such data for that long. Elisa chief legal officer Allan Aedmaa added that, for example, operators would only need location data for one to three months to analyze network performance.
So why is communications data retained for a year? Because the state requires it anyway. Meister pointed out that there is little point in setting a shorter retention period when the law mandates one year regardless and Aedmaa added that reconfiguring systems is a major undertaking that companies prefer to do only once.
This means that the Prosecutor’s Office’s claim that “we only request commercial data” has, for years, existed only on paper. According to the telecommunications companies themselves, there is a broad gray area between commercial purposes and state coercion — one that even the companies cannot clearly distinguish. The Prosecutor’s Office has been aware of this and has taken advantage of it.
The Supreme Court’s ruling establishes a clear standard of proof for the Prosecutor’s Office. It must demonstrate that the data was collected and retained specifically to the extent and for the duration necessary for marketing services, issuing invoices or providing value-added services.
In essence, this means the Prosecutor’s Office must in each individual case be able to show that the specific data in question, from a specific period, was collected for a specific commercial purpose. If telecommunications companies themselves say they cannot distinguish between commercial purposes and state coercion, then proving this is difficult, to put it mildly.
This, however, is where the ruling’s real impact lies. Although the Supreme Court once again emphasized that the Republic of Estonia is unlawfully requiring telecommunications companies to collect and retain data, it is a safe bet that this will fall on deaf ears as has happened on every previous occasion. State and investigative authorities will likely take from this ruling only that the Prosecutor’s Office must prove the commercial purpose of the data. The only party from whom the Prosecutor’s Office can obtain such confirmation is the telecommunications company itself.
Given the strong resistance and even active opposition of the Ministry of Justice, the Ministry of the Interior, investigative authorities and the Prosecutor’s Office to abolishing the blanket retention obligation, it can be assumed that these institutions have an interest in telecommunications companies’ “commercial purpose” aligning with what § 111¹ of the Electronic Communications Act prescribes.
This places telecommunications companies under state pressure where they face a fundamental choice. They can act honestly and acknowledge that data retained for commercial purposes is not the same as that retained under state compulsion and cease retaining and disclosing data to the current extent.
Outside Estonia, telecommunications companies have found the resolve to do so; Tele2’s parent company in Sweden acted this way as early as 2014. On the other hand, there may be a temptation to expand their “commercial purposes” to align with state interests, even if this does not reflect reality.
In the first scenario, the Prosecutor’s Office and investigative authorities lose an important source of evidence. In the second, telecommunications companies become de facto partners of the Prosecutor’s Office in restricting fundamental rights, without any legislative mandate and while misleading their customers.
It is time for the Riigikogu to act
The Supreme Court has consistently explained to the legislature what limits arise from European Union law. It has also established a fair and understandable burden of proof. The Supreme Court has even explicitly left open the question of whether telecommunications companies have a clear legal basis at all for transmitting data retained for commercial purposes to authorities conducting proceedings. This is a polite but unequivocal signal to the legislature.
At last, it is time for the Riigikogu to complete its unfinished work: to abolish the obligation of blanket data retention and to provide more precise guidance on the collection and retention of data for commercial purposes. § 111¹ of the Electronic Communications Act has now been in force for eighteen years.
Every month that passes without amending the law is another month in which the call detail records and location data of every person using communication services in the Republic of Estonia are stored unlawfully. This is a deliberate political choice to allow state authorities, for the sake of convenience, to monitor everyone living in Estonia.
—