The Technology, Media and Telecommunications Review: Estonia
Estonia is a strong advocate of technological advancement, and the ICT sector is of major importance to the government. Estonia has become a model for free and open internet access. It is also the EU frontrunner as regards the digital provision of public services and has one of the highest shares (93 per cent) of e-government users in Europe.2 Estonia continues to implement innovative digital public services, with plans to launch 50 artificial intelligence use cases by the end of 2020 as part of the national strategy for the development and implementation of artificial intelligence.3
Estonia sees ICT as a key to sustained economic growth. The Ministry of Economic Affairs and Communications adopted the Digital Agenda 2020,4 which focuses on creating an environment that facilitates the use of ICT and the development of smart solutions in Estonia in general. The main goals of the Agenda are, among others:
- the completion of the next-generation broadband network, with the aim of that all residents of Estonia will have access to fast (30Mbit/s or faster) internet by 2020 and that at least 60 per cent of households will be using ultrafast (100Mbit/s or faster) internet daily;
- the continuing development of state information systems and public e-services to ensure up-to-date and citizen-friendly solutions; and
- to continue promoting Estonia as a hub for innovation and the development of the information society, and to establish a global information society think tank in Estonia.
An update to the Agenda – the Digital Agenda 2030 is currently being prepared.
The number of internet and mobile telephone users in Estonia has grown rapidly in the past 20 years. The availability of mobile broadband is very good while fixed broadband is less widespread, below the European average, which is mainly because of limited connectivity in sparsely populated rural areas.5 For this reason, a non-profit organisation, the Estonian Broadband Development Foundation (ELA SA), was founded in 2009 by the government and major Estonian communication undertakings to develop Estonia's broadband network and build and operate the EstWin high-speed base network. The project is financed mostly from public sources. In 2018, the Foundation started its 12th and last tender to procure the designing and building of approximately 400km of base network. The Foundation has set its goals to bring broadband no further than 1.5km from 98 per cent of households.6
Separate from the base network project is the government's last mile project. Until 2018, all local municipalities were responsible for mapping out the white areas in their jurisdiction where there is a need for developing the last mile of a high-speed internet network. This approach did not prove to be successful, and in 2018 the Ministry of Economic Affairs and Communications, along with the Estonian Technical Regulatory Authority, initiated the national last mile project, a public competition to find a suitable network builder to bring high-speed internet access to areas where there is no internet access or where the connection is of poor quality and where communications companies would not invest in the next five years (the white area).7 Elektrilevi (part of the state-owned energy operator) was awarded the subsidy and committed to extend broadband access to the largest possible number of households who still lack high-speed internet. Elektrilevi has initiated plans to connect 200,000 households by the end on 2023.8
One of Estonia's key challenges is to award pioneer bands for 5G connectivity. The public auction for three bands of 3,410–3,800MHz was announced in March 2019, but was suspended following an appeal by a broadband network operator. The Ministry of Economic Affairs and Communications is now considering dividing the 3.6GHz spectrum band into four slots with hopes to ensure a more level playing field and to facilitate market entry for new operators.
The fast-developing ICT sector presents some challenges for policymakers, but generally the regulatory landscape in the ICT sector is in quite good shape. As previously mentioned, the ICT sector is of major importance to the state. Estonia experienced several political changes during the past year, but these are unlikely to heavily impact e-governance or other internet use. The government continues with its strategy to market Estonia as an e-state throughout the world.
i The regulators
The electronic communications and media area is supervised by an independent regulatory authority, the Estonian Consumer Protection and Technical Regulatory Authority (ECTRA) (previously the Technical Regulatory Authority), which is sometimes also referred to as the Technical Surveillance Authority.9 ECTRA supervises the fields of consumer protection, electronic communications, industrial safety and transport. In the field of communications services, the ECTRA is tasked with ensuring a sufficient and timely resource of radio frequencies (RFs) and telephone numbers for the provision of communications services and performing national surveillance of the field of communications.10
Other regulatory bodies that may exercise supervision over electronic communications service (ECS) providers pursuant to their competence include (not exhaustively) the Data Protection Inspectorate, the Competition Authority and the Information System Authority. Sector-specific regulation of the competitive situation on the markets for communications services is carried out mainly by the ECTRA, while the Competition Authority has general authority (e.g., in merger proceedings).
ii Main sources of law
ECSs are regulated by the Electronic Communications Act (ECA),11 in force from 1 January 2005 (as amended), which transposes in Estonia the EU's regulatory framework for electronic communications. On basis of the ECA, numerous regulations of the government have been adopted to regulate certain more technical or detailed issues of the framework. Under the ECA, an ECS means a service that consists wholly or mainly in the transmission or conveyance of signals over the ECN under agreed conditions. Network services are also ECSs.12
The ECA provides requirements for public ECNs and publicly available ECSs regarding the use of electronic contact details for direct marketing, the conduct of radiocommunications, and the management of RFs, numbering and apparatus, as well as state supervision over the compliance with these requirements and liability for the violation of these requirements. A publicly available ECS is defined as a service provided by a communications undertaking on the respective communications services market pursuant to the general procedure to all persons, and the persons need not meet any conditions differentiating them from other similar persons. A service is publicly available particularly if provision of the service is continuous and consistent and it is provided essentially under uniform conditions.13 There appear to be no definite (official) criteria available that would help to determine whether a particular service is considered to be publicly available, as there are no official guidelines or case law. However, under a conservative approach from the viewpoint of notification obligations, it does not matter whether the services are offered either on a wholesale level or on a retail level to end users to be considered as publicly available, but rather if the service is open to a particular group of (similar) customers. The scope of application of the ECA is expected to change with the transposition of Directive (EU) 2018/1972 into Estonian law. The Act transposing the directive is currently being prepared and it would expand the scope of application of the ECA to Over The Top (OTT) communications services.14
The ECA is not applicable to information society services to the extent these are regulated by the Information Society Services Act (ISSA),15 which implements Directive 2000/31/EC into Estonian law. Information society services are services provided in the form of economic or professional activities at the direct request of a recipient of the services, without the parties being simultaneously present at the same location, and such services involve the processing, storage or transmission of information by electronic means intended for the digital processing and storage of data. Information society services must be entirely transmitted, conveyed and received by electronic means of communication.16
Media services are regulated by the Media Services Act (MSA),17 in force from 16 January 2011 (as amended). The MSA provides for:
- the procedure and principles for the provision of audiovisual media services and radio services and the requirements for providers of media services;
- the procedure for the issue of activity licences for the provision of television and radio services to legal persons under private law and the procedure for registration of the provision of on-demand audiovisual media services; and
- the principles of protection of a person who has provided information to a person processing information for journalistic purposes.18
The MSA is set to be amended with the transposition of the revised Audiovisual Media Services Directive 2018/1808/EU. The act is currently being prepared and will feature the new harmonised rules for the promotion and distribution of European works and expand the scope of application of the MSA to video sharing platforms.19 Estonian public broadcasting is excluded from the scope of the MSA and is regulated by the Estonian Public Broadcasting Act.20
iii Regulated activities
Under the ECA, each person has the right to commence the provision of communications services. The provision of communications services is subject to a one-off notification obligation. A notice of economic activities for the provision of communications services must, among other required information, set out a description of the provided communications service and the geographical area of activity. Such notice must be filed via the state portal (www.eesti.ee) or via a notary.21 If publicly available communications services are provided by an entity from another EU Member State (cross-border service) on a permanent basis in Estonia, then such entity must also file the notice of economic activities to the ECTRA. The current position of the ECTRA is that foreign operators also need to establish a branch or subsidiary in Estonia.
For the provision of certain communications services, it is necessary for service providers to apply for licences. Namely, use of radio spectrum and numbering is subject to a RF authorisation and a numbering authorisation respectively. Activity licences are required for the provision of television and radio services. All licences and authorisations are subject to relevant state fees, the amount of which varies according to the type of the licence or authorisation in question. All the relevant licences and authorisations mentioned above are issued by the ECTRA.
Frequency authorisations for the use of spectrum are allocated according to the Estonian Radio Frequency Allocation Plan,22 which determines the manner, regime and purpose of using RFs. To receive an authorisation, a standard format application23 to the ECTRA must be submitted with the relevant information about the applicant (name, residence or seat, date of birth or personal identification code or registry code, contact details) and the frequency itself (which frequency is being applied for, what is its purpose, conditions of use, area of use, etc.). The ECTRA has six weeks from the receipt of a complete application to issue a licence if the use of spectrum does not need international coordination, and eight months if it does. If the use of spectrum is being allocated by way of a public competition or auction, the relevant procedural rules and deadlines are determined by the Minister of Economic Affairs and Infrastructure. The ECTRA has the right to refuse an application on certain grounds, for example if the applicant's activities may be hazardous, there is no free spectrum, the use of spectrum is not in line with the Estonian Radio Frequency Allocation Plan or national or international legislation, or if the use of spectrum is ineffective or may cause radio interference.24 The frequency authorisation establishes the conditions and requirements for the use of spectrum. Under certain conditions, the conditions may be amended. If the ECTRA has issued a frequency authorisation, the authorisation can be extended by submitting an application not later than one month before the expiry of the authorisation and by paying the relevant state fee.25
Upon grant of spectrum licences by way of public competition, the Minister of Economic Affairs and Infrastructure may determine a one-off authorisation charge of up to €1.597 million, a deposit for participation in the competition, or both. The one-off authorisation charge shall be determined as a fixed charge or, in the case of an auction, as a starting price. The deposit must be equal to all participants and must not exceed the one-off authorisation charge. The deposit will be returned after the winner is ascertained.26
Authorisations for the use of numbering are allocated according to the Estonian numbering plan,27 which determines the location of numbers, short numbers, identification codes and access codes in the numbering space, the requirements for the length, use and dialling procedure of numbers, the conditions of use and the services for the provision of which they may be used. A numbering authorisation can be obtained by submitting a standard format application28 to the ECTRA, containing the information on the applicant (name, residence or seat, date of birth or personal identification code or registry code, contact details), the planned use of the number, etc. The ECTRA will issue a numbering authorisation within 10 working days after receipt of a complete application if there are no grounds for refusal. The numbering authorisation sets out the conditions of use of the allocated number. A numbering authorisation is issued for up to one year and can be extended by up to one year at a time. Numbering authorisations can also be granted by way of an auction on certain conditions.29
Activity licences for television and radio services are provided on the basis of the MSA. All private broadcasters are required to have an activity licence. Estonian Public Broadcasting, which is a legal person in public law, is not required to apply for an activity licence. Different licences are issued for the provision of free access television services, conditional access television services, satellite television services and radio services. Free access television and radio service licences are issued through a public competition. All the other licences are issued on the basis of an application. For the obtaining of licences, the MSA prescribes necessary requirements on programmes, sustainability of a service and the coverage area of the service, among other conditions. A licence for free access television services is issued for up to 10 years, and the rest of the above-mentioned licences for up to five years.30
iv Ownership and market access restrictions
Currently there are no foreign ownership restrictions in the communications sector.
Under the MSA, a television or radio service provider will not be given an activity licence if it holds a dominant influence over the management to the undertaking that has been issued an activity licence for the provision of television and radio service, and the issue of the activity licence may substantially damage competition in the media services market, particularly through the creation or reinforcement of the dominant position in the market.31 Similarly, aggregate holdings of certain types of spectrum may constitute a dominant position, which would trigger the heightened attention of the ECTRA and the Estonian Competition Authority. When it comes to trading spectrum, the ECTRA has a right to refuse the transfer or grant of right to use RFs if this distorts competition, and it may, if necessary, coordinate the transfer or grant of frequencies with the Estonian Competition Authority.32 These rules apply in addition to the general merger control regime under Estonian and European competition law.
In general, Estonian law does not limit market access, except for the limitations specified above.
v Transfers of control and assignments
Mergers and acquisitions are reviewed by the Estonian Competition Authority. The procedure of merger reviews is regulated by Chapter 5 (Control of Concentrations) of the Competition Act.33 Council Regulation (EC) No. 139/2004 on the control of concentrations between undertakings applies in cases of mergers with an EU dimension, but the national merger control is very similar to that of the EU. Estonia has a mandatory filing requirement for qualifying transactions. For a transaction to be qualifying, the relevant turnover thresholds must be exceeded. A merger is notifiable if the total annual turnover in Estonia of all companies concerned is more than €6 million and the total annual turnover in Estonia of each of at least two of the companies concerned is more than €2 million.34 The companies concerned include those directly involved in the merger, any other associated companies within the same control group and joint ventures. There is a two-phase merger review process, and clearance is required before closing. The length of proceedings is 30 days for a simplified procedure, and will last for four additional months when further investigation is needed. Simplified procedures may end with an approval or a decision to conduct further investigation in Phase II. The latter may conclude with a clearance, a refusal or a conditional clearance.35
While the Competition Authority has general authority over merger proceedings, the sector-specific regulation of ECSs markets is conducted by the ECTRA. The Competition Authority used to have wider competences in the communications sector, but now only postal services have remained fully under its regulatory authority. The ECTRA and the Competition Authority are under a legal obligation to cooperate in the area of market regulation and exercise supervision in the communications sector, and, if necessary, exchange appropriate information.36 This means that when it comes to mergers in the communications sector, the Competition Authority may involve the ECTRA in the merger proceedings. In practice, merely holding a dominant position through an allocated frequency authorisation can be decisive on the outcome of transactions.
As described in subsection iv above, licence transfers may also be subject to competition law concerns. In general, RFs are transferrable or can be granted for use to another person if the Estonian Radio Frequency Allocation Plan allows it, with the RFs for broadcasting being an exception. It is thus necessary to verify the transferability or the permissibility of granting the frequency to the use of another person on a case-by-case basis, based on the Radio Frequency Allocation Plan. The transfer or grant of use must be approved by the ECTRA, who may coordinate with the Competition Authority. The ECTRA has the right to refuse the transfer or grant of the right to use RFs if it distorts competition.37
Telecommunications & internet access
i Internet and internet protocol regulation
IP-based services are regulated by the ISSA. ECSs and information society services are mutually exclusive; therefore, information society services are excluded from the scope the ECA. However, state supervision over compliance with the requirements provided for in the ISSA is exercised by the ECTRA.
Contrary to the ECA, the ISSA does not contain any registration, authorisation or notification obligations for the service providers. The primary obligation of service providers is to render directly and permanently accessible to recipients of services at least the following information:
- the name of the service provider, its registry code and the name of the corresponding register, the service provider's address and other contact details, including the electronic mail address;
- its registration number if, for operation in the corresponding field of activity, registration in the register of economic activities is required by law, or its activity licence number; and
- if reference is made to the fee charged for the service, information on whether the fee includes taxes and delivery charges.
Information society service providers generally have less obligations compared to communications service providers. An information society service provider is generally not liable for the information transmitted upon mere transmission of information and provision of access to public data communications networks, upon temporary storage of information in cache memory and upon provision of information storage services. There are exceptions to this general rule.38 Additionally, information society service providers are not obligated to monitor information upon the mere transmission thereof or provision of access thereto, temporary storage thereof in cache memory or storage thereof at the request of the recipient of the service; nor is the service provider obligated to actively seek facts or circumstances indicating illegal activity. However, in certain circumstances information society service providers are obliged to provide information about alleged illegal activities undertaken or information provided by recipients of their services, and to communicate to the competent authorities information enabling the identification of recipients of their service.39
ii Universal service
Under the ECA, it is possible to designate universal service providers by way of a public competition, or public procurement if the payable charges exceed the relevant thresholds. When designating universal service providers, it must be taken into account that the end goal is to ensure provision of the service in a cost-effective manner that does not prejudice competition, at an affordable price, and in accordance with the objectives of state organisation in the electronic communications sector, which is to promote competition in the provision of ECSs. A universal service provider may be designated separately for each specified service within a specified territory.40
The following services can be designated as universal services:
- connection to a communications network in a fixed location enabling telephone services (which enables the making and receiving of calls, the sending and receiving of faxes and the use of data communication services at data rates sufficient to permit functional internet access, taking into account the hardware and software used by most end users);
- public payphone services or other publicly accessible communications services enabling calls; and
- the availability of a universal electronic public number directory and directory enquiry services.41
The USO is based on a universal service contract between the communication undertaking and the state, which sets out, inter alia, the obligations, term, charges payable by end users and the territory.42 The costs related to the performance of the USO are compensated for out of the universal service charge payable by communications undertakings whose turnover for communications services exceeds €383,500 per year. The rate of the universal service charge, established each year by the government, is 0.01 to 1 per cent of the turnover of a communications undertaking with the financing obligation in the preceding financial year. A communications undertaking with the USO is entitled to compensation for the unreasonably burdensome costs related to the performance of the obligation.43
Despite the detailed regulation of universal service providers, the competition situation in the markets for communications services is in good shape, all the services that can be designated as universal services are available on the market and no communication undertakings have currently been designated as universal service providers.
iii Restrictions on the provision of service
Obligation to provide access to communications networks and general terms and conditions obligations
The EU directives that require communications undertakings to provide access to their networks have been transposed in national law by the ECA. Generally, communications undertakings are required to enter into a subscription contract with any person who submits an application to this effect. Entry into the contract may only be refused in specified cases, which include:
- the technical impossibility in the requested area or manner to connect terminal equipment to the communications network;
- failure by the applicant to provide information necessary for his or her identification or for communications with him or her, or the address of the location of the connection to the communications network allowing the provision of the requested communications service;
- the provision of incorrect information upon submitting the application or upon entering into a requested subscription contract; and
- an applicant has a debt of collectable arrears for the provided communications services or the applicant is subject to bankruptcy proceedings.
If none of these conditions is fulfilled, the communications service provider is obliged to enter into a subscription agreement with the end user and to create a possibility for the end user to commence the use of the ECS within 10 working days after entry into a subscription contract, provided that the end user has performed the obligations assumed by the subscription contract.44
A communications service contract entered into with the end user must contain certain mandatory provisions. There is also formalised process with a one-month prior notice requirement for changes to general terms and conditions. The ECA establishes minimum information and mandatory terms that must be regulated in an ECS contract. These include, among others:
- a description of the communications service and possibilities to use other related services;
- charges for the services, including charges payable for maintenance, procedure for settlement of accounts as well as discounts and other price packages;
- quality requirements set for the communications service, including service quality parameters;
- the procedure and time limit for elimination of faults;
- the procedure and time limit for submission of complaints and claims, and the procedure for resolution of disputes;
- the term of the contract and conditions for cancellation and extension of the contract;
- the measures taken by the communications undertaking to ensure security and integrity of communications networks and services; and
- the terms and conditions of a product or communications service intended for end users with special needs.45
Some of the above contractual information (e.g., information on charges) and any standard terms used by the electronic communications undertaking must be made public on the website of the electronic communications undertaking or, in the absence thereof, in any other reasonable manner.46
Other than the mandatory provisions discussed above, the communications service provider and the end user are free to agree on contract terms.
Regulation (EU) 2015/2120 laying down measures concerning open internet access is directly applicable in Estonia. Thus, all communications service providers in Estonia are under the obligation to treat all traffic equally, when providing internet access services, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used.47 Estonia is a strong supporter of net neutrality, despite not having adopted any national legal acts or guidelines on net neutrality. The freedom and democracy watchdog Freedom House assesses that there are very few restrictions on internet content and communications as Estonia remains among the world leaders in internet freedom. Estonians have access to a wide range of content online, and very few resources are blocked or filtered by the government. Following court rulings on intermediary liability for third-party comments, some Estonian media outlets have modified their policies regarding anonymous commenting on their portals. Freedom House does, however, state concern over the increase of surveillance powers in certain situations and has raised fears of both content manipulation and self-censorship.48
On 31 October 2019, Estonia and the United States signed a memorandum on 5G security and Estonia has since then adopted legislative measures to increase government oversight on the hardware and software used in communications networks. In September 2020, the government published a draft regulation prohibiting the use of high-risk hardware and software by providers of vital services and in mobile communications networks implementing 5G and subsequent generation standards. According to the draft regulation, hardware or software is considered to be of high-risk when its manufacturer, maintenance or support service provider is, among others, located outside the EU, NATO or OECD countries, under a foreign government's or security authority's control with no judicial review or located in a country where no conditions for the protection of intellectual property rights exist.
The ban is set to be implemented in three phases with high-risk hardware and software with critical functionality being banned with the regulation entering into force, high-risk non-standalone hardware and software in 5G and next generation mobile networks being prohibited from 1 January 2024 and high-risk hardware and software with no critical functionality and not in use in 5G or next generation mobile networks being prohibited from 1 January 2030.
Furthermore, the regulation requires electronic communications undertakings to annually notify the ECTRA of the hardware and software in use in its networks and to submit an application for a permit for the use of hardware or software.49
Public consultations concerning the proposal ended on 20 October 2020 and Huawei has indicated its intention to challenge the regulation, claiming it is in conflict with EU law to discriminate on the basis of origin.50
Unsolicited phone calls, faxes, emails and texts
Estonia has implemented the e-Privacy Directive51 with the ECA. The requirements regarding marketing communications are different for legal and natural persons. Under the ECA, the use of electronic contact details of a natural person for direct marketing is allowed only with the person's prior consent (opt-in), while the use of electronic contact details of a legal person for direct marketing is allowed if, upon use of contact details, a clear and distinct opt-out opportunity is given to refuse such use of contact details free of charge and in an easy manner, and the person is allowed to exercise its opt-out right over an ECN.
Regardless of the above, if a communications service provider obtains the electronic contact details of a buyer, who is a natural or legal person, in connection with selling a product or providing a service, such contact details may still be used for direct marketing of its similar products to the buyer if the buyer is given, upon the initial collection of electronic contact details and each time when the buyer's electronic contact details are used for direct marketing, a clear and distinct opt-out opportunity free of charge and in an easy manner; and the buyer is allowed to exercise its right to refuse over an ECN.
It is important to note that the requirements described above do not apply to multiparty voice calls in real time, which have been excluded from the scope the implementation of the e-Privacy Directive in Estonia. Multiparty voice calls in real time are instead regulated in the Law of Obligations Act.52 Real-time multiparty calls may be used for communicating an offer only if the consumer has not expressly forbidden the use thereof. Thus, real time multiparty voice calls are subject to an opt-out possibility, while offers made to consumers by automated calling systems without human intervention, fax, telephone answering machine, electronic mail, SMS or other means are lawful only with the prior consent of the consumer.53
iv Privacy and data security
Since 2018, one of the main legislative acts imposing cybersecurity obligations is the Cybersecurity Act,54 which transposes into Estonian law the Security of Network and Information Systems Directive.55 The Act provides requirements for the maintenance of network and information systems essential for the functioning of society and state and local authorities' network and information systems, liability and supervision as well as the bases for the prevention and resolution of cyber incidents. The Act is not applied to micro and small enterprises.56 The Act includes obligations, among others, for communications undertakings provided for in the ECA that provide cable distribution services consumed by at least 10,000 end users, and broadcasting network service providers upon providing cable distribution services or broadcasting network services. The Act also applies to Estonian Public Broadcasting and information society service providers within the meaning of the ISSA who offer online marketplaces, search engines or provide cloud computing services.57
The Cybersecurity Act requires the above-mentioned service providers to apply organisational, physical and information technological security measures for preventing and resolving cyber incidents, and preventing and mitigating any impact on the continuity of the service or the security of the system due to a cyber incident, or any possible impact on the continuity of another dependant service or the security of a system. Service providers are required, inter alia, to prepare a risk assessment and ensure its timeliness, ensure the monitoring of systems for detecting compromising actions and reduce the impact of cyber incidents. The Act also provides for an obligation to notify the Estonian Information System Authority (EISA) of cyber incidents. EISA is also responsible for the state and administrative supervision of compliance with the requirements of the Cybersecurity Act. Similarly, the ECA also includes a requirement to notify EISA immediately of all incidents endangering the security and integrity of the communications network and services that to a significant extent affect the functioning of the communications services or network, and of measures taken to eliminate such incidents.58
Under the ECA, a communications undertaking is required to take appropriate technical and organisational measures to manage the risks related to security and integrity of the communications services and network. The measures must be proportionate to the potential emergency situation, must ensure the minimum impact of incidents endangering the security and integrity of users of communications services and related networks, and must ensure continuity of the provided services.59 A communications undertaking must also guarantee the security of a communications network and prevent third persons from accessing (without legal grounds) the following data: information concerning specific details related to the use of communications services; the content and format of messages transmitted over the communications network; and information concerning the time and manner of transmission of messages.
If a specific hazard exists to a communications service or the security of the communications network, the communications undertaking must immediately inform subscribers of such hazard in a reasonable manner and, unless the hazard can be eliminated by measures taken by the undertaking, also of possible remedies and of any costs related thereto.60
In the summer of 2017, the new Emergency Act61 entered into force, which includes a list of emergencies that justify the interruption in vital services. Vital services include, among others, phone services, mobile phone services, data transmission services, and digital identification and digital signing.62 A provider of a vital service is required to, among other things:
- prepare a continuity risk assessment and plan of the vital service provided thereby;
- implement measures that prevent interruptions of the vital service, including reducing the dependency on other vital services, essential contract partners, suppliers and information systems through duplicating technical systems, contracts, staff and other means important to the provision of the service, using alternative solutions, having and stocking necessary resources and other similar actions; and
- ensure the capability to guarantee the continuity and quick restoration of the service provided thereby during an emergency or another similar situation, including in the event of a technical failure or an interruption of the supply or another vital service.63
Privacy and personal data protection
The General Data Protection Regulation (GDPR)64 is directly applicable in Estonia and the general rules set out therein are also applicable in the communications sector. Additionally, the Personal Data Protection Act (PDPA)65 and the Personal Data Protection Act Implementing Act apply,66 which entered into force in 2019, replacing the previous pre-GDPR acts and amended national legislation to establish legal conformity with the GDPR.
In conformity with the GDPR, the PDPA introduces specific grounds for processing of personal data. These include processing of personal data without the consent of the data subject for journalistic purposes, academic, artistic and literary expression, as well as for scientific and historical research and official statistics. More specifically, personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject, in particular disclosed in the media, if there is public interest therefor and this is in accordance with the principles of journalism ethics. Disclosure of personal data must not cause excessive damage to the rights of any data subjects. Furthermore, some of data subjects' rights, such as right of access, right to rectification and right to restriction of processing, inter alia, can be restricted when processing personal data for archiving in public interest.67 In connection with provision of information society services directly to a child, Estonia has specified that the age at which children can consent is 13 years.68
In addition to the GDPR and the Personal Data Protection Act, some data protection requirements are also set out in the ECA. Under the ECA, a communications undertaking is required to maintain the confidentiality of all information that becomes known thereto in the process of the provision of communications services, and that concerns subscribers as well as other persons who have not entered into a contract for the provision of communications services but who use communications services with the consent of a subscriber. Above all, it must maintain the confidentiality of information concerning specific details related to the use of communications services; the content and format of messages transmitted over the communications network; information concerning the time and manner of transmission of messages.69
This information may be processed only if the undertaking notifies the subscriber, in a clear and unambiguous manner, of the purposes of processing the information and gives the subscriber an opportunity to opt out. Irrespective of whether the subscriber refuses such processing, the undertaking still has the right to collect and process such personal data without the consent of the subscriber:
- when necessary for the purposes of recording transactions made in the course of business and for other business-related exchange of information;
- if the sole purpose of the processing is the provision of services over the communications network;
- if it is necessary for the provision, upon the direct request of the subscriber, of information society services; or
- that is necessary for billing the subscriber, including for the determination and calculation of interconnection charges.70
If the processing is done for publishing data on subscribers in number directories or through directory enquiry services, the processor must provide the subscribers with an opportunity to decide on whether and to what extent they wish such data to be published. Subscribers must also have an opportunity to verify and amend the data that concerns them, and to terminate the publication of such data.71
The ECA also prescribes other requirements deriving from the e-Privacy Directive, as discussed above in Section III.
Lawful interception and data retention
Under Section 113 of the ECA, a communications undertaking must grant a surveillance agency or security authority access to the communications network for the conduct of surveillance activities or for the restriction of the right to confidentiality of messages, respectively. A communications undertaking is required to preserve the confidentiality of information related to the conduct of surveillance activities, and activities that restrict the right to inviolability of private life or the right to the confidentiality of messages. The electronic communications undertaking may recover the costs it incurs in relation to the provision of access to the communications network under the rules of Section 114 of the ECA.
Under Clause 1111(11)5) and Section 1141 of the ECA, a communications undertaking must provide certain retained data at the request of a court within civil matters.
Obligations to generally and indiscriminately retain data (as per the now-invalid Data Retention Directive72) have been imposed under the ECA and have not been revoked despite the Digital Rights Ireland,73 the Tele2 Sverige,74 the Privacy International75 and the La Quadrature du Net and Others76 rulings. Communications undertakings must retain for a period of one year an extensive amount of data under the ECA, and have an obligation to provide information to competent state authorities and courts.77 At the time of writing, the Estonian Supreme Court's request for a preliminary ruling is pending at the CJEU,78 which should in the near future bring clarity about the compliance of the Estonian requirements with EU law. Taking into account the opinion of the Advocate General79 and considering the recent judgments of the CJEU, it is likely that the national law will be found to be non-compliant with EU requirements.
In parallel, the Ministry of the Interior has proposed a legislative amendment whereby, following the addition of OTT services under the definitions of ECSs, ECSs would be obliged not only to ensure the protection of the messages and of the data related to their transmission, but also to ensure the recovery of data in case of technical measures used for their protection. In essence, the Ministry wants to ensure that security and surveillance authorities would be able to access encrypted data transmitted through ECSs (including OTT services), with the possibility to decrypt the data. The proposal has already sparked discussions and the Ministry of Justice has refused to approve the proposal, stating that the proportionality and constitutionality of such a requirement has not been analysed and the scope of application of this requirement is unclear.80
Protection of children online
Estonia has adopted various laws that aim at protecting children online. For example, the Child Protection Act81 limits the permissibility of certain content to all children below the age of 18 years. It is prohibited to manufacture, show and disseminate to children content that promotes violence or cruelty, or contains pornographic content.82 The same is provided in the Act to Regulate Dissemination of Works which Contain Pornography or Promote Violence or Cruelty.83 This can be enforced in administrative proceedings by issuing a precept to terminate the violation and to restrict or take down the improper content. In the event of failure to comply with the precept, penalty payments can be imposed repeatedly until the precept is complied with. Parental consent cannot override the requirements set for content providers or limit their legal liability.
Note that under Estonian law, there are liability restrictions for information society service providers in the case of mere transmission, caching and storage. The latter is feasible if the service provider does not have actual knowledge of the contents of the information and, as regards claims for compensation for damage, is not aware of facts or circumstances from which the illegal activity or information is apparent. Additionally, the service provider must, upon obtaining knowledge or awareness of the facts specified above, act expeditiously to remove or to disable access to the information.84
Sexual enticement of children below the age of 14 is criminalised and punishable under the Penal Code.85 Sexual enticement means, among others, handing over, displaying or otherwise knowingly making available pornographic works or reproductions to a person less than 14 years of age. This is punishable by a pecuniary punishment or up to three years' imprisonment for natural persons and by a pecuniary punishment of €4,000 to €16 million for legal persons. Showing sexual abuse of a person aged less than 14 years, or engaging in sexual intercourse in the presence of such person or knowingly sexually enticing such person in any other way, are punishable by the same sanctions. Handing over, displaying or knowingly making available of works or reproductions of works promoting cruelty in another manner to a person of less than 14 years of age, or showing the killing or torturing of an animal in the presence of such person without due cause or knowingly exhibiting of cruelty to him or her in another manner, are punishable by a pecuniary punishment the amount of which is up to €3,200 in the case of legal persons.86
The MSA also includes provisions that are aimed at protecting children. Television and radio service providers may not transmit programmes that may cause substantial physical, mental or moral detriment to minors, in particular such programmes that include pornography or that propagate violence or cruelty for the purposes of the Act to Regulate Dissemination of Works which Contain Pornography or Promote Violence or Cruelty. On-demand audiovisual media services that may cause substantial damage to the physical, mental or moral development of a minor must be made accessible by the on-demand audiovisual media service provider by means of personal identification codes or other relevant technical solutions only in a manner that is not accessible to minors under normal circumstances.87
The Advertising Act88 includes several requirements for advertising directed at persons less than 18 years of age. Advertising that targets groups that are primarily made up of children must take into account their unique physical and mental state resulting from their age. Children may not be a target group of advertising if it is prohibited to sell the advertised goods or provide the advertised services to children. Advertising that targets groups that are primarily made up of children may not:
- create the impression that the acquisition of certain goods or the use of certain services will give the child an advantage over other children or that the lack thereof will have the opposite effect;
- create feelings of inferiority in children;
- incite children to behave or act in a manner that has or may have the effect of bringing children into unsafe conditions;
- contain elements that frighten children;
- exploit the trust children place in their parents, teachers or other persons;
- include a direct or indirect appeal to children to demand the acquisition of the advertised goods or the use of the advertised services from other persons; or
- directly incite children to enter into transactions independently.89
These requirements also apply to any online advertising.
The Estonian spectrum policy is changing continuously. The demand for spectrum is increasing rapidly with the development of and increasing demand for new technologies and mobile communications services. Currently, the 5G mobile network is being developed. All this proves to be a challenge in conditions where frequency spectrum is a scarce resource.
To tackle this challenge, the Estonian Radio Frequency Allocation Plan is constantly changing to conform to new developments. The use of RFs in Estonia is harmonised with those of the EU, as Estonia takes account of the recommendations of the European Commission to the greatest extent possible.90 The ECA provides that the purpose of regulating the management of RFs is to ensure the purposeful, objective, transparent and proportionate management, and the effective and efficient use, of RFs for the needs of users of RFs and for the provision of communications services, the creation of possibilities for the development of new technologies and fast elimination of radio interference. The Radio Frequency Allocation Plan determines, among other things, the RF bands for the introduction of new technologies together with restrictions on new and existing users. The ECTRA reviews the allocation plan at least once a year and submits to the responsible minister proposals for amendments if the development of electronic communications technology requires it.91
ii Flexible spectrum use
As discussed above, the use of spectrum requires its prior allocation by the ECTRA. Spectrum is allocated on the basis of the Radio Frequency Allocation Plan, which determines the manner, regime and purpose of using frequency bands. Upon granting a frequency authorisation to a communications undertaking, the ECTRA establishes in the authorisation, among other things, the purpose, manner, conditions and area or location of the use of spectrum, as well as the requirements for the shared use of RFs. Therefore the authorisation may include in its conditions the possibility to share the use of spectrum, as well as the possibility to trade frequency or grant it for use on the basis of a contract. Accordingly, the use of spectrum is made more flexible by way of allowing such trading and shared use of spectrum.
In addition, the ECTRA carries out spectrum auctions in previously unused frequency ranges and rearranges the use of spectrum, if need be, as discussed further below.
iii Broadband and next-generation services spectrum use
The ECTRA is also constantly dealing with the need for new uses of mobile spectrum. For example, in 2015 it rearranged the frequency usage of mobile operators in the 900MHz band to enable the introduction of new technologies. In the course of the process, the frequency blocks of each operator were rearranged so that complete frequency ranges were allocated to each operator to create wider bandwidth and create conditions for introducing new 4G and 5G technologies.92 Most recently, the 3,600MHz frequency band was rearranged for terrestrial electronic communications networks in compliance with Commission Implementing Decision 2014/276/EU.93
If the ECTRA finds that the number of available spectra is not sufficient for their allocation, it can hold a public competition in the form of a spectrum auction. The latest auction of mobile broadband spectrum ended in May 2017. The auction of frequencies in the ranges of 2,540–2,570MHz, 2,660–2,690MHz and 2,575–2,615MHz ended with the selling of three frequency division duplexes (FDD) and two time division duplexes (TDD) that provide the right to use 100MHz-worth of spectrum in Estonia. Two operators, Elisa Eesti AS and Telia Eesti AS, participated. FDD I and II were bought by Telia, bidding €1,601,234 and €3,605,535 respectively. FDD III, TDD I and II were bought by Elisa, bidding €2,608,789, €1,612,346 and €1,597,001 respectively. Accordingly, around €11 million was earned through the auction.94
After the digital switchover occurred on 1 July 2010, the freed-up frequencies were allocated for 4G mobile communication services. It can therefore be said that more and more spectrum is becoming available for mobile services. More specifically, the latest and upcoming auctions are focused on 5G technologies. During the Estonian presidency of the Council of the EU from July to December 2017, a Ministerial Declaration was signed to make 5G a success for Europe.95 It was agreed that 5G is the vision for a fully connected European society and a path towards the European gigabit society. The crucial step in implementing this vision is to make more spectrum available in a timely and predictable manner. To realise this goal, it is necessary to release 5G spectrum bands.96 In March 2019, the Ministry of Economic Affairs and Communications published a 5G Roadmap for Estonia, aspiring to achieve 5G coverage in larger cities and their peripheral areas by 2023 and in transport corridors by 2025.97 The plan further envisages international Connected Automated Driving corridors and more leeway for small-cell 5G networks.
iv Spectrum auctions and fees
The ECTRA carries out auctions if it finds that the number of available spectra is not sufficient for their allocation.
Following a consultation with the stakeholders, the ECTRA decided to divide the separable bandwidth of 3,410–3,800MHz into three time division duplexes (TDD) large enough (3x130MHz) to implement the large data amounts and facilitate the future development of 5G technologies: 3,410–3,540MHz, 3,540–3,670MHz and 3,670–3,800MHz. Additionally, a fourth smaller buffer zone was left to ensure undisturbed operation of defence forces equipment.98 This frequency band is considered as the most important 5G frequency range in the European 5G Roadmap, which will allow the use of innovative technologies and devices (IoT).99 In February 2019, the ECTRA announced the auction for the 3,410–3,800MHz frequency range for the development of 5G technology with a starting price of €1,597,000 for each range. The auction was suspended in March 2019 following an appeal by Levikom, a broadband network operator, which argued that dividing the frequency into three large ranges stifles competition and provides an unfair advantage to big operators.100 In its opinion, the Estonian Competition Authority urged the Ministry to consider auctioning the spectrum in smaller 5–10MHz ranges.101 In August 2020, the Ministry of Economic Affairs and Communications relaunched the 3,410–3,800MHz bandwidth auction consultation process with the spectrum band now being proposed to be divided into four blocks with hopes to ensure a more level playing field and to facilitate market entry for new operators.102 As currently set, the bandwidth is divided into three 50MHz frequency blocks and one 40MHz frequency block in the frequency band 3,410–3,600MHz and four 50MHz frequency blocks in the 3,600–3800MHz frequency band. The use of 3,600-3,800MHz frequency band is currently technically restricted due to border interference with Russia. After the conclusion of a coordination agreement with Russia, a transition will take place and operators will be allocated 90–100MHz frequency blocks.103
In addition to the currently suspended 3,410–3,800MHz auction, preparations for allocating spectrum in the 700MHz and 26GHz frequency bands have started: public consultations for planning the use of 700MHz and 26GHz frequency bands have been concluded and the results thereof sent to the Ministry of Economic Affairs and Communications for future spectrum planning.104 Furthermore, a study for the use of spectrum in the 40.5–43.5GHz and 66–71GHz frequency range is planned for the future.105
i Regulation of media distribution generally
Media services are subject to the licensing obligations discussed above. In addition, there are restrictions on content that are one of the pre-requirements for obtaining licences.
For example, the MSA requires a television and radio service provider to reserve at least 5 per cent of the daily transmission time of the programme service on at least six days a week for transmitting self-produced new programmes, except on national holidays. At least 10 per cent of the monthly transmission time must be reserved for transmission of own productions, deducting the transmission time allocated for news, sporting events and games programmes as well as for advertising, teletext services and teleshopping. At least 50 per cent of the minimum capacity of own production must be shown during prime time between 7pm and 11pm. At least 51 per cent of the annual capacity of the television programme service must be reserved for transmission of audiovisual works of European origin, deducting the transmission time allocated for news, sporting events and games programmes, as well as for advertising, teleshopping and teletext services, and at least 10 per cent of such audiovisual works must have been created by producers that are independent of this television service provider. These requirements are subject to certain exceptions; for example, local channels are exempted from some of them.106
The MSA also sets out some requirements for commercial communications, TV and radio advertising, sponsorship and product placements. In addition to the MSA, these are regulated by the Advertising Act.
The abovementioned rules are set to change with the transposition of the revised Audiovisual Media Services Directive 2018/1808/EU into Estonian law.
ii Internet-delivered video content
Besides television services, on-demand audiovisual media services are becoming increasingly popular. On-demand audiovisual media services do not require a licence, but do require a notification of economic activities to be submitted through the state portal or to a notary, as discussed above.
Most of the biggest ISPs in Estonia have started their own video distribution services. However, this does not limit the accessibility of on-demand services of other service providers. Standalone services are also freely accessible. However, generally service providers measure the use of data without taking into account that part of the data that is used for VOD. Still, it must be noted that there are examples on the market of ISPs' own on-demand video distribution services that do not use up mobile data if streamed via the service provider's own networks. Thus, one the strategies used to attract customers to buy video distribution services is that ISPs do not charge for the data used on streaming via mobiles on their own VOD services equally with the data used for other VOD services.
The year in review
The most important changes in the legislation concerning the ICT sector in 2019 and 2020 have been regarding the consolidation of two regulators into one, legislative amendments in light of requirements stemming from EU law, and the auctioning of 5G spectrum frequency.
From 1 January 2019, the Estonian Technical Regulatory Authority and the Consumer Protection Board have been joined into one single regulatory authority: the Consumer Protection and Technical Regulatory Authority (ECTRA). The new Authority resumed the obligations of the Technical Regulatory Authority and the Consumer Protection Board.107
The GDPR became applicable on 25 May 2018, which required companies to adjust their data processing practices and gave people greater control over the use of their personal data. On 15 January 2019, Estonia adopted the new Personal Data Protection Act (PDPA), replacing the previous pre-GDPR act. The PDPA was followed by the Personal Data Protection Act Implementing Act, which came into force on 15 March 2019 and acts to amend national legislation to establish legal conformity with the GDPR.
In 2019, Estonia announced its national strategy for the development and implementation of artificial intelligence. The plan includes public–private partnership initiatives, further e-state services and sandboxes for testing and developing public sector solutions, among others.108 In August 2020, a legislative initiative was published to regulate the effects of algorithmic systems (known as the AI regulation).109
In February 2020, the Ministry of Economic Affairs and Communications published a draft law that would amend the ECA, and sent it to stakeholders and ministries for their opinions. The draft law is aimed at transposing Directive (EU) 2018/1972 into Estonian law. Two rounds of approval have currently been carried out at the time of writing, and several opinions have been submitted to the Ministry. The draft law would change the definition of ECSs and bring OTT services under the regulation of the ECA.110
In September 2020, the government published a draft regulation prohibiting the use of high-risk hardware and software in telecom networks implementing 5G and subsequent generation standards. This would bar the Chinese tech giant Huawei, for instance, from constructing Estonia's 5G network. The regulation further seeks to phase out high-risk hardware and software from Estonian communications networks completely by 2030 and imposes new reporting and permit requirements for electronic communications undertakings.111
Significant recent transactions include the acquisition of Apollo Group by UP Invest, the acquisition of Baltic Classifieds Group by private equity firm Apax Partners, and a pending transaction whereby UP Invest would acquire Forum Cinemas OÜ. In the summer of 2019, the Estonian Competition Authority cleared private equity firm Apax Partners' acquisition of the 100 per cent share of the Baltic Classifieds Group from UP Invest.112 Baltic Classifieds Group operates specialised and general online classifieds portals in the Baltics. The Estonian Competition Authority also cleared the acquisition of sole control over Apollo Group by UP Invest. UP Invest holds 78 per cent of Apollo Group shares following the transaction, while previously UP invest held joint control with another company.113 Apollo Group operates in the entertainment market, managing the Apollo book store and cinema chain. In 2020, UP Invest merged with its parent company MM Grupp OÜ.114 At the end of August 2020, it was announced that MM Grupp OÜ is also planning to acquire Forum Cinemas OÜ, second largest cinema chain operator in Estonia.115 The clearance of the Estonian Competition Authority is required for the transaction. The proceedings are currently ongoing, but there have been doubts as to whether the transaction can be approved by the Competition Authority. The decision is expected in the first quarter of 2021.
Most of the major mobile service providers have recently come out with their own VOD services, such as Elisa's Elisa Elamus and Telia's TELIA TV, which includes FOX NOW, Eurosport Player and HBO. This marks a growing demand for VOD among viewers. In January 2020, Telia, a major mobile and internet service provider, launched a new TV channel Inspira, which broadcasts sports, movies and series.116
With the above developments, there is also an increasing demand for spectrum on the market. An auction for spectrum in the 3,600MHz frequency range in three 130MHz time division duplexes was announced in early 2019, but suspended shorty after a local broadband operator appealed the auction claiming it stifles competition. In August 2020, the Ministry of Economic Affairs and Communications announced plans to relaunch the auction and divide the 3,600MHz spectrum band into four blocks with hopes to ensure a more level playing field and to facilitate market entry for new operators. Preparations are underway to auction spectrum in the 700MHz and 26GHz frequency bands.
Conclusions and outlook
Looking ahead, some of the next important developments in the communications, technology and media sector are the following.
It is expected that the draft act transposing the Directive (EU) 2018/1972 into Estonian law will be submitted to the Parliament in the subsequent months. The act would change the scope of application of the ECA and introduce new rules to enhance the deployment of small cell networks. The act would further phase out anonymous prepaid mobile SIM cards and expand the existing data retention obligations to providers of number-based interpersonal communication services such as Skype, WhatsApp and Viber. It is likely to spark discussions about lawful interception of ECSs and its constitutional limits. Although the deadline for transposing the Directive (EU) 2018/1972 is 21 December 2020, at the time of writing this chapter it appears unlikely that the Directive would be transposed by that time.
Estonia seeks to award the first frequency licenses in the 3,600MHz band for the development of 5G networks in 2020 and it is likely that the 700MHz spectrum auction will follow soon in 2021. Electronic communications undertakings will however most likely need to take into account new requirements imposed on network technology as the Estonian Government seeks to prohibit the use of certain high-risk hardware and software in Estonian communication networks.
Estonia continues to accelerate the development and implementation of artificial technology while at the same time, ensuring necessary regulations are in place to safeguard potential threats to fundamental rights. To achieve this, Estonia intends to develop a new legislative act which would include different provisions that set out the obligations to guarantee fundamental rights, levels of transparency, national supervisory measures, sanctions, amendments to the Administrative Procedure Act, impact assessment and specific regulations for high-risk algorithmic systems.117
The Estonian ICT sector is fast-developing and highly important to the legislators. The government's goals include developing and implementing artificial intelligence technology, bringing ultrafast internet to more and more end users and promoting Estonia as the world's capital of innovation regarding the communications and information society. However, there are still challenges for policymakers caused by convergence and ultra-fast developments in the sector.
Generally, Estonia follows European policies, and has successfully implemented the various pieces of EU legislation into national law. One shortcoming concerns the rules on data retention by communications service providers, which are based on an invalid directive and have not been revoked from national law, despite a number of CJEU judgments that highlight the need to do so. A preliminary ruling of the CJEU is expected in the near future which would specifically address the Estonian national law regarding data retention.
1 Mihkel Miidla is a partner and Liisa Maria Kuuskmaa and Oliver Kuusk are associates at Sorainen.
11 Available in English at https://www.riigiteataja.ee/en/eli/530052018001/consolide.
12 Clause 2 6) of the ECA.
13 Clause 2 68) of the ECA.
14 The draft law is available at: http://eelnoud.valitsus.ee/main/mount/docList/152508b8-ca93-4b13-8df4-d85b996add6e#MJXpJhnv.
15 Available in English at: https://www.riigiteataja.ee/en/eli/ee/513012015001/consolide/current.
16 Clause 2 1) of the ISSA.
17 Available in English at: https://www.riigiteataja.ee/en/eli/ee/511052015002/consolide/current.
18 Section 1 of the MSA.
19 The draft law is available at: https://eelnoud.valitsus.ee/main/mount/docList/83365ad5-a2e1-4865-bca4-6a8d6a344589.
20 Available in English at: https://www.riigiteataja.ee/en/eli/ee/527062014005/consolide/current.
21 Sections 3–4 of the ECA.
24 Sections 11–14 of the ECA.
25 Sections 11, 15–16 of the ECA.
26 Subsections 9(2.2)–9(2.4) of the ECA.
29 Sections 33–39 of the ECA.
30 Sections 32–40 of the MSA.
31 Clause 32 3) of the MSA.
32 Subsection 17(8) of the ECA.
33 Available in English at: https://www.riigiteataja.ee/en/eli/ee/527122017001/consolide/current.
34 Section 21 of the Competition Act.
35 Section 27 of the Competition Act.
36 Subsections 40(4) and 144(1) of the ECA.
37 Section 17 of the ECA.
38 Sections 8–10 of the ISSA.
39 Section 11 of the ISSA.
40 Section 73 of the ECA.
41 Section 69–70 of the ECA.
42 Subsections 72(3)–72(4) of the ECA.
43 Sections 75, 81–84 of the ECA.
44 Sections 93–94 of the ECA.
45 Subsection 96(1) of the ECA. The full list of mandatory terms can also be found therein.
46 Subsection 96(3) of the ECA.
47 Articles 3 and 4 of Regulation (EU) 2015/2120.
49 The draft law is available at: https://eelnoud.valitsus.ee/main/mount/docList/c462f16d-40df-4d96-9096-89b2ae5dcdab.
51 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
52 Available in English at: https://www.riigiteataja.ee/en/eli/ee/507022018004/consolide/current.
53 Section 60 of the Law of Obligations Act.
54 Available in English at https://www.riigiteataja.ee/en/eli/523052018003/consolide.
55 EU Directive 2016/1148.
56 Subsections 1(1) and 1(3) of the Cybersecurity Act.
57 Clauses 3(1)5), 3(1)10) and Subsection 4(1) of the Cybersecurity Act.
58 Subsection 87.2(2) of the ECA.
59 Subsection 87.2(1) of the ECA.
60 Section 101 of the ECA.
62 Section 36 of the Emergency Act.
63 Subsection 38(3) of the Emergency Act.
64 Regulation (EU) 2016/679.
65 Available in English at https://www.riigiteataja.ee/en/eli/523012019001/consolide/current.
67 Sections 4-7 of the PDPA.
68 Subsection 8(1) of the PDPA.
69 Subsection 102(1) of the ECA.
70 Section 102 and 104 of the ECA.
71 Sections 102–107 of the ECA.
72 Directive 2006/24/EC.
73 Judgment of the Court of Justice of the European Union (CJEU) of 8 April 2014 in case C-293/12.
74 Judgment of the CJEU of 21 December 2016 in joined cases C-203/15 and C-698/15.
75 Judgment of the CJEU of 6 October 2020 in case C-623/17.
76 Judgment of the CJEU of 6 October 2020 in joined cases C-511/18, C-512/18 and C-520/18.
77 Section 111.1 of the ECA.
78 Case C-746/18, HK v. Prokuratuur.
79 Opinion of the CJEU Advocate General Pitruzzella in case C-746/18.
80 Both the proposal of the Ministry of the Interior and the opinion of the Ministry of Justice can be accessed here: http://eelnoud.valitsus.ee/main/mount/docList/152508b8-ca93-4b13-8df4-d85b996add6e#MJXpJhnv.
81 Available in English at https://www.riigiteataja.ee/en/eli/ee/520122017002/consolide/current.
82 Section 25 of the Child Protection Act.
83 Available in English at https://www.riigiteataja.ee/en/eli/ee/520012015009/consolide/current.
84 Sections 8–10 of the ISSA.
85 Available in English at https://www.riigiteataja.ee/en/eli/ee/509072018004/consolide/current.
86 Sections 179–180 of the Penal Code.
87 Section 19 of the MSA.
88 Available in English at https://www.riigiteataja.ee/en/eli/ee/504042018001/consolide/current.
89 Section 8 of the Advertising Act.
90 Subsections 6(3), 8(3) and 8(4) of the ECA.
91 Subsection 9(2) and Clause 10(1)1) of the ECA.
106 Section 8 of the MSA.
110 The draft law is available at: http://eelnoud.valitsus.ee/main/mount/docList/152508b8-ca93-4b13-8df4-d85b996add6e#MJXpJhnv.
111 The draft law is available at: https://eelnoud.valitsus.ee/main/mount/docList/c462f16d-40df-4d96-9096-89b2ae5dcdab.