This country-specific Q&A provides an overview to technology, media and telecom laws and regulations that may occur in Estonia.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
Estonian Electronic Communications Act (hereinafter “ECA”), which came into force on 01.01.2005, regulates the (public) electronic communication networks ("(P)ECN"), as well as the provision of public electronic communication services ("(P)ECS"). In addition ECA provides also requirements for the management and use of radio frequencies and for the conduct of radiocommunication and management of the numbering resources, consisting of the allocation of numbering pursuant to the Estonian numbering plan and supervision over the use of numbering.
Are communications networks or services regulated?
If so, what activities are covered and what licences or authorisations are required?
Electronic Communications Act defines that electronic communications undertaking means a person who provides publicly available electronic communications services to the end-user or to another provider of publicly available electronic communications services. Electronic communications service means a service which consists wholly or mainly in transmission or conveyance of signals over the electronic communications network under the agreed conditions. Network services are also electronic communications services.
The general requirements is that an electronic communication undertaking wishing to commence the provision of communication services (data communications, telephone, mobile telephony, network, leased line, cable or other electronic communications services) shall be registered in the Estonian Commercial register and submit a written notice to the Consumer Protection and Technical Regulatory Authority before commencing with business (notice of economic activities). General Part of the Economic Activities Code Act provides the list of information and documents that shall be submitted with a notice of economic activities. In addition to the general data, a description of the provided communications service and the geographical area of the activity shall be also provided with a notice of economic activities.
The notification obligation can be performed only through the Estonian information portal https://www.eesti.ee/en/ (so the legal representative of the electronic communication undertaking should possess e-ID of Estonia) or in a notary.
There is no licensing requirement for the provision of electronic communication services, except if the availability of radio frequencies is necessary for the provision of a publicly available electronic communications service. In such a case, a frequency license shall be applied for from the Consumer Protection and Technical Regulatory Authority. Database of the issued frequency licenses can be found here: https://mtr.mkm.ee/
In case the provision of the electronic communication services requires numbering authorisation, then this application for license shall be submitted also to the Consumer Protection and Technical Regulatory Authority in the form published on Technical Regulatory Authority website: https://www.ttja.ee/et/ettevottele-organisatsioonile/sideteenused/numeratsioon/numbriluba
The Authority shall issue a numbering license within ten working days. The decision to issue a numbering authorization and the conditions of it shall be published in the Register of Economic Activities: https://mtr.mkm.ee/ not later than within ten working days as of the issue of the numbering license. The license is always issued for one year. In order to extend the validity of the license, the license holder must submit an application for renewal of the license to the authority not later than 20 days before the expiry of the authorization and pay the state fee. The authority shall decide on the renewal or non-renewal of the numbering authorization no later than three working days before the expiry of the valid numbering license. The license is again renewed for one year.
State fee shall be payable before issuing of the numbering license. You can see the valid state fees (valid on 2019-2020) here: https://www.ttja.ee/et/ettevottele-organisatsioonile/sideteenused/numeratsioon/riigiloiv-numbriloa-toimingute-eest for example Phone Numbers, Mobile Phone Numbers, Personal Numbers, E-Fax Numbers, Payphone Service Numbers, Mass Dialling Numbers: state fee = € 0.35 for each number allowed for use per year).
Is there any specific regulator for the provisions of communications-related services?
Yes, the Consumer Protection and Technical Regulatory Authority is a government agency operating in the area of government of the Ministry of Economic Affairs and Communications. Its activities in the area of communication-related services are regulated with Electronic Communications Act and Statutes of the Consumer Protection and Technical Regulatory Authority.
As the Consumer Protection and Technical Regulatory Authority shall have the obligation and competence to also analyse the competitive situation in the communications services markets as defined in the Electronic Communications Act (hereinafter market analysis), then it is obliged to consult in this regard with the Estonian Competition Board to ensure the uniform and consistent application of competition law in this sector.
Are they independent of the government control?
Mostly yes. The Consumer Protection and Technical Regulatory Authority is a government agency operating in the area of government of the Ministry of Economic Affairs and Communications, so the ministry may provide directions in connection with the performance of its day-to-day functions or the exercise of its powers (as regulated with the Statutes of the Authority). However, the Minister cannot give directions with respect to anti-competitive conduct and record keeping rules in the telecommunications industry or the telecommunications access regime.
Are platform providers (social media, content sharing, information search engines) regulated?
There are no special legal acts regulating social media, content sharing or information search engines. However, different legal acts regulate certain areas of these activities.
The Estonian Information Society Services Act stipulates requirements for information society service providers. Information society services are services which are provided without the parties being simultaneously present at the same location, and such services involve the processing, storage or transmission of information by electronic means intended for the digital processing and storage of data.
With regard to search engine providers, it is important to note that the Information Society Services Act provides for the restricted liability upon provision of information storage service. Where a service is provided that consists of the storage of information provided by a recipient of the service, the service provider is not liable for the information stored at the request of a recipient of the service when two conditions are met. First, the provider does not have actual knowledge of the contents of the information and, as regards claims for the compensation of damage, is not aware of facts or circumstances from which the illegal activity or information is apparent. Secondly, the provider, upon obtaining knowledge or awareness of the facts, acts expeditiously to remove or to disable access to the information.
The Estonian Media Services Act stipulates, among others, the requirements for on-demand audiovisual media services. Most importantly, this act regulates the content of the media service which is provided. For example, the act stipulates that when providing media services, it is prohibited to incite hatred on the basis of sex, racial or ethnic origin, beliefs or religion or the degrading of the lawful behaviour or violation of law in any of the programmes.
In the Estonian Law of Obligations Act there is a clause which stipulates that it is unlawful to disclose incorrect information or incomplete or misleading factual information which interferes with the economic or professional activities of a person.
If so, does the reach of the regulator extend outside your jurisdiction?
Yes, in certain cases the requirements stipulated in Estonian legal acts may apply even when the activity takes place outside of Estonia. For example, the Estonian Information Society Services Act stipulates that the information society services provided through a place of business located in Estonia must meet the requirements arising from Estonian law, regardless of the Member State of the European Union or Member State of the European Economic Area in which the service is provided.
Does a telecoms operator need to be domiciled in the country?
If a foreign telecom operator wants to provide a permanent service in its name in Estonia, it must pre-register at least a branch in the Estonian commercial register.
Are there any restrictions on foreign ownership of telecoms operators?
Are there any regulations covering interconnection between operators?
Yes, Electronic Communications Act regulates the matter, and the Consumer Protection and Technical Regulatory Authority is supervising. Where an electronic communications undertaking does not have an appropriate network infrastructure for providing end-users with electronic communications services, access and interconnection regulation should be followed.
Electronic Communications Act divides access and interconnection obligation depending on whether the obliged operator has significant market power on the relevant market or not and whether communications undertaking is controlling access by end-users.
General access and interconnection norms provide that communications undertakings are free to agree on the technical and commercial conditions for access and interconnection, but at the same time they need to take account of the special provisions that deal with the interconnection obligation imposed on undertakings by the law and the decisions of the Consumer Protection and Technical Regulatory Authority. The agreement specified should be entered into in writing.
At minimum, the communications undertaking providing network services is required, at the request of other communications undertaking, to negotiate the interconnection in good faith if this is necessary for the provision of communications services. In order to perform that obligation, a communications undertaking is required to disclose to the party with whom it has commenced to negotiate the interconnection, among other things, all the information necessary for the interconnection, including the parameters of the network interfaces.
More detailed regulation is prescribed for the operators of significant market power.
If so are these different for operators with market power?
In line with Electronic Communications Act, the Consumer Protection and Technical Regulatory Authority will conduct the communications market analysis of the competitive situation in order to determine whether on the relevant market exists competition. The authority shall designate one or more undertakings with significant market power where the market analysis has revealed that there is no competition in the relevant communications market and the undertaking meets the characteristics of an undertaking with significant market power: i.e. the undertaking has its own or, together with other companies, significant market power or position it enables it (or jointly) to operate on that market to a significant degree independently of competitors, contractors and end-users.
To such undertakings special obligations related to access and interconnection might be imposed and they might be required to:
- provide a communications undertaking with access to specific network elements or network facilities, including full access or shared access to the local loop or local sub-loop;
- negotiate in good faith with communications undertakings requesting access;
- maintain already granted access;
- provide specific services on a wholesale basis for resale of such services by communications undertakings;
- grant open access to technical interfaces, protocols or other key technologies that are indispensable for the interoperability of services or virtual network services;
- to provide co-location or other forms of facility sharing, including sharing of ducts, buildings or masts;
- provide services necessary to ensure interoperability of end-to-end services to end-users, including facilities for intelligent network services or roaming service on mobile networks;
- provide access to operational support systems or similar software systems necessary to ensure fair competition in the provision of services;
- interconnect networks or network facilities;
- provide end-users with access to the services of a provider of telephone services associated with the network of an undertaking with significant market power by dialling a carrier selection code and by means of pre-selection of a provider of telephone services, with a facility to override any pre-selected choice on a call-by-call basis by dialling a carrier selection code;
- allow wholesale of local loops of the service specified in clause 10) of this subsection to another communications undertaking;
- provide access to an associated service.
If the Consumer Protection and Technical Regulatory Authority has imposed an access or interconnection obligation on a communications undertaking as stated above, the respective communications undertaking is required to enter into an interconnection or access agreement and ensure access to networks, equipment or services and interconnect the networks and equipment within a reasonable term granted by the Consumer Protection and Technical Regulatory Authority, taking into account that the communications undertaking obligated to provide access or interconnection may need to create technical conditions, including to install equipment, for the provision of interconnection or access.
A communications undertaking, whereon the Consumer Protection and Technical Regulatory Authority has imposed an access or interconnection obligation is required, upon performance of the access or interconnection obligation, to comply with the following requirements in accordance with the nature of the obligation:
- ensure the use of the network equipment, buildings and line facilities under equal conditions and with equal quality as compared to these offered by the undertaking to its parent company or subsidiaries, subscribers or business partners;
- enable an undertaking which has submitted an application for access or interconnection to obtain information necessary for access and interconnection;
- use the information obtained in connection with access or interconnection only for the provision of the respective service and not to disclose it to third parties, in particular other structural units, subsidiaries or partners, for whom such information could provide a competitive advantage, unless otherwise provided by law;
- not to restrict the access of its subscribers to the services provided by another communications undertaking.
Law clearly prescribes occasions when the obliged operator may deny or suspend access or interconnection. Chapter 14 of Electronic Communications Act prescribes liability in case there is a violation by a communications undertaking providing network services of the access or interconnection obligation or if access or interconnection is unlawfully restricted.
What are the principal consumer protection regulations that apply specifically to telecoms services?
Electronic Communications Act provides general norms for the provision of communication services to end-users and the protection of rights of end-users. Among others, it states that a communications undertaking who provides connection to a communications network is obliged to enter into a subscription contract with a person based on an application to this effect submitted by the person. A subscription contract is entered into in writing at the request of a party. It also states limited basis, when a communications undertaking may refuse the signing of an agreement and when and how it may unilaterally to change the terms of the contract.
Electronic Communications Act also provides the procedure for entry into subscription contract and the mandatory terms and conditions of communications services that the contract should regulate. It also prescribes limited legal basis when the operator may restrict the provision of services.
Law of Obligations Act provides general regulation for consumer contracts (the notion and criterions of standard terms and invalidity if such terms) and also requirements for distant contracts and contracts entered into through computer network.
What legal protections are offered in relation to the creators of computer software?
Computer software is regulated with several acts, that might affect how the author of software is protected. Computer software is under the protection of the Estonian copyright act (Act). The provisions of the Act regarding computer software, are based on Council Directive 91/250/EEC on the legal protection of computer programs. The Act states that works in which copyright subsists are also computer programs that shall be protected as literary works. Protection applies to the expression in any form of a computer program. According to the Act, the authors of the works (computer software) have moral and economic rights regarding the works, however, the Act also sets out situations, when the computer software can be used more freely. The economic rights of the author can be limited in cases specified by the Act. The legal remedies in case someone violates author’s rights, are provided in the Estonian Law of Obligations Act (LOA). The main legal remedies to use are claim of damages and claim to end the violation of the rights (and also claim to refrain from further violations).
The ownership of the copyrights will depend on whether the works were done as a staff member of an employer – in such case the economic rights of the author to use the work for the purpose and to the extent prescribed by the duties shall be transferred to the employer unless otherwise prescribed by contract.
In addition, Estonian penal code includes provisions regarding offences related to computer software.
Do you recognise specific intellectual property rights in respect of data/databases?
The Estonian copyright act regulates the rights of the makers of databases. The provisions include specific rights of the makers, rights and obligations of the lawful users and limitations of the rights of makers of the database. The maker of a database has the exclusive right to authorise or prohibit the use of the database in the manner prescribed in the copyright act and to obtain remuneration agreed between the parties for such use, except in the cases prescribed law or by agreement of the parties. The first sale of a copy of a database by the maker of the database or with the latter’s authorisation shall exhaust the right of the maker of the database to control the resale of the database or the copy.
What key protections exist for personal data?
There are two main legal acts which provide for the protection of personal data: the Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) and the Estonian Personal Data Protection Act. However, the key obligations for entities processing personal data are stipulated in the GDPR. The Estonian Personal Data Protection Act mostly specifies certain provisions.
In addition to the two main legal acts, there are more than 100 special laws in Estonia which contain specific data protection clauses.
Are there restrictions on the transfer of personal data overseas?
When transferring personal data outside the European Economic Area (the EEA), the rules specified in the GDPR must be followed. As a general rule, it is permitted to transfer personal data outside of the EEA only to countries regarding which the European Commission has made a so-called “adequacy decision”, which means that the level of personal data protection in that country is sufficient.
If a data controller wants to transfer personal data to a country about which no adequacy decision has been made, then the rules stipulated in articles 46-49 of the GDPR must be followed. Personal data can be transferred to a third country only based on the data subject’s consent, if binding corporate rules are used, if a contract containing standard contractual clauses is entered into between the data controller and the recipient, or on some other legal basis stipulated in articles 46-49.
What is the maximum fine that can be applied for breach of data protection laws?
The Estonian Personal Data Protection Act stipulates different offences for breaches of data protection requirements. Each type of offence has its own upper limit for a fine. The highest fine which can be imposed is 20,000,000 EUR or 4 % of the entity’s total worldwide annual turnover of the preceding financial year, whichever is higher.
However, we note that at the present moment, the fines outlined above cannot be imposed, since Estonia has not yet made the necessary amendments to the Penal Code. According to the Penal Code currently in force, the maximum amount of a fine can be 400,000 EUR. The amendments to the Penal Code are currently under review by the legislator.
What additional protections have been implemented, over and above the GDPR requirements?
In the Estonian Personal Data Protection Act, which helps to implement the GDPR, there are certain special requirements for some data processing activities, such as the following:
- When processing the personal data of a minor as part of the provision of information society services, the legal basis can be the minor’s consent only if the minor is at least 13 years old;
- Special rules must be followed when processing personal data for the purposes of scientific or historical research or official statistics. As a general rule, only pseudonymised personal data can be used. Depseudonymisation or the use of identifiable personal data is permitted only in case certain conditions are met;
- There are special rules to be followed when processing the personal data of a data subject who is dead.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
There is no single law that regulates cloud-based services, however certain provisions from various legal acts do specifically apply.
In terms of personal data, cloud-based services can generally be considered as data processors, therefore the conditions and obligations stipulated in the General Data Protection Regulation need to be followed. For example, the processing must be governed by a contract with a controller or other legal act. The processor also must comply with the rules concerning the security of processing. As the servers hosting the data for cloud-based services could be located anywhere, data controllers and processors must also be diligent and comply with the regulation regarding data transfer to third countries. The potential fines for violating the obligations are provided by the Personal Data Protection Act (Isikuandmete kaitse seadus). There is a guide from the Estonian Data Protection Inspectorate regarding cloud-based services and data protection, however it precedes the GDPR and is based on prior regulation.
The Estonian Financial Supervision and Resolution Authority has issued guides for the subjects of financial supervision regarding the outsourcing of activities and requirements for the organisation of IT and information security which also touch upon cloud-based services. Companies are required to maintain adequate control over information containing customer data. Information systems must, at a minimum, be separated in a logically secure way from the information systems of a service provider’s other clients.
Cloud-based services are also qualified as digital service providers in the Cybersecurity Act (Küberturvalisuse seadus), which mandates the service provider to notify the Estonian Information System Authority in cases of cyber incidents. The Information System Authority also exercises state supervision over cloud-based services who are established in Estonia, belong to a group whose parent company is established in Estonia or have a representative in Estonia.
Cloud-based services as information storage services are regulated in the Information Society Services Act (Infoühiskonna teenuse seadus). Information storage services have restricted liability, provided they have no actual information of the contents of the information and upon obtaining knowledge of illegal activity or information on their service, act expeditiously to remove or disable access to the information. Services are not obligated to monitor the information they store or actively seek facts or circumstances indicating illegal activity.
Are there specific requirements for the validity of an electronic signature?
With the REGULATION (EU) No 910/2014 (mostly known as eIDAS), the EU legislator offers to its members and to the internal market trustworthiness in electronic transactions, by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities. Electronic solutions, such as as digital signatures, get a legal meaning through eIDAS.
An electronic signature intends to provide a secure and accurate identification method for transaction partners and third persons. Not every digital signature can be considered as an electronic signature under the eiDAS. An electronic signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the eIDAS. Therefore, it is important to keep in mind that not every electronically given signature is a qualified as an electronic signature. For example, signatures which are given on a screen with a pen or finger are not handwritten signatures and also not a qualified electronic signatures equal of a handwritten one, according to eIDAS. Digital signatures on a screen do not have any certificates and it is almost impossible to link a signature with a signer.
An electronic signature may have several levels of security. According to eIDAS, the strongest electronic signature is a qualified electronic signature which is equal to a handwritten signature. This means that it does not matter if the parties agree to sign a document in a traditional way by a pen on a paper, or will use some digital solution which fulfils the requirements of a qualified electronic signature, according to eIDAS.
The biggest advantage of an electronic signature is that an electronic signature enables an infinite number of copies of equal legal force to be made from a digitally signed document.
The most used type of an electronic signature in Estonia is created by the DigiDoc4 program that is installed into a user’s computer along with the ID-card software, which can be used also by an e-resident. Estonia is the first country to offer e-Residency, a government-issued digital identity and status that provides access to Estonia’s transparent digital business environment (inter alia to use electronic signatures).
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
In the event of an outsourcing of IT services, the employees, assets or third party contracts do not transfer automatically to the outsourcing supplier. Those issues should be regulated contractually.
Copyright Act § 32 (1) provides that the author of a work created under an employment contract or in the public service in the execution of his or her direct duties shall enjoy copyright in the work but the economic rights of the author to use the work for the purpose and to the extent prescribed by the duties shall be transferred to the employer, unless otherwise prescribed by the contract. It can therefore be concluded, that an employer and an employee shall contractually regulate how the employee’s moral rights may be used by the employer and third parties. The employer as a contractor and the outsourcing supplier shall contractually regulate all the IP issues, including the matter that the contractor shall be liable in case any of its employees have a claim against the supplier.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
There is no special law regulating A.I. The State Chancellery and the Ministry of Economic Affairs and Communications has launched a cross-sectoral project to analyze and prepare for the deployment of artificial intelligence in Estonia. The aim of the expert group is also to draft amendments to laws to make it possible to use fully autonomous information systems in different economic areas and to ensure the clarity of the legal area and the necessary supervision.
Currently we may say that the issue of liability is regulated in Estonia by the Estonian Law of Obligations Act (LOA). The question who is liable in case of A.I. malfunctions does not have clear answer in the law. However, the LOA regulates situations where someone’s animal/pet (like a dog) causes damage or damage is caused by major source if danger (for example a car). In such cases, the person, who has the power over the pet (owner) or the major source of danger (driver or in some cases the owner of the car, is liable for the damage caused. A.I. can in some cases considered major source of damage or as an animal (in Estonian legislation animals are subject to the provisions applicable to things). Based on these provisions in the law, the owner of the A.I. should be liable in case of damage due to the malfunctions of the A.I. However, there might be also the liability of the developer of the software, manufacturer or the seller of the A.I. within the relationships of developer-manufacturer, manufacturer-buyer, seller-buyer.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) The Estonian Cybersecurity Act (Küberturvalisuse seadus), which transposed Directive (EU) 2016/1148 (also known as the NIS Directive), details the requirements and obligations for providers of essential services as well as the bases for the prevention and resolution of cyber incidents. The Cybersecurity Act is also applicable for digital service providers, who are online marketplaces, search engines or cloud computing services.
The Cybersecurity Act gives general guidelines regarding the security measures of service providers and digital service providers, as well as setting the obligation to notify the Estonian Information System Authority, who is also the authority exercising state supervision, in cases of cyber incidents.
b) Hacking is regulated in the Estonian Penal Code (Karistusseadustik) § 217(1) as illegal obtaining of access to computer systems by elimination or avoidance of means of protection. Legal literature has explained that the means of protection could be either a physical or a software solution or a combination thereof. Examples of a physical solution would be a secure door restricting access to a server farm or also biometric protection, such as fingerprint or iris scanning. The software solution could be a password or other measure intended to restrict access, such as a firewall.
The penalty is either a pecuniary punishment or up to three years imprisonment. If the act causes significant damage, access was obtained to a computer system containing a state secret, classified foreign information or information prescribed for official use only or if access was obtained to a computer system of a vital sector, the potential penalty is a pecuniary punishment or imprisonment up to 5 years.
During a DDoS attack the targeted service is overwhelmed by a flood of traffic originating from multiple sources. The aim is to render the service incapable of responding to the multitude of queries. Because the attack is distributed, i.e. has multiple sources, it is difficult to stop since You cannot block the access for one specific source. In Estonia, DDoS attacks are qualified under § 207(1) of the Penal Code, which regulates illegal interference with or hindering the functioning of computer systems by way of transmitting data. The maximum penalty is a pecuniary punishment or up to three years imprisonment. If the attack is committed against numerous computer systems, committed by a group, interferes with or hinders the functioning of a computer system of a vital sector or causes significant damage, the potential penalty is a pecuniary punishment or up to five years imprisonment.
Estonia has experience with DDoS type attacks from 2007, when Estonia fell under a cyber-attack lasting twenty-two days. The attack prompted NATO to establish its Cyber Defence Centre in Tallinn. The affected services included banks, news media and the public sector. The website of the prime minister party at the time was also attacked and the person responsible received a pecuniary penalty.
What technology development will create the most legal change in your jurisdiction?
It is somewhat difficult to see any technology completely changing the legal framework in Estonia. Estonia has a reputation for being a hotbed for certain types of new technologies.
The greatest legal changes will be brought by autonomous vehicles and other products or services based on artificial intelligence (AI). This is because currently it is not clear among legal experts how to solve liability issues, in case damages are caused as a result of using AI. However, it is unlikely at the moment, that a single all-encompassing law concerning AI will be enacted in the near-to-mid future. However, amendments to existing laws, regulating liability, right of representation and the use of AI within public services or even for formulaic court judgments are not out of question.
Also cryptocurrencies will bring some legal change. The reason is that that cryptocurrencies have difficult nature and they need clear regulation and legal regime for supervision. Estonia has been in forefront in regulating cryptocurrency related businesses. Already in November 2017 Estonia enacted relevant legislation, based on the 5th AML Directive, that was rather flexible licensing regime for cryptocurrency service providers (Estonia faced ICO boom in 2017-2018 due to simple. fast and inexpensive procedure) . However, currently amendments into the Money Laundering and Terrorist Financing Prevention Act (MLTFPA) are going through its second and third readings in the Estonian parliament. The main reason for these is to strengthen the position of the Financial Intelligence Unit (FIU) in the authorisation and supervision procedure for cryptocurrency related businesses. The core changes shall be: the increase of state fee, requirement to have actual business and location of the management board in Estonia, longer procedural deadlines for FIU, stricter due diligence of the management board members.
Other technological developments which will probably require changes in the legal framework are the 5G network, use of IoT and facial recognition tools, and the use of big data by the government.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
From practical perspective, the impediment is not so much the existing legislation, but rather the absence of clear regulations. For example, the cryptocurrencies and activities with them – there are no clear rules how different cryptocurrencies should be dealt with. There is regulation for licensing regime, but actually no material law regulating leveraging blockchain technology.
However, regarding existing legislation, it seems, that the greatest impediment is AML regulation, that is going to be strengthened even further. The Estonian Commercial Code and the Money Laundering and Terrorist Financing Prevention Act regulation is already now very strict, and companies have issues to fulfil all the obligations, because there are too few guidelines, instructions and tools to follow the rules to a tee. The general aim to strengthen AML supervision has led to the situation where local banks are reluctant to even engage businesses operating in certain business areas, especially those dealing with virtual currencies.
Do you believe your legal system specifically encourages or hinders digital services?
The Estonian legal system generally encourages digital services. Estonia has for years had an open mind towards e-services and innovation in general. For example, digital signature is widely used all over Estonia. As of 1 July 2019, invoices to the public sector can only be sent in e-invoices according to the Accounting Act approved by the Riigikogu on 20 February 2019, so this illustrates that state pushes digital innovation forward with its own activity. As regard to innovation in general, then already in 2017 incorporated Estonia provisions regarding parcel-robots into the traffic act as these robots are already now part of the traffic in Estonian streets.
In addition, Estonia has implemented specific measures in order to encourage foreign entrepreneurs to start offering their digital services in Estonia. The most important measure which has recently been adopted is the e-residency program, which enables a foreigner to use public e-services in Estonia through a “digital identity”. Among other possibilities, e-residents can establish and manage a location-independent company online from anywhere in the world, declare Estonian taxes online, digitally sign and transmit documents, establish a company in one day and manage it fully online.
At the same to we can see some samples where the provision of digital services is somewhat hindered. Regulation regarding AML can be considered obtrusive, however that has mainly originated from other economic fields and found its way to digital services.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
The wording of Estonian legislation seems to be general enough, that it is possible to apply already existing legislation to artificial intelligence. However, from time to time, changes are still needed. In recent years, Estonia added clauses to the traffic act, to keep up with the development of technology – there was a need for clauses to regulate parcel-robots in traffic. The changes came quite quickly, which shows Estonia’s readiness to handle technological development.
So far, legal experts have started a discussion about how to solve liability issues regarding AI. In addition, the Estonian Ministry of Economic Affairs and Communications has carried out an in-depth study, focusing on the readiness of the Estonian legal framework for the adoption of AI. The conclusion of this study is that no fundamental amendments are necessary to be made to Estonian laws, however some changes to liability issues are necessary. However, not all Estonian legal experts and other professionals dealing with AI agree with this conclusion.