Skip to content
Chimera readability score 87 out of 100, Specialist reading level.

Justice and Digital Minister Liisa Pakosta (Eesti 200) has sent the government a draft law that would end telecom companies' obligation to collect people's communications data on a mass scale at the state's request.
The ministry notes in the explanatory memorandum that the aim is to change Estonia's communications‑data regime so that people's fundamental rights are protected in line with EU law — meaning the current state‑mandated, large‑scale retention of communications data will be discontinued.
In criminal proceedings, only communications data collected for commercial purposes and data needed for investigating a specific crime (the so‑called "quick freeze" mechanism) may be used as evidence, the ministry explained.
In misdemeanor proceedings, communications data may be used only in cases of serious or organized offenses.
"For extreme situations that threaten the security of society or the survival of the state, a narrowly limited possibility for short‑term, broader data retention is foreseen — but only with a justified decision by the government and with the involvement of the Riigikogu," the ministry added.
The ministry said the amendment resolves practical problems that have arisen regarding communications‑data requests and the use of such data in criminal and misdemeanor proceedings.
The bill concerns only the retrieval of technical communications data from telecom operators — specifically data needed to identify an end user, as well as the retention and retrieval of traffic and location data. It does not regulate access to the content of communications sessions (such as messages, calls, or uploaded/downloaded files).
Under current law, Estonia allows the use of communications data in criminal and misdemeanor proceedings based on a general, uniform retention obligation imposed on telecom operators.
The ministry points out that the Court of Justice of the European Union and Estonia's Supreme Court have ruled that using generally and uniformly retained traffic and location data in criminal proceedings is not permitted, as it does not meet EU requirements for personal‑data and privacy protection. The only exceptions are data needed to identify an electronic communications service user and IP‑address data.
"The amendments provide clearer protection for people's communications data and establish clear procedural rules for law‑enforcement authorities on how such data may be used in criminal and misdemeanor proceedings," the memorandum states.
Going forward, only data needed to identify an electronic communications service user and IP‑address data will be retained generally and uniformly. The general retention obligation for phone and mobile‑service traffic and location data will be abolished.
Communications data are data associated with the provision of electronic communications services that give background or additional information about the service and are created or processed in the service provider's information systems. Such data include, for example, the source and destination of a message or other communication, device location data, date, time, duration, size, route, format, protocol used, compression type, and other electronic‑communications metadata.
Communications data do not include the content of messages.
Only commercially collected data may be used in proceedings
In future, law‑enforcement authorities will be able to request communications data needed to identify a user and use data that telecom operators retain for commercial purposes.
To ensure that commercially retained data are available for a specific investigation, authorities will be able to request their rapid preservation ("quick freeze").
The bill also provides narrowly defined, short‑term grounds for retaining data to combat very serious crime (such as crimes against humanity, war crimes, terrorism, human trafficking, crimes against the state, illegal handling of narcotics, corruption, money laundering, participation in a criminal organization, illegal handling of weapons, ammunition or explosives, and other dangerous or organized crime).
For combating very serious crime, targeted temporary retention may be ordered by the government based on specific geographic areas where serious crime levels are significantly higher than usual.
For national‑security purposes, temporary retention may be ordered by the government when the state faces an elevated or immediate threat.
Data retained for national‑security purposes cannot be used in criminal proceedings; they may be used only in administrative procedures related to national security.
Administrative burden for telecom operators will increase
According to the explanatory memorandum, telecom operators' administrative burden will increase because the amendment introduces a different retention regime. Instead of uniformly retaining all data, operators must distinguish between data needed to identify users and traffic/location data, including possible targeted retention for combating crime and general retention for national‑security purposes.
The ministry notes that administrative burden will arise from changes needed to implement the new regulation and from ongoing costs related to retention and differentiated access.
"If we assume that the process of making and responding to data requests does not become more complex, the additional burden will be temporary. Even now, operators retain data both under state‑mandated obligations and for commercial purposes," the ministry added.
Telecom operators will need to review and update their data‑retention processes and rules, and adjust procedures for handling requests and releasing data. They may also need to update electronic interfaces used for submitting requests.
--
Editor: Valner Väino, Argo Ideon

Facts Only

* Justice and Digital Minister Liisa Pakosta sent a draft law to the government.
* The aim is to end the obligation for telecom companies to collect people's communications data on a mass scale upon state request.
* The goal is to protect fundamental rights in line with EU law by discontinuing state-mandated, large-scale retention of communications data.
* In criminal proceedings, only commercially collected data and data needed for specific crime investigations ("quick freeze") may be used as evidence.
* In misdemeanor proceedings, communications data may only be used in cases of serious or organized offenses.
* A narrowly limited possibility for short-term, broader data retention is foreseen only with a justified decision by the government and involvement of the Riigikogu for extreme security situations.
* The bill concerns the retrieval of technical communications data from telecom operators, specifically data needed to identify an end user and the retention/retrieval of traffic and location data.
* The bill does not regulate access to the content of communications sessions (messages, calls, or files).
* Only data needed to identify an electronic communications service user and IP-address data will be retained generally and uniformly moving forward.
* Data retained for national security purposes cannot be used in criminal proceedings; they may only be used in administrative procedures.
* Telecom operators must distinguish between data types (user identification vs. traffic/location) to manage retention and access requests.

Executive Summary

The Estonian government has proposed a draft law to end the obligation for telecommunications companies to collect mass communications data upon state request, aiming to align the nation's regime with EU law regarding fundamental rights. The core change seeks to discontinue the current state-mandated, large-scale retention of communications data. Under the proposed framework, communications data will generally only be retained for identifying an end-user and IP addresses. Data used in criminal proceedings must be limited to information collected for commercial purposes or specific investigations known as the "quick freeze" mechanism. In misdemeanor proceedings, data use is restricted to cases involving serious or organized offenses. A narrow exception allows for short-term, broader retention for extreme security threats, requiring government justification and Riigikogu involvement. While this aims to enhance privacy protections by invalidating the general retention of traffic and location data based on EU rulings, telecom operators anticipate increased administrative burdens due to the need to differentiate between various types of retained data and implement new procedures.

Full Take

The proposed regulatory shift involves balancing established state interests—national security and law enforcement—against enshrined fundamental rights, as reflected in EU jurisprudence. The mechanism explicitly separates the general commercial retention of metadata from legally permissible uses in criminal and misdemeanor contexts, suggesting a move away from a blanket surveillance architecture toward targeted data access predicated on necessity. The conflict arises in defining the practical operational boundaries for law enforcement versus privacy guarantees. While the framework seeks to correct past issues identified by the Court of Justice regarding indiscriminate retention, the implementation raises questions about the definition of "necessary" and how 'justified decisions' by the government are made regarding security exceptions. Furthermore, the acknowledgment that administrative burden will increase suggests a tension between abstract legal ideals and the practical realities of operationalizing complex data governance across private sector entities. The focus shifts from *what* is collected to *how* it can be legally accessed, implicating future judicial scrutiny over executive decisions concerning data retention scope.
Estonia weighs limits on bulk communications‑data retention — Arc Codex