Estonia Estonia X-Road digital infrastructure

Estonia Moves to Abolish Blanket Phone-Data Retention, Five Years After Its Own CJEU Case Required It

Estonia's draft law swaps 12-month bulk phone-data retention for targeted 'quick freeze' rules, five years after the CJEU found the old system unlawful.

Estonia's Data Retention Reversal People of Internet Research · Estonia 2,828 Access authorizations, 2020 Prosecutor-approved requests for r… 376 Access authorizations, 2022 Court approvals collapsed once jud… 12 months Current blanket retention period How long telecoms must currently s… 2.2B X-Road transactions per year Estonia's logged, purpose-bound da… peopleofinternet.com
Estonia's Data Retention Reversal People of Internet Research · Estonia 2,828 Access authorizations, … 376 Access authorizations, … 12 months Current blanket retention period 2.2B X-Road transactions per… peopleofinternet.com

Key Takeaways

A bill five years overdue

Estonia's Minister of Justice and Digital Affairs, Liisa Pakosta (Eesti 200), has sent the government a draft law that would abolish the country's blanket mandate requiring telecoms to log and store everyone's call records and location data for up to a year "just in case" police need them later. In its place: a narrower regime built around targeted, after-the-fact preservation — "quick freeze" — for investigations into serious crime, plus a tightly bounded emergency power reserved for genuine national-security threats (ERR News).

The bill closes a gap that has sat open since 2 March 2021, when the Court of Justice of the European Union ruled, in a case that began in an Estonian courtroom, that Estonia's prosecutor-authorized access to bulk-retained communications metadata for ordinary criminal investigations violated the ePrivacy Directive (Case C-746/18, H.K. v Prokuratuur, EUR-Lex). Estonia's own Supreme Court agreed later that year, and the Riigikogu responded by shifting data-access authorization from prosecutors to courts. What lawmakers didn't touch was the underlying obligation: telecoms still had to retain everyone's data, indiscriminately, for twelve months.

The interregnum

That half-measure produced the legal limbo one would expect. Court-ordered authorizations for accessing retained data collapsed — from 2,828 in 2020 to 376 in 2022 — as judges applied the CJEU's "serious crime" threshold to a system that had never been built around it (ERR News). Reform had actually been proposed once before: the ministry drafted an overhaul back in 2019 after years of pressure from the Estonian Human Rights Centre, which had been campaigning since the CJEU struck down the EU's original Data Retention Directive in 2014 (Liberties.eu). That effort stalled. As late as July 2024, a ministry deputy secretary general said Tallinn had no plans to amend the law, preferring to wait for "EU-level guidance" that never arrived (ERR News). Then, in March 2026, Estonia's Supreme Court tightened the screws again, ruling that only data telecoms retain for their own commercial purposes — billing, network management — may be used as evidence in criminal proceedings, with prosecutors bearing the burden of proving that origin. Data collected purely under the state's retention mandate had become close to unusable in court.

What the bill changes

Under the draft, telecoms would no longer be required to log and store call-detail records and location data on the entire population by default. They would still retain subscriber-identification data — whose name a phone number is registered to — and IP-assignment logs for roughly a year, mainly to keep cybercrime investigations workable. For anything more, investigators would invoke "quick freeze": a request that a provider preserve data it already holds, tied to a specific case, before normal commercial retention schedules delete it. And should Estonia face what the bill calls an immediate and serious threat to national security or constitutional order, the government could temporarily reimpose a stricter regime — a carve-out the CJEU has explicitly sanctioned, not one Estonia invented to route around the judgment.

The steelman, and why it still falls short

Investigators have a genuine complaint about quick freeze: it only works if you already know whose data to preserve. Bulk retention lets a prosecutor reconstruct a suspect's movements or contacts after a crime is discovered — useful for cold cases, for identifying an unknown perpetrator from a pattern of calls, or for tracing a network that was invisible until evidence surfaced. That is a real limitation, not a manufactured one, and it is why Estonian police pushed back on earlier reform drafts. But the CJEU's answer has been consistent since it began building this case law — from the 2014 collapse of the EU's original directive, through the 2016 Tele2/Watson ruling, to Prokuratuur itself in 2021 (eucrim): the cost of logging every resident's movements to solve the rare case where bulk data proves decisive is disproportionate to the privacy interference, and targeted or emergency retention covers the legitimate cases without the blanket sweep. Estonia has had five years to build that targeted architecture and instead spent it in a grey zone that satisfied neither privacy advocates nor investigators working with evidence of increasingly uncertain admissibility.

Where to watch next

The real fight isn't over whether bulk retention ends — the courts made that inevitable — but over how loosely Parliament draws the national-security emergency clause. A vaguely worded "immediate and serious threat" trigger, invoked too readily or left running too long, could functionally restore what the bill claims to abolish; CJEU case law treats that exception as narrow and time-bound, not a standing alternative. That's the provision to watch as the bill moves through the Riigikogu.

There's also a reputational logic Pakosta doesn't need to spell out. Estonia's digital-government brand runs on X-Road, the data-exchange layer connecting more than 3,000 e-services and logging roughly 2.2 billion transactions a year, where every query is authenticated and tied to a specific purpose rather than pooled into an undifferentiated store (e-Estonia). A telecoms law that required exactly the kind of indiscriminate, purpose-agnostic data hoarding X-Road was designed to avoid always looked like an anomaly. Fixing it isn't just about complying with a five-year-old court ruling — it's about keeping the "digital trust" pitch that underwrites Estonia's e-governance model coherent.

Sources & Citations

  1. Case C-746/18, H.K. v Prokuratuur — EUR-Lex
  2. Liisa Pakosta: A solution to the communications data retention stalemate — ERR
  3. Justice ministry plans to continue collecting communications data — ERR
  4. X-Road interoperability services — e-Estonia
  5. Privacy Win! Data Retention Law to Be Overhauled in Estonia — Liberties.eu
  6. CJEU Confirms Strict Limitations of Data Retention — eucrim