A Obstacles to Access 25 25
B Limits on Content 32 35
C Violations of User Rights 37 40
Last Year's Score & Status
94 100 Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.

header1 Overview

Internet freedom continues to thrive in Estonia, a consolidated democracy and European Union (EU) Member State. Widely known for its pioneering approach to e-government, the Estonian government places few limitations on internet access, fewer limitations on online content, and robust protections for user rights. However, during the coverage period, researchers revealed that the Estonian government likely purchased surveillance technology from Circles, a firm that provides surveillance tools allowing government agencies to intercept data from mobile networks.

Democratic institutions are strong, and political and civil rights are widely respected in Estonia. Right-wing and Eurosceptic populist forces are, however, becoming increasingly vocal. Misinformation is disseminated in social media as well as partisan online channels.

header2 Key Developments, June 1, 2020 - May 31, 2021

  • Estonia continues to invest in the deployment of broadband infrastructure, but the distribution of 5G permits has suffered from a significantly delayed tendering process (see A1 and A4).
  • In October 2020, the Ministry of Interior and the Ministry of Economic Affairs and Communications proposed amendments to the Electronic Communications Act, which would have forced people to verify their identity when purchasing a pre-paid SIM card and required messaging services, including WhatsApp, Viber, and Skype, to register as communication service providers. However, this provision was not included in an updated version of the bill (see C4 and C6).
  • In December 2020, it was revealed that the Estonian government was a likely client of Circles, a surveillance company that allows customers to monitor calls, texts, and cell phone geolocation by exploiting weaknesses in mobile telecommunications infrastructure (see C5).

A Obstacles to Access

A1 1.00-6.00 pts0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 6.006 6.006

In general, there are no infrastructural limitations to internet access in Estonia. According to July 2020 data from Statistics Estonia, the state statistics agency, 89.1 percent of households have internet connections, while 98 percent of people aged 16 to 44 use the internet daily or almost daily.1 According to the EU’s latest Digital Economy and Society Index (DESI), 82.6 percent of households had fixed-line broadband connections in 2020, while mobile broadband penetration reached 152.2 percent.2 Both rates outperform EU averages.

The government continues to enhance information and communications technology (ICT) infrastructure. The EstWin project, run by the Estonian Broadband Development Foundation, a state-supported foundation, is working to improve fixed-line broadband access. By May 2020, EstWin had delivered 7,000 kilometers of backhaul network.3 In 2018, the utility company Elektrilevi received €20 million ($24.2 million) from the state to build last-mile connections that bring high-speed internet access to 40,000 consumers by 2023.4

In April 2020, Estonia passed a supplementary budget, which allotted €15 million ($18.2 million) to improving connectivity in rural areas. The funds were tendered out to connection providers, as well as based on individual applications to compensate the linking-up fees by households. 5

Additionally, an estimated €69 million ($83.7 million) from the European Union funds from the Recovery and Relief Facility (RRF) and European Regional Fund (ERF) will be used to improve broadband access and speed from 2023 to 2027.6

The Consumer Protection and Technical Regulatory Authority (TTJA), the telecommunications regulator, produces an online map that shows what internet services are available at any location in Estonia.7 Public Wi-Fi connections are commonplace, including at cafés, hotels, hospitals, schools, and gas stations.8 According to the Economist intelligence Unit’s 2021 Inclusive Internet Index, 3G mobile networks cover 100 percent of Estonia’s population, while 4G mobile networks cover 99 percent.9 The government adopted a “5G Roadmap” in 2019 which envisions the commercial rollout of 5G services in cities by 2023.10 However, the development of 5G networks was delayed by a legal dispute over the auctioning of radio frequencies and the network providers had not been selected by the end of the coverage period (see A4).11

In the company Cable’s 2020 “Worldwide Broadband Speed League,” Estonia ranked 21st in terms of mean download speed, which stood at 70.9 megabits per second (Mbps).12 According to the company Ookla, the average fixed-line broadband download speed was 49.57 Mbps in May 2021, while the average mobile broadband download speed was 65.79 Mbps.13 . The average internet speeds did not change during most stringent COVID-19 lockdown periods.14

A2 1.00-3.00 pts0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 3.003 3.003

There are no significant digital divides in the country. As a result, nearly all Estonians could avail themselves of distance learning, virtual court procedures, and other digital public services offered during the COVID-19 pandemic. According to DESI, Estonia has one of the highest shares (93 percent) of e-government users in Europe.1

In general, internet connections are affordable. The 2021 Inclusive Internet Index ranks Estonia 36th in terms of affordability of prices for connections.2 A variety of packages offering internet connections are available at low prices, while very high-speed connections are available at somewhat higher prices. In 2020, the International Telecommunication Union (ITU) put the cost of monthly fixed-line broadband subscription at .93 percent of gross national income (GNI) per capita, while 1.5 GB of mobile data cost 0.38 percent of GNI per capita, a sharp decrease from 2019.3 Meanwhile, per the 2021 Inclusive Internet Index, monthly entry-level fixed-line broadband subscriptions cost 1.2 percent of GNI per capita.4 (According to the World Bank, in 2019, Estonia’s GNI per capita was $23,200.)5

According to DESI, prices for fixed-line and mobile broadband plans in Estonia are below the EU average.6 However, the pricing policies of the leading service provider Telia have been criticized in the media. Telia offers connections that exceed 100 Mbps, but at much higher prices than in neighboring countries where the company also operates.7 This has resulted in lower take-up of very high-speed fixed-line broadband services. Even though very high-capacity networks cover 57 percent of households, only 14 percent of households have very high-speed connections, which is below the EU average.8 The Consumer Protection and Technical Regulatory Authority (TTJA), the telecommunications regulator, admits that broadband connection at the speed of 100 mbps or more exceeds the average European price range.9

There is no significant urban-rural digital divide. According to Statistics Estonia, 90.2 percent of households in urban areas had internet connections in 2020, while 89.5 percent of those in rural areas did.10

In 2020, slightly fewer men (88.5 percent) used the internet than women (89.6 percent).11 There is a larger gap in usage in terms of age: 99.7 percent of 16-to-24-year-olds use the internet, while just 56.1 percent of 65-74-year-olds do, per 2020 figures.12

A3 1.00-6.00 pts0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 6.006 6.006

The government does not exercise technical or legal control over the domestic internet, although the Cybersecurity Act,1 which implemented the EU’s Network and Information System Directive,2 gives it limited powers to restrict the use of or access to information systems in the event of a cybersecurity incident. As an exceptional and temporary measure, the government can also restrict internet connections in “emergency situations”3 and “states of emergency,”4 though this would not necessarily entail a total shutdown of internet connections. There were no government-imposed restrictions on or disruptions to connectivity during this coverage period.

A4 1.00-6.00 pts0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 6.006 6.006

There are no undue legal, regulatory, or economic restrictions on Estonia’s ICT market. The Electronic Communications Act aims to develop and promote a free market and fair competition in telecommunications services.1 Information society services, meaning economic or professional activities involving the processing, storage, or transmission of information by electronic means upon a recipient’s request, are regulated by the Information Society Services Act.2

There are over 200 operators offering telecommunications services, including six mobile service providers and numerous internet service providers (ISPs). The ICT market is relatively diverse with no significantly dominant companies. Sweden’s Telia is the leading fixed-broadband and mobile service provider, controlling 50 percent of the mobile market and 51 percent of the fixed-line broadband market according to the company’s 2019 annual report.3

Legally, service providers are required to register with the TTJA. There is a registration fee depending on the service provided; the amount is regulated by the State Fees Act.4 Companies use the Ministry of Economic Affairs and Communications’ Register of Economic Activities for this purpose.5

The distribution of radio frequencies for 5G mobile services in Estonia is delayed because the government is reconsidering network security before holding auctions for usage permits. Andres Sutt, who was appointed to the Minister of Entrepreneurship and Information in January 2021, had pledged to launch the auction in early 2021, 6 but the auction cannot proceed until draft amendments to the Electronic Communications Act are passed, which were postponed in September 2021.7

A5 1.00-4.00 pts0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 4.004 4.004

The main regulatory bodies for the Estonian ICT sector are the TTJA and the State Information System Authority (RIA). Both operate under the Ministry of Economic Affairs and Communications. The TTJA monitors the fixed-line and mobile broadband markets,1 ensuring compliance with EU Regulation 2015/2120,2 which outlines open-internet access requirements and user rights relating to electronic communications networks and services. Meanwhile, the RIA manages state ICT resources.3 Both have a reputation for professionalism and independence. There were no reported cases of undue interference in the ICT sector or abuse of power by these bodies during the coverage period.

The Estonian Internet Foundation manages Estonia’s top-level domain (.ee).4 The organization represents a broad group of stakeholders in the Estonian internet community and addresses various internet governance issues.

B Limits on Content

B1 1.00-6.00 pts0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content, particularly material that is protected by international human rights standards? 5.005 6.006

There are very few blocked websites in Estonia, and political, social, and cultural content is freely available to users.

The primary restriction on internet content remains a ban of online illegal gambling websites (see B3). As of January 2021, the Tax and Customs Board (MTA) had more than 1,600 URLs on its list of illegal online gambling sites that Estonian ISPs are required to block.1

B2 1.00-4.00 pts0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content, particularly material that is protected by international human rights standards? 3.003 4.004

Online content is sometimes removed following a court order, although this is not a widespread issue.

Comments on news websites and discussion boards are sometimes removed by website administrators. Most popular websites have codes of conduct for the responsible and ethical use of their services and enforcement policies that allow certain content to be taken down.

According to its latest transparency report (July-December 2020), neither Facebook1 nor Twitter2 received any content removal requests from the government. During the same period, however, Google received four takedown requests from the government and removed 1.7 percent of the reported content.3

Russian social media platforms Odnoklassniki and VKontakte are also popular in Estonia, but their parent companies do not release data about content removal requests.

B3 1.00-4.00 pts0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 4.004 4.004

Restrictions on online content are transparent and grounded in the law. The Gambling Act, one of the few laws that imposes restrictions, requires domestic and foreign gambling websites to obtain a special license.1 Unlicensed websites are subject to blocking by the MTA (see B1). The MTA’s list of blocked websites is transparent and available to the public.

Under the Information Society Service Act and pursuant to the EU’s E-Commerce Directive, service providers are generally not liable for illegal content transmitted by users.2

However, in 2015, the European Court of Human Rights (ECtHR) upheld a controversial 2009 Estonian Supreme Court decision in the case of Delfi v. Estonia, which established intermediary liability for third-party defamatory comments on news sites.3 The ECtHR confirmed that holding intermediaries responsible for third-party content published on their website or forum is not against Article 10 of the European Convention on Human Rights (ECHR) guaranteeing freedom of expression.

The EU Directive on Copyright in the Digital Single Market,4 which was approved in April 2019, had not entered into law by the end of the coverage period, though all member states were supposed to have transposed it by the end of June 2021.5 Despite opposing the directive at the European Council,6 the Estonian government is bound by this obligation. The directive, among other things, establishes ancillary copyright for digital publishers and makes “online content sharing service providers” partially liable for copyright violations on their platforms.7 The process of transposing this directive is ongoing and led by Ministry of Justice.

Similarly, the EU Audio-Visual Media Services Directive (AVMSD),8 which was approved in November 2018, should have been transposed into Estonian law by September 2020, but it still had not entered into law by the end of the coverage period. The AVMSD requires “video-sharing platform services” such as YouTube to take “appropriate measures” to “protect” minors from content “which may impair their physical, mental or moral development” and the general public from content involving child sexual abuse, racism, or xenophobia as well as content inciting hatred, terrorism, or violence.9 The bill transposing the AVMSD was introduced in February 2021,10 but it has faced delays due to a lack of consensus around the definition of “incitement of hatred.“

B4 1.00-4.00 pts0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 4.004 4.004

In general, self-censorship is not prevalent, and online debates are active and open.

Estonians value freedom of speech highly. According to a recent Eurobarometer survey, Estonians consider protecting freedom of speech one of the key tasks of the European Parliament.1

The far-right Estonian Conservative People’s Party (EKRE), which was a part of Estonia’s coalition government that led until January 26, 2021, has rhetorically targeted critical journalists,2 going so far as to threaten to slash funding for public broadcaster Estonian Public Broadcasting (ERR) for its perceived bias (see B5).

In late 2019, several journalists from Estonia’s largest daily newspaper, Postimees, resigned after repeated requests from their editors to soften the tone of their political reporting. This incident led to tensions between the staff and the newspaper’s leadership, culminating in an ultimatum issued by 19 journalists demanding the resignation of editor-in-chief Peeter Helme. Helme, the nephew of EKRE leader Mart Helme, was accused of pressuring journalists to refrain from publishing opinions that were, in his view, not aligned with the newspaper. He stepped down in November 2019.3 However, in December 2019 and January 2020, a number of journalists left Postimees after a senior staffer was dismissed over “differences about implementation of the newspaper’s vision.”4

B5 1.00-4.00 pts0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 3.003 4.004

Manipulation of the online information landscape was evident during the coverage period. Prior to the new government assuming leadership on January 26, 2021, members of the coalition including the EKRE party, repeatedly issued provocative statements and published biased information via partisan-funded online channels, such as Uued Uudised and Objektiiv.1 The content is widely disseminated on social media, without restrictions.

After calling the US elections rigged and using derogatory terms for president-elect Biden, Minister of Interior Mart Helme, the vice chairman of EKRE, resigned, while accusing mainstream media of propaganda and attacks on his person.2

Russian information campaigns attempt to manipulate public opinion in Estonia.3 An April 2020 report from the cybersecurity company Recorded Future identified an apparent Kremlin-backed disinformation operation aimed at undermining “the government of Estonia and its relationship with the EU while exploiting the ongoing European migrant crisis,” including by disseminating forged government communiqués.4

Generally, disinformation is evident in the online channels. According to Global Disinformation Index (GDI), one quarter of Estonia’s sites present a high risk of disinforming their online readers. These sites are outside Estonian mainstream media market, with some based in Russia.5

Nongovernmental organization (NGO) Reporters Without Borders (RSF) has expressed concern over editorial interference in the operations of Postimees, which also publishes online (see B4).6 Postimees’ owner, Margus Linnamäe, a member of the Isamaa party, has previously allegedly exercised influence over the newspaper’s reporting. However, no allegations have been flagged during the coverage period.

B6 1.00-3.00 pts0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 3.003 3.003

There are few economic or regulatory barriers to posting content online. News websites do not need to register with the government to operate.1

In January 2020, Sputnik, an online news outlet owned by the Russian government, suspended its physical operations in Estonia, closing its office in Tallinn. The Estonian government warned that the company’s Tallinn-based employees could be prosecuted for violating EU sanctions against Russia (specifically, sanctions against Dmitry Kiselyov, CEO of Rossiya Segodnya, Sputnik's parent company), reasoning that “knowingly working for or providing services to a person under sanctions could be a criminal offence.”2 The Estonian foreign minister stressed that the government had not “taken measures against the portal's media content.”3 However, the Organization for Security and Co-operation in Europe’s (OSCE) Representative on Freedom of the Media urged the government “to refrain from unnecessary limitations on the work of foreign media which can affect the free flow of information.”4 Sputnik’s Estonian-language website was not blocked. However, the news outlet has not posted any stories since January 1, 2020.5

In line with the EU, Estonia supports net neutrality. Providers found to be in violation can be fined up to €9,600 ($11,700).6 Estonia has not implemented separate rules on net neutrality and follows the EU’s regulatory framework on open internet access and user rights relating to electronic communications networks and services.7 The TTJA regularly analyzes the ICT market for zero-rating plans that may be in violation or net neutrality, along with other net neutrality violations; in its latest report, it did not identify any violations.8

B7 1.00-4.00 pts0-4 pts
Does the online information landscape lack diversity and reliability? 4.004 4.004

A diverse range of content is available online. At the time of writing, the most popular website was Google, followed by YouTube and Facebook. The websites for Delfi, Postimees, and ERR were the country’s 4th, 5th, and 11th most popular sites in 2020.1 Estonians upload and share user-generated content more frequently than the average user in the EU.2

Knowledge of foreign languages among Estonians is high, which facilitates access to diverse content.3 In addition, the 2021 Inclusive Internet Index report ranks Estonia among the world’s most inclusive countries when it comes to the availability of online content in local languages.4

B8 1.00-6.00 pts0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 6.006 6.006

Estonians use social media platforms to share news and information, as well as generate public discussion about current political issues. No restrictions on mobilization tools were put in place during the coverage period.

In 2014, the official platform was launched, enabling people to compile petitions, send them to Parliament if they gather at least 1,000 digital signatures, and monitor lawmakers’ responses.1 As of February 2021, 163 petitions had been launched, out of which 80 gathered the necessary support to be sent to Parliament.2 The platform also accepts and facilitates petitions to local governments. By law, the petition needs to gather signatures from at least 1 percent of the residents in the given local government unit to warrant the official procedure in the local Council.3

C Violations of User Rights

C1 1.00-6.00 pts0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 6.006 6.006

All citizens have the constitutional rights to freely obtain information and to freely disseminate ideas, beliefs, and facts.1 There are no obstacles to people exercising their right to freedom of expression online.

The judiciary in Estonia is independent, and there have not been any instances of political interference with the judiciary. According to a 2019 survey, 55 percent of Estonians trust the judiciary.2

Protections for journalists, which include the right to the confidentiality of sources, are strong.3

The Ministry of Justice plans to amend the Public Sector Information Act4 by July 20215 to align the legislation with the EU’s revised Public Sector Information Directive,6 which governs public access to state data.

C2 1.00-4.00 pts0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities, particularly those that are protected under international human rights standards? 3.003 4.004

On paper, there are few limits on freedom of expression online. Speech that publicly incites hatred, violence, or discrimination on the basis of nationality, race, color, gender, language, origin, religion, sexual orientation, political opinion, or financial or social status is punishable by a fine of up to €3,200 ($3,900) under the penal code.1 Such speech is also punishable by up to three years in prison if it leads to the “death of a person or results in damage to health or other serious consequences.”

Defamation was decriminalized in 2002.2 Civil defamation cases can be brought under the Law of Obligations Act,3 though damages are usually moderate (see C3).4

The new coalition government has pledged to propose draft legislation on hate speech with the caveat that the definition of hate speech needs to be specified before it can propose any legislation. Minister of Justice Maris Lauri has stated that penalties in hate speech cases should be re-evaluated, specifying that she believes a one to three prison sentence could be a fair penalty in criminal cases.5

In October 2017, the Court of Justice of the European Union (CJEU) sought to clarify EU law in a case on internet jurisdiction at the request of the Estonian Supreme Court.6 The ruling considered whether a defamation case can be brought before a court in Estonia if the company affected is based domestically, despite the infringing content being published on a Swedish website. The CJEU clarified that the party affected may sue in the country where its center of interest resides but noted that it is not possible to bring cases in any country where the online information is accessible.7

C3 1.00-6.00 pts0-6 pts
Are individuals penalized for online activities, particularly those that are protected under international human rights standards? 6.006 6.006

There were no criminal prosecutions or detentions for online activities during the coverage period.

In November 2018, a court in Tallinn held Postimees and two of its reporters liable for a defamatory story about businessman Margo Tomingas. The two reporters were each ordered to pay €500 ($607) in damages, while Postimees was ordered to pay a further €3,000 ($3,600). The defendants also had to cover Tomingas’s legal costs. The verdict was upheld in November 2019.1 The case made headlines because the two reporters were held personally liable. However, the Postimees legal team declined to appeal the decision because, in its view, no precedent had been set in this regard.2 Nevertheless, the state Data Protection Inspectorate (AKI), has since called for “all authors operating in the public sphere,” including social media users, to abide by journalistic principles “when publishing current, social or other public interest texts.”3

C4 1.00-4.00 pts0-4 pts
Does the government place restrictions on anonymous communication or encryption? 4.004 4.004

There are no governmental restrictions on anonymous communication or encryption, and no SIM card registration requirements.1 However, in October 2020, the Ministry of Interior and the Ministry of Economic Affairs and Communications proposed amendments to the Electronic Communications Act, suggesting stricter verification processes for users of pre-paid SIM cards, which would have also required WhatsApp, Viber, and Skype to register as communication service providers.2 The provisions were ultimately abandoned in a revised version of the bill.3

Some major news sites have limited anonymous commenting on their articles in reaction to the establishment of intermediary liability for third-party defamatory comments on internet news portals (see B3).

C5 1.00-6.00 pts0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 6.006 6.006

Historically, government surveillance has not been intrusive, and the constitution guarantees the right to the confidentiality of messages sent or received.1 However, during the coverage period, researchers reported that the Estonian government had used Circles, a surveillance technology that allows government agencies to intercept data by taking advantage of loopholes in mobile telecommunications infrastructure.

Parliament’s Security Authorities Surveillance Select Committee oversees surveillance and security agencies. The committee monitors the activities of these bodies to ensure conformity with the constitution, the Security Authorities Act,2 and other regulations, which include necessity and proportionality requirements.

The prosecutor's office monitors surveillance activities and reports regularly to the parliamentary select committee. In its annual report for 2019, the prosecutor’s office disclosed that it had granted law enforcement bodies permission to use surveillance tools in cases concerning organized crime and crimes relating to drugs and taxes.3

The Chancellor of Justice, who serves as the state ombudsperson, verifies whether state agencies that organize the interception of phone calls and conversations, surveil correspondence, and otherwise covertly collect, process, and use personal data operate lawfully. In her 2019–20 annual report, the Chancellor of Justice noted that the office reviewed 95 surveillance files from police stations, a significant increase from the 2018-2019 period, finding that “surveillance authorizations were reasoned and surveillance was necessary to verify suspicion of a criminal offense.” The Chancellor’s advisors also confirmed that requests in criminal proceedings for the submission of data from communications service providers, including telecommunications companies, had been lawful (see C6).4

A December 2020 investigation by the Citizen Lab, a University of Toronto-based research center, identified the Estonian government as a likely customer of Circles, a surveillance company that allows customers to monitor calls, texts, and cell phone geolocation by exploiting weaknesses in mobile telecommunications infrastructure.5 Following the revelation, the Ministry of Defense refused to comment.6 Digigenius, an Estonian publication, tracked the IP addresses provided by Citizen Lab to the Estonian Education and Youth Agency's education and research data communication network (EEnet), which provides internet to Estonian academic institutions and helps register .ee domains. However, according to the director of EEnet, some of the IP addresses are managed by the Information System Authority (RIA). EEnet asked the RIA to clarify the reason for operating these IP addresses, but the RIA refused to answer. The RIA claims that they do not use the software, but they just provided access to partners, though they would not specify who those partners are. Digigenius speculated that partners could be the Security Police Board or the Foreign Intelligence Agency and noted that the IP addresses were active until the day Citizen Lab published the investigation.7

In response to the COVID-19 pandemic, the government released HOIA, a voluntary contact-tracing application, in August 2020. The application anonymously logs users’ proximity to other users via Bluetooth technology and alerts them when they have been in contact with an individual who has tested positive for COVID-19.8 The app was not widely used as it was not popularized through awareness-raising campaigns.

In May 2020, the Riigikogu adopted the Act Amending the Defense Forces Organization Act, the Security Authorities Act, and the Chancellor of Justice Act, which allows the military to access private data and surveil citizens under certain emergency circumstances.

C6 1.00-6.00 pts0-6 pts
Does monitoring and collection of user data by service providers and other technology companies infringe on users’ right to privacy? 4.004 6.006

Estonia has strong laws protecting citizens’ personal information, although service providers are mandated to retain user data. The General Data Protection Regulation (GDPR), which came into force in all EU member states in May 2018,1 puts limits on how interested parties can use and store Estonians’ data.

Additionally, the Personal Data Protection Act (PDPA) was amended in 2018 and entered into force in January 2019.2 The law contains the provisions left by the GDPR to EU member states' legislation, which includes certain exceptions like those identifying instances when the media can use personal data if it is in the public interest. Laws regulating databases and data collection by public and private registries were also updated during this process.

The AKI is the supervisory authority for the PDPA.3 In addition, the Chancellor of Justice can make suggestions regarding data protection.

Service providers are required to collect and retain a substantial amount of metadata. These requirements were established under the Electronic Communications Act, which aligned with EU legislation. They were cast into doubt by the CJEU in April 2014, when the court found the European Data Retention Directive (2006/24/EC) to be invalid.4

Article 111 of the Electronic Communications Act outlines various restrictions on how this data can be stored and used.5 Data shall be kept for one year, unless there are special circumstances determined by the government that justify keeping it longer, such as maintaining public order and national safety. Article 112 regulates how requests by law enforcement authorities or other agencies can be made in relevant situations, such as criminal investigations, as provided by law. Judicial approval is not always required. These requests for data are kept by the requesting agency for two years. Article 112 also stipulates that operators shall inform the TTJA of requests made and measures undertaken. The Electronic Communications Act has been criticized for allowing requests for metadata in too many situations. While Estonia’s Chancellor of Justice has found that the system does not contradict constitutional guarantees, the office has questioned the proportionality of the law.6 Pursuant to the Electronic Communications Act, the Cybersecurity Act also requires companies to monitor communications, mainly to ensure the security of their own systems; companies are required to inform the RIA of “actions or software compromising the security of the system.”7

In its 2018–19 annual report, the Chancellor of Justice observed that the majority of user data requested by the government in 2017 and 2018 under the Electronic Communications Act was “used in criminal proceedings and in collecting information under the Security Agencies [Authorities] Act,” referring to intelligence and law enforcement agencies.8 The Chancellor of Justice’s office randomly reviewed requests from the Police and Border Guard Board, and the MTA, and found that all the requests “had been justified, had been made with the person’s prior consent and with authorisation from the head of the institution or the prosecutor’s office” (see C5).

In October 2020, the Ministry of Interior and the Ministry of Economic Affairs and Communications proposed amendments to the Electronic Communications Act, which would force messaging services, such as Whatsapp, Viber, and Skype, to register as service providers,9 but this proposal was later abandoned (see C4).10

In November 2018, Estonia’s Supreme Court made a referral for a preliminary ruling to the CJEU to find out whether EU law, such as the Charter of Fundamental Rights, prevents the state from using people’s metadata during investigations into crimes other than serious crimes. The Supreme Court asked for clarification on whether this level of data access is justified and proportional, and whether the process should include judicial review.11 The CJEU’s preliminary ruling outlined that the tracking of movement and communication by using metadata from telecommunication providers is permissible only in cases of terrorism and preventing serious crimes, but not justified in all criminal investigations.12 This preliminary ruling affected many ongoing criminal proceedings as this type of evidence may be considered inadmissible.

In June 2021, after the coverage period, the Supreme Court ruled that the Prosecutor’s Office or the court cannot request communications data from companies in criminal investigations, following an October 2020 ruling from CJEU in the LaQuadrature du Net case, which held that “indiscriminate” collection and retention of communications data in cases involving non-serious crimes does not align with the EU’s ePrivacy Directive. However, under the Estonian ruling, “surveillance and security authorities” still have the right to access communications data, as long as the measure is within the scope of the law.13

During the state of emergency declared in March 2020, the government asked Statistics Estonia to aggregate anonymized geolocation data from users to inform the state’s response to the virus. According to Statistics Estonia’s director general, the office worked with telecommunications companies to collate this data. The director general noted that companies were not required to collate the data, and that users’ privacy was protected according to data protection rules. The director general stated that the data collection effort was approved by the Data Protection Inspectorate and the Ministry of Justice.14 The government did not reintroduce this practice after the initial collection, which lasted for a few months.

C7 1.00-5.00 pts0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in relation to their online activities? 5.005 5.005

There have been no registered physical attacks against users or online journalists, though online discussions are sometimes inflammatory. Both critics and supporters of EKRE have faced online harassment, including threats of violence, for their views.1 Online harassment can be reported to the social media administrators or to the police, which has a designated web patrol unit with a presence on Facebook.2

During the reporting period, several defamation cases have incited public debate on the accepted code of conduct in the digital space and the appropriate sanctioning for breaches such as verbal threats, intimidation, and harassment.3

The new coalition government has pledged to criminalize hate speech, but the prosecutor general opposes this motion, because he believes it restricts freedom of speech.4

In October 2020, the European Commission launched infringement proceedings against Estonia, as the country had not opted for the criminalization of public incitement to violence or hatred directed at vulnerable groups and had not defined adequate penalties for this offense.5

C8 1.00-3.00 pts0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 3.003 3.003

According to the ITU’s 2020 Global Cybersecurity Index, Estonia ranks third in the world regarding its commitment to ensuring cybersecurity.1 In 2018, the government allocated additional funds to advancing the country’s online security and adopted a new Cyber Security Strategy for 2019–22.2 However, during the coverage period, government agencies experienced a major cyberattack.

In November 2020, the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs, and the Ministry of Foreign Affairs were attacked, and personal data was leaked. The Ministry of Social Affairs suffered the most serious attack, as personal data concerning the spread of infectious diseases was obtained from the Health and Welfare Information Systems Center (TEHIK); TEHIK, however, nullified the attack after eight hours.3

Estonia’s cybersecurity strategy is built on strong private-public collaboration and a unique voluntary structure through the National Cyber Defense League.4 With more than 150 experts participating, the league has simulated different security threat scenarios in defense exercises, with the aim of improving the technical resilience of telecommunication networks and other critical infrastructure.5

As an additional measure to ensure the security of public electronic data, Estonia has established the first of several planned “data embassies.” The first embassy, based in Luxembourg, stores public data and information systems critical to the functioning of the state, including its state gazette, land registry, and business register, in the cloud, enabling the Estonian state to function in the event of a cyberattack or other political crisis within the country. The bilateral agreement between the two governments to establish the embassy was signed in June 2017 and it was ratified by both parliaments. The embassy was opened in 2019. The data embassy is granted the same privileges bestowed upon traditional embassies.6

The Estonian e-governance infrastructure suffered one of its first major challenges in 2017, when a chip malfunction that could lead to potential security breaches was discovered in government-issued ID cards.7 In response, the government recalled security certificates for more than 760,000 ID cards, which made their electronic use impossible until the certificates were renewed. The issue was apparently discovered before any data was compromised. Despite delays in fixing the issue, the certificates were renewed, and the incident has not significantly affected the public’s trust in e-governance. 8

Parliament adopted a new cybersecurity law in May 2018. The law implements EU Directive 2016/1148 on measures for a high common level of security of network and information systems.9 It includes requirements to have a computer security incident response team (CSIRT) and a competent national network and information security (NIS) authority (which Estonia previously had) and strengthens cooperation among EU member states. Businesses identified as operators of essential services are required to take appropriate security measures and to notify serious incidents to the relevant national authority. The supervisory authority under Estonian Cybersecurity Act is the RIA.10

The North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Center of Excellence is located in Tallinn. Since its founding, the center has supported awareness campaigns and academic research, and hosted several high-profile conferences, among other activities. The center organizes an annual International Conference on Cyber Conflict, or CyCon, bringing together international experts from governments, the private sector, and academia, with the goal of ensuring the development of a free and secure internet.

On Estonia

See all data, scores & information on this country or territory.

See More
  • Global Freedom Score

    94 100 free
  • Internet Freedom Score

    93 100 free
  • Freedom in the World Status

  • Networks Restricted

  • Websites Blocked

  • Pro-government Commentators

  • Users Arrested