June 1, 2017 - May 31, 2018
In March 2018, the Estonian parliament ratified an agreement with Luxembourg to establish a “data embassy” to safeguard critical databases in a secure centre overseas (see Technical Attacks).
Estonia’s e-governance infrastructure suffered one of its first challenges in the fall of 2017, when a chip malfunction that could lead to potential security breaches was discovered in government-issued ID cards. The government recalled security certificates for more than 760,000 ID cards, which made their electronic use impossible until the certificates had been renewed (see Technical Attacks).
Local elections in October 2017 did not reveal major changes to the political landscape in Estonia. All major parties support freedom of expression and internet freedom, as well as main aspects of e-governance (see Legal Environment).
Estonia continues to respect internet freedom, with very few restrictions. Estonia remains as a world leader on e-governance and cybersecurity. In 2017, it became the first country to establish a “data embassy” program, which creates special safe havens for government data that can be used in the event of a cyberattack or any other politically destabilizing event.1
The widespread use of information and communication technologies (ICTs) across society has broad political and popular support. Local elections in October 2017 were conducted smoothly and without major incidents. All major political parties support internet freedom, freedom of expression, and freedom of information.
The Estonian e-governance system is one of the most advanced in the world. In the fall of 2017 however, a chip malfunction that could lead to potential security breaches was discovered in government-issued ID cards.2 In response, the government recalled security certificates for more than 760,000 ID cards, which made their electronic use impossible until the certificates had been renewed. Despite this issue, people were able to vote using their ID cards in the October 2017 local elections, and the crisis did not have any noticeable effect on people´s trust in e-governance or electronic services.3
Estonia continues to be one of the most connected countries in the world with regard to internet access, and Estonian internet users face very few obstacles when it comes to accessing the internet.
Availability and Ease of Access
After a period of rapid growth in the number of mobile telephone and internet users in the last 20 years, internet penetration exceeded 88 percent and mobile penetration 145 percent in 2017.4
The availability of mobile broadband is widespread, while fixed broadband access is below the European average. This is mainly due to limited connectivity in sparsely populated rural areas. Work to improve fixed broadband access is ongoing to achieve the country’s ambitious goal of having 98 percent of households no more than 1.5 km from an access point.5 The Technical Regulatory Authority (TRA) has produced a web-based map that shows what services are available at any location in Estonia.6 In January 2017, the government adopted amendments to several laws to facilitate the use of existing infrastructure for broadband, which entered into force in March 2017.7
Tests carried out by TRA confirmed that internet connection speeds are increasing rapidly. In the development plan for 2020, a goal was set to have mobile internet speeds of at least 30 Mbps available in all of Estonia by 2020. By 2017, speeds of 100 Mbps were available in 52 percent of the territory, compared to 37 percent in 2016.8 In December 2017, TRA, together with the Ministry of Communications, initiated a survey to map areas of the country lacking access to fast internet (at least 30 Mbps).9
Estonia’s high level of mobile phone penetration reflects the widespread use of internet-enabled mobile devices. Companies are increasingly offering bundled packages that combine broadband with other services like television at attractive prices.10 The abolition of roaming charges in the EU in June 2017 has led to new price packages for telephone and internet service, although changes have been minimal so far.
Wi-Fi access remains strong. Estonia has numerous free, certified Wi-Fi areas meant for public use, including at cafes, hotels, hospitals, schools, and gas stations.11 In addition, a countrywide wireless internet service based on CDMA technology is priced to compete with fixed-line broadband access. Three mobile operators cover the country with mobile 3G and 3.5G services, and since the end of 2016, 4G services cover over 99 percent of Estonia.12 During the Estonian EU presidency in the second half of 2017, 5G services were tested in Tallinn.13
Internet use is high among both men and women. 89.5 percent of males and 87.4 percent of females used the internet in 2015.14 Knowledge of foreign languages among Estonians is high, which facilitates access to diverse content.15
Restrictions on Connectivity
There were no government-imposed restrictions or disruptions to internet access during the reporting period.
The Estonian Electronic Communications Act was amended in 2014 to develop and promote a free market and fair competition in electronic communications services.16 There were no substantive changes in the ICT market during the reporting period.
There are over 200 operators offering communications services, including six mobile operators and numerous internet service providers (ISPs). ISPs and other communications companies are required to register with the independent regulator, the TRA. There is normally no registration fee and companies can register electronically.17
The main regulatory bodies for the ICT sector are the TRA and the Competition Authority. Both entities have a reputation for professionalism and independence. There have been no reported cases of undue interference in the telecommunications sector or abuse of power by these regulatory bodies.
The Estonian Internet Foundation was established in 2009 to manage Estonia’s top level domain, “.ee,” and is a member of the Council of European National Top Level Domain Registries (CENTR).18 The organization represents a broad group of stakeholders in the Estonian internet community and has succeeded in overseeing various internet governance issues. In recent years, domain registration fees and annual fees have decreased, and limitations on the number of domains per user have been scrapped. No significant changes to regulatory bodies took place during the reporting period.
Estonians have access to a wide range of content online, and very few resources are blocked or filtered by the government. Following court rulings on intermediary liability for third-party comments, some Estonian media outlets have modified their policies regarding commenting on their portals.
Blocking and Filtering
There are very few restrictions on internet content and communications in Estonia.
The Gambling Act, one of the few laws that imposes content restrictions, requires all domestic and foreign gambling sites to obtain a special license or face access restrictions.19 As of January 2018, the Estonian Tax and Customs Board had more than 1,300 websites on its list of illegal online gambling sites that Estonian ISPs are required to block.20 The list of blocked sites is transparent and available to the public.
There have been some instances of content removal related to online communications. Most of these cases involve civil court orders to remove reader comments deemed inappropriate or libelous from online news sites. Comments are also sometimes removed from online discussion forums and other sites. Generally, users are informed about the privacy policies and rules for commenting on websites. Most popular websites have a code of conduct for the responsible and ethical use of their services and have enforcement policies in place.
Some major news sites have limited anonymous commenting on their articles. In June 2015, the Grand Chamber of the European Court of Human Rights (ECHR) upheld a controversial 2009 Estonian Supreme Court decision establishing intermediary liability over third-party defamatory comments on internet news portals.21 The Grand Chamber confirmed that holding intermediaries responsible for third-party content published on their website or forum is not against Article 10 of the European Convention on Human Rights guaranteeing freedom of expression.
Media, Diversity, and Content Manipulation
YouTube, Facebook, Twitter, LinkedIn, and many other international video-sharing and social-networking sites are widely available and popular. Estonians use the internet for uploading and sharing original content such as photographs, music, and text, more than the average in the EU.22 There was no evidence of increased restrictions on content or of self-censorship during the reporting period, and online debates are active and open.
Estonians have relatively unfettered access to the internet, and there are few economic or political barriers to posting a variety of content, including a wide range of news and opinions. Estonians use many internet applications. The most popular website is Google, followed by Facebook and YouTube. The major Estonian news portals Postimees and Delfi are the fifth and sixth most popular sites.23 Estonian Public Broadcasting delivers all radio channels and its own TV production services, including news in real time over the internet; it also offers archives of its radio and television programs at no charge to users. In a display of transparency, the Estonian Secret Police opened its Facebook and Twitter accounts in April 2018.24
While Estonian authorities are aware of Russian information campaigns designed to manipulate public opinion in the region, there were no reported cases of banning content from Russia.25
Social media use in Estonia is widespread, and Estonians often make use of such sites to share news and information, as well as generate public discussion about current political debates. There were no instances of restrictions on the use of social media or other media in political campaigns.
Online petitions are popular.26 Additionally, there is a site that enables people to compile and send collective initiatives with at least 1,000 digital signatures to the parliament of Estonia, as well as follow up on the results of the proposal.27 Since 2013, citizens have been able to engage online as well as offline in a “people’s assembly,” which since 2017 has focused on ideas for active aging.28
Estonians widely use e-services. Estonia has expanded e-governance thanks to the interoperability of all public and some private databases, and digital identification using public-key infrastructure.29 Approximately 99 percent of state services are available online.30 More than 1.2 million active ID cards are in use, which enable both electronic authentication and digital signatures.31 ID cards can be used for electronic voting in all Estonian elections. Minor changes to internet voting, such as shortening the time period for the vote, were implemented for the local elections in October 2017. Despite the shortened timeline, the percentage of internet voters was the highest ever in 2017; 31.7 percent of all votes were cast online.32
Freedom of speech and freedom of expression are protected by Estonia’s constitution and by the country’s obligations as a member state of the European Union. Anonymity is unrestricted, and there have been extensive public discussions on anonymity and the respectful use of the internet. Internet access at public access points can be obtained without prior registration. Over the past few years, the government has succeeded in reducing the number and severity of cyberattacks against its infrastructure.
According to the constitution, all citizens have the right to freely obtain information and to freely disseminate ideas, opinions, beliefs, and other information. In addition, citizens have the right to the confidentiality of messages sent or received.33
In practice, there are few limits on freedom of expression. Speech that publicly incites hatred, violence, or discrimination on the basis of nationality, race, color, gender, language, origin, religion, sexual orientation, political opinion, or financial or social status is punishable under the penal code.34
In October 2017, the Court of Justice of the European Union (CJEU) sought to clarify EU law in a case on internet jurisdiction, at the request of the Estonian Supreme Court.38 The ruling considered whether a defamation case can be brought before a court in Estonia if the company affected is based in Estonia, even though the infringing content was published on a Swedish website. The EU Court clarified that the party affected may sue in the country where its center of interest resides, but noted that it is not possible to bring cases in any country where the online information is accessible.39
Prosecutions and Detentions for Online Activities
There were no cases of prosecutions or detentions for legitimate online activities during the coverage period.
Surveillance, Privacy, and Anonymity
Estonia has strong privacy protections for its citizens. The Data Protection Inspectorate (DPI) is the supervisory authority for the Personal Data Protection Act (PDPA), in force since 2008.40 In addition, the chancellor of justice (ombudsman) can make suggestions regarding data protection. The PDPA was replaced by the EU GDPR after it entered into force in May 2018.41 GDPR gives individuals strengthened control over how and by whom their personal data is stored. To supplement the GDPR and harmonize it with Estonian law, a new data protection bill was presented to parliament in November 2017, but it had not yet been passed.42 The bill provides details on how to meet the requirements of the GDPR as well as rules on possible exceptions, such as instances when personal data can be used by the media if it is in the public interest.
The Electronic Communications Act contains a number of provisions on protection of personal data for communications providers. 43 Data retention practices established under the Electronic Communications Act, which aligned with EU legislation, were cast into doubt by the CJEU in April 2014, when the court found the European Data Retention Directive (2006/24/EC) to be invalid.44 In Estonia, a data retention principle remains in the law (Article 111), with various restrictions on how the data can be stored and used. Data shall be kept for one year, unless there are special circumstances determined by the government that justify keeping it longer, such as maintaining public order and national safety. Article 112 regulates how requests by law enforcement authorities should be made. Requests are kept for two years.
Parliament’s Security Authorities Surveillance Select Committee oversees the practices of surveillance agencies and security agencies. The committee monitors the activities of security authorities to ensure conformity with the constitution, the Surveillance Act, and other regulations on security agencies. The prosecutor´s office monitors the use of surveillance activities and reports regularly to the Select Committee. Surveillance must be proportionate and necessary. In an overview provided in February 2018, the chief prosecutor reported that during 2017, permission for surveillance activities was granted in 2 percent of cases in which there was a legal possibility for such permission. Surveillance was mainly used for drug-related activities, organized crime, and tax-related crimes.45
Intimidation and Violence
There have been no physical attacks against bloggers or online journalists in Estonia, though online discussions are sometimes inflammatory.
According to the ITU’s Global Cybersecurity Index, Estonia ranks fifth in the world and first in Europe.46
Estonian businesses and communities generally prioritize ICT security. Estonia’s cybersecurity strategy is built on strong private-public collaboration and a unique voluntary structure through the National Cyber Defence League.47 With more than 150 experts participating, the league has simulated different security threat scenarios in defense exercises, with the aim of improving the technical resilience of telecommunication networks and other critical infrastructure.48
As an additional measure to ensure the security of public electronic data, Estonia will establish the first of several planned “data embassies.” The first embassy, based in Luxembourg, will store public data and information systems in a cloud, and would enable the Estonian state to function in the event of a cyberattack or other political crisis within the country. The agreement between the two governments to establish the embassy was signed in June 2017, and the embassy is planned to be completed in 2018. The data embassy will be granted the same privileges bestowed upon traditional embassies.49
The Estonian e-governance infrastructure suffered one of its first major challenges in the fall of 2017, when a chip malfunction that could lead to potential security breaches was discovered in government-issued ID cards50 In response, the government recalled security certificates for more than 760,000 ID cards, which made their electronic use impossible until the certificates had been renewed (electronically or manually). The issue was apparently discovered before any data was compromised. Since many certificates were being renewed simultaneously, the online renewal system was overburdened, leading to delays. However, eventually the certificates were renewed, and the incident has not significantly affected the public’s trust in e-governance. 51
A new cybersecurity law was adopted by parliament in May 2018. The law implements the EU Directive 2016/1148 on measures for a high common level of security of network and information systems.52 It includes requirements to have a computer security incident response team (CSIRT) and a competent national network and information security (NIS) authority (which Estonia previously had), and strengthens cooperation among EU member states. Businesses identified as operators of essential services will be required to take appropriate security measures and to notify serious incidents to the relevant national authority.53
The North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Center of Excellence is located in Tallinn. Since its founding, the center has supported awareness campaigns and academic research, and hosted several high-profile conferences, among other activities. The center organizes an annual International Conference on Cyber Conflict, or CyCon, bringing together international experts from governments, the private sector, and academia, with the goal of ensuring the development of a free and secure internet. The tenth such conference was held from May 30 to June 1, 2018, and focused on maximizing effects in cyberspace for military, government, business, and other entities.54
4 International Telecommunication Union, “Percentage of Individuals Using the Internet, 2000-2017” and “Mobile-Cellular Telephone Subscriptions, 2000-2017,” https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
8 Mobile internet speeds in Estonia, December 2017, https://www.tja.ee/sites/default/files/content-editors/Sideteenused/mobiilse_interneti_andmesidekiirused_eestis_detsember_2017_a.pdf
12 Annual report of the Estonian Technical Regulatory Authority 2016
13 Report of the Estonian Technical Regulatory Authority, 3rd quarter 2017, https://www.tja.ee/sites/default/files/content-editors/Sideulevaated/elektroonilise_side_ulevaade_iii_kv.pdf
14 ITU, accessed 28 February 2018, http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
16 Electronic Communications Act RT I 2004, 87, 593. In force 1 January 2005 (major amendments 2014). For English text see: https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/521082017008/consolide
20 The list of restricted websites can be found on the Estonian Tax and Customs Board website: “Blokeeritud hasartmängu internetileheküljed” (Blocked gambling internet pages), Tax and Customs Board, accessed 28 February 2018, https://www.emta.ee/et/eraklient/maa-soiduk-mets-hasartmang/blokeeritud-hasartmangu-internetilehekuljed
21 European Court of Human Rights, Case of Delfi AS v. Estonia, Judgement, June 16, 2015.
22 “Individuals Using the Internet for Uploading Self-Created Content” Eurostat, accessed 28 February 2018 http://ec.europa.eu/eurostat/tgm/refreshTableAction.do?tab=table&plugin=1&pcode=tin00030&language=en
24 https://www.err.ee/746711/kapo-hakkas-sautsuma-ja-laks-facebooki, accessed 10 May 2018
25 The yearbook of the Estonian Internal Security Service (KAPO), p. 9.
29 A public-key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates that map public keys to entities, securely stores these certificates in a central repository, and revokes them if needed.
30 E-Governance Academy, “e-Estonia, e-Governance in practice,” http://www.ega.ee/publication/e-estonia-e-governance-in-practice/
32 https://www.valimised.ee/et/valimiste-arhiiv/elektroonilise-h%C3%A4%C3%A4letamise-statistika, accessed 27 February 2018
33 Constitution of the Republic of Estonia, June 28, 1992.
34 Article 151 Penal Code, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/519012017002/consolide
35 The amended Penal Code was adopted in 2001 and entered into force in 2002.
36 RT I 2001, 81, 487; in force 1 July 2002. In English at https://www.riigiteataja.ee/en/eli/524012017002/consolide
38 Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.
40 Personal Data Protection Act, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/507032016001/consolide
41 Regulation 2016/679
42 Draft Personal Data Protection Law, http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/iks_en_9.11.17.pdf
43 Electronic Communications Act, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/527032017001/consolide
46 Global Cybersecurity Index 2017, https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf
47 Cyber Security Strategy 2014-2017, https://www.mkm.ee/sites/default/files/cyber_security_strategy_2014-2017_public_version.pdf