Data, especially sensitive personal data, is protected for a reason in democracies around the world. Data controllers are subject to strict rules, because people become deprived of their privacy if their data falls into the wrong hands, and in the worst case they can be influenced by the threat of disclosure. In the case of people in positions of national defence and security, this kind of manipulation can become a security threat. The legal framework – e.g., the Constitution, the Personal Data Protection Act and its implementing legislation, the General Data Protection Regulation (GDPR) at European level – seeks to mitigate such risks.

The Crisis Research Centre continues to request the establishment of a protection of personal data special committee in the Riigikogu, which would clarify the lawfulness of the storage, processing and transfer of personal data to third parties in and from the Population Register and the security risks linked to it in the light of the obligations arising from the GDPR, also retrospectively since 2018.

In August 2023, it emerged that the personal data of tens of thousands of data subjects had been unlawfully obtained from the Population Register as part of research targeting Estonian women. It has also been found that the Population Register has been making people’s data available by default without their consent, i.e. not implementing the default data protection that would be required by the GDPR since 2018. This means that the data of adults, as well as that of minors, have been made available by default. We believe this points to a wider problem and security risk.

Therefore, we request the Riigikogu to establish a special committee on data protection to ensure the constitutional rights of all Estonian residents and citizens and the protection of personal data, and to clarify the following aspects:

• Is the protection of personal data under the administration of the Ministry of the Interior ensured in accordance with the principles and standards laid down in the EU General Data Protection Regulation?
• When, by which institution, and based on which law, was the availability of personal data in the electronic population register made freely available to third parties by default (for both research and advertising) in the form of an initial setting?
• Which competent committee and/or working group decided on this, and was it preceded by an open public debate with the participation of civil society organisations?
• Has the Ministry of the Interior informed the public that it is possible to restrict free access to personal data by third parties on the Population Register portal in order to protect their personal data and to ensure its fair use? If not, for what reasons has the Ministry of the Interior and/or the Data Protection Inspectorate refrained from publicly disseminating this information?
• To what extent are Estonian residents protected from psychological profiling by politically motivated think tanks?
• Are the activities of the Ministry of the Interior in the field of profiting from personal data in compliance with the EU GDPR regulation?
• Why does the Ministry of the Interior apply the principle of no default data protection in the population register, i.e. the person has to tick a box to opt out of data processing?

To date, no one at national level has been willing to answer these questions. The Ministry of the Interior is in the process of clarifying the background of the incident. At the same time, we continue to point out that according to the Statistics Estonia, there are 1 365 884 people living in Estonia as of 2023 whose personal data the Ministry of the Interior has been entrusted in good faith to keep and protect.

The creation of a special committee will help to shed light on the security risks lurking in the protection of personal data contained in the Population Register. Identifying the latter is in the interest of all Estonian citizens, but also of the state, and is part of a comprehensive protection of the population. This is first and foremost about YOUR data.

Photo: GDPR regulation (Tumisu/Pixabay, 2018).