Freedom on the Net 2016 - Estonia

Key Developments, June 2015-May 2016

• Estonia continues to be one of the most digitally advanced countries in the world. The Estonian Internet Foundation has consolidated its role in raising awareness about key concerns surrounding digital trends and governance of the free internet (see Availability and Ease of Access and Regulatory Bodies).

• In June 2015, the European Court of Human Rights upheld an Estonian Supreme Court decision from 2009, stating that content hosts may be held legally liable for third-party comments made on their websites. Since then, major online media publications have removed the functionality for anonymous comments on their websites and continued active moderation to limit hate speech (see Content Removal).

Introduction:

Estonia's advanced internet freedom environment continued to make gains thanks to increased internet access and online participation among citizens.

Estonia in one of the most wired and technologically advanced countries in the world. With a high internet penetration rate, widespread e-commerce, and e-government services embedded into the daily lives of individuals and organizations, Estonia has become a model for free and open internet access as a development engine for society. When the country regained independence in 1991 after nearly 50 years of Soviet rule, its infrastructure was in a disastrous condition. The country's new leadership, however, perceived the expansion of information and communication technologies (ICTs) as a key to sustained economic growth and invested heavily in their development. This progress has continued with support of all following governments.

After the first internet connections in the country were introduced in 1992 at academic facilities in Tallinn and Tartu, the government further worked with private and academic entities to initiate a program in 1996 called Tiger Leap, which aimed to establish computers and internet connections in all Estonian schools by 2000. This program helped build a general level of technological competence and awareness of ICTs among Estonians. Today, with a high level of computer literacy and connectivity already established, the program's focus has shifted from basic concerns such as access, quality, and cost of internet services to discussions about security, anonymity, the protection of private information, and citizens' rights on the internet. In addition, the majority of users conduct business and e-government transactions over the internet: in 2016, 99.6 percent of banking transactions were done with e-banking services, and 96 percent of people declared their income electronically.^[1]

With regard to freedom of expression online, recent court rulings on intermediary liability in Estonia have posed some concerns. On June 16, 2015, the Grand Chamber of the European Court of Human Rights (ECtHR) issued a ruling that reaffirmed an earlier Estonian Supreme Court decision regarding the legal liability of content hosts for third-party comments. The Grand Chamber of the ECtHR found that a company's legal liability for comments posted by its users did not sufficiently interfere with the freedom of expression guarantees enshrined in the European Convention on Human Rights; therefore, intermediaries could be held responsible for third-party content published on their website or forum, even if they delete the content upon notification.^[2] Since February 2016, several major media companies have removed anonymous comments functions from their online portals.

Over the past couple of years, the issue of privacy for individual users on the internet has become a widely debated topic in Estonia, with a particular focus on the privacy policies of global service providers. The Digital Agenda 2020 for Estonia, established by the Ministry of Economic Affairs and Communications, outlines howboth technological and organizational conditions will be developed to ensure that people will always know and be able to decide when, by whom, and for what purpose their personal data is being used in the public sector.^[3] The same agenda also launched an "e-residency" program to offer its secure and convenient online services to the citizens of other countries. Services include digital authentication, digital signatures, encrypted transmission of documents and other electronic communications, and access to all Estonian public and private sector online services.^[4]

Obstacles to Access:

Estonia continues to be one of the most connected countries in the world with regard to internet access, and Estonian internet users face very few obstacles when it comes to accessing the internet.

Availability and Ease of Access

The number of internet and mobile telephone users in Estonia has grown rapidly in the past 20 years. According to statistics from the International Telecommunication Union (ITU), internet penetration in Estonia reached 88.4 percent in 2015, compared to 84 percent in 2014 and 79 percent in 2013.^[5] There were also nearly 2 million mobile phone subscriptions in 2015, translating to a mobile phone penetration rate of 148 percent.^[6] This figure is commonly attributed to the widespread use of internet-enabled mobile devices, the growing popularity of machine-to-machine (M2M) services, and the use of more than one mobile phone by individual Estonians.

The first public Wi-Fi area was launched in 2001, and since then, the country has developed a system of mobile data networks that enable widespread wireless broadband access. In 2011, the country had over 2,440 free, certified Wi-Fi areas meant for public use, including at cafes, hotels, hospitals, schools, and gas stations, and the government has continued to invest in public Wi-Fi.^[7] In addition, a countrywide wireless internet service based on CDMA technology has been deployed and is priced to compete with fixed broadband access. Three mobile operators cover the country with mobile 3G and 3.5G services, and as of April 2016, 4G services covered over 98 percent of Estonian territory.^[8] Municipalities in rural areas have been subsidizing local fiber and wireless internet deployment efforts, and the country's regulatory framework presents low barriers to market entry, enabling local startups to proliferate.

Estonians use a large variety of internet applications, including search engines (85 percent of users), email (83 percent of users), local online media, news portals, social-networking sites, instant messaging, and Voice over Internet Protocol (VoIP) services.^[9] Estonian Public Broadcasting delivers all radio channels and its own TV production services, including news in real time over the internet; it also offers archives of its radio and television programs at no charge to users.

Restrictions on Connectivity

There were no government-imposed restrictions or disruptions to internet access during the past years.

ICT Market

The Estonian Electronic Communications Act was passed in late 2004 and has been bolstered by a number of amendments added to help develop and promote a free market and fair competition in electronic communications services.^[10] Today, there are over 200 operators offering such services, including six mobile operators and numerous internet service providers (ISPs). ISPs and other communications companies are required to register with the Estonian Technical Regulatory Authority, a branch of the Ministry of Economic Affairs and Communications, though there is no registration fee.^[11]

Regulatory Bodies

The main bodies in charge of regulatory issues in the telecommunications sector include the Technical Regulatory Authority and the Estonian Competition Authority.There have been no recent known cases of government interference with the telecommunications sector through regulatory bodies, or of regulators abusing their powers.

The Estonian Internet Foundation has taken an increasingly larger role in discussions and awareness-building surrounding key concerns about digital trends and governance of the free internet, notably by organizing "Internet Day" annual conferences since 2015.^[12] The foundation was established in 2009 to manage Estonia's top level domain, ".ee."^[13] With its multi-stakeholder foundation, the organization represents the Estonian internet community internationally and has succeeded in overseeing various internet governance issues such as the domain name registration process. In February 2012, the Estonian Internet Foundation was admitted to the Council of European National Top Level Domain Registries (CENTR). During last three years the domain registration and annual fees have dropped from a €20 annual fee to a €7 annual fee, together with a 40 percent decrease in the registrar's deposit, a decrease in the registrar's service fees, and an unlimited number of domains for each user.^[14]

Limits on Content:

Estonians have access to a wide range of content online, and very few resources are blocked or filtered by the government. However, a 2009 court ruling on intermediary liability for third-party comments was upheld by several European Court of Human Rights decisions, including most recently in June 2015, which may increase censorship or content removal, particularly on forums or other websites with public comment sections.

Blocking and Filtering

There are very few restrictions on internet content and communications in Estonia. YouTube, Facebook, Twitter, LinkedIn and many other international video-sharing and social-networking sites are widely available and popular. Estonians use the internet for uploading and sharing original content such as photographs, music, and text – a higher percentage of people in Estonia (32 percent) use the internet to publically share self-created content than do people in any other country in Europe.^[15]

A 2010 law on online gambling requires all domestic and foreign gambling sites to obtain a special license or face access restrictions. As of February 2016, the Estonian Tax and Customs Board had over 1,000 websites on its list of illegal online gambling sites that Estonian ISPs are required to block.^[16] The list of blocked sites is transparent and available to the public.

Content Removal

There have been some instances of content removal related to online communications. Most of these cases involve civil court orders to remove inappropriate or off-topic reader comments from online news sites. Comments are also sometimes removed from online discussion forums and other sites. Generally, users are informed about a given website's privacy policy and rules for commenting, which they are expected to follow. Most of the popular online services have established policies that outline a code of conduct for the responsible and ethical use of their services and have enforcement policies in place.

In June 2015, the Grand Chamber of the European Court of Human Rights (ECtHR) upheld a 2009 Estonian Supreme Court decision establishing intermediary liability over third-party comments on internet news portals.^[17] The debate began in 2008 when the victim of unflattering and largely anonymous comments on a news story filed suit against the popular Estonian news site Delfi , claiming that the web portal must be held responsible for defamatory reader comments and screen them before they become public.^[18] In 2009, the Estonian Supreme Court upheld the rulings of lower courts, stating that Delfi was not a passive intermediary since the site already exerted control over its comments section by removing those that violate their own rules; therefore, it could be held liable for defamatory or otherwise illegal content prior to publication. Website owners argued that they did not have the capacity to monitor and edit all comments made on their sites.

The Estonian Supreme Court ruling was previously upheld in October 2013 by the European Court of Human Rights, which stated that the company's liability for defamatory comments was not a "disproportionate interference" with Article 10 of the European Convention on Human Rights guaranteeing freedom of expression.^[19] The case was then referred to the Grand Chamber of the European Court of Human Rights, which also upheld the decision June 2015.

Beginning in February 2016, one of the major independent media companies, Postimees Grupp, discontinued the possibility for anonymous comments on its online portals in February 2016. The public broadcasting ERR followed suit, while the independent media house Ekspress Group added a registration system for its online comments section. As a result, the number of comments on online outlets has reportedly declined.^[20]

Media, Diversity, and Content Manipulation

Estonians have access to a wide array of content online, and there are few economic or political barriers to posting diverse types of content, including different types of news and opinions.

Additionally, Estonia has the largest functioning public-key infrastructure^[21] in Europe, based on the use of electronic certificates maintained on the national identification (ID) card. More than 1.2 million active ID cards are in use, which enable both electronic authentication and digital signing, and over 40 percent of active ID cards have been used for these purposes.^[22] The Digital Signature Act, adopted in 2000,^[23] gives an individual's digital signature the same weight as a handwritten one and requires public authorities to accept digitally-signed documents. Estonian ID cards were used to facilitate electronic voting during the parliamentary elections in 2007 and were used again in the 2009 municipal and European Parliament elections. During parliamentary elections in March 2015, 176,491 votes were cast over the internet, representing over 30 percent of all votes from Estonia.^[24] In 2016, 96 percent of citizens filed their taxes online, making the web services offered by the tax department the most popular public e-service. Over 63 percent of internet users regularly use e-government services, and 77 percent of these users have indicated their satisfaction with such services.^[25]

Digital Activism

Social media use in Estonia is fairly widespread, and Estonians often make use of such sites to share news and information and generate public discussion about current political debates. In addition to discussions, netizens also actively participate in online petitions that can be initiated by anybody and joined for free.^[26]

Violations of User Rights:

Freedom of speech and freedom of expression are protected by Estonia's constitution and by the country's obligations as a member state of the European Union. Anonymity is unrestricted, and there have been extensive public discussions on anonymity and the respectful use of the internet. Internet access at public access points can be obtained without prior registration. Over the past few years, the government has succeeded in reducing the number and severity of cyberattacks against its infrastructure.

Legal Environment

According to the constitution of Estonia, everyone has the right to freely obtain information and to freely disseminate ideas, opinions, beliefs, and other information. In addition, everyone has the right to the confidentiality of messages sent or received. In general, these rights are well protected. Any restrictions on these rights must be necessary in a democratic society and shall not distort the nature of the rights and freedoms restricted.^[27]

Narrow limits on freedom of expression relate to the incitement of national, racial, religious or political hatred, violence, or discrimination, which are prohibited and punishable by law. Estonia is currently in the process of amending the penal code to establish a framework on hate speech criminalization in the country and thereby comply with the European Council Framework Decision 2008/913/JHA,^[28] issued November 28, 2008, on "combating certain forms and expressions of racism and xenophobia by means of criminal law." In July 2012, the Ministry of Justice initiated proceedings to amend sections 151 and 152 of the penal code, which would lead to a new legal norm regarding hate speech-related legislation in Estonia.^[29] This process was previously a topic of significant public debate within the country, but the present government has taken more cautious positions on proceeding with this initiative.

Prosecutions and Detentions for Online Activities

There were no cases of prosecutions or detentions for online activities during the coverage period.

Surveillance, Privacy, and Anonymity

Estonia has strong privacy protections for its citizens. The Personal Data Protection Act (PDPA), first passed in 1996 and updated in 2008,^[30] restricts the collection and public dissemination of an individual's personal data. No personal information that is considered sensitive – such as political opinions, religious or philosophical beliefs, ethnic or racial origin, sexual behavior, health, or criminal convictions – can be processed without the consent of the individual. The Data Protection Inspectorate (DPI) is the supervisory authority for the PDPA, tasked with "state supervision of the processing of personal data, management of databases, and access to public information."^[31]

In 2015, the Chancellor of Justice (Ombudsman) processed several cases related to online privacy and data protection.^[32] The Ombudsman is an independent official whose duties are to ensure that legislation in Estonia complies with the constitution, and that the fundamental rights and freedoms of the Estonian people are protected. In three cases during the spring of 2015, the Chancellor strongly and clearly argued for the users' right to privacy with regard to the protection of private data in public databases. The Chancellor of Justice's office has taken a leading role in interpreting the constitution in cases related to privacy and private information on the internet in Estonia, establishing new standards for the protection of user rights online.

Data retention practices established under the 2005 Electronic Communications Act,^[33] which aligned with EU legislation, were thrown into doubt by the Court of Justice of the European Union (CJEU) in April 2014, when the court found the European Data Retention Directive (2006/24/EC) to be invalid and in contravention of articles 7, 8, and 52(1) of the European Convention on Human Rights.^[34] The ruling was lauded among privacy proponents who had long argued that requirements for the blanket retention of data constituted mass surveillance and far exceeded what was necessary for law enforcement purposes. However, the decision has also prompted debate among legal experts and different reactions by governments, with some member states now suspending their national implementations of the European directive, while others are drafting new data retention laws in order to compel internet service providers to continue to store user data.^[35]

According to a report by the Estonian Parliament Security Authorities Surveillance Select Committee, which oversees the practices of surveillance agencies and security agencies, there were over 2,700 cases of information requests based on court orders in 2014, a decrease of 4 percent from the previous year.^[36] The select committee was established to exercise supervision over the legality of surveillance and the activities of the Security Police.^[37] The committee monitors the activities of the Security Police Board to ensure conformity with the constitution, the Surveillance Act, and other regulations on security agencies.

Intimidation and Violence

There have been no physical attacks against bloggers or online journalists in Estonia, though online discussions are sometimes inflammatory.

Technical Attacks

Awareness of the importance of ICT security in both private and business use has increased significantly since a series of cyberattacks against Estonian websites and government organizations in the spring of 2007. To protect the country from future attacks, the government adopted a five-year Cyber Security Strategy in 2008 that focused on the development and implementation of security measures that would increase competence in cyber security, improve the legal framework, bolster international cooperation, and raise public awareness.^[38] Estonia's cybersecurity strategy is built on strong private-public collaboration and a unique voluntary structure through the National Cyber Defense League.^[39] With more than 150 experts participating, the league has simulated different security threat scenarios as defense exercises that have served to improve the technical resilience of Estonia's telecommunication networks and other critical infrastructure over the past few years.

Also in 2008, the North Atlantic Treaty Organization (NATO) established a joint cyber defense center in Estonia to improve cyber defense interoperability and provide security support for all NATO members. Since its founding, the center has supported awareness campaigns and academic research on the topic and hosted several high-profile conferences, among other activities.^[40] From 2009, the NATO Cooperative Cyber Defense Centre of Excellence has organized an annual International Conference on Cyber Conflict, or CyCon, bringing together international experts from governments, the private sector, and academia. CyCon has focused on international cooperation and the legal, regulatory, military, and paramilitary aspects of cybersecurity, with the goal of ensuring the development of a free and secure internet.

Notes:

1 Estonian Information System's Authority, "Facts about e-Estonia," accessed June 2, 2016, http://bit.ly/2cjJcTH

2 European Court of Human Rights, Case of Delfi AS v. Estonia, Judgement, June 16, 2015, http://bit.ly/1hu6nIr.

3 Digital agenda 2020 for Estonia, accessed June 11, 2016, http://bit.ly/2dENc0n

4 "What is e-Residency?" e-estonia.com, accessed June 22, 2016, http://bit.ly/2dEOWqz

5 International Telecommunication Union (ITU), "Percentage of individuals using the Internet 2000-2015," accessed October 10, 2016, http://bit.ly/1cblxxY.

6 International Telecommunication Union (ITU), "Mobile-cellular subscriptions 2000-2015," accessed October 10, 2016, http://bit.ly/1cblxxY.

7 Public Wi-Fi Hotspot database in Estonia, accessed June 15, 2016, http://wifi.ee/leviala/

8 Annual report of the Estonian Technical Regulatory Authority 2015, accessed June 25, 2016 http://bit.ly/2eJ8EAf.

9 Pille Pruulmann-Vengerfeldt, Margit Keller, and Kristina Reinsalu, "1.1.4 Quality of Life and Civic Involvement in Information Society," Information Society Yearbook 2009 (Tallinn: Ministry of Economic Affairs and Communications, 2010), http://bit.ly/2eofxJA.

10 "Electronic Communications Act," Ministry of Economic Affairs and Communications, accessed October 11, 2016, http://bit.ly/2eoeKbB.

11 Technical Regulatory Authority, "Commencement of Provision of Communications Service," accessed February 15, 2015, http://bit.ly/2dSKMtP.

12 Interneti Päev, accessed June 2, 2016, http://päev.internet.ee/2016.

13 Estonian Internet Foundation, accessed June 30, 2016, http://www.internet.ee/en/.

14 ".ee domain price to drop to 7 euros", Estonian Internet Foundation, accessed June 1, 2016, http://bit.ly/2dSKCTf.

15 "Individuals Using the Internet for Uploading Self-Created Content to Any Website to Be Shared," Eurostat, accessed June 11, 2015, http://bit.ly/2dItUGb.

16 The list of restricted websites can be found on the Estonian Tax and Customs Board website: "Ebaseadusliku kaughasartmängu serverite domeeninimed" [Illegal gaming servers, domain names], Tax and Customs Board, accessed June 10, 2016, http://bit.ly/2d56Gw1.

17 "CASE OF DELFI AS v. ESTONIA", Grand Chamber judgment, accessed June 18, 2015, http://bit.ly/1hu6nIr.

18 Kaja Koovit, "Big Businessman Goes to War Against Web Portals," Baltic Business News, March 18, 2008, http://bit.ly/2dND70r.

19 "European Court strikes serious blow to free speech," ARTICLE 19, October 14, 2013, http://bit.ly/1Bf9pcV.

20 Postimees, "Hate speech a security threat," Eurotopics.net, January 4, 2016, http://bit.ly/2d8kYrf.

21 A public-key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates that map public keys to entities, securely stores these certificates in a central repository, and revokes them if needed.

22 See the web portal for the ID-card system, http://id.ee/?lang=en.

23 "Digitaalallkirja seadus" [Digital Signature Act], Riigi Teataja, accessed May 21, 2013, http://bit.ly/2di154f.

24 Vabariigi Valimiskomisjon (Electoral Commission), "Statistics about Internet Voting in Estonia," accessed October 11, 2016 http://bit.ly/2e3L9Qz.

25 Kristina Randver, Kodanike rahulolu riigi poolt pakutavate avalike e-teenustega, Jaanuar 2010 [Citizens' Satisfaction with the Provision of Public E-Services, January 2010] (Tallinn: TNS Emor, 2010), http://bit.ly/2da2nL8.

26 Petitsioon [Petitions], accessed October 11, 2016, http://petitsioon.ee

27 Constitution of the Republic of Estonia [English translation], June 28, 1992, http://bit.ly/2dIm4MT.

28 EUR-Lex, "Access to European Union Law," accessed May 5, 2013, http://bit.ly/2d4YKuV.

29 Office of the High Commissioner for Human Rights, "Tenth and Eleventh Periodic Report on the implementation of the International Convention on the Elimination of all forms of Racial Discrimination in Estonia," January 2013.

30 Estonian Data Protection Inspectorate, "Inspectorate," March 14, 2015, http://bit.ly/2dYLoNz.

31 Electronic Privacy Information Center (EPIC) and Privacy International, "Republic of Estonia," in Privacy and Human Rights 2006: An International Survey of Privacy Laws and Developments (Washington: EPIC, 2007), http://bit.ly/2e38qaI.

32 "Tasks and jurisdiction of the Chancellor of Justice," accessed June 2, 2015, http://bit.ly/2dYL956.

33 Electronic Communications Act, translation to English, http://bit.ly/2eccx3T.

34 The ECJ court ruling pertained to the cases Digital Rights Ireland Ltd ( C-293/12) and Kärntner Landesregierung (C-594/12) and is available at http://bit.ly/1yF25p3.

35 Martin Husovec, "First European Constitutional Court Suspends Data Retention After the Decision of the Court of Justice of EU," The Center for Internet and Society at Stanford Law School, April 28, 2015, http://stanford.io/2dGBfaF.

36 Overview of Parliament Select Committe activities, http://bit.ly/2e6wLbo.

37 "Security Authorities Surveillance Select Committee," Riigikogu: The Parliament of Estonia, June 16, 2016, http://bit.ly/2dGCGpr.

38 Cyber Security Strategy Committee, Cyber Security Strategy (Tallinn: Ministry of Defence, 2008), http://bit.ly/2e6v2my; See also: Ministry of Economic Affairs and Communication, "Cyber Security Strategy 2014-2017," accessed October 11, 2016, http://bit.ly/2fdtquG.

39 "Estonian Defense League's Cyber Unit," Kaitseliit [Defence League], accessed October 11, 2016, http://bit.ly/2dhXTFC.

40 "Cyber Security Conferences," Cooperative Cyber Defense Centre of Excellence (CCD COE), accessed October 11, 2016, http://bit.ly/2dIPzSy.