
Estonia’s Data Governance Lesson for Digital States

  • Writer: Ott Sarv
  • May 29
  • 17 min read
Layered digital government architecture showing Estonia, identity registers, data exchange, audit trails and legal controls.
Estonia’s patient-confidentiality and banking-secrecy cases show why legal authority must travel with every data flow.

Patient confidentiality, banking secrecy and the rule-of-law problem inside digital public infrastructure


Estonia is not a weak digital state. That is exactly why its data governance failures matter.

The United Nations E-Government Survey 2024 ranks Estonia second globally by the E-Government Development Index, behind Denmark. Estonia’s position is not built on a shallow public-service website layer. It reflects a mature digital state architecture in which identity, registries, authentication, signatures, service portals, and data exchange operate at a national scale.

In the Estonian context, digital identity does not primarily refer to an identity wallet. It means a unique personal identifier, civil registry records, strong authentication, qualified electronic signatures, and a public administration model in which much of the data exchange occurs through X-Road rather than through user-held wallets.

That is why the Estonian cases are globally important.

If a highly ranked digital state can expose document photographs, misconfigure its state portal, permit questionable access to banking secrecy, leave patient-confidentiality access routes insufficiently controlled, struggle with population-register governance and still export a confident digital-government model abroad, then the issue is no longer whether digital government can fail.

The sharper question is what happens when less mature digital states copy the infrastructure without copying the legal discipline.

The central argument is simple: law is the code.

This does not mean that software replaces law. It means that public systems must execute legal authority faithfully. If legal mandate, institutional responsibility, data minimisation, audit trails and remedy are not embedded into architecture, the platform will eventually do things the legal order never properly authorised.

This is the control logic behind the Seven Layer Model for Digital Public Infrastructure: lawful digital public infrastructure begins with legal authority and ends with enforceable oversight and remedy. Code may execute public authority. It cannot create it.


The Estonian cases are not one scandal

The cases below are not an exhaustive inventory. They are selected because each exposes a different governance failure mode.

Some cases concern state-side exposure and configuration failures. The RIA document photograph theft was a state data breach through legacy weakness: identity data with biometric and impersonation value was exposed, even though authentication and signing mechanisms were not compromised. The eesti.ee 2021 database exposure was a state portal visibility failure involving data on 336,733 people. The eesti.ee 2023 user-data display incident was a state portal configuration failure where around 300 logged-in users could see another person’s data for a short period.

Other cases concern official access to secrecy-protected data. The banking secrecy access case is best understood as an access-governance and legal-basis failure: authorities could make tens of thousands of bank-data queries before the rules, controls and external oversight were sufficiently mature. The TEHIK patient-confidentiality access case is one of the clearest reported access-governance examples in the health domain. The concern is not a classic breach or a proven pattern of mass misuse. The concern is that highly sensitive health data could be requested through a formal proceeding-based route, while the system holder reportedly did not assess the substantive necessity of the request.

This raises a fundamental question. When official systems enable access to data protected by patient confidentiality, where exactly is legal necessity checked? Where is proportionality assessed? Where is the person notified? Where is remedy made real?

A third group concerns canonical and institutional data governance. The Pere Sihtkapital and population-register case exposed the governance risk of using canonical civil-registry data for policy research or demographic targeting. It should be treated carefully as a disputed population-register processing case, not as a simple final finding of unlawful processing. The Viljandi Hospital case should also be mentioned cautiously. It belongs less as evidence of a confirmed violation and more as an example of how sensitive health-data processing can generate difficult institutional, consent and governance questions.

A fourth group concerns health and identity ecosystem risk beyond the state’s direct perimeter. The Asper Biogene incident raised serious health and genetic-data concerns. ERR reported a lawyer’s assessment that the incident involved 10,000 people and 42 healthcare actors, including hospitals and health-service providers. The Apotheka and Allium UPI breach was not a state breach, but it matters for the national identity-risk surface because it affected identifiers, contact data and purchase-related records in a health-adjacent ecosystem. The .ee email and password exposure shows that identity risk does not stop at official systems. Public-sector and critical-service-related accounts can become part of a wider credential-risk environment.

Calling every case a data leak weakens the analysis.

The deeper pattern is that data governance can fail through hacking, outdated design, bad configuration, excessive visibility, normal official access, weak legal basis, private-sector exposure and poor remedy design.

A digital state does not fail only when an attacker breaks in. It can also fail when an authorised user can see too much, when a system routes data without a clear mandate, when a portal displays another person’s information, or when a person cannot meaningfully find out who accessed their data and why.

Patient confidentiality and banking secrecy are the centre of the problem

The TEHIK patient-confidentiality case and the enforcement-register banking secrecy case should be read together.

They are not classic cybersecurity incidents. They are more constitutionally significant than a conventional intrusion, because they concern secrecy-protected data becoming reachable through official access channels.

In the banking secrecy case, the Chancellor of Justice found that authorities accessed banking secrecy through the enforcement register without a proper legal basis. The system enabled tens of thousands of bank-data queries while external control and substantive justification checks were not sufficiently mature.

In the TEHIK case, the concern is structurally similar. Postimees reported a route through which investigative bodies could request highly sensitive health data from TEHIK through a proceeding-based request, while TEHIK stated that it does not have competence to assess whether processing is substantively necessary. The article also reported that such requests do not appear in Personal Data Tracker and that the person is not otherwise notified. At the same time, the police and prosecutor’s office stated that they use health data only with the person’s consent. That distinction matters: the case should be treated as a structural access-governance risk, not as a proven finding of mass misuse.

Banking secrecy and patient confidentiality are not ordinary privacy interests.

Banking secrecy protects the person’s financial life: income, transactions, relationships, habits, vulnerabilities and associations.

Patient confidentiality protects the person’s ability to seek care without fearing that health, injury, diagnosis, medication, genetic or treatment information will travel into another state function without strict legal control.

When these secrecy regimes are reached through official systems, the question is not only whether an official had a username and password. The question is whether the system enforced legal necessity before the data moved.

  • Who checked the legal basis?

  • Who checked the connection to a concrete proceeding?

  • Who checked proportionality?

  • Who notified the person, unless a lawful restriction applied?

  • Who could later prove that the access was justified?

  • Who could correct, reverse or remedy misuse?

If these questions are answered only after the fact, the digital state has a governance gap. If they cannot be answered at all, the digital state has converted secrecy-protected information into ordinary retrievable data.

That is a rule-of-law problem, not only a data protection problem.

The export problem: technology-first advice travels badly

There is also a harder question Estonia should face.

Estonia does not only operate a digital state at home. Estonia also exports digital-government expertise, methods, platforms and confidence. The e-Governance Academy describes work across 147 countries and presents digital transformation as a way to build successful digital societies. That international reach creates responsibility.

When the Estonian digital-government story is presented abroad as a practical, technology-first alternative to heavier legal architecture, the lesson can become dangerously incomplete. The message often sounds attractive: start with infrastructure, keep the design simple, avoid copying the European approach too literally, build fast, connect registers, launch services and improve later.

There is value in simplicity. No country should copy another legal system mechanically. African states should not be told to reproduce European institutional complexity just to digitise public services.

But that is not the same as saying legal safeguards can wait.

African governments and African citizens are not asking for weaker confidentiality. They are not asking for patient records, bank data, civil registry records or identity data to become easier for officials to retrieve simply because a platform is easy to deploy. They want digital public services that work. They also want health data to remain confidential, financial data to remain protected, civil registration data to remain controlled and remedies to be real when state systems overreach.

That is the point Estonia’s own cases now make difficult to ignore.

If Estonia can face unresolved questions around banking secrecy and patient confidentiality despite mature institutions, then a technology-first export model becomes risky in countries where courts, regulators, audit bodies, procurement controls and administrative records may be less mature.

  • A simple system is not automatically a safer system.

  • A fast data exchange layer is not automatically a lawful data exchange layer.

  • A national identifier is not automatically a governed identity system.

  • A service portal is not automatically an accountability mechanism.

  • A log is not automatically a remedy.

The critical issue is this: when Estonia recommends simplicity abroad, it must not export only the rails. It must export the legal discipline that should sit inside the rails.

Otherwise, the receiving country may inherit the most powerful part of the model without the part that makes it legitimate.

That would be a poor bargain for any country. It would be especially dangerous for states building digital public infrastructure under donor pressure, vendor pressure, political pressure or rapid-delivery pressure.

African nations do not need a lighter version of rights. They need governance that fits their legal systems, their institutions, their social risks and their constitutional choices. That means confidentiality, access control, auditability, purpose limitation, independent oversight and remedy must be designed from the beginning, not promised for a later phase.

The lesson is not copy Europe.

The lesson is also not copy Estonia.

The lesson is build the law into the architecture before the architecture starts moving people’s data.

Estonia’s strength makes the warning sharper

Estonia is widely recognised because it built many of the things other countries still want: reliable identity, digital signatures, online public services, data exchange and a strong public narrative of trust.

The UN report describes Estonia as having a robust digital government infrastructure and a comprehensive digital identity system enabling online access to public services. That is why these incidents should not be dismissed as local embarrassment.

A less mature digital state may have fragmented registries, manual workarounds and weak interoperability. Those problems are serious, but they also limit scale. A mature digital state reduces friction. That is beneficial when the rules are lawful, narrow and enforceable. It is dangerous when access rights, data flows or legal bases are wrong.

Digital maturity increases the blast radius of poor governance.

A wrongly configured portal can expose more people. A broad official access route can be used thousands of times. A health or pharmacy breach can be combined with civil-registry and contact data. A weak audit model can leave people unable to reconstruct what happened. A legal ambiguity can become executable at national scale.

The issue is not that Estonia should stop digitising. The issue is that every digital state must recognise a hard truth: once public authority becomes executable, governance failures also become executable.

Law is the code

The phrase law before code captures the same discipline from another angle.

Public digital infrastructure begins in law, not software. Code may execute public authority, but it cannot create that authority.

Law is the code means that a public system should be able to prove the legal basis, mandate, purpose, data necessity, decision attribution, audit trail and remedy for each sensitive data event.

That proof cannot sit in a policy document. It must be embedded into how the system operates.

Patient confidentiality and banking secrecy make this concrete. A system should not treat a patient record or bank statement as just another dataset once it sits behind an official interface. The confidentiality or secrecy obligation must travel with the record. It must shape who can request it, what proof is required, what fields can be disclosed, whether a judge or other independent authority must approve access, how the person is notified and what remedy exists if the access was wrong.

Each access route should be traceable to a specific legal basis or public mandate. Each accountable institution should be named, competent and compellable. Each access request should be bound to a defined proceeding, service event, task or statutory duty. Each data release should be limited at field level, not granted as broad dataset access by default.

Each user role should be contextual, time-bound and tied to the purpose of access.

Each audit trail should reconstruct who accessed what, why, when and under which authority. Each person should have meaningful transparency where the lawful context allows it. Each remedy should allow a person to challenge, correct, reverse and escalate the consequences of misuse.

This is why data exchange governance cannot be reduced to plumbing. As argued in Data Exchange Governance: Plumbing Does Not Grant Access, a data exchange layer connects institutions, but it does not transfer ownership of sector data or create entitlement to receive it.

That principle fits Estonia particularly well.

X-Road-style exchange is not the problem. The problem appears when data exchange capability is confused with entitlement to access.
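The checks described above (a legal basis drawn from a purpose catalogue, binding to a concrete proceeding, independent approval where the category demands it, a time-bound role, field-level limitation and a notification decision) can be expressed as a gate that runs before any record leaves the system. The following Python is an added illustration written for this article, not code from any Estonian system or from the Seven Layer Model; the purpose catalogue, role names, field names and sample record are all constructed assumptions. It also shows the point that a platform connection alone grants nothing: a requester who is on the platform but whose legal basis is not in the catalogue receives no data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed purpose catalogue (assumed values, not taken from any real
# system). Each legal basis names the roles that may invoke it, the fields
# it permits, whether a concrete proceeding must be bound to the request,
# whether an independent approval (for example a court order) must be
# presented, and whether the person is notified of the access.
PURPOSE_CATALOGUE = {
    "CRIMINAL_PROCEEDING_HEALTH": {
        "roles": {"investigator"},
        "fields": {"diagnosis_codes", "treatment_dates"},
        "requires_proceeding": True,
        "requires_independent_approval": True,
        "notify_person": True,
    },
    "CARE_DELIVERY": {
        "roles": {"treating_physician"},
        "fields": {"diagnosis_codes", "treatment_dates", "medications", "genetic_markers"},
        "requires_proceeding": False,
        "requires_independent_approval": False,
        "notify_person": False,  # surfaced through the person's access history instead
    },
}

# Constructed sample record for one data subject.
SAMPLE_RECORD = {
    "diagnosis_codes": ["J45"],
    "treatment_dates": ["2025-03-02"],
    "medications": ["salbutamol"],
    "genetic_markers": ["constructed-marker"],
}

NOW = datetime(2025, 5, 29, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class AccessRequest:
    requester_id: str
    role: str
    role_valid_until: datetime          # role assignments are time-bound
    subject_id: str
    legal_basis: str
    requested_fields: frozenset
    proceeding_id: Optional[str] = None  # concrete proceeding the request is bound to
    approval_ref: Optional[str] = None   # reference to the independent approval


@dataclass(frozen=True)
class Decision:
    allowed: bool
    disclosed_fields: frozenset
    refused_fields: frozenset
    notify_person: bool
    reasons: tuple


def evaluate(request: AccessRequest, now: datetime) -> Decision:
    """Run the legal-necessity checks before any data moves."""
    reasons = []
    basis = PURPOSE_CATALOGUE.get(request.legal_basis)
    if basis is None:
        reasons.append("legal basis not in purpose catalogue")
        return Decision(False, frozenset(), request.requested_fields, False, tuple(reasons))
    if request.role not in basis["roles"]:
        reasons.append(f"role {request.role!r} may not invoke {request.legal_basis}")
    if now > request.role_valid_until:
        reasons.append("role assignment expired")
    if basis["requires_proceeding"] and not request.proceeding_id:
        reasons.append("no concrete proceeding bound to the request")
    if basis["requires_independent_approval"] and not request.approval_ref:
        reasons.append("independent approval missing")
    if reasons:
        return Decision(False, frozenset(), request.requested_fields, False, tuple(reasons))
    # Field-level limitation: only fields inside the legal basis are released,
    # and the withheld ones are recorded so the refusal is auditable.
    disclosed = request.requested_fields & frozenset(basis["fields"])
    refused = request.requested_fields - disclosed
    if refused:
        reasons.append("fields outside the legal basis withheld: " + ", ".join(sorted(refused)))
    return Decision(bool(disclosed), disclosed, refused, basis["notify_person"], tuple(reasons))


def release(record: dict, decision: Decision) -> dict:
    """Only the decided fields leave the system."""
    return {f: record[f] for f in decision.disclosed_fields if f in record}


def demo() -> dict:
    """Constructed scenarios exercising each check."""
    valid = NOW + timedelta(days=30)
    wanted = frozenset({"diagnosis_codes", "genetic_markers"})
    return {
        "care": evaluate(AccessRequest("dr-017", "treating_physician", valid, "p-001",
                                       "CARE_DELIVERY", frozenset({"diagnosis_codes", "medications"})), NOW),
        "inv_ok": evaluate(AccessRequest("inv-42", "investigator", valid, "p-001",
                                         "CRIMINAL_PROCEEDING_HEALTH", wanted,
                                         proceeding_id="PROC-2025-0001", approval_ref="COURT-ORDER-77"), NOW),
        "inv_no_approval": evaluate(AccessRequest("inv-42", "investigator", valid, "p-001",
                                                  "CRIMINAL_PROCEEDING_HEALTH", wanted,
                                                  proceeding_id="PROC-2025-0001"), NOW),
        "expired": evaluate(AccessRequest("dr-017", "treating_physician", NOW - timedelta(days=1), "p-001",
                                          "CARE_DELIVERY", frozenset({"diagnosis_codes"})), NOW),
        "on_platform_no_basis": evaluate(AccessRequest("clerk-9", "clerk", valid, "p-001",
                                                       "STATISTICS", frozenset({"diagnosis_codes"})), NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision.allowed, sorted(decision.disclosed_fields), decision.reasons)
```

The investigator scenario is the instructive one: the proceeding and the approval are present, so access is allowed, but the genetic markers requested alongside the diagnosis codes fall outside the legal basis and are withheld rather than released as part of a broad dataset, and the decision carries the notification flag for the person. The same request without an approval reference is refused before any field is read.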

The Seven Layers reading of the Estonian cases

The Estonian incidents can be read through the Seven Layers model more usefully than through a single breach narrative.

The legal authority layer is visible in the banking secrecy, patient confidentiality and population-register cases. They show the risk of broad, immature or insufficiently operationalised legal bases. The required control is specific legal authority for each access category, with scope, purpose and reviewability.

The institutional mandate layer is visible where responsibility becomes dispersed across ministries, agencies, processors, vendors, sector bodies and investigative authorities. The required control is a named controller, custodian, operator and supervisory authority for each data flow.

The canonical records layer is visible where civil registry records, identifiers, role records, health records and financial records become authoritative inputs into public action. These are not ordinary datasets. They are authoritative or secrecy-protected records that shape a person’s legal, social, financial and bodily life. The required control is stewardship, correction at source, provenance and downstream correction propagation.

The service logic layer is visible in old portals and access functions that encode outdated assumptions or excessive visibility. The required control is versioned rules, change control, data minimisation and pre-deployment review.

The execution environment layer is visible in session isolation, cache behaviour, configuration changes and request-handling routes. Authentication may work, while the system still displays the wrong data or processes a sensitive request without enforcing the right legal threshold. The required control is secure configuration management, necessity validation, testing, monitoring and rollback capacity.

The public interface layer is visible where a citizen portal shows data without giving the person meaningful control or explanation, or where access to secrecy-protected data leaves no meaningful notice to the person. The required control is clear receipts, access-history views, user-facing explanations and challenge routes where lawful restrictions do not apply.

The oversight and remedy layer is visible in the limits of logging after harm. A log is not enough if the person cannot obtain correction, reversal, compensation or meaningful institutional response. The required control is independent oversight, enforceable audit access, complaint handling, reversal propagation and supervisory orders that can force architectural correction.

This layer-by-layer reading helps avoid two mistakes.

The first mistake is treating every incident as a cybersecurity issue. The second is treating every incident as a data protection issue only.

In public digital infrastructure, data governance is a legal, institutional, technical and remedial discipline at the same time.

What less mature digital states should learn

The wrong lesson is that countries should avoid digital government. The right lesson is that countries should not digitise public authority faster than they can govern it.

A country that introduces a unique identifier must also regulate identifier use, disclosure and linkage. A country that creates a civil registry must define stewardship, correction and evidentiary status. A country that builds strong authentication must remember that authentication proves who is acting, not whether the act is lawful. A country that deploys a data exchange layer must prevent platform membership from becoming an access right. A country that introduces digital signatures must still define the legal effect, mandate and contestability of each transaction.

A country that digitises patient confidentiality or banking secrecy must ensure that those protections do not disappear merely because the information has entered a central platform or data exchange environment.

For lower-capacity environments, the risk is even sharper. If Estonia can face these issues with mature institutions and strong digital capability, then a country with weaker supervision, weaker procurement, weaker cybersecurity, weaker courts or weaker administrative records may face the same problems with fewer safeguards and less public visibility.

Digital government failure in such environments may not appear as one dramatic breach. It may appear as routine surveillance, invisible exclusion, wrongful benefit denial, unauthorised profiling, informal official access, data resale, coercive identity checks, vendor lock-in or unappealable automated decisions.

The governance question is therefore not whether the platform works. The governance question is whether the system can prove that it was allowed to work in that way.

What regulation must do in practice

A credible digital state needs more than a data protection statute. It needs enforceable governance across the full lifecycle of public digital infrastructure.

The European data protection framework is built around lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability. The hard part is not repeating those principles. The hard part is converting them into access logic, field-level controls, audit trails, procurement clauses, supervisory powers and remedies.

Cybersecurity rules matter as well. The NIS2 framework raises the European level of cybersecurity ambition through wider sectoral scope, risk-management duties, reporting requirements, supervision and enforcement.

Public digital infrastructure needs one further insight: lawful access is also a security issue. A system that blocks attackers but allows excessive official access is still unsafe for public power.

Electronic identification and trust-services rules matter too. The European electronic identification and trust-services framework supports digital identity, authentication, qualified trust services and cross-border recognition. Yet authentication and signatures do not by themselves prove purpose legality. A person may be strongly authenticated and a transaction may be strongly signed, while the underlying data access still lacks lawful purpose, necessity or remedy.

Data-sharing rules also need institutional discipline. The Data Governance Act is relevant because it treats data governance as a structured condition for trustworthy data sharing. The Data Act is relevant because it recognises public-sector access to private-sector data only for specific public-interest purposes, such as responding to a public emergency.

These instruments do not solve the problem by citation. They matter only when they are converted into operational controls.

In practical terms, personal data protection must become access logic, impact assessment, accountability and remedy. Public-sector access law must define which authority may access which data, for which task, under which procedure and with which evidence. Patient-confidentiality law must ensure that health data does not become easier to access merely because it is stored in a central health information system. Banking-secrecy law must ensure that financial data does not become ordinary administrative data merely because it is technically retrievable through a public register or data exchange channel.

Registry law must define authoritative record status, correction rights, custodianship, retention and propagation of corrections. Sectoral secrecy law must add stricter rules for health, genetic, financial, biometric, child and population-register data. Cybersecurity law must cover risk management, incident reporting, supply-chain control, secure configuration and supervision.

Digital identity and trust-services law must cover assurance, authentication, signatures, seals, certificates, revocation, liability and cross-border recognition. Data exchange governance must include data-sharing registers, access agreements, field-level authorisation, purpose catalogues and change control. Procurement law must make security, auditability, portability, incident duties and vendor accountability enforceable. Transparency and audit law must require tamper-evident logs, citizen-facing access histories where appropriate and regulator-readable evidence. Remedy law must support correction, reversal, compensation, appeal, independent review and supervisory orders that can force architectural change.

SafeDPI points in the same direction

The Universal DPI Safeguards Initiative is relevant because it treats digital public infrastructure as a lifecycle governance problem.

It focuses on systems provided by, or on behalf of, government or through public-private partnerships at societal scale and in the public interest. Its principles are directly relevant to the Estonian lessons: do no harm, transparency and accountability, rule of law, effective remedy and redress, data privacy by design, data security by design, data protection during use and inclusive governance.

Its process catalogue is even more practical. It refers to enforceable frameworks, transparent documentation of data-sharing arrangements, data protection impact assessments, use-case registration, purpose limitation, strict data minimisation, cybersecurity frameworks, third-party audits, auditable data trails for dispute resolution and independent remedies.

That is the right vocabulary. It also shows why a digital government cannot rely on trust narratives alone.

Trust must be engineered as evidence, supervision and remedy.

The practical test every digital state should pass

Every sensitive public-sector data flow should pass one test:

Can the state prove that the right actor accessed the right data, about the right person, for the right purpose, under the right legal authority, at the right time, with the right audit trail and the right remedy?

For secrecy-protected data, the test must be even stricter.

Can the state prove that patient confidentiality or banking secrecy was not bypassed merely because a technical access path existed?

If the answer is no, the country does not yet have data governance.

It has data movement.

Data movement can make government faster. Data governance makes government legitimate.
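The practical test above, the audit-trail requirement stated earlier (reconstruct who accessed what, why, when and under which authority) and the call for tamper-evident logs with citizen-facing access histories can be illustrated with a hash-chained audit trail. The Python below is an added example for this article, not code from any Estonian system or from the Seven Layer Model; the event fields, actor identifiers and the sample events are constructed assumptions. It shows three things a supervisor or the person would need: that the trail has not been altered after the fact, which entries concern a given person, and which entries record an access with no legal basis at all.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so that the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of sensitive data events."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, *, actor: str, role: str, subject: str, fields: List[str],
               purpose: str, legal_basis: Optional[str], proceeding: Optional[str],
               at: str, notified: bool) -> str:
        # Every entry answers who, what, about whom, why, under which authority,
        # bound to which proceeding, when, and whether the person was told.
        event = {"actor": actor, "role": role, "subject": subject, "fields": sorted(fields),
                 "purpose": purpose, "legal_basis": legal_basis, "proceeding": proceeding,
                 "at": at, "notified": notified}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry_hash = _digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": entry_hash})
        return entry_hash

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["hash"]:
                return False, index
            prev = entry["hash"]
        return True, None

    def access_history(self, subject: str) -> List[dict]:
        """Citizen-facing view: every recorded access about one person."""
        return [e["event"] for e in self.entries if e["event"]["subject"] == subject]


def accesses_without_authority(trail: AuditTrail) -> List[dict]:
    """Entries that fail the practical test outright: no legal basis recorded."""
    return [e["event"] for e in trail.entries if not e["event"]["legal_basis"]]


def sample_trail() -> AuditTrail:
    """Constructed events (assumed identifiers, not real cases)."""
    trail = AuditTrail()
    trail.record(actor="dr-017", role="treating_physician", subject="p-001",
                 fields=["diagnosis_codes", "medications"], purpose="care delivery",
                 legal_basis="CARE_DELIVERY", proceeding=None,
                 at="2025-05-29T09:15:00Z", notified=False)
    trail.record(actor="inv-42", role="investigator", subject="p-001",
                 fields=["diagnosis_codes"], purpose="criminal proceeding",
                 legal_basis="CRIMINAL_PROCEEDING_HEALTH", proceeding="PROC-2025-0001",
                 at="2025-05-29T10:40:00Z", notified=True)
    # An access that was technically possible but carries no legal basis.
    trail.record(actor="clerk-9", role="clerk", subject="p-002",
                 fields=["treatment_dates"], purpose="unspecified",
                 legal_basis=None, proceeding=None,
                 at="2025-05-29T11:05:00Z", notified=False)
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", trail.verify())
    for event in trail.access_history("p-001"):
        print(event["at"], event["actor"], event["legal_basis"], event["fields"])
    print("without authority:", [e["actor"] for e in accesses_without_authority(trail)])
```

Editing any earlier entry (for example changing its stated purpose) breaks the digest of that entry and, because each later entry commits to its predecessor's hash, is detected at the first altered index. The log on its own still does not deliver remedy; it only makes the question "was this access allowed?" answerable with evidence, which is the precondition for oversight and correction.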

The real risk is digitised illegality

Data leaks are serious. The deeper risk, however, is not only leakage.

The deeper risk is digitised illegality: unlawful or excessive access becoming normal through ordinary interfaces.

This is more dangerous than a single breach because it can become routine. An official logs in. A query runs. A record appears. A decision follows.

The system looks normal, but the legal basis, necessity or remedy may be missing.

When that happens, the state does not merely mishandle data. It changes the relationship between person and authority.

People begin to assume that any official can see everything. They hesitate before using health services. They worry that financial, family, employment or genetic information may travel beyond its proper context. They lose confidence that public institutions know the limits of their own power.

That is when digital government stops being an efficiency project and becomes a rule-of-law problem.

Estonia should be treated as a governance lesson, not a scandal list

Estonia remains one of the world’s most important digital government cases. That is why its incidents should be studied seriously rather than used as cheap criticism.

The lesson for Estonia is to move from trusted infrastructure to enforceable infrastructure. The lesson for other countries is to build legal authority, institutional mandate, canonical records, service logic, execution evidence, public interface rights and remedy as one system from the beginning.

Patient confidentiality and banking secrecy show the point most clearly. If secrecy-protected data becomes retrievable through ordinary official channels without embedded necessity, proportionality, notice and remedy, then the digital state has confused access with authority.

This is also the responsibility that comes with exporting the Estonian model. Countries in Africa and elsewhere may want speed, simplicity and practical infrastructure. They may not want to copy Europe’s full institutional complexity. But they still want confidentiality. They still want lawful access. They still want patient records, bank data, civil registries and identity systems to be protected from informal retrieval, weak oversight and invisible state access.

A digital public infrastructure model that exports technology without enforceable legal authority exports risk.

Law is the code because public infrastructure should not merely process data. It should process authority.

If the law does not travel with the data, the architecture will eventually make decisions the legal order never approved.

Frequently asked questions

What is the data governance problem shown by the Estonian cases?

The problem is the recurring gap between legal authority, institutional responsibility, technical access, auditability and remedy.

The Estonian cases show that a digital state can have strong authentication and data exchange while still facing failures in access governance, legacy exposure, configuration control and enforceable oversight.

Why are patient confidentiality and banking secrecy central to the article?

They are central because they show the same failure pattern in two highly protected domains.

Patient confidentiality protects trust between the person and healthcare. Banking secrecy protects financial privacy and autonomy.

If either can be reached through official systems without sufficiently embedded legal necessity, proportionality, notice and remedy, the problem is not only data protection. It is rule-of-law architecture.

Were all these cases state data breaches?

No.

The RIA document photograph theft and eesti.ee incidents are state-side failures. The banking secrecy and TEHIK patient-confidentiality cases are best treated as access-governance and legal-basis failures. The Pere Sihtkapital case is a disputed population-register processing case. Asper Biogene and Apotheka are ecosystem incidents, not simple state breaches.

Why does Estonia’s high ranking matter?

It matters because Estonia is not a low-capacity digital state.

The UN E-Government Survey 2024 ranks Estonia second globally by EGDI value. If these governance problems arise in a mature digital state, less mature digital states should treat them as early warnings rather than exceptions.

What does law is the code mean?

It means that public digital systems must execute legal authority, not merely technical workflow.

Legal basis, mandate, purpose, data minimisation, attribution, audit trail and remedy must be built into the system.

Why is X-Road not the main problem?

X-Road-style data exchange is infrastructure. It routes requests and responses.

The governance issue is whether each data disclosure has lawful authority, a competent institution, necessity, field-level limitation, auditability and remedy.

What should African countries take from Estonia’s example?

They should take the discipline, not just the infrastructure.

The lesson is not to copy Europe mechanically or to copy Estonia mechanically. The lesson is to build legal authority, confidentiality, access control, auditability and remedy into the architecture before data starts moving at scale.

What is the main lesson for countries building digital public infrastructure?

Do not copy digital rails without copying governance discipline.

Identity, data exchange, portals, authentication and signatures increase state capacity. They also increase harm if legal authority and remedy are weak.

Meet the author of the Seven Layer Model for Digital Public Infrastructure

Ott Sarv


Senior advisor in Digital Identity and Digital Public Infrastructure. Ott Sarv helps institutions align lawful authority, institutional mandate, canonical records, and machine-readable rules with verifiable execution, enabling enforceable outcomes. Engagements combine policy, architecture, and delivery support.
