3.3 Main Stakeholders of the Digitalization of Estonian Administration
The main stakeholders of the digitalisation of Estonian administration are national bodies and agencies, advisory councils, municipalities, research institutions, judiciary and civil society.
3.3.1 Main stakeholders at the national level
In Estonia, legal acts – including those regulating the use of digital solutions by the state and where necessary, also by private persons - are passed by the Estonian parliament (Riigikogu). At least one member of the Riigikogu, Riigikogu parliamentary groups, Riigikogu committees, the government and the President of the Republic - for amendment of the Constitution - have the right to initiate laws. The Estonian Electronic State Gazette (the Riigi Teataja) is the central database and official online publication for Estonian legislation. The Riigi Teataja has been published also online since 1997 but the official electronic Riigi Teataja was presented in 2002. Since 2010, all national legal acts have been public in electronic form only.
In the Estonian public institutions, specific state officials work on Estonian digital administration. At the Ministry of Economic Affairs and Communications, the Undersecretary for Digital Transformation, the Government Chief Data Officer and the Government Chief Technology Officer all play essential roles in the development of digital solutions in Estonian administration. The Ministry of Justice is responsible for data protection and ensuring the protection of fundamental rights in connection with the general coordination of the ministries' law-making activities. The area of responsibility of the Minister of Economic Affairs and Information Technology, who heads the Ministry of Economic Affairs and Communications, includes information technology and telecommunications. The Ministry of Economic Affairs and Communications organises i.a. hackathons to incorporate the private and public sectors in innovation and cooperation concerning the e-state and national digital services contests to determine the best digital service. The Information State Authority (RIA) handles the development and administration of state information systems, oversees their interoperability, and handles any other proceedings regarding information security, including security incidents in Estonian computer networks. The Estonian legislator has assigned a dual role to the Data Protection Inspectorate. On the one hand, the Data Protection Inspectorate has been designated as a supervisory authority within the meaning of the GDPR. On the other hand, the Data Protection Inspectorate also supervises compliance with the requirements of the public information act (PIA; compare above, 3.2.1). The inspection therefore has an inherently divergent dual role: it must protect people's privacy and ensure the transparency of public information at the same time. The IT and Development Centre of the Ministry of the Interior is Estonia’s largest IT institution, which creates and manages the information systems necessary to save lives and ensure internal security (information systems of the police, rescue services and others). In the case of violations of personal data by the state and security/surveillance or authorities, individuals can also inquire assistance from the Chancellor of Justice (compare above, B.I.3.c.).
3.3.2 Advisory bodies
Two important advisory bodies of Estonian public administration digitalization are the E-Estonia Council and the e-Governance Academy (eGA). The E-Estonia Council, composed of experts, ICT sector representatives and related ministers and chaired by the Estonian prime minister, is in charge of overseeing the progress of Estonian digital society, e-governance and implementation of national digital agendas and its work is organised by the Strategy Unit of the Government Office. The e-Governance Academy (eGA) is a joint initiative of the Estonian government, the Open Society Institute (OSI) and the United Nations Development Programme, which helps develop digital technologies for the public sector and civil society organisations by consulting, training, networking, research and assisting.
3.3.3 Municipalities
Estonia has a one-tier local government system. The 79 local governments decide on local issues, however digitalization issues are mostly dealt with on a national level. Yet the government supports the activities of the Association of Estonian Cities and Municipalities (AECM) to further develop local governments’ IT systems and capabilities. The two biggest cities of Estonia, Tallinn and Tartu, are the main developers of AI implementation at local level. For example, Tallinn has a driverless bus route, an AI based pedestrian crossing and autonomous snow shovelling robots intended for public use whilst Tartu is taking part in the European project SmartEnCity and is part of a joint project between Tartu, ICT companies and infrastructure companies called Estonian Smart City Cluster.
3.3.4 Research institutions
Research institutions are also major stakeholders in the digitalisation of Estonian Administration. The University of Tartu (UT) offers an Information Technology Law program. Tallinn University of Technology (TalTech) operates a Digital Governance Lab that aims to advance public governance models and frameworks. TalTech also has a cooperation between TalTech Law School and NJORD Law Firm called TalTech Legal Lab, which joins together law and tech experts who have in-depth knowledge in technology law and are experts in AI, data protection, IT law and legal tech. Other important research institutions include the Estonian Research Council, Praxis and the Arenguseire Keskus (Foresight centre). The Estonian Research Council is a governmental foundation aiming at guaranteeing the funding of research and development. Praxis is a socio-economic research centre that creates evidence-based analyses and monitors the implementation of different policies. Courts of first and second instance are administered in cooperation between the Council for Administration of Courts and the Ministry of Justice.
The Arenguseire Keskus is a think tank situated at the Estonian Parliament that analyses long-term development in society, identifies new trends and developments and drafts development scenarios.
3.3.5. Other Stakeholders
Courts of first and second instance are administered in cooperation between the Council for Administration of Courts and the Ministry of Justice. The Supreme Court on the other hand, being a constitutional institution, administers itself. Although the courts are also open to various IT solutions, as well as applications based on artificial intelligence as helpful tools, such as automatic recording of court hearings using speech recognition technology, the rumour that Estonia is planning to introduce a robot judge is not true.
One important Estonian civil society stakeholder concerning fundamental and digital rights is the Estonian Human Rights Centre. The Estonian Human Rights Centre is an independent non-governmental human rights organization that aims to ensure the respect for each individual’s human rights. However, in Estonia there are not many third-sector institutions focusing on the protection of fundamental rights in the digital sphere.
4. The Values of Democracy and Rule of Law, Trust in Public Administration and Respect of Citizens’ Rights within the Framework of the Digitalization of the Estonian Administration
4.1 Democracy and the Rule of Law
Democracy and rule of law are both core principles of the Constitution of Estonia and are mentioned in its § 10. That means that both of those principles need to be retained and respected throughout the rapid development of digitalization of the Estonian Administration in order not to contradict the Constitution.
4.1.1 Democracy
The value of democracy is a key consideration within the framework of the digitalization of the Estonian administration. With the rapid developments in digitizing public administration, abiding by and implementing the principle of democracy has raised different questions concerning the people’s right to be the source of the state’s 'supreme power', as vested in § 1 of the Constitution.
Questions about the connection between democracy and digitalization have arisen in Estonia particularly in the context of e-elections, and these are closely linked to questions of trust in the system and its technical functioning.
In its decision on the constitutionality of e-voting the court in 2005 acknowledged the aims of e-voting – i.e. the increase of voter turnout, better integration of decision-making in people’s common lives as well as the modernisation of electoral practice – to be legitimate but acknowledged that e-voting could jeopardise the principle of freedom of elections and the principle of secrecy of voting. However, the court held that by providing the possibility of changing one's vote electronically, the legislator had struck an appropriate balance between the electoral principles deriving from the Constitution.
In later cases concerning e-voting, the Supreme Court has acknowledged shortcomings in its legal regulation, but not found explicit unconstitutionality. Recent cases contesting e-voting were brought before the court in March 2023, following parliamentary elections. This also corresponds to a more recent, albeit not predominant, trend in society and politics that questions the legitimacy of e-voting. One of the complaints in this regard was submitted by the Conservative People's Party of Estonia, which can be classified as right-wing conservative. The ESC dismissed all corresponding election appeals, but pointed out that the organisation of electronic voting needs to be more thoroughly written into law.
The Constitutional Review Chamber of the ESC noted i.a. that although the basic regulation of the organisation of electronic voting follow currently from the Riigikogu Election Act and the acts of the National Electoral Commission and the Electoral Service, the regulation of e-voting relies to a great extent on subordinate legislation. Therefore, regulations and processes are often difficult to understand. Though the rapid development of technology can make it difficult for the legislator to keep pace with the relevant changes, the lawmaker has nonetheless a constitutional obligation to lay down the respective rules in electoral law in sufficient detail to ensure scrutiny and public confidence in elections.
Estonia has also introduced digital solutions to better involve people in political decision-making. Two of them, called OSALE.ee and TOM.ee. and launched in the early 2000s, aimed at making it easier for people to contribute their suggestions and views on legislative proposals. However, both of these proved not really successful, mainly because of the sheer volume of information people were confronted with. Today, direct participation is enhanced in particular through the possibility of submitting petitions to parliament as well as local governments. Petitions are handed in and signed digitally. The
https://rahvaalgatus.ee/ environment has proven popular.
The e-governance Academy (see also above, 3.3.2) uses a variety of (especially international) cooperation, training and projects to show how digital solutions can be used in the service of democratic decision-making.
4.1.2 The Rule of Law
In the context of digitalization, issues focused exclusively on the rule of law have rarely been at the forefront of Estonian political and legal discourse. In this respect, the topics are mostly focused on the digitalization of the justice system and in particular the resulting simplification and acceleration of court proceedings. However, two recent examples highlight possible challenges to the rule of law due to digitalization and refer to the question of the extent to which automatic decision-making processes require a legal basis in accordance with the rule of law.
The first example concerns the Estonian Environment Agency’s decision to use automated felling permits in certain situations. In one case, such a felling permit was challenged in court by a non-profit organization because, in the complainant's view, the information system was not able to assess both the existing green belt and the bird species nesting there. On this occasion, the court commented for the first time in more detail on the duties incumbent on public authorities in the context of the regulation and use of automated administrative procedures.
In this respect, the court took the view that the procedure in question was not to be classified as unlawful only due to the fact that the automated decision-making was not based on a corresponding legal basis. In particular, the court argued that the automatic decision was not based on the processing of personal data in the present case and therefore Article 22 GDPR did not apply. Nevertheless, the court noted that it cannot be ruled out that also outside the scope of Article 22 GDPR, an appropriate legal basis may in some cases be necessary for making important administrative decisions by means of more complex technologies, such as self-learning algorithms.
However, according to the court’s decision, the administrative principles of investigation and caution as well as the obligation to inform the public apply to the administrative procedure and issuance of felling permits regardless of whether the decision to register the forest declaration is taken by an individual public official or by an automated information system. The use of an automated system does – in other words – not in itself relieve the administrative authority of the obligation to comply with any of the relevant legal provisions.
In the case at hand, the court declared unlawful the automated granting of felling permits by the Environment Agency without informing the public beforehand. The ESC found that the lawfulness of automated decisions is the responsibility of the authority implementing the information system, which must ensure that the underlying data used by the information system is accurate, complete and up-to-date, and that the information system complies with all legal standards. If the available technology does not allow these requirements to be met, the decision-making process must involve human intervention, the ESC added.
The second example deals with the so-called consent service, a digital solution introduced by the Estonian public administration in 2021. The consent service gives people the opportunity to decide to share data concerning themselves and available in national databases with the private sector. For example, when applying for instalment payments, there is no need to take the necessary data from the Tax and Customs Board to prove one´s solvency – with the applicant’s consent, the bank can quickly and conveniently get the respective information directly from the Tax and Customs Board. With the consent service, a person can also give private entities the right to access one’s health data stored in public databases, for example for personalized medicine applications. According to the National Information System Authority, the health sector may be the one profitting most of such a consent service. Although it was already recognised at the beginning of 2021 that the implementation of the consent service would require a change in the law, the system has now been implemented, but the drafting of the bill has not yet been completed.
Particularly in the context of health data and financial services, the practical implementation of such an innovative solution without a corresponding legal basis raises a number of questions. Among other things, the question arises as to what extent a person's consent is actually free if, for example, the granting of a loan depends on it. Similarly, whether people are sufficiently informed about the scope of private companies' right to access their personal data and to what extent there is adequate regulation for legal responsibility and liability in the event that the public institution, for example, provides private third parties with information about the person that results in discriminatory decisions or other legal violations.
4.2 Trust in Public Administration
A functioning public administration is one of the constituent elements of any form of state. Not only this structural permanence, but also the positive relationship of the citizens to their institutions is a core value. According to recent studies, the two most important determinants of citizens’ trust in public institutions is the quality of public services and the level of social tensions as perceived by the citizens. Estonia is known for the fact that, on average, its inhabitants have great confidence in data processing by the public sector.
According to a research project conducted by the Estonian Ministry of Justice in 2020, Estonian residents consider the collection of data by the state to be secure. Every third Estonian considers that concerns about personal data protection are overrated. The fact that the state can access an individual's personal data without their consent is generally not considered to be a significant problem. Consequently, the general attitude towards the state combining data from different databases is rather positive. People do rather favour the possibility of combining information from different databases if this serves to improve the provision of services by the public sector. Also in its “Estonia’s Digital Agenda 2030” strategy paper, the Ministry of Economic Affairs and Communications draws special emphasis to the importance of ensuring transparency and reliability when implementing new technologies that may have an adverse impact on fundamental rights (e.g. AI, data analytics, etc.).
Transparency is being enhanced by providing people with the possibility to get an overview of the public institutions that use the individual’s personal data and on the respective purposes the data is used. With this in mind, the Estonian administration has introduced the so-called data tacker. The data tracker monitors the traffic of an individual’s personal data in and out of different databases, extracts the necessary log records and stores them in the tracker. This information is displayed to the citizen on the state portal
eesti.ee. For example, the person concerned can see that his or her identity has been checked by the Estonian Police and Border Guard Board at the airport of Tallinn at a certain time. However, it is not mandatory for the administration to connect its databases to the data tracker. Therefore, although the data tracker is a step on the way to more transparency, to date the indicated information does not include all public databases but only some of them. Considering that the Estonian e-government is largely based on the cross-use of different databases of the public administration, the regulation of mandatory use of the data tracker would be an important means to promote transparency.
The Chancellor of Justice explained in her 2022 annual report, that the e-government opens and speeds up the possibilities of communicating with the state. However, this should not lead to a new type of exclusion, which means that those who are excluded from the digital state can no longer actively participate in society. The opportunity to interact with the state must remain open to all people in Estonia, regardless of whether they are able or want to communicate via e-channels or not. Those who cannot or do not have the opportunity or knowledge to use e-channels must be helped by the state to improve their skills and be made aware of how to use the services the e-government provides.
The Chancellor of Justice also emphasized the need to distinguish automated administrative decisions from decisions taken with the help of artificial intelligence, stating that it is important that the person knows that the decision was made by a machine and that they can challenge it effectively if needed.
Trust in the context of the digitization of public administration is shaken if sensitive personal data falls into the wrong hands or becomes public. In February 2019, a mother sent a rehabilitation plan for her adult daughter with a mental disability to the Social Insurance Board (SKA). However, an employee of the agency forgot to add an access restriction to the information provided, as a result of which the health records described in the plan were publicly available in the online document register for two months. This health data was found in the register by a journalist who wrote a news story about his finding, drawing attention to the question of adequate data protection in general. The SKA restricted access to the data concerned as soon as it found out about the problem. The woman, having learned of the incident from the journalist, sought compensation from the SKA on behalf of her daughter for the non-material damage caused by the disclosure of her health data. In its reply, the agency acknowledged the error and apologized, but refused to pay financial compensation. The administrative and district courts hearing the appeal found that the Agency had acted unlawfully in disclosing the health data, but that financial compensation was not justified in this case. The Supreme Court agreed with the judgment of the lower courts and stressed that it had been established that the data had been checked during its unlawful publicity only seven times in total and that it was not known that it had been accessed by anyone other than the SKA officials and the respective journalist. The SKA had also reacted immediately after learning of the incident and apologized to the complainant. Therefore, according to the Supreme Court, the damage caused did not exceed the threshold for the award of a financial compensation. There have been similar cases, where personal information has been unlawfully openly accessible in public databases, but these cases have not caused general uncertainty in the public administration or digital administration, as research has shown.
4.3 Respect of Citizens’ Rights
4.3.1 Fundamental rights protected by the Constitution regarding digitalisation
Also, with a view to digitalisation by the administration, the respect for citizen’s rights can be derived from the Constitution (EC). The following constitutional rights have to do with the gathering, receiving, storing and providing of information.
EC § 26 stipulates that 'everyone has the right to the inviolability of private and family life. State agencies, municipalities and their officials shall not interfere with the family or private life of any person except in the cases and pursuant to a procedure provided by law to protect the health, morals, public order, or the rights and freedoms of others, to prevent a criminal offence or to apprehend a criminal offender.' Informational self-determination also includes a person’s right to decide whether and how much of their personal data is collected and stored. Therefore, an important part of the right to private life is also the protection of personal data. EC § 26 protects a person's right to decide to what extent personal data is published.
In addition to EC § 26, there are other provisions in the Constitution that regulate various aspects of privacy. For example, EC § 43 protects the right to the confidentiality of messages, EC § 33 protects the inviolability of the home and EC § 42 protects Estonian citizens from the collection and storage of data about their various beliefs (religious or philosophical and moral beliefs, political views, etc.).
EC § 44 stipulates that 'everyone has the right to freely receive information disseminated for public use.' A particular citizens’ right to information is specified in section 3 of the paragraph: 'Estonian citizens have the right to access information about themselves held in state agencies and municipalities and in state and municipal archives, pursuant to a procedure provided by law. This right may be restricted on the basis of a law to protect the rights and freedoms of others or the confidentiality of a child’s filiation, and in the interests of preventing a criminal offence, apprehending a criminal offender or ascertaining the truth in criminal proceedings.'
4.3.2 Privacy vs transparency in case-law and opinions
The digitalization of administration poses multiple new questions concerning the protection of personal rights. These problems are most often related to disclosure and processing of personal data.
An example of this is the Estonian regulation on political parties’ membership. As already mentioned above (see 3.2.4), the Public Information Act obliges the disclosure of political parties’ membership lists. The constitutional conformity of this act was doubted by the Chancellor of Justice in 2003, who stated that political party membership lists should not be disclosed publicly. Later, however, the Chancellor of Justice took the view that since the purpose of political parties is the exercise of state power, the transparency of state power also implies the need to ensure the openness of party members. 2019, briefly before the Estonian parliamentary elections, journalists published online and in the newspaper all party members’ names serving sentences and those with valid and time-barred offences and misdemeanours, including the acts committed by them. Although it was mentioned on the fringes of the discussion that the especially the disclosure of those people whose conviction was already time-barred might be very unpleasant for them, the public as well as the parties did generally not call into question the behaviour of the journalists. There were also no debates concerning the legality of such a disclosure, as the journalists’ investigations were clearly in line with current law. According to the Criminal Records Database Act, the person’s name in the respective court decision shall be replaced by initials after the punishment has been time-barred. Anyhow, this regulation does not apply for certain offences, including murder, manslaughter, and offences against minors, but also trafficking of narcotics, affiliation in criminal organisations and money laundering. Everyone has the right to access the databases’ information freely, as far as concerns themself or a legal person. If information concerning another natural person is requested, the legal basis or objective of requesting the data has to be confirmed in the query.
The publication of infringements has also been applied by administrative bodies. For example, in the beginning of the 2000s, the city of Tartu disclosed the information of debtors to the city and the Estonian police published information of people who committed drunk driving. As such measures were based on administrative practice only, they were abandoned with the legal anchoring of digital administration.
Court rulings are generally public. Court decisions that have entered into force are required to be made public online, whilst taking into account disclosure restrictions that arise from other provisions. The information shall be disclosed on a website or through a link to a webpage through which the data can be accessed. The Ministry of Justice has attempted to implicate stricter conditions for the publication of criminal court rulings on several occasions. However, this proposals have been met with criticism by the public and the media as restricting the freedom of the press and information and have not been approved by the parliament. However, the personal identification number and name or date of birth of an underage accused are replaced by initials or a character sign, except if the disposition to be made public is at least the third one convicting the minor of a criminal offence. In civil procedures, the data subject‘s name is replaced with initials or an alphabetic character and their personal identification number, date of birth, registration number or address are not published if the data subject requests so. In administrative procedures, per request of the data subject, the name of the data subject is replaced by initials or a sequence of letters, and their personal identification code, date of birth, registration number, address or other particulars which would permit specific identification of the data subject are not published.
Since 2017, to combat the issue of youth neither in employment nor in education or training (NEET youth), local authorities can let automatically screen their local inhabitants up to twice per calendar year for young people between the age of 16 and 26 who match the NEET criteria and then proactively contact the individual possibly in need. The individual has the right to decline the processing of their personal data but in this case, the respective information on the decline remains in the database until the person’s 27th birthday. The Chancellor of Justice has questioned the proportionality of this regulation with a view to one’s right to privacy. However, the law not been contested in court.
The Chancellor of Justice has had to deal with a number of appeals concerning a person’s place of residence which in some of the online public state registers is openly displayed. For example in the public online business register, the name and personal identification number of the natural person associated with a company as well as its registered office and address are displayed. In some instances, the personal data of natural persons is also published in the online register of economic activities, where the contact details of the entrepreneur (telephone number, e-mail address and postal address) are entered. Individuals who contacted the Chancellor of Justice were disturbed by the disclosure of their personal data, primarily as this registers disseminate their public data to numerous online directories and economic information portals, which are also covered by the google search engine. The Chancellor of Justice stressed that in some instances self-employed persons have no choice but to register a business at their home address. However, a person's home address constitutes personal data and is therefore protected by the fundamental right to privacy. The Chancellor of Justice questioned whether the data collected must be publicly available to anyone for enquiries and also completely downloadable from the register of economic activities, asking both the Minister of Justice and the Ministry of Economic Affairs and Communications to justify the publication of residence data on the Internet. In its reply, the Ministry of Justice admitted that the same problem also occurs in other cases, e.g. in the case of limited liability companies with only one shareholder, as well as in the case of non-profit organisations with a single board member that do not have a separate office. The Ministry of Justice announced its intention to analyse the issue raised and its possible solutions in the framework of the revision of company law. However, the matter has not yet been resolved.
4.3.3 Case-law regarding the infringement of fundamental rights due to digitalization
Digitalization and the processing of data as an infringement of fundamental rights has been a subject of examination for the Supreme Court of Estonia on several occasions. The court has stated that the 'collection, storage, use and disclosure of personal data is considered to be an infringement of the right to respect of privacy, among other things.'
In one case the Supreme Court had to decide upon, the Tartu municipality government refused against the instruction of the Data Protection Inspectorate to share upon request information on the wages for municipal employees in a personalized form. According to the law, the municipality only has the obligation to make salary data of the municipalities’ officials public. However, the law does not regulate the possible communication of information concerning the wages of the employees of local governments. The Supreme Court stated that in the case at hand, two conflicting fundamental rights collided: the right to receive information from the local government about its activities (EC § 44 (2)) and the right of the local government’s employees to privacy (EC § 26). However, the court decided that to ensure transparency of the use of local government property and to prevent corruption, the wages of the respective employees are information the local government is obliged to share upon request. The public interest to information prevails insofar over the personal interest in privacy.
In another case, the Supreme Court analysed the constitutionality of a legal regulation obliging non-profit associations to submit their annual report electronically or through a notary for an additional fee of approximately 25 euros. Annual report submitted to the registrar on paper were not accepted and returned. The court found that the contested regulation violated the freedom of association, as it did not give non-profit associations the possibility to remedy their deficiency and therefore contradicted i.a. the principle of fair procedure, especially in the case at hand where the infringement could lead to a fine or even the deletion of the non-profit association from the register. However, the Supreme Court en banc did not generally find the obligation to submit annual reports exclusively in an electronic form an unproportional infringement of the freedom of association. The court ruled the regulation demanding the presentation of annual reports exclusively in electronic form constitutional, as the law makes administration more uncomplicated and more effective and reporting more transparent and comparable. The majority of judges did not agree with the claimant’s view that the regulation could prove too burdensome for a small non-profit association which did not act for the public benefit nor carry out any economic activity. Therefore in this case at, in the court’s view, the interest of the public prevailed over possible individual legal limitations.
The Supreme Court has also in a recent court ruling for the first time dealt with issues concerning automated decision-making by the public authorities. In this case relating to felling permits (the case is discussed in more detail above, see 4.1.2), the court drew attention to the necessity of paying adequate attention to the principles of citizen-centric public administration also in the context of technological innovation.
5. The possible impact of the EU’s envisioned AI Act on Estonian Administrative Law
5.1 Estonia’s opinion on the EU’s envisioned AI Act
The 'White Paper on Artificial Intelligence: a European approach to excellence and trust' was published by the European Commission in February 2020. In April 2021, the European Commission published the “Artificial Intelligence Act, AIA proposal”, a draft act for an AI regulation. According to the proposal, the AI Act will apply to public and private actors inside and outside of the EU, under the condition that users of AI systems are located within the Union.
The Estonian Government submitted its opinion on the planned AI Act in October 2020, declaring its general support for the proposal’s aim to create a harmonised legal framework for AI and a risk-based approach as well as the prohibition for public authorities to use AI systems for social scoring based on the individual’s behaviour. Estonia also agreed on advancing the EU’s digital single market and mitigating risks that may derive from specific technologies. However, Estonia drew attention to the fact that the proposed legislation should be technology-neutral, efficient and worded in a future-proof way. Above that, Estonia proposed to narrow the scope of regulation, as in Estonia’s view, the proposed definition for AI systems could otherwise lead to a too comprehensive understanding of AI and thus hinder legal clarity and uniform implementation of the regulation. This proposal explicitly aimed to include approaches not traditionally categorised as AI systems, for example, statistical approaches, search and optimisation methods and certain logic and knowledge-based techniques. Estonia further noted that AI used for military objectives and autonomous weapon systems and AI used solely for national security should be outside the scope of regulation for the proposed AI Act and supported the drafting of separate legislation for using AI by law enforcement agencies. Additionally, Estonia stated that the Act should include serious crimes of national importance, such as crimes against the state, in the list of crimes that permit real-time detection. In Estonia’s view, the restrictions imposed by the regulation in the field of law enforcement must not unduly hamper criminal proceedings or the ability of a Member State to fight crime.
According to the explanatory memorandum on the Estonian opinion, the proposed AI Act would significantly impact the organisation of state institutions and local governments and the costs and revenues of the Estonian public sector. The most affected institutions would be the ones using AI systems classified as high-risk. Approximately 40% of the AI solutions used by the public sector in Estonia can be qualified as such. In Estonia's opinion, implementing the AI Act will require notably higher one-time and ongoing costs for the authorities of member states than the Commission has accounted for.
5.2 The EU’s envisioned AI Act’s impact on Estonian national legislation
Estonia does currently not have any specific national legislation on the development and use of AI.
In May 2019, the Estonian AI Taskforce released a report, according to which there was no need for a harmonised national legal act on AI. It was argued that as AI executes tasks decided by humans and there are no “super agents” that operate independently from them, AI's actions could be attributed to the respective AI’s user, be it public or private. With a view to the broader implementation of AI solutions, amendments concerning the wider possible use of AI, in addition to that connected questions on liability and rules and limitations for AI development were proposed.
Estonia’s National AI Strategy, published in July 2019, concluded that fundamental changes to the basics of the judicial system are not necessary. Still, a few amendments to different laws should be made, and the Ministry of Justice was to prepare the legislation bill for further adoption of AI.
In 2020, however, the Ministry of Justice comprehensively analysed possible legal regulations on algorithmic systems. The report concluded that algorithmic systems need separate legal rules depending on the level of risk their use provides for fundamental rights. The primary purpose of an Estonian AI Act was seen to give transparency and better citizen rights protection. However, especially with a view to the upcoming proposal on an AI Act by the European Commission, it was decided to put the development of a national regulation of algorithmic systems on hold.
Estonia has opted for the sake of harmonisation and, to avoid contradictory regulations, decided to wait for the respective regulation at the EU level. However, within national law, the lawmaker has solved specific regulatory issues. In this regard, one of the current aims is to amend the Administrative Procedure Act, establishing a general rule concerning the possibility (basis of) and legal framework to issue automatic administrative acts (see also in more detail above, C.II.2.).