skip to content

Data Protection Laws and Freedom of Expression: Estonia File:Flag of Estonia.svg



Constitutional/Primary Law Background - see also ECHR and EU Charter

Article 45 of the contemporary Estonian Constitution (as revised 2015) protects the right to disseminate information (including ideas, opinions and beliefs) but subject to any legal limitations justified on a wide range of enumerated bases including protection of the rights and freedoms, health, honour and good name of others. Article 38 also establishes the freedom of science and art including their teaching/instruction. Specific data protection rights are confined to the right of Estonian citizens (and others in Estonia unless otherwise provided by law) to access personal information held by the State. Nevertheless, Article 26 establishes a right to the inviolability of private and family life, subject to legally authorized State interferences on grounds broadly comparable to Article 8(2) of the ECHR.  Meanwhile, Article 33 provides specific protection for the inviolability of the home, whilst Article 17 likewise protects honour and good name.  There is no specific protection for correspondence.

The first relevant protection of freedom to express and disseminate thoughts (but only within the limits prescribed by law) as well as inviolability of domicile (but again subject to searches as provided by law) may be traced to articles 37 and 33 of the Fundamental Laws of the Russian Empire 1906. The 1920 Estonian Constitution provided for the freedom of expression of personal ideas subject only to restrictions to defend the State and morals and specifically prohibited censorship (art 13) and also enunciated the freedom of science and art and including their teaching/instruction (art 12). It also established inviolability of domicile (but again subject to searches as provided by law) (art. 10) and secrecy of communications (except by judicial order as foreseen by law) (art. 14).  The constitutional rights as currently set out trace back to the Estonian Constitution of 1992.


First-Generation Statutory Law 

Estonia did not adopt any data protection statute in the first-generation period.

Second-Generation Statutory Law

Estonia adopted its first Data Protection Law on 21 June 1996. Whilst including a personal exemption, this Act did not contain any derogations in favour of special expression, broad expression or knowledge facilitation (other than in relation to statistics). The subsequent Data Protection Act adopted 12 February 2003 neither contained any special provisions beyond the processing for personal purposes. With the adoption of a new Personal Data Protection Act in 2007, however, a special expression derogation as well as Knowledge Facilitation Framework were finally adopted.  
Special Expression Derogation
Neither the 1996 nor 2003 Act addressed the need for such a derogation. The 2007 Act did do so but its overall governance of this area continued to lack clarity. Section 11(2) of the Estonian Personal Data Protection Act provided that ‘personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject, if there is predominant public interest therefore and this is in accordance with the principles of journalism ethics. Disclosure of information shall not cause excessive damage to the rights of the data subject. An analysis of the Estonian data protection law indicated that the way it has implemented the sensitive personal data rules and the proactive transparency rule when collecting information directly from the data subject depended on a presumption that consent will be obtained in these cases. A similar presumption applied in relation to the need for a legitimating ground for processing. This provision therefore set out an exemption from these provisions qualified by a strict public interest test based on judicial considerations of the ‘predominant’ interest, journalism ethics and damage to default data subject rights. Whilst no such presumption applied in relation to other transparency rules, in these cases the Act did allow for a restriction where otherwise this may ‘damage rights and freedoms of other persons’ (sec. 12). This may similarly be interpreted as a derogation based on a strict public interest test. In contrast, compliance with the default data quality principles, the data export condition and the notification of processing condition did not intrinsically depend on obtaining the consent of the data subject and nor was any other derogation set out. The Estonian legislation can thus be deemed to have applied these provisions without restriction to the media. No particular provisions were set out in favour of the special purposes of artistic or literary expression.
Broad Expression
There was no relevant provision.
Personal Exemption
The processing of personal data by natural persons for personal purposes was excluded from the application of the Data Protection Act 2007 (sec. 2(1)(1)).A similar provision had been included in both 1996 and 2003 legislation.
Knowledge Facilitation Framework
The 1996 Data Protection Act in section 4(5) provided that collected statistical data relating to a natural person were not personal data if it was not possible to identify the person in relation to which the data were collected. However, other than this exclusion from the scope of application of such statistical data, no knowledge facilitation derogation was contained in the 1996 Law. In the 2003 Law, no mention was made of processing for statistical, scientific, historical or archival purposes was made.
The Estonian Data Protection Act 2007 provided for an exemption for scientific research and official statistics from the consent and compatibility requirements. However, data needed to be stored in coded form (s. 16(1)). No exemptions for the processing of personal data for scientific or statistical purposes were provided from proactive direct transparency rules, the registration requirement, the legitimating condition or the export condition. With regard to the proactive indirect transparency provisions, the extent of a possible exemption were unclear. Pursuant to the Data Protection Act, processing without consent was only possible in coded form or where there is a predominant public interest, no obligations were imposed on the data subject and the data subject’s rights were not excessively damaged in any other way. The processing of sensitive personal data, moreover, required the involvement of the DPA, which had to verify compliance with the requirements in the respective section hearing beforehand from a ethics committee if these were legally established in the relevant area (s. 16(3)). The Estonian Data Protection Act, furthermore, imposed special restrictions on market research. Pursuant thereto, the data subject had the right to prohibit the processing of data concerning him or her for the purposes of research of consumer habits or direct marketing and communication of data to third persons for these purposes (s. 12(1)). Moreover, records of historical archives could only be accessed with the written consent of the data subject (s. 48(2)).
Parliamentary Debates
No parliamentary discussion on the special expression derogation or the knowledge facilitation derogation took place when the initial Data Protection Act entered into force. However, when the proposal for the new law which included specific provisions in both these areas was debated in 2006/2007, both the special expression derogation and the Knowledge Facilitation Framework were at least mentioned, but not substantively discussed.  This proposal became the Data Protection Act 2007.
Special Expression Derogation
Rein Lang, Minister of Justice, stated that processing of personal data for journalistic purposes was permitted where carried out in accordance with principles of journalist ethics and justified by public interests. The decision whether such processing was lawful would have to be made on a case-by-case basis for each publication. It was emphasized that the proposed Data Protection Act aimed at ensuring journalistic freedom of expression.[1] Urmas Kukk, Director General of the Data Protection Inspectorate which supervised the implementation of the Data Protection Act, further highlighted that the proposed Act only addressed the processing of personal data for journalistic purposes in section 11. This section, it was argued, would exclude other provisions protecting the rights of data subjects from applying to the processing of their data for journalistic purposes. It would thus not be necessary to repeat the derogation in the provisions from which such derogations were permissible for journalistic purposes. The resulting complexity was criticized by the Newspaper Association, which expressed concern about possible harassment of the Press if the law entered into force in the then proposed form.[2] However, the Constitutional Committee considered that the wording of section 11 would sufficiently guarantee journalistic freedom of expression, with section 11(2) providing an adequate legal basis for the processing of personal data by the media in case of overriding public interests. Where an individual data subject deemed his or her rights to be violated by the processing of personal data for journalistic purposes, courts should decide on the matter. It was thereby reiterated that the proposed amendment simplified the processing of personal data for journalistic purposes compared to the law then in force by providing for a clear exemption from data protection provisions.[3]
Knowledge Facilitation Framework
The draft Data Protection Law sought to balance research and statistical interests in processing personal data and data protection considerations by requiring the coding of personal data before such data could be used for research or statistical purposes. While concern was voiced that this would worsen the situation of scientists, Rein Lang, the Minister for Justice speaking on behalf of the Committee which prepared the draft, rejected such concerns.[4]

Third-Generation Statutory Law

Estonia Personal Data Protection Act on 12 December 2018.
Special Expression Derogation
Pursuant to Estonia’s implementing Data Protection Act, data can be processed for journalistic purposes without consent of the data subject. Any processing must be compatible with journalistic ethics and the public interest and any disclosure of data must not cause excessive damage to the data subject (s. 4). Nevertheless, in contrast to the previous law, it is no longer stated that any public interest present must be overriding or preponderant, shifting the derogation’s internal threshold from a strict to a permissive public interest test.
There is presumably a fully applicable derogation from restrictions on the processing of sensitive data other than those related to criminality and those related to data export. In contrast, the default data protection principles, transparency rules and the need for a legal basis for processing do not presume data subject consent. The same holds true for the default prohibition on private sector processing of criminal data. The requirement on the controller to make a registration of processing is not explicitly rendered inapplicable. Derogations are extended to the non-journalistic special expressive purposes of academic, artistic and literary expression and, in this cases, only require consideration of whether the processing causes excessive damage to the rights of the data subject (s. 5).  The wording of these clauses only ambiguously establish the priority of the special expression derogation over the Knowledge Facilitation Framework.
Broad Expression
There was no relevant provision.
Personal Exemption – see GDPR, art. 2(2)(c)
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Section 6 of the Data Protection Act permits.processing for the needs fo scientific an dhistorical research and official statistics without consent in a pseuonymized format or a format which provides an equivalent level of protection. IT is specified that prior to transmission, data will be reconfigured in this fashion.  Identified data is only allowed if (i) the purpose of the data processing could not otherwise be achieved; (ii) there is an overriding public interest; (iii) the scope of obligations of a data subject is not changed based on the processed personal data and neither is the rights of the data subject excessively damaged. If sensitive personal data are processed, the approval of an ethics committee, the National Archives where there is retention by that body or, if these bodies are absent, the DPA is necessary .
The data controller is allowed to derogate from the data subject’s rights provided for in Articles 15, 16, 18 and 21 GDPR, insofar as the exercise of these rights is likely to impede to a significant extent or frustrate the objectives of the scientific or historical research or official statistics (s. 6(6)). Public interest archive processors may restrict Articles 15, 16 and 18-21 GDPR, insofar as the exercise of these rights is likely to make the achievement of the purpose of archiving in the public interest impossible or impede it to a significant extent or in order to endanger the condition, authenticity, reliability, integrity and usability of the records (s. 7(1)).
Parliamentary Debates
There were no parliamentary debates on either the special expression or knowledge facilitation derogation.[5]

[1] Estonia, ‘X Riigikogu Stenogramm IX Istungjärk Kolmapäev’ (14 February 2007) (last accessed 26 July 2020).
[2] Ibid.
[3] As observed by MP Urmas Reinsalu, Chairman of the Constitutional Committee, see ‘X Riigikogu Stenogramm IX Istungjärk Kolmapäev’ (14 February 2007) (last accessed 26 November 2020).
[4] Ibid.
[5] For an overview of all documents, see (last accessed 5 March 2021).