Challenges of the data protection supervision in Estonia

The General Data Protection Regulation (GDPR) became applicable on 25 May 2018. Since then, the number of obligations imposed on data controllers has increased and supervisory authorities have been given a broader mandate to conduct supervision. Article 83 of the GDPR requires the EU Member States to provide in national law for administrative fines that correspond to the requirements set out in the GDPR. However, as stated in recital 151 of the GDPR, the Estonian legal system does not allow for administrative fines as set out in the GDPR. The rules on administrative fines may therefore be applied in such a manner that in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanor procedure, provided that such an application of the rules has an equivalent effect to administrative fines imposed by supervisory authorities. In addition, Article 83(9) states that in such a case the fines imposed shall be effective, proportionate and dissuasive.

The current Estonian legal system and its shortcomings

The Personal Data Protection Act was adopted soon after the GDPR became applicable. The Act lays down fines in the millions of euros for certain data protection violations. According to the Criminal Code, a legal person is held responsible for an act committed in the interests of the legal person by its body, a member thereof, or by a senior official or competent representative. This means that the nature of the misdemeanor procedure requires the body conducting the extra-judicial proceedings (which in Estonia is the Data Protection Inspectorate, or DPI for short) to establish that a natural person acted in the interests of the legal person and that this natural person committed an act which fulfills all the necessary elements of a punishable offence. Misdemeanors are also subject to a two-year limitation period, which means that proceedings often cannot be completed before the limitation period expires.

Statistically, the DPI rarely initiates misdemeanor proceedings, because most infringements are handled in the form of state supervision proceedings, which are a type of administrative proceeding. The DPI issues precepts to data controllers in cases of non-compliance, and precepts almost always include a warning that a non-compliance levy will be imposed if the data controller fails to comply with the precept. Only after the data controller has failed to pay the non-compliance levy and/or continues to breach the precept will the DPI initiate a misdemeanor proceeding. Imposing non-compliance levies on legal persons who objectively have no opportunity to perform the prescribed act is neither proportionate nor effective. The GDPR requires the Member States to have in place fines that can be imposed even for violations that can no longer be remedied. The Supreme Court has clarified that non-compliance levies may not be used as a punishment; they may only be used to compel compliance with the order. As such, the non-compliance levy is not a suitable instrument for imposing fines of the kind the GDPR mandates.

The statistics on the imposition of non-compliance levies reflect the issues above: the largest non-compliance levy, €25 000, was imposed in late 2021 on one of the largest gas station chains in Estonia, which recorded video and audio on its premises. The DPI concluded that audiovisual surveillance is not inherently permissible in businesses that provide goods and services, and that its use could be justified only in exceptional cases. No non-compliance levy issued since then has come anywhere close to that amount.

While the upcoming changes to the system are definitely a step in the right direction, they may not bring a substantial breakthrough

New amendments to the Criminal Code and the Personal Data Protection Act take effect on 1 November 2023. The amendments are intended to reconcile the administrative fine regime with the misdemeanor procedure. The largest changes relating to the misdemeanor procedure are:

  • The two-year statute of limitations is extended to three years.
  • The maximum fine that can be imposed on a legal person is raised from €400 000 to a theoretical €20 million.

The regulatory authorities have stated, however, that these changes are cosmetic and do not fundamentally address the underlying issues of the misdemeanor procedure, which are:

  • The unsuitable and cumbersome principle of derivative liability in criminal law.
  • The rigid and short statute of limitations.
  • The ab ovo principle in judicial proceedings, under which courts must hear the misdemeanor matter in its entirety, regardless of the scope of the appeal filed, and must verify the factual and legal circumstances on which the body conducting the extra-judicial proceedings based its decision.

As it currently stands, the fines imposed in Estonia fall short of being effective, proportionate and dissuasive. While the upcoming changes are a step in the right direction, the majority of legal scholars consider them insufficient to bring any meaningful change to the current legal system.