Podcast & blog: With the data tracker, visibility prevents misuse
Written by Federico Plantera
The topic of data protection spans the entire spectrum of the internet, from when users surf the web to when they benefit from efficient online services as citizens.
Cookie banners, privacy policies, GDPR compliance notices: all this and more. And yet, for how practical the concept and its implications are, it still remains quite abstract for many. The rules do exist, across the globe in fact, but what actually happens to your data most often stays invisible.
Estonia has taken a different approach. Through the Data Tracker, every Estonian citizen can log in and clearly see who has accessed their personal data in government registers, when it was accessed, and for what purpose.
In this episode of the Digital Government Podcast, we speak with Maarja Kirss, Head of Cooperation at the Estonian Data Protection Inspectorate (DPI), about what happens when transparency becomes a working system for the government.
Complaints, but mostly just questions
Since GDPR came into force in 2018, the Inspectorate has seen complaints and questions triple. But Kirss emphasises a distinction: questions now outnumber complaints.
“The number of complaints that we are receiving is actually smaller than the number of questions. People just want to know, ‘Is it allowed to do like that?’,” she explains. “The Inspectorate receives over 3,000 inquiries per year. When compared with other European data protection authorities, the per capita rate is higher,” according to its own calculations based on EU data.
This evolution didn’t happen by accident. Three years ago, the Inspectorate received extra funding that enabled it to focus on outreach and public understanding. “We finally received some extra funding, and we were able to start with special departments whose main responsibility was awareness raising. And doing trainings and communication, not only for the data controllers and processors, but also for the data subjects, for everybody,” Kirss recalls. “Now we have some resources to be strategic and to see the big picture.”
Experience with an incident
A major turning point, however, was in December 2024: Estonia experienced its largest ever data breach, when hackers exploited a vulnerability in pharmacy software to steal personal data of approximately 750,000 people, more than half the country’s population. The breach exposed names, addresses, personal identification codes, phone numbers connected with the customer card, and medical device purchases.
The incident triggered an immediate government response. Estonia’s State Information System Authority identified the vulnerability and collaborated with the affected pharmacy chain to patch the systems, while the Data Protection Inspectorate provided guidance on protective measures that citizens could take to mitigate the risk. The pharmacy chain, as the data processor, moved quickly to inform affected individuals and explain what data was compromised, rather than attempting to minimise or conceal the breach’s scope.
“The main idea is that if something is leaked, you don’t know what happens next. But dealing with this kind of situation also raised awareness and the level of alert. Because people started reasoning further over what happened.”
The gap between rights and practice
A privacy policy is more than a formal requirement or a legal safeguard for organisations. It is the primary place where individuals can understand what data is collected about them, why it is needed, how it is used, with whom it is shared, and how long it is retained. In short, it explains the life cycle of personal data. Access to this information gives people a degree of control over their digital lives and, by extension, over their privacy.
The impact of data protection is not limited to moments when something goes wrong, such as a data breach or cybercrime. The everyday use of the internet, including downloading apps, browsing websites, and submitting requests for services, constantly involves the collection of personal data. These routine interactions shape people’s daily experience online, often in ways they are barely aware of.
Regulatory frameworks like the GDPR have significantly strengthened individuals’ formal rights. However, rights that exist on paper do not automatically translate into meaningful protection in practice. One persistent challenge, as Kirss points out, is that privacy policies are frequently written in a way that ordinary users cannot realistically read or understand.
“GDPR says that privacy policy should be easy, readable, and accessible,” she points out. “Sometimes, at events or public sessions, I ask a question: ‘please raise your hand if you have read the privacy policy of the very last app you used.’ And usually no one raises their hand.”
She recounts a telling example. One of her teenage children wanted to download a new app. “I said you are allowed to download it only if you read the privacy policy before. After reading the first few lines, he closed the policy and decided, ‘Never mind, I don’t need this app.’ Not because the data processing was invasive, but because it was objectively difficult to read the privacy policy.”
How it works: visibility as prevention
This is where the Data Tracker enters as a practical mechanism, at least for public services. Rather than requiring citizens to parse legal documents, it creates visibility through logged access records that can be checked in the eesti.ee app or portal. It is important to note, however, that the Data Tracker covers only government-held information; users cannot see whether a private company, such as Meta or Google, has accessed their data.
Every access by a government database or register is recorded and can be reviewed by the citizen, but the tool does not track how private businesses use your information, unless they are explicitly participating in the provision of that given public service.
The system works on two levels. First, it gives citizens control of their data shared with the government. If someone notices unusual access, they can investigate and, if needed, file a complaint with the Inspectorate.
Second, it disciplines institutions proactively. “It’s not only a factual but also a preventive mechanism, before violations could occur,” says Kirss. When officials know that any access to personal data will be recorded and can be checked by citizens, casual misuse becomes harder.
The classic example involves curiosity-driven access: a doctor views the medical records of, say, a neighbour who isn’t their patient. The Data Tracker makes such actions visible. When violations occur, penalties are modest, typically up to €100. The amount itself isn’t the deterrent; what matters is the awareness that actions are logged and carry consequences.
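To make the two levels concrete, here is a small added model of such an access log (example code, not the Data Tracker’s own implementation, whose internals the article does not describe): every lookup is recorded with accessor, time and purpose, the citizen can list the lookups on their own record, and lookups by an accessor with no registered relationship to the citizen, such as the curious doctor above, are flagged for follow-up. Register names, accessor identifiers and the relationship table are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRecord:
    """One logged lookup of a citizen's record in a government register."""
    subject_id: str   # identification code of the person whose data was read
    register: str     # register that was queried (constructed names below)
    accessor: str     # official or institution that performed the lookup
    purpose: str      # purpose the accessor declared for the lookup
    at: datetime


class DataTracker:
    """Append-only access log with a citizen-facing view and a misuse check."""

    def __init__(self) -> None:
        self._log: list[AccessRecord] = []
        # (accessor, subject_id) pairs with an active, legitimate relationship,
        # e.g. a treating doctor and their patient. Hypothetical model.
        self._relationships: set[tuple[str, str]] = set()

    def register_relationship(self, accessor: str, subject_id: str) -> None:
        self._relationships.add((accessor, subject_id))

    def record_access(self, rec: AccessRecord) -> None:
        self._log.append(rec)  # every lookup is recorded, legitimate or not

    def accesses_for(self, subject_id: str) -> list[AccessRecord]:
        """What the citizen sees: who looked, when, and for what purpose."""
        return sorted((r for r in self._log if r.subject_id == subject_id), key=lambda r: r.at)

    def unusual_accesses(self, subject_id: str) -> list[AccessRecord]:
        """Lookups by accessors with no registered relationship to the citizen."""
        return [r for r in self.accesses_for(subject_id)
                if (r.accessor, r.subject_id) not in self._relationships]


def build_sample_tracker() -> DataTracker:
    """Constructed sample: a treating doctor and a curious neighbour both read a patient's record."""
    t = DataTracker()
    t.register_relationship("dr-treating", "citizen-1")
    t.record_access(AccessRecord("citizen-1", "health-register", "dr-treating", "treatment", datetime(2025, 1, 10, 9, 0)))
    t.record_access(AccessRecord("citizen-1", "health-register", "dr-neighbour", "treatment", datetime(2025, 1, 11, 18, 30)))
    t.record_access(AccessRecord("citizen-2", "population-register", "clerk-7", "address check", datetime(2025, 1, 12, 10, 0)))
    return t
```

The flagged entry is the starting point for the citizen's question to the Inspectorate; the log itself decides nothing about whether the access was lawful.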
Trust, and what citizens can do
Kirss offers straightforward advice for citizens who are submitting customer applications: “I think the most important thing to remember is not to be afraid and ask questions. Just ask, ‘why do you need my data?’ Sometimes service providers ask for data that is not even necessary for the service provision.”
Her second, more general piece of advice: “Don’t automatically click accept all when faced with cookie banners. You can actually choose,” says Kirss. See how many vendors want access to your browsing patterns. “Taking that moment before you act, asking questions, thinking through the different paths, this is the most important thing.”
For Kirss, the lesson Estonia offers centres on trust as an earned and fragile asset that requires systematic, strategic effort to build and maintain. “Looking at the big picture from the state’s point of view means that everything related to data protection has to be strategic and systematic, because this is how we gain trust from society. And this is one of the most important things,” she explains. In practice, it means embedding transparency and accountability into the entire architecture of digital government.
For government services, especially, the boundaries are clear and non-negotiable. “When we are speaking about what the data processing authorities do, it has to be done just the way the law says. And you are not allowed to do something more or else, because doing this, you are breaking that trust.” Once trust is broken, citizens simply stop using those digital services, regardless of the technical sophistication involved. Trust, rather than being a byproduct of good technology, is the foundation that makes digital government viable at all.
The Data Tracker embodies this approach by making data processing visible and accountable. Citizens get a tool for oversight. Institutions get signals that their actions are logged and can be questioned. It’s that kind of clarity that builds legitimacy, rather than making digital government a leap of faith. With it, efficiency and rights protection can coexist in a sustainable manner.
Interested in more?
Listen to all Digital Government Podcast episodes >>> https://ega.ee/digital-government-podcast/