Estonian Internal Security Service: Data retention bill needs revision due to Russian threat

Estonia's Internal Security Service (KaPo) has presented its position on the draft law regulating the storage and use of electronic communications data. The service supports finding a comprehensive solution but emphasizes that the norms require significant revision to simultaneously ensure national security and effective crime investigation.

The draft law concerns metadata, not the content of calls or messages—technical information about the fact and parameters of a connection. This includes numbers, IP addresses, connection time and duration, connection type, device technical characteristics, and the approximate location of the subscriber at the time of use. KaPo notes that such data is used for post-event analysis and does not involve real-time surveillance.

KaPo focuses on the idea of universal and uniform data retention. The service insists that communications operators must be obliged to retain metadata for all users without exceptions. According to KaPo, selective or geographic restrictions could create vulnerabilities that foreign intelligence services could exploit.

The service links the need for such measures to the current geopolitical situation. The document notes that the Russian Federation is considered an existential threat to Estonia and Europe, and state structures must have robust tools to counter long-term military and hybrid risks.

If lawmakers abandon permanent data retention and introduce temporary solutions by government decree, KaPo proposes setting such periods for at least two years. This, according to the service, would ensure technical stability and reduce operator costs.

KaPo also points out risks related to the fact that Estonia's largest telecommunications companies have foreign headquarters and may reduce data retention volumes for economic reasons. In that case, investigators' access to data could vary by operator, violating the principle of equal treatment.

As a compromise, operators could be required to guarantee retention of traffic and geolocation data in specific cases: in border zones (up to 10 km from the state border), on islands, in areas of defense and critical infrastructure, in high-crime zones, as well as for users of anonymous prepaid SIM cards and roaming subscribers.

Additionally, KaPo proposes enshrining in law the list of bodies authorized to request such data. This list should include investigative and operational bodies, the prosecutor's office, courts in criminal cases, and security authorities when performing their tasks and checks related to access to state secrets.

In conclusion, the draft law requires serious revision. According to KaPo Director General Margo Palloson, the key goal is to create a system that allows legal and effective use of communications data as evidence in court.