AKI (Estonia) - 2.1-3/20/347

From GDPRhub
AKI - 2.1-3/20/347
LogoEE.png
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 15(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.03.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2.1-3/20/347
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Estonian
Original Source: AKI (in ET)
Initial Contributor: n/a

The Estonian Data Protection Authority (AKI) confirmed that the police are not entitled to deny access to requested documents, if the applicable national law only foresees restrictions for a limited time period that is exceeded and no other legal ground for an access restriction applies.

English Summary

Facts

A journalist submitted a request to receive information from the police. The police refused the request based on national law (§ 40 (1) of the PSA) that foresees restrict access for information intended for the internal use up to five years. In the current case almost 16 years have passed since the creation of the document and the Public Information Act does not provide for the possibility of imposing restrictions for a period exceeding a maximum of 10 years.

Dispute

The AKI assessed, whether information needs to be protected sixteen years after the creation by restrict access, even when the national law only foresees restrictions to the access for a period of maximum ten years.

Holding

The AKI states that in some cases, ten years may be too short a time and a restriction may be needed on the document established for a longer period. This is especially true of documents that have been recognized archival value, but the restrictions cannot be extended without a legal basis. Therefore, the AKI agrees with the Police and Border Guard Board that the grounds for the restriction must be reviewed before the request for information can be complied with.

It remains incomprehensible to the AKI that when the Police understood that even after 10 years, the document contains information that is still needed to be protected why no steps have been taken to legitimize the protection of such information.

Due to the above, the AKI argued that because the Public Information Act does not provide an opportunity to impose on information restrictions for more than 10 years and the Data Protection Inspectorate cannot change this, the Police shall remove access restrictions and provide the claimant with the information he or she wishes if it is not a state secret and there is no other reason to restrict access to information.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

Page 1
PROTECTION OF PRIVACY AND TRANSPARENCY
Tatari tn 39/10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registry code 70004235
CONTEST DECISION
and
PRECAUTIONS WARNING
in public information case no. 2.1-3 / 20/347
Challenge decision and injunction
maker
Chief Inspector of the Data Protection Inspectorate Elve Adamson
Challenge decision and injunction
time and place of making
09.03.2020 in Tallinn
Time to file a challenge
1/27/2020
Holder of the information
Person in charge of the holder of the information
Police and Border Guard Board
address: Pärnu mnt 139, 15060 Tallinn
e-mail address: ppa@politsi.ee 
Director - General
Challenger (information requester)
AS Eesti Ekspress
address: Narva mnt 13, 10151 Tallinn
e-mail address: Procedure@egrupp.ee 
Representative of the appellant
Taimi Rosenberg
RESOLUTION:
§ 45 (1) 1), § 51 (1) 3) and 7) of the Public Information Act (AVTS), administrative proceedings
on the basis of clause 85 2) of the HMS Act and § 75 1 (3) of the Government of the Republic Act
1) I make a decision to challenge the challenge
2) issue a mandatory precept to the holder of information for compliance:
The Police and Border Guard Board shall remove the public from the information requested by the appellant
access restrictions imposed under the Information Act and issue a challenge to the appellant
the information requested by him, unless it is a state secret and there is no other basis for the information
restrict access. 
3) set 20 March 2020 as the term for compliance with the precept
Pursuant to § 52 of the PSA, the holder of information must, within five working days of receiving the precept,
take measures to comply with the precept and notify the Data Protection thereof
To the Inspectorate. 
________________________________________
Page 2
2 (7)
CONTEST REFERENCE:
To the extent that this decision fully upheld the challenge, the challenger will receive it within 30 days
to apply to an administrative court only if the Data Protection Inspectorate violated the proceedings
the rights of the opponent in another way.
A state agency may contest this administrative act with a challenge to the Data Protection Inspectorate
to the Director General or pursuant to the procedure specified in § 101 of the Government of the Republic Act.
Contestation of a precept does not suspend the obligation to comply with the precept or the measures necessary for enforcement
implementation.
WARNING:
If the holder of the information fails to comply with the precept of the Data Protection Inspectorate, the Data Protection may
The Inspectorate may contact the higher authority of the holder of the information, a person or the entire party of the official
to conduct supervision or to initiate disciplinary proceedings against an official. (AvTS §
10 (1) and (4), § 53 (1)).
FACTUAL FACTS:
1. On 3 January 2020, the journalist of AS Ekspress Meedia submitted Xxxxxx Xxxxxx to the Police
Request for information to the Border Guard Board, in which the Director General requested information of 14 June 2004
Directive 141 
2. On 10 January 2020, the Police and Border Guard Board extended the term for responding to a request for information until
24.01.2020, substantiating this with the need to evaluate the document.
3. On 24 January 2020, the Police-Border Guard Board forwarded to the appellant his request
document, but contained some of the information covered by the reason that the police considered it necessary
some of the information contained in the document is still protected, even though the restriction has expired. 
4. The submitter of the challenge did not agree with the above and submitted a partial information to the Data Protection Inspectorate
challenge of non-issuance.
CLAIMER'S REQUEST AND GROUNDS:
1. Facts 
1.1. On 3 January 2020, AS Ekspress Meedia's journalist Xxxxx Xxxxxx was presented by the Police and
Request for information to the Border Guard Board (PBGB) for information on the Director-General's letter of 14 June 2004
Directive No. 141 (Annex 1).
1.2. On 10 January 2020, the PBGB announced that it would extend the deadline for responding to the request for information until
24.01.2020, substantiating this with the need to evaluate the document.
1.3. On 24 January, the PBGB submitted a reply only partially complying with the request for information (Annex 1).
2. Content and grounds of the challenge
2.1. We would like to contest the partial non-compliance of the PBGB with AS Ekspress Meedia's request for information.
2.2. The disputed directive was declared for internal use by the Public Information Act
(AvTS) on the basis of § 35 (1) 9) until 14.06.2009.
2.3. Pursuant to § 40 (1) of the PSA, information intended for internal use may be provided
restrict access for up to five years. The head of the institution may extend this term
up to five years.
2.4. Thus, the deadline for restricting access to the requested directive already arrived on 14.06.2014.
________________________________________
Page 3
3 (7)
2.5. In our opinion, the PBGB has no legal basis for partially non-compliance with the request for information.
2.6. The PBGB cites clauses 5 1, 9 and 10 of § 35 (1) of the PSA as grounds for partial refusal.
However, the grounds for that restriction on access are not set out in the contested document. Even
if the restriction had been included in the document, it would have been possible for internal use
the restriction established on the basis of § 40 (1) of the PSA has expired for a long time. 
2.7. We draw attention to the fact that § 35 of the PSA provides for the recognition of information as internal
but in the present case the time-limit for restricting access has expired and the contested directive has expired
is public information.
3. Application
3.1. Based on the above and guided by §§ 46 and 51 of the Public Information Act, AS Ekspress requests
Media to issue a precept to the PBGB to the Data Protection Inspectorate and to oblige the PBGB to request information
to comply with and issue to Ekspress Meedia AS the directive of the Director General of the PBGB of 14 June 2004
No 141 in its entirety.
GROUNDS OF THE INFORMATION HOLDER:
We will provide answers to the questions submitted in the inquiry of the Data Protection Inspectorate on 06.02.2020.
- On what legal basis did the PBGB refuse the information requester after the restriction of access ended
issue the document in full? 
In our reply to the requester, we explained that the deadline for restricting access to the document was
but the PBGB considers that some of the information contained in it still needs protection. Asked
The directive was created in 2004, but 16 years later the KAIRI information system is enough
in a similar form continues to be a daily tool for criminal police officers. While the information system
the maintenance arrangements have been amended several times over time and the 2004 version is no longer valid,
the police measures, tactics and technological solutions it contains are partly the same.
Therefore, in the opinion of the PBGB, the fulfillment of the request for information is only possible in part. We also added a public
of the Information Act (hereinafter AVTS), the bases on which we used the restriction of information:
• according to § 35 of the PIA one point five one is covered with parts of the text, which contain information
the methods and tactics of the investigative body and the disclosure of such information may
make it more difficult to detect offenses or facilitate the commission of offenses. 
• Pursuant to clauses (1) 9) and 10) of the same section, parts of the text that contain information are covered
description of technological solutions and security measures.
- According to the challenge, the restriction initially imposed on the document was only on the basis of § 35 (1) 9) of the PSA,
but in refusing to comply with a request for information, § 35 (1) 5 ) and
Point 10 of because § 35 section 1 subsection 5 1 added PIA-I in 2016, ie after 12 years apart
the creation of a document, as a result of which the PBGB considers that the document receives the aforementioned provision
(which did not yet exist at the time of the maximum validity of the restriction)
years after the expiry of the maximum limit? 
At the time of the establishment of this directive, clause 35 (1) 9) of the PSA was valid as follows
in the wording: “9) other information provided by law”. In 2007, a response was passed to the law establishing
point 9 was worded as follows: "(9) information containing sensitive personal data". Although
According to RT, this version was valid from 28.12.-31.12.2007, then it probably did not enter into force.
On 1 January 2008, clause 9 entered into force instead with the following wording “9) information security systems,
a description of the security organization or security measures ". In the same form, point 9 applies today.
At the proposal of the PBGB, § 35 (5 1 ) was amended to read “information on the methods of operation of the police and
tactics if it should be made public may make it more difficult or easier to detect offenses
their commission ”, the provision entered into force on 01.01.2010. In 2016, this provision was amended on the proposal of the MTB,
________________________________________
Page 4
4 (7)
by replacing the word "police" with the word "investigative body". The purpose of the change was to expand
this provision to other authorities for whom it was necessary to impose access restrictions. 
It follows from the foregoing that the grounds for imposing a restriction on access are repeated in this case
changed. When complying with a request for information, the holder of the information has the right and also the obligation to check
the relevance and timeliness of the grounds for restricting access to the information
adjust the basis (s) if necessary (supplement, repeal, etc.).
We also did this in response to this request for information: we reassessed and reconsidered the sensitivity of the information
and the realization of the potential risks associated with its publication, and we compared it today
with the current regulation, ie to what extent the information in need of protection is also reflected in the current procedure.
In the course of this, we came to the conclusion that the grounds for the restriction of access are necessary based on the content of the information
supplement (clauses 10, 5 1 ), as well as additions to the grounds for restriction of access shall assist the requester
get a clearer picture of the need for continued restrictions. There are currently
The procedure for maintaining the information system POLIS subsystem KAIRI was established by the Director General on 05.10.2018
Directive No. 117 and a restriction on access to it has been established pursuant to clauses 35 (1) of the PSA
3, 5 1 , 9 and 10.
- Does the PBGB consider that the time limit for all of the above grounds should be longer than
10 years? Please justify your position.
In the case of this directive, the PBGB is of the opinion that the information contained in it still needs some information
protection. 
In fulfilling the request for information, the PBGB comprehensively assessed the continuing need for the restriction sentence by sentence.
The thorough substantive assessment is also confirmed by the fact that the field was involved in the assessment
different experts, so it took extra time to comply with the request for information, and we were also forced to do so
extend the deadline.
Covered passages contain sensitive information that is significantly compromised by disclosure
the achievement of the objectives of criminal proceedings and the pursuit of surveillance
where existing measures and tactics, technological solutions would no longer be possible
implemented as it stands. It must be borne in mind that the methods of operation of the police / investigative body and
tactics will not change significantly for decades. 
§ 35 (1) of the PSA is a mandatory provision which obliges the holder of information to restrict
access to information. Because both the directive requested in the request for information and the current directive
are similar provisions, there is a substantive conflict between § 35 (1) and § 40 (1) of the PSA if
interpret the latter provision as meaning that the access restriction can only be imposed on 5 + 5
year. The procedure for complying with this request for information illustrates the need for legal regulation
to allow the restriction to be extended beyond certain periods in certain cases
5 + 5 years (as long as the reason for imposing the restriction persists).
GROUNDS FOR THE DATA PROTECTION INSPECTORATE:
Access to public information
§ 3 (1) of the PSA provides that public information is in any way and on any medium
recorded and documented information obtained or created by or on the basis of law
in the performance of their public tasks under this legislation. Since the document at issue is
established by the Police and Border Guard Board in the performance of public duties, it is disputed
the document is public information within the meaning of the Public Information Act. 
________________________________________
Page 5
5 (7)
Pursuant to § 3 (2) of the PSA, access to public information can be restricted only as provided by law
in order. The bases for access restriction are set out in § 35 and areas of the Public Information Act
special laws.
The Supreme Court also found in clause 24 of its judgment 3-3-1-5-09 : “ § 44 (2) of the Constitution imposes
to state agencies, local governments and their officials the obligation provided by law
to provide the Estonian citizen with information on his or her activities at his or her request. To this
the obligation is fulfilled by an Estonian citizen (and, unless otherwise provided by law, also in Estonia
the presence of a foreign national and a stateless person present) upon request
information.
The material scope of that right extends to the activities of public authorities
which they do not distribute to the general public. National citizens and other persons must
in order to ensure the transparency of the exercise of official authority, also have access to the information which
for any reason, public authorities do not voluntarily disseminate information to the public. "
Restrictions on access to public information
§ 35 (1) of the PSA provides a list of information which the holder of information is required to establish
access restriction. In the present case, it is common ground that the document contained a restriction
information. The subject-matter of the challenge in the present case is the time-limit for imposing a restriction on the document.
§ 40 (1) of the PSA provides that information intended for internal use shall be established
restriction of access from the time the document is drawn up or received and until necessary
until the event expires or the event arrives, but for no longer than five years. Head of the institution
this period may be extended by up to five years if a restriction on access is imposed
the reason remains. Thus, the Public Information Act clearly states how long the AVTS is possible
Restrict access to information on the basis of subsection 35 (1). The right to extend does not follow from § 40 (1) of the PSA
after the expiry of the period of 10 years. If the Police and Border Guard finds a provision
If the 5 + 5 deadline is short, an amendment to the law should be initiated in the respective part, on the basis of which
it is possible to set a longer restriction period for certain specific information. Not allowed
is a situation where restrictions are imposed on documents without a legal basis.
At this point, I consider it necessary to point out that it is also in the past that a time limit for the application of restrictions is desired
extended, but the legislator has not considered it necessary. For example, 14.09.2009 was requested
initiated amendments to the Personal Data Protection Act, the Public Information Act and the Archives Act
The draft Law 564 SE PIA supplement to § 40 paragraph 4 is added: "This
information intended for internal use pursuant to clause 35 (1) 3) of the Act is established
access restriction for up to five years. The head of the institution may extend this term twice
up to five years if the reason for imposing the access restriction persists ".
The explanatory memorandum to the same draft explains the following: Ҥ 40 of the Public Information Act is amended by a new one
providing a separate basis for information the disclosure of which would be detrimental to the State
external relations, the period of validity of the recognition for internal use is 5 + 5 + 5 years.
The normal term is 5 years, which can be extended once by 5 years . Ten
years may be too short to ensure the protection of external relations. An exception must therefore be made and
to allow a third extension for another five years ”(p. 7 p. 2.6 of the explanatory memorandum of the draft). 1
The following can be read from the transcript of the sitting of the Riigikogu held on 17.02.2010: “ Public information
however, pursuant to subsection 40 (1) of the Act, the head of an agency may establish for internal use
restriction on access to information for a period of five years, subject to the restriction of access
may be extended for a further period of five years. The Government of the Republic therefore only wanted the new provision
to establish a 5 + 5 + 5 system for information that may damage the country's foreign relations.
1 http://www.riigikogu.ee/tegevus/eelnoud/eelnou/bebb8363-8999-f12e-b587-
f3718b56a685 / Personal Data% 20Protection% 20Law,% 20Public% 20Information% 20Law% 20and% 20Archives Act
% 20change% 20 Act / 
________________________________________
Page 6
6 (7)
The Committee on Constitutional Affairs, having discussed this issue in detail at its meetings , considered that it was not
it is justified to give all holders of information the possibility of such extensions for a further period of five years
by. Pursuant to subsection 5 (1) of the Public Information Act, the holder of information is all state and local
local authorities, legal persons governed by public law and subject to certain conditions
legal persons and natural persons in private law. It is obvious that everyone sitting in this Chamber
should report very clearly to, for example, the Foreign Ministry's foreign embassies
The memos drawn up may include assessments by other ambassadors residing in that country
the Head of Government or the President of that State, their possible cooperation with third parties
countries or some doubts as to whether one or the other may be related to one or the other
organization, work with someone, etc. Apparently we all understand that. Is it
all the information listed in the long list contained in the original version should be protected
marked "for official use", this raises serious doubts. /… / Committee on Constitutional Affairs
At the meetings, the members of the commission concluded that because the Ministry of Foreign Affairs is the main state
external relations authority, such an extension should be limited to them.
In particular, this is in the form of a memo between the Ministry of Foreign Affairs and the embassies
internal exchange of correspondence (including negotiation strategies)
information for use. "
Due to the above, the Riigikogu has expressed its position that the access restriction
information can be limited to five years and can be limited to five years at a time
and has discussed an exception for information detrimental to external relations.
The reason for rejecting the aforementioned bill was precisely that the Riigikogu found that an attempt was being made
unduly conceal the information held by the authorities and make the state opaque, which
is not inherent in an open democracy.
The Data Protection Inspectorate agrees with the Police and Border Guard Board that in some cases it may
indeed, ten years may be too short a time and a restriction may be needed on the document
established for a longer period. This is especially true of documents that have been recognized
archival value, but the restrictions cannot be extended without a legal basis. Ka
The Data Protection Inspectorate as a supervisory authority whose task is to control restrictions
when establishing compliance with the law, the right or permission to establish longer than the law cannot be granted here
restriction deadlines.
We agree with the Police and Border Guard Board that since the grounds for the restriction have changed over time,
then the grounds for the restriction must be reviewed before the request for information can be complied with. However, it remains incomprehensible
document (ten years after the creation of the document, if the document no longer exists
possible restrictions) the addition of a restriction that was added to the Public Information Act 12
years after the creation of the document (PIA § 35 section 1 subsection 5 1 ). This was not the case
by changing the wording of the provision, but by adding a new provision to the law. Data Protection Inspectorate
Considers that a document the creation or receipt of which is more than 10 months old
years, grounds for restriction that have been added to the law after the restriction period cannot be added
expiration.
Since in this case almost 16 years have passed since the creation of the document and the Public Information Act
does not provide for the possibility of imposing restrictions for a period exceeding a maximum of 10 years, it does not have to
the inspectorate also needed to analyze the desired parts covered in the desired document
justification for the restriction. However, based on the continued imposition of the restriction
the justification for the need has repeatedly referred to a link to a state secret
information, it should be assessed, if necessary, whether such information, even after 16 years
needs to be protected after its creation should not be covered by a state secret.
It also remains incomprehensible to the Data Protection Inspectorate when the Police and Border Guard Board had
it is understood that even after 10 years, the document contains information that is still needed
why no steps have been taken to legitimize the protection of such information. 
________________________________________
Page 7
7 (7)
Due to the above, because the Public Information Act does not provide an opportunity to impose on information
restrictions for more than 10 years and the Data Protection Inspectorate cannot do anything to anyone here
exemption for the holder of the information, the Police and Border Guard Board shall
remove access restrictions and provide the claimant with the information he or she wishes if
it is not a state secret and there is no other reason to restrict access to information. 
/signed digitally/
Elve Adamson
Inspector General
under the authority of the Director General