e-Governance in Estonia: Balancing Citizen Data Privacy, Security and e-Service Accessibility

Data Privacy

By Eric Blake Jackson

How can governments provide effective e-services to the public, while also protecting the privacy of citizens and securing their data from inside and outsider threats? What can we learn from Estonia? a small country with big ideas on digital governance and innovation leadership. 

In the age of COVID-19 and the limited nature of face-to-face contact, digitalization of public services has never been more important for the public sector at all levels. As governments seek greater efficiency and innovative solutions for citizens, they are increasingly embracing online services, or e-services, such as tax declarations, voting, land registration, vaccine passports, medical insurance, permits, prescription databases and hundreds more. 

However, digital transformation in the public sector is a challenging and resource-intensive process. Citizens expect their government to provide high-quality services while simultaneously protecting their privacy and personal information. This is even more difficult due to the current global cybersecurity environment. Powerful state-sanctioned hackers routinely breach government information systems and access constituent data. So, the problem becomes: how does a government provide quality, comprehensive e-services on the one hand, while on the other hand, ensure citizen data is protected and not misused for illicit purposes? 

The answer may lie in the small Baltic nation of Estonia. Over the past two decades Estonia’s leadership has implemented an innovative architecture that combines secure digital identity, public key infrastructure (PKI), and interoperable data exchange to form an accountable and accessible e-service environment. 

According to the 2020 U.N. e-Government Development Index[1], Estonia ranks first in the world in e-government development and third in the U.N.’s e-Participation Index.

One of the main reasons for this position is Estonia’s implementation of two intertwined cornerstones of secure digital government: e-identification (eID) and national public key infrastructure (PKI).

While rankings alone don’t tell the whole story, it’s fair to say Estonia is recognized as a global leader in the e-government domain. One of the main reasons for this position is Estonia’s implementation of two intertwined cornerstones of secure digital government: e-identification (eID) and national public key infrastructure (PKI). In order for citizens to access public e-services, individuals must be able to authenticate their identity and digitally verify their intent to receive services. Without such identification, it’s impossible for public service provision, or any form of secure government-to-citizen interaction to occur digitally. Thus, in Estonia, it’s mandatory for Estonian citizens to have a physical eID card who are above the age of 15[2].

Let’s start from the beginning. The first thing an Estonian receives when they are born is an immutable, eleven-digit National Identification Code (NIC). The NIC serves as a primary identifier electronically and physically. Along with it, each citizen above the age of 15 gets a physical eID card embedded with a microchip containing 384-bit ECC public key encryption[3].

Think of the NIC as a general identifier that everyone knows, but on the other hand, a citizen or resident also holds private keys that are secret and verify an individual’s intent to receive an e-service or legally sign documentation through digital signature. The private keys are also protected by two secret pin codes: Pin 1 and Pin 2 which act as verifiers. Pin code 1 is used for signing into services, pin code two is used to commit any transactions or sign digitally, meaning even if an unauthorized individual knows a person’s NIC, he or she would also have to have both pin codes to do any damage. In contrast to the United States, only one social security number is used as not only an identifier but also a verifier, and thus lacks two-factor security. Consequently, a social security number is an extremely insecure identifying mechanism compared to the Estonian model.

Moreover, the Estonian government has multiple avenues for citizens to electronically identify themselves securely in different contexts: mobile phone (mobileID), online (digiID), and for residents of Estonia, smartID is used. The result is an extremely robust digital identity ecosystem that allows for flexibility for e-identity authentication and also the ability to provide legally binding digital signatures, which are equivalent to hand-written ones based on the EU’s electronic IDentification, Authentication and trust Services regulation (e-IDAS)[4]

It can’t be overstated how important eID is to Estonian e-service provision. Take for example tax declaration. In Estonia an individual can use mobileID to login into a state-sponsored tax declaration portal application through Pin 1 and can digitally sign his or her income statement as legitimate using Pin 2. As a result, the tax declaration process can take less than two minutes online assuming the income statement is accurate. 

In Estonia an individual can use mobileID to login into a state-sponsored tax declaration portal application through Pin 1 and can digitally sign his or her income statement as legitimate using Pin 2.

From an organizational perspective, the Estonian Police and Border Guard is in charge of securing and distributing the physical eID cards, while the State Information Authority develops eID strategy and handles procurement. Although Estonian public sector entities are the primary stakeholders, Estonia’s eID framework is built on trust between government and citizens. For instance, based on the amended 2018 Personal Data Protection Act any official who processes a citizen’s data must inform the citizen of the purpose while also providing the person their name and contact information, unless for the purpose of criminal investigation[5]. Subsequently, this legislation provides an important legal safeguard complementing Estonia’s e-service provision. 

Another way Estonian legislation creates an efficient environment for e-service uptake is the legally mandated “once only principle”. The concept is simple: an individual should only be asked once and only once by the state to provide personal information. This ensures maximum efficiency for citizens, as they don’t have to repeatedly give the same information to different government agencies, and the public sector doesn’t have to retain duplicate records.

The third component for providing effective e-services while also ensuring the privacy and data of citizens is secure interoperable data exchange. The frictionless exchange of data is a primary catalyst for providing digital services. Without it, it is difficult to provide integrated e-services as interoperable data flows enable the seamless delivery of different public services. In the Estonian public and private sector, this occurs via the X-Road platform[6]. Developed in 2001, the X-Road is an open-source solution that has enabled over 600+ Estonian public/private sector entities to exchange data amongst one another over encrypted public internet. 

Each Estonian ministry in the X-Road ecosystem can choose what type of information system they want to use for database implementation.

A key tenet of X-Road is decentralization. Each Estonian ministry in the X-Road ecosystem can choose what type of information system they want to use for database implementation. As there is no one “super” database ministries are connected to, single points of failure are mitigated. This is a crucial architecture, as e-services should be consistently available 99 percent of the time. From a security perspective, public/private sector entities install a security server which facilitates connections, encrypts data payloads, and decrypts data payloads.

To further ensure the integrity of data and transaction processes in the Estonian X-Road, time-stamping and real-time auditing is conducted by an extremely lightweight blockchain, called Keyless Signature Infrastructure (KSI). This provides an important cyber forensic mechanism which logs X-Road event data in an unchangeable way. However, X-Road should not be misconstrued as blockchain technology whatsoever as it uses REST API protocols to exchange data. In sum, citizens or residents who use an eID or some of the associated alternatives can conduct any government service except buying or selling real estate and getting married or divorced.

While eID, national PKI and the X-Road have been operational in Estonia since nearly 2002, new technologies and architectures have been proposed for integration into the Estonian e-government ecosystem. One of these technologies is artificial intelligence (AI). Estonia has put AI at the forefront of public service provision through its national AI strategy, which envisions a network of interconnected virtual assistants, chatbots, and virtual agents who will provide an interface for citizens to access public services as well as decision support systems in instances where legal and ethical barriers do not prevent it. In addition to a generalized vision, AI was implemented in over 41 specific uses-cases[7] by the Estonian government in 2020, with more planned in the future.

Forward-thinking leadership has also been exhibited by Estonian Chief Technology Officer, Kristo Vaher. As outlined in his 2019 publication, Next Generation Digital Government architecture[8], the ubiquity of virtual assistants like Alexa and Siri provides an innovative channel for accessing e-services. For example, Estonia envisions a new service paradigm where a citizen would be notified their passport is about to expire through Alexa. Through simple voice commands, a citizen would tell Alexa to renew it for them, trigging automated backend administrative processes necessary for passport renewal.

Although this article outlines the core components which make Estonian e-service provision successful, this is not to say everything is perfect. Like in many countries, COVID-19 has exposed shortcomings in Estonia’s digital infrastructure, primarily in the healthcare sector. However, citizens have been able to access digital services throughout the pandemic unabated, and for countries looking to develop their public sector digital maturity, Estonia provides concrete solutions and principles that should be considered. 

About the Author

Eric Blake JacksonEric Blake Jackson is an early-stage PhD candidate at TalTech University for Next Generation Digital State research group in interoperability governance and public sector digital transformation. Previously, he served as an intern at the E-Governance Academy in Tallinn, Estonia and was a 2015 Fulbright Fellow. He holds an MSc in Engineering from TalTech University and a B.A. in Political Science from Nebraska Wesleyan University.


The views expressed in this article are those of the authors and do not necessarily reflect the views or policies of The World Financial Review.