Tu, 4.10.2022

Bill to obligate data collection and personalize prepaid SIM cards

Liina Laks
, reporter
Bill to obligate data collection and personalize prepaid SIM cards
Facebook LinkedIn Twitter
Photo: Elmo Riig

At a time when the European Court of Justice has banned blanket data collection, Estonia is discussing obligating online messaging platforms to do just that.

The Ministry of Economic Affairs and Communication has finished draft legislation to amend the Electronic Communications Act that includes proposals by the Ministry of Internal Affairs to regulate how messaging platforms should collect and share with the authorities people’s movement data, or who met with whom, where and when. Even though the bill’s explanatory memo suggests the changes are aimed at adopting European directives and Estonia has little choice, a number of clauses in the bill are strictly local so to speak.

One of these clauses that has caused quite a few arguments in recent months would see messaging applications, such as Skype, Viber etc. treated the same as mobile communications operators. Obligations currently on Telia and other Estonian ISPs would also apply to WhatsApp and other messaging apps.

Courts can currently order mobile operators to share with authorities people’s mobility data, which obligation the bill would also place on Skype etc. Real-time monitoring of applications is the only area where the solution proposed by the bill differs from ISPs’ obligations today. The new law does not concern content of conversations, the interior ministry promises.

What does the bill contain?

The controversial so-called backdoor plan that would have given law enforcement organs direct access to data is not mentioned in the bill, with the Ministry of Internal Affairs saying that encryption matters and there are no plans to weaken it. However, nothing is stopping service providers from creating their own backdoors. There have been plenty of examples of such backdoors costing users a great deal.

The interior ministry maintains that mobility data is needed to catch criminals more effectively. Several internet giants, including Facebook Messenger, record their users’ data and share them with the police.

Even though authorities love to say that blanket data collection helps prevent acts of terror, no good examples have been given. Another common argument is that mobility data helps investigate terrorist attacks.

In any case, the ministry finds that it would help investigate narcotics crime and investment scams where people are contacted via messaging applications. It is also emphasized that the data would not be accessible without the prosecution’s order. However, it needs to be said that authorizing surveillance is much easier for prosecutors who must provide lengthy explanations if they refuse a surveillance permit.

Many messaging applications encrypt correspondence end-to-end and allegedly do not record a single word or mobility data. The ministry finds that such applications should record the latter. However, this desire can only be implemented in Estonia, meaning that anyone looking to create the next Skype here will once again have to record who talks with whom and where, which is another aspect not prescribed by European Union law.

While the new law would obligate WhatsApp to record data in Estonia, the ministry said refusal to do so would not lead to the application being banned. It would be easier to put pressure on service providers if the EU regulated data collection principles in a similar manner.

Estonian model delivered a setback from the Court of Justice

If telecoms have been obligated to maintain mobility data for years, the attitude is not nearly as uniform in other countries. The European Court of Justice ruled in October that blanket data recording by service providers or states is strictly prohibited. At the same time, the court determined national security and fighting serious crime as two exceptions to this rule.

The matter ended up in court because, just like Estonia, France and the UK also require telecoms to record data for later use. The EU court found that this violates people’s constitutional rights, including the right to data protection, private life and freedom of speech. However, the exceptions are so general that what comes next depends on how member states will interpret the rules.

The main justification for data collection is that it is convenient both for the companies that make commercial use of the information and law enforcement agencies that can find what they need when they need it. The fact that internet crime is on the rise is irrefutable. However, it needs to be said that collecting data “just in case” entails the danger of eventual data leaks that could lead to information ending up in the hands of criminals. The argument could be made that Facebook (owner of Facebook Messenger and WhatsApp) and other such companies should be prohibited from collecting masses of data instead as that which is not recorded cannot leak.