Summary

The right to the protection of personal data is a fundamental right that has, inter alia, been established by the General Data Protection Regulation (GDPR) since May 2018, and specified in Estonia by the Personal Data Protection Act, which entered into force on 15 January 2019. Both of these legislative acts use the concept of ‘public interest’ in different contexts. The GDPR has also listed various situations that may concern public interest.

It is probably no surprise that ‘public interest’ and ‘interest of the public’ are not synonyms. However, ‘public interest’ may cover completely different situations even within a single Act, therefore placing those who interpret and implement the law in a difficult position. A balance needs to be found within fundamental rights in a situation in which the legislator has not expressed their will and purpose with sufficient clarity. The protection of personal data (the right to privacy), however, is everyone’s fundamental right, and any processing of such data infringes upon that right to a larger or smaller extent. This infringement must be regulated by law, while being clear, precise, and foreseeable for the persons towards whom the legislation is implemented.

When analysing what is defined in the General Data Protection Regulation as public interest or a task in the public interest, interpretations of Estonian law, case law, or jurisprudence cannot be used as a starting point. However, the Estonian interpretations may be used as a source of inspiration because generally, the Court of Justice aims to base its positions on the common understanding and constitutional principles of the Member States. Ultimately, however, the right to furnish the concept and draw the lines remains with the Court of Justice.