We request the establishment of a protection of personal data special committee in the Riigikogu, which would clarify the lawfulness of the storage, processing and transfer of personal data to third parties in and from the Population Register and the security risks linked to it in the light of the obligations arising from the European Union General Data Protection Regulation (GDPR), also retrospectively since 2018.
Data, especially sensitive personal data, is protected for a reason in democracies around the world. Data controllers are subject to strict rules, because people become deprived of their privacy if their data falls into the wrong hands, and in the worst case they can be influenced by the threat of disclosure. In the case of people in positions of national defence and security, this kind of manipulation can become a security threat. The legal framework - e.g., the Constitution, the Personal Data Protection Act and its implementing legislation, the General Data Protection Regulation (GDPR) at European level - seeks to mitigate such risks.
Recent research scandal has revealed that the personal data of tens of thousands of data subjects have been obtained from the population register unlawfully. It has also been found that the Population Register has been making people's data available by default without their consent, i.e. not implementing the default data protection that would be required by the GDPR, the European Union's General Data Protection Regulation, since 2018. This means that the data of adults, as well as that of minors, have been made available by default. We believe this points to a wider problem and security risk.
In the context of the above, we request the Riigikogu to establish a special committee on data protection to ensure the constitutional rights of all Estonian residents and citizens and the protection of personal data, and to clarify the following aspects:
- Is the protection of personal data under the administration of the Ministry of the Interior ensured in accordance with the principles and standards laid down in the EU General Data Protection Regulation?
- When, by which institution, and based on which law, was the availability of personal data in the electronic population register made freely available to third parties by default (for both research and advertising) in the form of an initial setting?
- Which competent committee and/or working group decided on this, and was it preceded by an open public debate with the participation of civil society organisations?
- Has the Ministry of the Interior informed the public that it is possible to restrict free access to personal data by third parties on the Population Register portal in order to protect their personal data and to ensure its fair use? If not, for what reasons has the Ministry of the Interior and/or the Data Protection Inspectorate refrained from publicly disseminating this information?
- To what extent are Estonian residents protected from psychological profiling by politically motivated think tanks?
- Are the activities of the Ministry of the Interior in the field of profiting from personal data in compliance with the EU GDPR regulation?
- Why does the Ministry of the Interior apply the principle of no default data protection in the population register, i.e. the person has to tick a box to opt out of data processing?
According to Statistics Estonia, there are 1 365 884 people living in Estonia in 2023 whose personal data are entrusted in good faith to the Ministry of the Interior to keep and protect. We believe that the creation of a special committee will help to shed light on the security risks inherent in the protection of personal data contained in the Population Register. Identifying the latter is in the interests of all Estonian residents, but also of the state, and is part of a comprehensive civil defence.