NordenBladet —
Minister of Justice and Digital Affairs Liisa-Ly Pakosta replied to the interpellation concerning Chinese intelligence access to Estonian residents’ data through apps and technology (No. 718), submitted by Members of the Riigikogu Lauri Laats, Vladimir Arhipov, Vadim Belobrovtsev and Aleksei Jevgrafov.
The interpellators referred to the cyber security yearbook of the Information System Authority which said that Chinese intelligence could also easily access the personal data of Estonian residents using technology and applications made in China. This raises serious questions about Estonia’s cyber security and data protection.
The interpellators wanted to know what measures had been implemented in the country to reduce the collection of data on Estonian residents through Chinese technology and applications.
Pakosta explained that she could not quite claim that whenever Chinese technology or a Chinese application was in use, data on Estonian residents was always collected through it. “This could be stated unequivocally only after a corresponding investigation and court decision,” Pakosta said.
She noted that Estonia had also repeatedly appealed to the European Union to uniformly impose relevant import or sales bans that would be justified specifically for devices that were manufactured for the indirect purpose of acquiring, collecting, and analysing information about the activities of Estonian citizens, as well as other European Union citizens. Sometimes it is also possible to collect information, for example, about views.
“However, the legal framework in Estonia is nevertheless quite comprehensive. From 2022, we have a requirement in the Electronic Communications Act that a communications service provider must obtain consent from the Consumer Protection and Technical Regulatory Authority for the hardware and software used in communications networks,” the minister emphasised. She added that perhaps the most important provision was that section 6 of the Cybersecurity Act imposed an obligation on many public sector institutions and businesses operating in critical areas to adhere to the principle of comprehensive protection. “This means that it is up to each institution and each company to identify the potential threats to its network and information system and to implement appropriate organisational and technical measures to protect the system. Among other things, devices that use illegal data harvesting or enable that must be avoided,” Pakosta explained.
She referred to the Cybersecurity Act which set out a number of obligations. The Estonian Information Security Standard has been developed to meet these obligations. This information security standard also imposes obligations on institutions and companies to assess the risks in both the hardware and software supply chains. The supply chain means that it is also necessary to monitor where purchases are made and whether these important risks have been mitigated at the various stages where a particular device is manufactured. “And of course these supply chain risks can be linked to the use of various Chinese technologies, equipment and applications,” the minister stated.
According to her, in summary it can be said that we have data protection regulations in place in the public sector and for businesses. But the question is rather how effectively we can implement these existing requirements. “The good news is that although we are all concerned here, Estonia is among the most successful countries in the world when it comes to cybersecurity in the public sector and private sector. So we have had a lot of things go right and well,” Pakosta noted.
However, she stated that the situation was more difficult from the state’s perspective in the case of consumers, that is, private persons, who should assess risks themselves and protect themselves from harmful activities that may be related to technological devices manufactured in unfriendly countries, to the purchase of such devices, or to a failure to secure them.
Rain Epler, Aleksandr Tšaplõgin, Anastassia Kovalenko-Kõlvart and Mart Helme took the floor during the open microphone.
Substitute member Peeter Ernits took his oath of office before the Riigikogu.
Verbatim record of the sitting (in Estonian)
Video recordings of the sittings of the Riigikogu can be viewed at https://www.youtube.com/riigikogu.
(Please note that the recording will be uploaded with a delay.)
Riigikogu Press Service
Gunnar Paal,
+372 631 6351, +372 5190 2837
gunnar.paal@riigikogu.ee
Questions: press@riigikogu.ee
Link to the news item: The Riigikogu discussed issues relating to data protection
Source: Parliament of Estonia