In general, there are no infrastructural limitations to internet access in Estonia. As of 2018, approximately 90 percent of households had access to the internet, according to European Union (EU) and International Telecommunications Union (ITU) data.1 According to the EU’s latest Digital Economy and Society Index, the country’s household fixed broadband penetration rate was 81percent in 2018, while its mobile broadband penetration rate was 144 percent.2 Both rates outperform EU averages.

The government continues to enhance infrastructure. The EstWin project, an initiative run by the government-established Estonian Broadband Development Foundation, works to improve fixed broadband access, and aims to achieve the country’s goal of having 98 percent of households no more than 1.5 km from a fiber-optic access point by 2020.3 The Consumer Protection and Technical Regulatory Authority (TTJA), Estonia’s telecommunications regulator, produces an online map that shows what services are available at any location in Estonia.4

Public Wi-Fi access remains strong. Estonia has numerous free, certified Wi-Fi hotspots meant for public use, including at cafes, hotels, hospitals, schools, and gas stations.5

Three mobile operators cover the country with 3G and 3.5G services, and 4G services cover over 99 percent of Estonia.6 In December 2018, the first 5G network was opened at the Tallinn University of Technology campus, though 5G services were not commercially available during the coverage period.7

Speeds are steadily improving. In 2018, 83 percent of households had access to broadband connections of 30 Mbps or more.8 The government has set a target of 100 percent high-speed (30 Mbps or more) broadband coverage by 2020.9 According to a May 2019 survey from the internet intelligence service Ookla, Estonia ranked 22 in the world for mobile broadband speeds (with an average download speed of 44.07 Mbps) and 43 for fixed broadband speeds (with an average download speed of 57.18 Mbps).10

• 1Eurostat, “Households - level of internet access” https://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_ci_in_h&l…; European Commission, “Digital Economy and Society Index (DESI), 2019 Country Report: Estonia” https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=59894; International Telecommunication Union, “Estonia Profile,” last updated 2018, https://web.archive.org/web/20190224191105/https://www.itu.int/net4/itu…
• 2European Commission, “Digital Economy and Society Index (DESI), 2019 Country Report: Estonia” https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=59894
• 3European Commission, “Digital Single Market: Polies – Estonia” https://ec.europa.eu/digital-single-market/en/country-information-eston…
• 4The Consumer Protection and Technical Regulatory Authority, “Estonian communication coverage application” www.netikaart.ee
• 5Public Wi-Fi Hotspot database in Estonia, https://web.archive.org/web/20161013201941/http://wifi.ee/
• 6Annual report of the Estonian Technical Regulatory Authority 2016 https://www.ttja.ee/sites/default/files/content-editors/TJA/Aastaraamat… (p. 15)
• 7Dmitri Povilaitis, “The first 5G network was opened in Tallinn today,” Paelinn, December 20, 2018 http://www.pealinn.ee/tagid/koik/tallinnas-avati-tana-esimene-5g-vork-n…
• 8European Commission, “Digital Economy and Society Index (DESI), 2019 Country Report: Estonia” https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=59894
• 9European Commission, “Digital Economy and Society Index (DESI), 2019 Country Report: Estonia” https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=59894
• 10Speedetest, “Speedtest Global Index, May 2019” http://web.archive.org/web/20190629201034/https://speedtest.net/global-…

There are no significant digital divides in the country.

In general, internet connections are affordable. The 2019 Inclusive Internet Index report ranks Estonia 20 out of 100 countries in terms of the affordability of prices for connections.1 A variety of packages offering internet connections are available at low prices, while very high-speed connections are available at somewhat higher prices. According to 2017 ITU data, monthly entry-level fixed broadband subscriptions cost 1.2 percent of GNI per capita,2 while a mobile broadband plan offering 1 GB of data per month cost 0.6 percent of GNI per capita.3 According to EU studies, prices for fixed and mobile broadband plans in Estonia are below the bloc’s averages.4 The EU’s abolition of roaming charges in 2017 has helped lower the cost of internet services. Additionally, the government-created Internet Home Project, launched in 2017, aims to provide households and offices in most parts of the country with fiber-optic connections at a subsidized price (150 euros for the last mile).5

Internet connectivity is limited in sparsely-populated rural areas. According to 2017 data, while over 80 percent of Estonians have access to internet connections of 30 Mbps or more, only 40 percent of those living in rural areas do.6

Internet usage is high among both men (87.9 percent) and women (88.3 percent), as of 2017.7 There is a larger gap in usage along age: 100 percent of 16-to-24-year-olds use the internet, while just 59 percent of 65-74-year-olds do, according to official figures from 2018.8

• 1The Inclusive Internet Index 2019, “Estonia: Price” https://theinclusiveinternet.eiu.com/explore/countries/EE/performance/i…
• 2International Telecommunication Union, “ICT Price Baskets, Fixed Broadband Basket” https://www.itu.int/en/ITU-D/Statistics/ICTprices/Pages/default.aspx
• 3International Telecommunication Union, “ICT Price Baskets, Fixed Broadband Basket” https://www.itu.int/en/ITU-D/Statistics/ICTprices/Pages/default.aspx
• 4“Fixed Broadband Prices in Europe 2017” A study prepared for the European Commission DG Communications Networks, Content & Technology by Empirica and TUV Rheinland https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=55892; https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57336
• 5Eesti Andmesidevõrk [Estonian Data Communication Network] https://www.internetkoju.ee/
• 6European Court of Auditors, “Broadband in the EU Member States: despite progress, not all the Europe 2020 targets will be met” 2018 https://www.eca.europa.eu/Lists/ECADocuments/SR18_12/SR_BROADBAND_EN.pdf
• 7ITU, accessed April 24, 2019 http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
• 8Statistics Estonia, “The use of sharing economy services is growing,” September 19, 2018 https://www.stat.ee/news-release-2018-100

The government does not exercise technical or legal control over the domestic internet. There were no government-imposed restrictions on or disruptions to internet connectivity during the coverage period. The government does not have explicit legal authority to shut off internet connections, even in states of emergency.1

• 1Riigi Teataja, “State of Emergency Act” https://www.riigiteataja.ee/en/eli/ee/530122013002/consolide

There are no undue legal, regulatory, or economic restrictions on Estonia’s information and communication technology (ICT) market. The Electronic Communications Act aims to develop and promote a free market and fair competition in telecommunication services.1 Information society services, meaning economic or professional activities involving the processing, storage, or transmission of information by electronic means upon a recipients’ request, are regulated by the Information Society Services Act.2 There have not been any substantive changes to the laws or to the ICT market during the coverage period.

There are over 200 operators offering telecommunications services, including six mobile operators and numerous internet service providers (ISPs). The ICT market is relatively diverse with no significantly dominant companies. However, according to the 2019 Inclusive Internet Index report, Estonia’s mobile market is “moderately concentrated,”3 while its fixed broadband market is “highly concentrated.”4 Sweden’s Telia Company is the leading mobile and fixed broadband service provider, controlling 47 percent of the mobile market and 53 percent of the fixed broadband market, according to its 2018 annual report.5

Service providers are required to register with the TTJA. There is normally no registration fee, and companies can register online.6

• 1Riigi Teataja, “Electronic Communications Act” https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/521082017008/consol…
• 2Riigi Teataja, “Information Society Services Act” https://www.riigiteataja.ee/en/eli/504112013008/consolide
• 3The Inclusive Internet Index 2019, “Estonia: Wireless operators' market share” https://theinclusiveinternet.eiu.com/explore/countries/performance/affo…
• 4The Inclusive Internet Index 2019, “Estonia: Broadband operators' market share” https://theinclusiveinternet.eiu.com/explore/countries/performance/affo…
• 5Telia Company, “”Bringing The World Closer” Annual And Sustainability Report 2018” https://www.teliacompany.com/globalassets/telia-company/documents/repor…
• 6Ministry of Economic Affairs and Communications, “Statistics of economic activities” https://mtr.mkm.ee/statistika/yld?m=157

The main regulatory bodies for the ICT sector are the TTJA and the Competition Authority. In January 2019, the TTJA was created out of the merger of the Consumer Protection Authority and the Technical Surveillance Authority. The TTJA operates under the Ministry of Economic Affairs and Communications, while the Competition Authority operates under the Ministry of Justice. Both are led by directors appointed by the relevant minister after a pubic call for applications. Directors may be reappointed but are term-limited. The two entities have a reputation for professionalism and independence. There have been no reported cases of undue interference in the ICT sector or abuse of power by these regulatory bodies.

The Estonian Internet Foundation was established in 2009 to manage Estonia’s top level domain, “.ee,” and is a member of the Council of European National Top Level Domain Registries (CENTR).1 The organization represents a broad group of stakeholders in the Estonian internet community and oversees various internet governance issues.

• 1Estonian Internet Foundation, http://www.internet.ee/en/

There are very few blocked websites in Estonia, and political, social, and cultural content is freely available to users.

The primary restriction on internet content remains a ban of online illegal gambling websites (see B3). As of June 2019, the Estonian Tax and Customs Board had more than 1,400 URLs on its list of illegal online gambling sites that Estonian ISPs are required to block.1

• 1Tax and Customs Board, “Blokeeritud hasartmängu internetileheküljed” (Blocked gambling internet pages) https://www.emta.ee/et/eraklient/maa-soiduk-mets-hasartmang/blokeeritud…

There have been some instances of online content being removed, although this is not a widespread issue. Many of these instances involve civil court orders to remove comments that are defamatory or otherwise damaging, pursuant to a landmark 2015 case establishing intermediary liability for third-party comments (see B3).

In addition, comments on news websites or discussion boards are sometimes removed by administrations. Most popular websites have code of conducts for the responsible and ethical use of their services and enforcement policies that allow certain content to be taken down.

According to its latest transparency report, Facebook removed seven items of content between July and December 2018 in response to requests from the government and other domestic entities. In one case, the company restricted access to content containing hate speech after the Estonian Human Rights Centre, an NGO, reported it.1 Meanwhile, the government sent five removal requests to Google between July and December 2018, targeting content relating to defamation, drug abuse, or national security.2 The company only removed content in response to two of these requests. The government did not send any removal requests to Twitter during the same period.3

Russian social media platforms Odnoklassniki (OK) and VKontakte (VK) are also popular in Estonia, but their parent companies do not release data about content removal requests.

• 1Facebook Transparency, “Estonia” https://transparency.facebook.com/content-restrictions/country/EE
• 2Google Transparency Report, “Government requests to remove content: Estonia” https://transparencyreport.google.com/government-removals/by-country/EE
• 3Twitter Transparency Report, “Removal Requests” https://transparency.twitter.com/en/removal-requests.html#removal-reque…

Restrictions on online content are transparent and grounded in the law. The Gambling Act, one of the few laws that imposes restrictions, requires domestic and foreign gambling sites to obtain a special license.1 Unlicensed sites are subject to blocking (see B1). The Tax and Customs Board’s list of blocked websites is transparent and available to the public.

Under the Information Society Service Act and pursuant to the EU E-Commerce Directive, service providers are generally not liable for illegal content transmitted by users.2

However, in 2015, the European Court of Human Rights (ECtHR) upheld a controversial 2009 Estonian Supreme Court decision establishing intermediary liability for third-party defamatory comments on news websites.3 The ECtHR confirmed that holding intermediaries responsible for third-party content published on their website or forum is not against Article 10 of the European Convention on Human Rights guaranteeing freedom of expression.

The EU-level Directive on Copyright in the Digital Single Market,4 which was approved in April 2019, must now be incorporated into Estonian law. Despite opposing the directive at the European Council,5 the government is bound by this obligation. The directive, among other things, establishes ancillary copyright for digital publishers and makes "online content sharing service providers" partially liable for copyright violations on their platforms.6

• 1Riigi Teataja, “Gambling Act” https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/507122016002/consol…
• 2Swiss Institute of Comparative Law “Comparative Study on Blocking, Filtering and Take-Down of Illegal Internet Content,” December 20, 2015 https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?d…
• 3Global Freedom of Expression, “Delfi AS v. Estonia” https://globalfreedomofexpression.columbia.edu/cases/delfi-as-v-estonia/
• 4European Union, “Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC” https://eur-lex.europa.eu/eli/dir/2019/790/oj
• 5Dario Cavegn, “Estonia not supporting EU copyright directive in Monday EU council vote,” Err.ee, April 15, 2019 https://news.err.ee/930334/estonia-not-supporting-eu-copyright-directiv…
• 6European Union, “Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC” https://eur-lex.europa.eu/eli/dir/2019/790/oj

In general, self-censorship is not prevalent, and online debates are active and open.

The rhetoric of one of the parties in Estonia’s new government, the far-right EKRE, has targeted critical journalists. Within a week of the new government’s inauguration, for example, two journalists who also published their work online -- one from the newspaper Postimees and the other from the public broadcaster ERR -- resigned due to what they claimed was pressure from their editors to alter their coverage of the party.1 EKRE’s rhetoric has not yet had a chilling effect on the digital public sphere. However, given the close links between traditional and digital media, observers are concerned that the resignation of the two journalists could negatively impact online reporting.

• 1Sten Hankewitz, “The first Estonian journalist leaves a major newspaper over her views,” Estonian World, April 23, 2019 https://estonianworld.com/security/the-first-estonian-journalist-leaves…; Silver Tambur, “Estonian liberal commentator Ahto Lobjakas resigns in the face of self-censorship demands,” Estonian World, April 27, 2019 https://estonianworld.com/security/estonian-liberal-commentator-ahto-lo…

Manipulation of the online information landscape was not a significant issue during the coverage period, though EKRE has openly called for critical voices to be stifled. For example, in March 2019, EKRE vice-chair Martin Helme, who sits on the board of the public broadcaster ERR, asked his fellow board members to sanction ERR employees who criticized his party.1 The other members of Estonia’s government coalition did not support these calls.

Russian information campaigns attempt to manipulate public opinion in Estonia.2 In January 2019, Facebook removed a number of Estonia-focused accounts and pages linked to Sputnik, the Russian-backed news agency, for engaging in “coordinated inauthentic behavior.”3 In late 2018, the anti-disinformation blog Propastop observed an effort to spread the anti-EU hashtag #ESTExitEU using fake social media accounts linked to Russia.4

However, Propastop did not detect any efforts to interfere in Estonia’s March 2019 parliamentary elections.5 Similarly, Russian information campaigns did not appear to specifically target the country during the May 2019 EU parliamentary elections, though the bloc found evidence of “continued and sustained disinformation activity by Russian sources aiming to suppress turnout and influence voter preferences.”6

While press freedom remains strong in Estonia, the civil society group Reporters Sans Frontières (RSF) has expressed concern over editorial interference in the operations of leading newspaper Postimees, which also published online.7 Margus Linnamäe, the owner of the paper and member of one of the parties in the current coalition government, has presided over the resignation of five top editors since 2018 in his efforts to, according to RSF, turn Postimees into “a propaganda mouthpiece for his conservative and nationalist opinions.”8 In November 2019, the paper’s much-criticized editor-in-chief resigned due to pressure from journalists, who regarded him as interfering in their independent journalistic work.

• 1Vahur Koorits, “Martin Helme demands ERR to punish journalists critical of EKRE and take it off the air,” Delfi, March 28, 2017 https://www.delfi.ee/news/paevauudised/eesti/martin-helme-nouab-err-ilt…
• 2The yearbook of the Estonian Internal Security Service (KAPO), 2018 pg. 9. https://www.kapo.ee/sites/default/files/public/content_page/Aastaraamat…
• 3Facebook Newsroom, “Removing Coordinated Inauthentic Behavior from Russia,” January 17, 2019 https://newsroom.fb.com/news/2019/01/removing-cib-from-russia/
• 4Propastop, “Attention! Provocative fake news is circulating in Narva,” December 20, 2018 https://www.propastop.org/eng/2018/12/20/attention-provocative-fake-new…; Propastop, “Hashtag ESTexitEU, is being distributed by fake accounts connected to Russia,” January 4, 2019 https://www.propastop.org/eng/2019/01/04/hashtag-estexiteu-is-being-dis…
• 5Propastop, “Did foreign sources influence the Estonian elections?,” March 12, 2019 https://www.propastop.org/eng/2019/03/12/did-foreign-sources-influence-…
• 6European Commission, High Representative of the Union for Foreign Affairs And Security Policy, “Report on the implementation of the Action Plan Against Disinformation,” June 14 2019 https://eeas.europa.eu/sites/eeas/files/joint_report_on_disinformation…
• 7Reporters Without Borders, “Estonia” https://rsf.org/en/estonia
• 8Reporters Without Borders, “Editors abandon Estonia’s leading daily because of owner meddling,” June 2, 2019 https://rsf.org/en/news/editors-abandon-estonias-leading-daily-because-…

There are few economic or regulatory barriers to posting content online. Online news websites do not need to register with the government to operate.1

In line with the EU, Estonia supports net neutrality. Providers found to be in violation can be fined up to 9,600 euros ($10,700).2

• 1Urmas Loit, Halliki Harro-Loit, “Estonia,” Centre for Media Pluralism and Freedom, December 2016 http://cmpf.eui.eu/media-pluralism-monitor/mpm-2016-results/estonia/
• 2Thomas Lohninger, Benedikt Gollatz, Cornelia Hoffmann, Erwin Ernst Steinhammer, Ludger Benedikt Deffaa, Ali Al-Awadi, Andreas Czák, “The Net Neutrality Situation in the EU: Evaluation of the First Two Years of Enforcement,” Epicenter Works, January 29, 2019 https://epicenter.works/sites/default/files/2019_netneutrality_in_eu-ep…

A diverse range of content is available online. The most popular website is Google, followed by YouTube and Facebook. The major Estonian news portals Delfi and Postimees are the fourth and fifth most popular sites, respectively.1 Estonians use the internet for uploading and sharing original content such as photographs, music, and text, more than the average in the EU.2 Knowledge of foreign languages among Estonians is high, which facilitates access to diverse content.3

• 1Similar Web, “Top Website Ranking: Estonia”, accessed April 26, 2019 https://www.similarweb.com/top-websites/estonia
• 2Eurostat, “Individuals Using the Internet for Uploading Self-Created Content” accessed April 26, 2019 http://ec.europa.eu/eurostat/tgm/refreshTableAction.do?tab=table&plugin…
• 3“Estonia Ranks High for English Proficiency,” Study In Estonia, November 9, 2015, https://web.archive.org/web/20180411095606/http://www.studyinestonia.ee…

Estonians use social media platforms to share news and information, as well as generate public discussion about current political issues. Online petitions are also popular. There were no restrictions on mobilization tools during the coverage period.

There has been a strong counter-reaction online to the inclusion of EKRE in government. The movement “Kõigi Eesti” or “My Estonia Too” (which uses the hashtags #KõigiEesti, #MyEstoniaToo, and # ОбщаяЭстония) is the main vehicle for this counter-reaction.1 Kõigi Eesti’s online activism has contributed to offline action: in April 2019, 10,000 people attended a concert organized by the movement.2

The state runs a website that enables people to compile, send, and monitor initiatives with at least 1,000 digital signatures to the parliament.3 Since 2013, citizens have been able to engage online as well as offline in a “people’s assembly” focusing on issues of and ideas for active aging.4

• 1Andrew Whyte, “Kõigi Eesti movement launched by concerned residents”, Err.ee, March 23, 2019 https://news.err.ee/922982/koigi-eesti-movement-launched-by-concerned-r…
• 2Anna Aurelia Minev, “Gallery: Kõigi Eesti Laul concert brings 10,000 to Song Festival Grounds,” Err.ee, April 15, 2019 https://news.err.ee/930511/gallery-koigi-eesti-laul-concert-brings-10-0…
• 3Rahvaalagatus (Citizens initiative), accessed May 10, 2018 https://rahvaalgatus.ee/
• 4Rahvaalgatus, New Aging 2050 and People's Proposals,” accessed May 10, 2018 https://uuseakus.rahvaalgatus.ee/

All citizens have the constitutional rights to freely obtain information and to freely disseminate ideas, opinions, beliefs, and other information.1 There are no obstacles to people exercising their right to freedom of expression online.

The judiciary in Estonia is independent, and there have not been any instances of political interference with the judiciary. Over 60 percent of Estonian trust the judiciary, according to 2018 survey data.2

Protections for journalists, which include the right to confidentiality of sources, are strong.3

• 1Constitution of the Republic of Estonia https://www.president.ee/en/republic-of-estonia/the-constitution/
• 2European Commission, “Public Opinion” http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/Chart/getCh…
• 3Ieva Azanda, Mogens Blicher Bjerregård, Jüri Estam, Ilze Jaunalksne, Allen-Illimar Putnik, “Of the Rights and Responsibilities of the Journalist,” Baltica and the Centre for Media Studies of the Stockholm School of Economics https://www.sseriga.edu/sites/default/files/inline-files/estonian_legal…

In practice, there are few limits on freedom of expression online. Speech that publicly incites hatred, violence, or discrimination on the basis of nationality, race, color, gender, language, origin, religion, sexual orientation, political opinion, or financial or social status is punishable by a fine of up to 3,200 under the penal code.1 Such speech is also punishable by up to three years in prison if it leads to the “death of a person or results in damage to health or other serious consequences.”2

Defamation was decriminalized in 2002.3 Civil defamation cases can be brought under the Law of Obligations Act,4 though cases are rare and damages are usually moderate.5

In October 2017, the CJEU sought to clarify EU law in a case on internet jurisdiction at the request of the Estonian Supreme Court.6 The ruling considered whether a defamation case can be brought before a court in Estonia if the company affected is based domestically, despite the infringing content being published on a Swedish website. The EU Court clarified that the party affected may sue in the country where its center of interest resides, but noted that it is not possible to bring cases in any country where the online information is accessible.7

• 1Riigi Teataja, Penal Code, Article 151 https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/519012017002/consol…
• 2Riigi Teataja, Penal Code, Article 151 https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/519012017002/consol…
• 3The amended Penal Code was adopted in 2001 and entered into force in 2002. See: https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/519012017002/consol…
• 4Riigi Teataja, Law of Obligations Act https://www.riigiteataja.ee/en/eli/524012017002/consolide
• 5Cases from the Estonian Supreme Court are available at http://www.nc.ee/?id=194
• 6Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.
• 7Judgement of the Court 17 October 2017 in Case C-194/16 Bolagsupplysningen OÜ and Ingrid Ilsjan v. Svensk Bolagsuppkysning AB. Available at http://curia.europa.eu/juris/liste.jsf?num=C-194/16

There were no cases of prosecutions or detentions for online activities during the coverage period.

There are no governmental restrictions on anonymous communication or encryption. There are no SIM card registration requirements.1

Some major news sites have limited anonymous commenting on their articles in reaction to the establishment of intermediary liability for third-party defamatory comments on internet news portals (see B3).

• 1Privacy International, “Timeline of SIM Card Registration Laws,” June 11, 2019 https://privacyinternational.org/long-read/3018/timeline-sim-card-regis…

Government surveillance is not intrusive, and the constitution guarantees the right to the confidentiality of messages sent or received.1

Parliament’s Security Authorities Surveillance Select Committee oversees surveillance and security agencies. The committee monitors the activities of theses bodies to ensure conformity with the constitution, the Security Authorities Act,2 and other regulations, which include necessity and proportionality requirements.

The prosecutor´s office monitors surveillance activities and reports regularly to the Select Committee. In an overview provided in February 2018, the chief prosecutor reported that during 2017, permission for surveillance was granted in 2 percent of cases where the law allowed. Surveillance was mainly used in cases concerning organized crime as well as crimes relating to drugs and taxes.3 More recent data is not yet available.

In February 2019, parliament voted to amend the Defence Forces Organisation Act to allow the military to access private data and surveil citizens under certain emergency circumstances.4 However, President Kersti Kaljulaid rejected the measure in March 2019, arguing that it trampled over basic rights. Parliament passed the amendment again, and Kaljulaid again vetoed it.5 The Supreme Court is expected to review the constitutionality of the proposed amendment in late 2019.6

• 1Constitution of the Republic of Estonia https://www.president.ee/en/republic-of-estonia/the-constitution/
• 2Riigi Teataja, Security Authorities Act https://www.riigiteataja.ee/en/eli/522032019003/consolide
• 3Riigikogu, “The Special Committee received an overview of the prosecution's supervision of the surveillance and security authorities”, February 5, 2018 https://www.riigikogu.ee/pressiteated/julgeolekuasutuste-jarelvalve-eri…
• 4Dario Cavegn, “Riigikogu backs extension of military surveillance capabilities,” Err.ee, May 29, 2019 https://news.err.ee/946931/riigikogu-backs-extension-of-military-survei…
• 5Dario Cavegn, “Supreme Court to decide on military surveillance expansion this fall,” Err.ee, June 19, 2019 https://news.err.ee/953694/supreme-court-to-decide-on-military-surveill…
• 6Helen Wright, “President and Riigikogu to meet in court over intelligence law in October,” Err.ee, September 16, 2019 https://news.err.ee/981023/president-and-riigikogu-to-meet-in-court-ove…

Estonia has strong laws protecting citizens’ personal information, although service providers are mandated to retain user data. The General Data Protection Regulation (GDPR), which came into force in all EU member states in May 2018,1 puts limits on how interested parties can use and store Estonians’ data.

Additionally, the Personal Data Protection Act (PDPA) was amended in 2018 and entered into force in January 2019.2 The law contains the provisions left by the GDPR to EU Member States' legislation, which includes certain exceptions like those identifying instances when the media can use personal data if it is in the public interest.

The Data Protection Inspectorate is the supervisory authority PDPA.3 In addition, the Chancellor of Justice (ombudsman) can make suggestions regarding data protection.

Service providers are required to collect and retain a substantial amount of metadata. These requirements were established under the Electronic Communications Act, which aligned with EU legislation. They were cast into doubt by the CJEU in April 2014, when the court found the European Data Retention Directive (2006/24/EC) to be invalid.4

Article 111 of the Electronic Communications Act outlines various restrictions on how this data can be stored and used. Data shall be kept for one year, unless there are special circumstances determined by the government that justify keeping it longer, such as maintaining public order and national safety. Article 112 regulates how requests by law enforcement authorities or other agencies can be made in relevant situations, such as criminal investigations, as provided by law. Judicial approval is not always required. These requests for data are kept by the requesting agency for two years. Article 112 also stipulates that operators shall inform the TTJA of requests made and measures undertaken. The Electronic Communications Act has been criticized for allowing requests for metadata in too many situations. While Estonia’s Chancellor of Justice has found that the system does not contradict constitutional guarantees, the office has questioned the proportionality of the law.5 Beyond the Electronic Communications Act, there are no other provisions requiring companies to monitor communications, and such requests are not routinely made by the government.

In November 2018, Estonia’s Supreme Court made a referral for a preliminary ruling to the Court of Justice of the European Union (CJEU) to find out whether EU law, such as the Charter of Fundamental Rights, prevents the state from using people’s metadata (such as origin and destination of a message, location, date, time, and type of device used) in the course of investigations into crimes other than serious crimes. The Court has asked for clarification on whether this sort of access to data is justified and proportional, and whether the process should include judicial review.6 The case is pending.

• 1Riigi Teataja, Personal Data Protection Act, https://www.riigiteataja.ee/akt/104012019011
• 2European Union, Regulation 2016/679 https://publications.europa.eu/en/publication-detail/-/publication/3e48…
• 3Republic of Estonia, Data Protection Inspectorate https://www.aki.ee/en
• 4European Court of Justice, “Digital Rights Ireland Ltd (C-293/12) and Kärntner Landesregierung (C-594/12)” http://curia.europa.eu/juris/document/document.jsf?docid=150642&doclang…
• 5“Elektroonilise side seaduse § 1111 alusel sideandmete töötlemise põhiseaduspärasus” [Constitutionality of processing of communications data under § 1111 of the Electronic Communications Act], Chancellor of Justice, April 22, 2016, No. 6-1 / 140621/1601788, https://www.oiguskantsler.ee/sites/default/files/field_document2/elektr…
• 6Riigikohus, Case I-16-6179, https://www.riigikohus.ee/et/lahendid?asjaNr=1-16-6179/85

There have been no physical attacks against users or online journalists, though online discussions are sometimes inflammatory. Critics as well as supporters of EKRE have faced online harassment, including threats of violence, for their views.1

• 1Shaun Walker, “Racism, sexism, Nazi economics: Estonia's far right in power,” The Guardian, May 21, 2019 https://www.theguardian.com/world/2019/may/21/racism-sexism-nazi-econom… For cases, see complaints made to the Press Council regarding reporting about EKRE and organisations close to it (cases pending), https://web.archive.org/web/20190730134421/https://www.eall.ee/pressino…

According to the ITU’s Global Cybersecurity Index, Estonia ranks fifth in the world and fourth in Europe in regards to its commitment to ensuring cybersecurity.1 In 2018, the government allocated additional funds to advancing the country’s online security, as well as adopted a new Cyber Security Strategy for 2019-2022.2

Estonia’s cybersecurity strategy is built on strong private-public collaboration and a unique voluntary structure through the National Cyber Defence League.3 With more than 150 experts participating, the league has simulated different security threat scenarios in defense exercises, with the aim of improving the technical resilience of telecommunication networks and other critical infrastructure.4

As an additional measure to ensure the security of public electronic data, Estonia has established the first of several planned “data embassies.” The first embassy, based in Luxembourg, stores public data and information systems in the cloud, enabling the Estonian state to function in the event of a cyberattack or other political crisis within the country. The agreement between the two governments to establish the embassy was signed in June 2017, and the embassy was completed in 2018. The data embassy is granted the same privileges bestowed upon traditional embassies.5

The Estonian e-governance infrastructure suffered one of its first major challenges in 2017, when a chip malfunction that could lead to potential security breaches was discovered in government-issued ID cards6 In response, the government recalled security certificates for more than 760,000 ID cards, which made their electronic use impossible until the certificates had been renewed. The issue was apparently discovered before any data was compromised. Despite delays in fixing the issue, the certificates were renewed, and the incident has not significantly affected the public’s trust in e-governance. 7

Parliament adopted a new cybersecurity law in May 2018. The law implements the EU Directive 2016/1148 on measures for a high common level of security of network and information systems.8 It includes requirements to have a computer security incident response team (CSIRT) and a competent national network and information security (NIS) authority (which Estonia previously had), and strengthens cooperation among EU member states. Businesses identified as operators of essential services will be required to take appropriate security measures and to notify serious incidents to the relevant national authority.9

The North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Center of Excellence is located in Tallinn. Since its founding, the center has supported awareness campaigns and academic research, and hosted several high-profile conferences, among other activities. The center organizes an annual International Conference on Cyber Conflict, or CyCon, bringing together international experts from governments, the private sector, and academia, with the goal of ensuring the development of a free and secure internet.

• 1Global Cybersecurity Index 2018, ITU, https://web.archive.org/web/20190407211525/https://www.itu.int/en/ITU-D…
• 2National Information System Authority, Cyber Security 2019 https://www.ria.ee/sites/default/files/content-editors/kuberturve/kuber…
• 3Cyber Security Strategy 2014-2017, https://www.mkm.ee/sites/default/files/cyber_security_strategy_2014-201…
• 4“Estonian Defense League’s Cyber Unit,” Kaitseliit (Defence League), http://www.kaitseliit.ee/en/cyber-unit
• 5Riigikogu, “The Economic Commission supports the establishment of a data embassy in Luxembourg,” February 13, 2018 https://www.riigikogu.ee/pressiteated/majanduskomisjon-et-et/majandusko…
• 6“ID-kaardi turvariski ja uuendamise taustinfo” [Background information on ID card security risk and renewal], Article ID: 38176, October 25, 2017, https://web.archive.org/web/20171109075059/http://www.id.ee:80/index.ph…
• 7“ID-kaardi turvariski ja uuendamise taustinfo” [Background information on ID card security risk and renewal], Article ID: 38176, October 25, 2017, https://web.archive.org/web/20171109075059/http://www.id.ee:80/index.ph…
• 8Riigikogu, Cyber ​​Security Act 597 SE https://www.riigikogu.ee/tegevus/eelnoud/eelnou/61815f7a-1025-4aea-9b0e…
• 9European Commission, “The Directive on security of network and information systems (NIS Directive),” July 15, 2019 https://ec.europa.eu/digital-single-market/en/network-and-information-s…