New Personal Data Protection Act Needs Polishing

Based on the EU general data protection regulation, the Ministry of Justice has prepared the draft of the Personal Data Protection Act. In the Chamber’s opinion, the draft should be clarified a little, most importantly by providing specific examples. Moreover, the Chamber has proposed to consider decreasing the fee rates as granted for Estonia in the general regulation.

The members of the Chamber consider it necessary that the explanatory memorandum to the draft act would contain sufficient amount of examples that would characterise specific situations. For example, with the help of examples, if could be clarified how to interpret excessive damaging of the rights of a data subject or how should a parent give their consent for processing their child’s personal data.

The European Union regulation gives Estonia the possibility to establish a lower maximum penalty rate than that established in the regulation. However, the current draft act establishes the maximum rate set out in the regulation, which, depending on the misdemeanour, is either 10 or 20 million euros. In the Chamber’s opinion, Estonia could take advantage of the opportunity and decrease the maximum penalty applicable for a violation. At the moment the maximum penalty for the violation of the personal data protection rules in Estonia is 32 thousand euros. In general, the maximum misdemeanour penalty for a company in Estonia is 400,000 euros. The draft act prepared by the Ministry sets out a maximum penalty of 32 thousand euros for a violation committed by a law enforcement authority. Therefore, in the Chamber’s opinion, establishing the highest possible penalty for private companies as set out in the EU regulation constitutes unequal treatment.

At the moment, the Estonian draft sets out that upon rendering information society services to people younger than 14 years, the personal data can be processed only with the consent of a parent. The EU regulation gives the opportunity to decrease that age limit to 13 years. In the Chamber’s opinion, Estonia should use this opportunity, because many companies across the world are already using that age limit. Furthermore, a lower age limit will simplify data processing for companies.

It is unclear for the Chamber, why hasn’t the draft Personal Data Protection Act considered the implementing part and other legal acts that have to be amended as a result of the draft. This especially due to the reason that there are a number of legal acts that refer to the Personal Data Protection Act. Setting them out is necessary in order for the entrepreneurs to be able to assess better the extent of administrative burden they will be facing as a result of the draft.