§ 1. Purpose of Act
(1) This Act provides for the requirements for information society service providers, the organisation of supervision and liability for violation of this Act.
(2) The provisions of the Administrative Procedure Act shall apply to the administrative procedure prescribed in this Act, taking into consideration the specifications arising from this Act.
(3) The provisions of this Act do not apply to issues related to the information society services which are regulated by the Electronic Communications Act, the Personal Data Protection Act and the Media Services Act.
[RT I, 06.01.2011, 1 - entry into force 16.01.2011]
§ 2. Definitions
In this Act, the following definitions are used:
1) “Information society services” are services provided in the form of economic or professional activities at the direct request of a recipient of the services, without the parties being simultaneously present at the same location, and such services involve the processing, storage or transmission of information by electronic means intended for the digital processing and storage of data. Information society services must be entirely transmitted, conveyed and received by electronic means of communication. Services provided by means of fax or telephone call and television or radio services are not information society services;
[RT I, 06.01.2011, 1 - entry into force 16.01.2011]
2) “regulated professional activity” is any professional activity the pursuit of which requires professional qualifications determined by law.
§ 3. Application of law of state of place of business
(1) Information society services provided through a place of business located in Estonia (hereinafter services) shall meet the requirements arising from Estonian law regardless of the Member State of the European Union or Member State of the European Economic Area in which the service is provided.
(2) The provision, in Estonia, of services belonging to the co-ordinated field through a place of business located in a Member State of the European Union or Member State of the European Economic Area are not subject to restriction, except in the case and to the extent justified for the protection of morality, public order, national security, public health and consumer rights.
(3) The restrictions specified in subsection 2 of this section shall meet the following conditions:
1) a restriction shall be established against a specific information society service which prejudices the objectives referred to in subsection 2 of this section or which presents a serious risk of prejudice to those objectives;
2) a restriction shall be proportionate to its objective;
3) before establishing a restriction, a competent Estonian body has asked the state of the location of the place of business to establish a restriction, and the latter has not established the restriction, or the restriction is inadequate;
4) a competent Estonian body has notified the European Commission and the relevant Member State of its intention to establish a restriction;
5) in the case of urgency, derogation from the conditions stipulated in clauses 3 and 4 of this subsection is permitted. In the case of urgency, the competent Estonian body shall notify the restriction in the shortest possible time to the European Commission and to the Member State, indicating the reasons for which it is considered that there is urgency;
[RT I, 22.06.2021, 13 - entry into force 02.07.2021]
6) clauses 3–5 of this subsection shall not apply to court proceedings.
(4) The provisions of subsection 2 of this section shall not apply to:
1) the freedom of the parties to choose the law applicable to their contract;
2) contractual obligations concerning consumer contracts;
3) copyright and related rights;
4) protection of semi-conductors;
5) protection of databases;
6) protection of industrial property rights;
7) formal requirements of the law valid in respect of transactions with rights in immovables;
8) the permissibility of commercial communications by electronic mail;
9) advertising of investment funds;
10) the insurers’ obligation to inform the competent body of the general and specific terms of obligatory insurance;
11) the insurers’ right of establishment and freedom of provision of services;
12) non-life and life insurance contracts which cover risks existing in Member States of the European Union;
13) the activities, as public authorities, of notaries, enforcement agents and other persons engaging in liberal professions in public law;
14) the representation of parties and of their interests in proceedings in court;
15) lotteries and gambling activities, including games of chance and betting transactions involving wagering a stake;
16) issue of electronic money by a company using the right provided by § 12 of the Electronic Money Institutions Act.
[RT I 2010, 2, 3 - entry into force 22.01.2010]
§ 31. Notification
(1) The European Commission shall be notified of:
1) legislation under preparation concerning requirements for information society services;
2) requirements for information society services established by stock exchange, regulated securities market and securities settlement system.
(2) Notification need not be given of legislation concerning the following:
1) requirements for electronic communications services which are regulated by the legislation of the European Union;
2) requirements for financial services which are regulated by the legislation of the European Union and which are listed non-exhaustively in Annex VI to the Directive 98/48/EC of the European Parliament and Council (OJ L 217, 5.8.1998, pp. 18–26).
(3) Notification need not be given of draft legislation which complies with the European Union approximation legislation or fulfils the obligations arising out of international agreements resulting in the adoption of common requirements for information society services in the European Union.
(4) Drafters of legislation subject to notification submit draft legislation to the authority which co-ordinates notification. Draft legislation shall be submitted to notification at such stage of proceedings which allows to make amendments to the draft legislation.
(5) The Government of the Republic shall establish the procedure for notification of draft legislation concerning requirements for information society services and of requirements for information society services established by stock exchange, regulated securities market and securities settlement system and shall appoint the authority which co-ordinates information exchange.
[RT I 2010, 31, 158 - entry into force 01.10.2010]
§ 4. Information to be submitted concerning service provider
(1) A service provider shall render directly and permanently accessible to the recipients of the service at least the following information:
1) the name of the service provider, its registry code and the name of the corresponding register, the service provider’s address and other contact details, including the electronic mail address;
2) its registration number if, for operation in the corresponding field of activity, registration in the register of economic activities is required by law, or its activity licence number;
3) if reference is made to the fee charged for the service, information on whether the fee includes taxes and delivery charges;
4) the value added tax identification number if the service provider is a person liable to value added tax.
[RT I, 22.06.2021, 13 - entry into force 01.09.2021]
(2) In addition to the provisions of subsection 1 of this section, a service provider engaged in a regulated professional activity shall render directly and permanently accessible to the recipients of the service the following information;
1) the name of any professional body or similar institution with which the service provider is registered in connection with the provided service;
2) the professional title and the Member State where it has been granted;
3) a reference to the applicable professional rules in the Member State of the location of its place of business, and the means to access them.
§ 5. Commercial communications
(1) "Commercial communication" is any information designed to promote, directly or indirectly, the goods, services or image of a person engaged in economic or professional activity.
[RT I 2010, 38, 230 - entry into force 10.07.2010]
(2) A commercial communication shall comply with the following conditions:
1) the commercial communication shall be clearly identifiable as such;
2) the person on whose behalf the commercial communication is made shall be clearly identifiable;
3) promotional offers, such as discounts, premiums and gifts, promotional competitions and games, shall be clearly identifiable as such;
4) the conditions for participation in the promotional offers and commercial lotteries specified in clause 3 of this section shall be presented clearly.
(3) The following are not commercial communications:
1) information allowing direct access to the activity of a natural or legal person, in particular a domain name or an electronic-mail address;
2) information relating to the image, goods or services of a person compiled independently of the person.
[RT I 2010, 38, 230 - entry into force 10.07.2010]
§ 6. [Repealed - RT I 2010, 38, 230 - entered into force 10.07.2010]
§ 7. Contracts concluded through public data communication network
Contracts between service providers and recipients of their services through public data communication networks, where the parties are not simultaneously present, shall be concluded pursuant to the provisions of § 621 of the Law of Obligations Act.
§ 8. Restricted liability upon mere transmission of information and provision of access to public data communications network
[Repealed – RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 9. Restricted liability upon temporary storage of information in cache memory
[Repealed – RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 10. Restricted liability upon provision of information storage service
[Repealed – RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 11. No obligation to monitor
(1) [Repealed – RT I, 21.06.2024, 1 – entry into force 01.07.2024]
(2) [Repealed - RT I 2006, 31, 234 - entered into force 16.07.2006]
(3) [Repealed – RT I, 21.06.2024, 1 – entry into force 01.07.2024]
(4) In order to establish the truth, service providers shall submit information at their disposal concerning the recipients of their information storage services to the Prosecutor's Office and investigative body, on the bases and pursuant to the procedure prescribed in the Code of Criminal Procedure, and to a security authority and a surveillance agency, on the bases and pursuant to the procedure provided by law, within the term specified thereby.
(5) In order to establish the truth, service providers shall provide the court, on the basis of single written requests thereof and on the bases and pursuant to the procedure prescribed in the Code of Civil Procedure, with information at their disposal on recipients of their information storage services within the term specified by the court. For the purposes of this section, single request is a request for the personal data of the recipient of services and for the fact of transmission of transmitted information, and the duration, method and format of transmitted information of the recipient of services in connection with a particular electronic mail, a particular electronic commentary or another communication session related to the transmission of a single message.
[RT I 2006, 31, 234 - entry into force 16.07.2006]
§ 12. State supervision
[RT I, 13.03.2014, 4 - entry into force 01.07.2014]
(1) State supervision over compliance with the requirements provided for in this Act for information that must be provided concerning service providers shall be exercised by the Consumer Protection and Technical Regulatory Authority.
[RT I, 12.12.2018, 3 - entry into force 01.01.2019]
(2) Supervision over compliance with the requirements provided for in Regulation (EU) No 2019/1150 of the European Parliament and of the Council on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.07.2019, p. 57–79) shall be exercised by the Consumer Protection and Technical Regulatory Authority.
[RT I, 22.06.2021, 13 - entry into force 02.07.2021]
(3) The Consumer Protection and Technical Regulatory Authority is the independent digital services coordinator within the meaning of Article 49(2) of Regulation (EU) 2022/2065 of the European Parliament and of the Council on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, pp 1–102).
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
(4) The Consumer Protection and Technical Regulatory Authority exercises state supervision over compliance with the requirements provided in Regulation (EU) 2022/2065 of the European Parliament and of the Council.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
(5) State supervision over the implementation of the measures related to the removal of terrorist content and compliance with removal orders provided in Articles 3(3) and (6), 4(2) and (7), 6(1) and (2) and 14(5) of Regulation (EU) 2021/784 of the European Parliament and of the Council on addressing the dissemination of terrorist content online (OJ L 172, 17.05.2021, pp 79–109) is exercised by the Estonian Internal Security Service.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
(6) State supervision over the implementation of the technical requirements for the prevention of dissemination of terrorist content online, and the measures related to the preservation of content and reporting provided in Articles 5, 6(3), 7, 10, 11, 15(1) and 17 of Regulation (EU) No 2021/784 of the European Parliament and of the Council is exercised by the Consumer Protection and Technical Regulatory Authority.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 121. Cross-border supervision cooperation
The Consumer Protection and Technical Regulatory Authority participates in cross-border cooperation between the digital services coordinators of the Member States of the European Union and the European Commission in accordance with Chapter IV of Regulation (EU) 2022/2065 of the European Parliament and of the Council.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 121. Order to remove terrorist content online
(1) Removal orders provided in Article 3 of Regulation (EU) 2021/784 of the European Parliament and of the Council are issued and cross-border removal orders provided in Article 4 are scrutinised by the Estonian Internal Security Service.
(2) The information provided in Article 21(1) of Regulation (EU) 2021/784 of the European Parliament and of the Council is collected and submitted to the European Commission by the Ministry of the Interior.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 13. Specific state supervision measures
[RT I, 13.03.2014, 4 - entry into force 01.07.2014]
In order to exercise state supervision provided in this Act, a competent law enforcement agency may apply the special state supervision measures provided in §§ 30, 49, 50, 51 and 52 of the Law Enforcement Act on the grounds and in accordance with the procedure provided in the Law Enforcement Act.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 131. Right of Consumer Protection and Technical Regulatory Authority to request restriction of information society services
(1) Where the information disseminated to the public through information society services incites hatred, violence or discrimination on the basis of nationality, ethnic origin, language, religion or other circumstances specified in § 12 of the Constitution of the Republic of Estonia, incites war or justifies war crimes, and where it is necessary in order to ensure national security and there are no other effective possibilities for termination of the dissemination of such information and for averting the danger, the Consumer Protection and Technical Regulatory Authority has the right to issue a precept to a provider of information society services and to request the removal of information provided through information society services or restriction of access to the information, taking into account the specifications provided in subsections 2 and 3 of this section.
(2) A provider of publicly available electronic communications services providing Internet access is obliged, on the basis of a precept issued by the Consumer Protection and Technical Regulatory Authority, to disable the domain name specified in the precept in the name servers belonging thereto.
(3) The administrator of a domain register and the domain registrar are obliged, on the basis of a precept issued by the Consumer Protection and Technical Regulatory Authority, to disable access to a domain or to delete the registration of the domain name specified in the precept and to allow the authority to register the domain name in their own name.
[RT I, 06.08.2022, 2 – entry into force 16.08.2022]
§ 132. Orders to act against illegal content or to provide information
(1) The order of a law enforcement agency addressed to a provider of intermediary services to act against illegal content must comply with the conditions provided in Article 9(2) of Regulation (EU) 2022/2065 of the European Parliament and of the Council.
(2) The order of a law enforcement agency addressed to a provider of intermediary services to provide specific information about a specific recipient of the service must comply with the conditions provided in Article 10(2) of Regulation (EU) 2022/2065 of the European Parliament and of the Council.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 14. Non-compliance levy rates
[RT I, 13.03.2014, 4 - entry into force 01.07.2014]
(1) Upon failure to comply with a precept, the maximum rate of the non-compliance levy imposed pursuant to the procedure provided for in the Substitutional Performance and Non-Compliance Levies Act is 640 euros for natural persons and 100,000 euros for legal persons.
[RT I, 22.06.2021, 13 - entry into force 02.07.2021]
(2) Upon failure to comply with an injunction pursuant to Regulation (EU) 2022/2065 of the European Parliament and of the Council, the maximum rate of the non-compliance levy imposed pursuant to the procedure provided for in the Substitutional Performance and Non-Compliance Levies Act is five per cent of their average daily income in the preceding calendar year for providers of intermediary services who are natural persons and five per cent of their average daily worldwide turnover in the preceding financial year for providers of intermediary services who are legal persons, calculated from the date indicated in the relevant injunction.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 15. Transmission of non-conforming information
(1) The provision of information society services which do not conform to the requirements provided for in this Act for information that must be provided concerning service providers, for commercial communications or transmission thereof is punishable by a fine of up to 300 fine units.
(2) The same act, if committed by a legal person,
is punishable by a fine of up to 400,000 euros.
[RT I, 22.06.2021, 13 - entry into force 02.07.2021]
§ 151. [Repealed - RT I 2006, 21, 160 - entered into force 25.05.2006]
§ 152. Failure to comply with requirements provided for in Regulation (EU) No 2019/1150 of European Parliament and of Council
(1) Failure to comply with the requirements provided for in Articles 11 and 12 of Regulation (EU) No 2019/1150 of the European Parliament and of the Council
is punishable by a fine of up to 300 fine units.
(2) The same act, if committed by a legal person,
is punishable by a fine of up to 400,000 euros.
[RT I, 22.06.2021, 13 - entry into force 02.07.2021]
§ 153. Failure to comply with obligations provided in Regulation (EU) No 2022/2065 of European Parliament and of Council
(1) Failure to comply with the requirements provided in Articles 9–14, 16–18, 20–23, 25–28, 30–32 and 34–41 of Regulation (EU) 2022/2065 of the European Parliament and of the Council
is punishable by a fine of up to 300 fine units.
(2) The same act, where committed by a legal person,
is punishable by a fine of up to six per cent of its worldwide turnover in the preceding financial year.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 154. Failure to comply with reporting obligation provided in Regulation (EU) No 2022/2065 of European Parliament and of Council
(1) Failure to comply with the reporting obligation provided in Articles 15, 24 and 42 of Regulation (EU) 2022/2065 of the European Parliament and of the Council or submission of incorrect, incomplete or misleading information
is punishable by a fine of up to one per cent of the income of the natural person in the preceding calendar year.
(2) The same act, where committed by a legal person,
is punishable by a fine of up to one per cent of its worldwide turnover in the preceding financial year.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 155. Interference with exercise of state supervision over compliance with requirements provided in Regulation (EU) 2022/2065 of the European Parliament and of the Council
(1) Interference with exercise of state supervision over compliance with requirements provided in Regulation (EU) 2022/2065 of the European Parliament and of the Council, where the Consumer Protection and Technical Regulatory Authority is thereby refused access to premises or information, or submission of incorrect, incomplete or misleading information, or failure to reply or rectify incorrect, incomplete or misleading information
is punishable by a fine of up to one per cent of the income of the natural person in the preceding calendar year.
(2) The same act, where committed by a legal person,
is punishable by a fine of up to one per cent of its worldwide turnover in the preceding financial year.
[RT I, 21.06.2024, 1 – entry into force 01.07.2024]
§ 156. Failure to comply with requirements provided in Article 3(3) and (6) and Article 4(2) and (7) of Regulation (EU) 2021/784 of the European Parliament and of the Council
(1) Failure to comply with the requirements provided in Article 3(3) and (6) and Article 4(2) and (7) of Regulation (EU) 2021/784 of the European Parliament and of the Council
is punishable by a fine of up to 300 fine units.
(2) The same act, where committed by a legal person,
is punishable by a fine of up to 400,000 euros.
(3) An act provided in subsection 2 of this section, if committed repeatedly or systematically,
is punishable by a fine of up to four per cent of the global turnover of the hosting service provider in the preceding financial year.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 157. Failure to comply with requirements provided in Article 14(5) of Regulation (EU) 2021/784 of the European Parliament and of the Council
(1) Failure to comply with the requirements provided in Article 14(5) of Regulation (EU) 2021/784 of the European Parliament and of the Council
is punishable by a fine of up to 300 fine units.
(2) The same act, where committed by a legal person,
is punishable by a fine of up to 1,200 euros.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 158. Failure to comply with requirements provided in Articles 5(1) to (3), (5) and (6), 6(3), 7, 10, 11, 15(1) and 17 of Regulation (EU) 2021/784 of the European Parliament and of the Council
(1) Failure to comply with the requirements provided in Articles 5(1) to (3), (5) and (6), 6(3), 7, 10, 11, 15(1) and 17 of Regulation (EU) 2021/784 of the European Parliament and of the Council
is punishable by a fine of up to 300 fine units.
(2) The same act, where committed by a legal person,
is punishable by a fine of up to 1,200 euros.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 16. Proceedings
(1) [Repealed – RT I, 12.07.2014, 1 - entry into force 01.01.2015]
(2) Extra-judicial proceedings concerning the misdemeanours provided in §§ 15, 152–155 and 158 of this Act are conducted by the Consumer Protection and Technical Regulatory Authority within the limits of its competence.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
(3) Extra-judicial proceedings concerning the misdemeanours provided in §§ 156 and 157 of this Act are conducted by the Estonian Internal Security Service within the limits of its competence.
[RT I, 04.07.2024, 3 – entry into force 14.07.2024]
§ 17. [Omitted from this text.]
§ 18. Entry into force of Act
This Act enters into force on 1 May 2004.