Capital E: How Estonia’s Cyber Security Strategy Went Beyond Regulations During its Rise to Leadership in E-Governance

By Albert Chang

Ray Tomlinson sent the first email in 1971, which created a new concept of nearly instantaneous communication that could replace old snail mail.[1] Since then, digital technology has become exponentially more advanced and complex than what Tomlinson used to send that first e-mail. Digital technologies are now “essential tools for communication and collaboration between policy makers, the private sector and societies across the globe” as the new form of digital governments.[2] These technologies have given rise to a new form of governance: E-Governance.

E-Governance is defined as the use of information and communications technology by governments to provide public services to people more efficiently and transparently.[3] For example, Estonia— a country that was once “tiny, poor and under centuries of serial occupation”— transformed itself into “the first digital republic in the world.”[4] Recognition for Estonia’s digitalization is well represented in the 2022 E-Governance Survey, where the country was selected as the top country using the Online Service Index.[5]  Estonians can set up a business, apply for licenses, receive social benefits, cast their ballot for the presidential election, access their health records, and provide personal identification, all using digital technology through an app on a mobile phone.[6]

In the private sector, global corporations are seeing a similar shift towards highly personalized data. For example, the Apple Watch Series 8 can now track a user’s temperature, electrocardiogram, and heart rate zones throughout different workouts.[7] The latest social media platform TikTok uses a combination of the user’s location, search history, content of messages exchanged, viewing patterns, and additional personal data like age and gender, to create a personalized “for you page” for each user.[8] In addition to the convenience and efficiency that technology serves, digitization of personal data provides tremendous value for corporations to deliver services and products that directly addresses the consumer’s needs.[9]

The benefits of digitalizing personalized data present certain risks. The power to store, utilize, or sell personalized data to third parties becomes a coveted option because of the exceptional value that it could generate.[10] Naturally, compromised data in the hands of an ill-intended party creates chaos for compromised individuals. Most of these criminal activities encompass identity theft that potentially lead to personal property loss. In more extreme cases, access to lots of personalized data could implicate national security concerns for a whole country.[11] Countries like Estonia need a strong regulation regime for data privacy because so much of the country’s activities, along with private information of its citizens, is now available digitally.

Estonia’s approach to cybersecurity is a combination of European Union regulations, Estonia’s interpretations of EU law, and collaborative efforts between Estonia and the private sector to minimize the risk in digitization.[12] As a member of the EU, Estonia is subject to the EU’s data protection law under the General Data Protection Regulation (GDPR).[13] The GDPR is commonly held as “the toughest privacy and security law in the world.”[14] Notably, under the GDPR’s opt-in regime (as opposed to the United States’ opt-out regime), consumers must affirmatively consent to their personal data to be stored and used in particular ways before corporations can collect the data. Effectively, this allows individuals to decide the level of risk they are willing to assume with potential exposure of their data.

The GDPR was enacted to be intentionally broad, at least in comparison to the strong level of protection the law sought to provide. It sets the guidelines for the collection and processing of personal information, but leaves out certain interpretations and applications for EU members states to determine. In its compliance with the GDPR, Estonia enacted three main pieces of legislation: (1) the Personal Data Protection Act, (2) the Electronic Communications Act, and (3) the Information Society Services Act.[15] Collectively, the three Acts govern the collection, storage, and use of personal data in Estonia.[16]

Beyond the EU and the Estonian regulatory bodies, Estonia also attributes a significant part of their success in E-Governance to its collaboration with the private sector in executing its cybersecurity strategy. Through Estonia’s National Cyber Defense League, a voluntary structure with more than 150 experts participating, has simulated different security threat scenarios in defense exercises.[17] Among its objectives, the Cyber Defense League emphasizes “education and training in information security” as part of its overall strategy.[18] Children in Estonia have been placed through a digital education syllabus since 1998, raising the standards and skills for coding and entrepreneurship in technology fields.[19]

In sum, Estonian legislation imposes additional requirements beyond what is known as the world’s toughest privacy law— the GDPR. Even though Estonia remains susceptible to data breaches, Estonia still has established itself as one of the leading digital nations.[20] Hackers, however, will continuously test Estonia’s digital systems for vulnerabilities.[21] Faced with limited resources while regaining its independence from the Soviet Union, Estonia chose to fully commit to data privacy legislations, technological education, and digitization of government services delivery.[22] Today, Estonia’s comprehensive strategy to E-Governance is used as a model and replicated across different continents.[23]

[1] A Brief History of Email: Dedicated to Ray Tomlinson, Phrasee, https://phrasee.co/blog/a-brief-history-of-email/ (last visited Jan. 23, 2023).

[2] E-Government Surveys, UN (12th ed. 2022), https://desapublications.un.org/sites/default/files/publications/2022-09/Chapter%201.pdf.

[3] See generally, Dishit Duggar et al., Big Data Analytics in E-Governance and Other Aspects of Society, Encyc. Data Science & Mach. Learning (Oct. 2022).

[4] Suna Erdem, “Right, f*** it. We’ll do it ourselves”: The Sentence That Turned Estonia from Soviet Backwater to Digital Miracle, New Eur. (Jan. 27, 2022), https://www.theneweuropean.co.uk/estonia-and-its-digital-expansion-in-the-full-digital-nation/; Imtiaz Khan & Ali Shahaab, Estonia is a Digital Republic- What That Means and Why It May Be Everyone’s Future, Conversation, https://theconversation.com/estonia-is-a-digital-republic-what-that-means-and-why-it-may-be-everyones-future-145485 (last updated Oct. 12, 2020).

[5] E-Government Surveys, supra note 2.

[6] Erdem, supra note 4 (noting “some 99% of government services are online”).

[7] Apple, Apple Watch Series 8, https://www.apple.com/apple-watch-series-8/ (last visited Jan. 23, 2023).

[8] Kate O’Flaherty, All the Ways TikTok Tracks You and How to Stop It, Wired (Oct. 23, 2021), https://www.wired.co.uk/article/tiktok-data-privacy.

[9] Nidhi Arora et al., The Value of Getting Personalization Right— or Wrong— is Multiplying, McKinsey & Co. (Nov. 12, 2021), https://www.mckinsey.com/capabilities/growth-marketing-and-sales/our-insights/the-value-of-getting-personalization-right-or-wrong-is-multiplying.

[10] Id.

[11] Rachel Treisman, The FBI Alleges TikTok Poses National Security Concerns, NPR (Nov. 17, 2022), https://www.npr.org/2022/11/17/1137155540/fbi-tiktok-national-security-concerns-china.

[12] Freedom in the World Report— Estonia, Freedom House, https://freedomhouse.org/country/estonia/freedom-world/2022 (last visited Jan. 23, 2023).

[13] Urmas Kukk, Estonia— Data Protection Overview, Data Guidance (Mar. 2022), https://www.dataguidance.com/notes/estonia-data-protection-overview.

[14] Ben Wolford, What is GDPR, the EU’s New Data Protection Law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/ (last accessed Jan. 23, 2023).

[15] Mihkel Miidla & Kaupo Lepasepp, Data Protection in Estonia, BL. (Dec. 12, 2016).

[16] Id.

[17] See Freedom in the World Report— Estonia, supra note 12.

[18] Estonian Defence League’s Cyber Unit, Kaitseliit, https://www.kaitseliit.ee/en/cyber-unit (last updated Jan.23, 2023).

[19] See Erdem, supra note 4.

[20] See Dea Paraskevopoulos, Estonian E-State Has Experienced Several Hacking Incidents As of Late: What Are the Lessons Learned?, e-Estonia (Aug. 18, 2021), https://e-estonia.com/estonian-e-state-has-experienced-several-hacking-incidents-as-of-late-what-are-the-lessons-learned/ (citing major hacking incidents in 2007 and 2021).

[21] Id.

[22] See Population— Estonia, World Bank, https://data.worldbank.org/indicator/SP.POP.TOTL?locations=EE (last accessed Jan. 23, 2023).

[23] Kevin Tammearu, What the United States Can Learn from Estonia on E-Governance, CEPA (Aug. 31, 2021), https://cepa.org/comprehensive-reports/what-the-united-states-can-learn-from-estonia-on-e-governance/.