The European Parliament and the Council have adopted a number of legislative acts in various areas, in particular competition law, financial law and data protection, which oblige member states to fines and apply administrative measures in those areas. In Estonia, such violations have been penalised as criminal offences and most of them have been processed in misdemeanour proceedings. However, the maximum fines for misdemeanours amount to tens of thousands quite inadequate compared to tens of millions written into the European Union regulations and directives, which means that in Estonia the penalties for misdemeanours committed in the field of competition, financial services or data protection are no longer sufficient.
Estonian supervisory authorities have drawn attention to problems such as prosecuting legal persons, transferring evidence from state supervision proceedings to misdemeanour proceedings, etc. Ministry of Justice decided to draft a law that would allow the application of such fines in administrative proceedings[2] for Estonia to be able to fulfil its obligations under European Union law.
In administrative fine proceedings, the general principles of administrative procedure are followed, which will be supplemented by the specifications established in the Administrative Fines Act. Administrative fine proceedings may be initiated by an administrative authority either as an independent administrative procedure or also in the course of a state supervision procedure. An administrative fine can be challenged in an administrative court.[3]
Estonian law creates a new type of administrative sanction, which is an administrative fine. It applies in the case provided for by law for certain violations, and the amount of the fine may be relatively high, being comparable to the punishment prescribed for the offence or even higher. As a general rule, an administrative fine is prescribed to a legal person for an offence, unless a special law clearly provides that an administrative fine may also be imposed to a natural person. The reason is simple - in general, the infringements for which an administrative fine is imposed are those committed by legal persons in the course of their economic activities. In addition, the fines are too high for natural persons to have a punitive effect. However, there are several cases when it is also possible to impose an administrative fine on a natural person – for example a violation of the requirements for the processing of personal data by the controller or authorised processor.[4]
An administrative fine shall be imposed if the relevant preconditions are met. The infringer must be wrongfully liable for the infringement and the administrative fine must be proportionate to the infringement and the person's conduct. The decision to impose an administrative fine is a matter of discretion of the person conducting the proceedings, which means that even if all the preconditions for imposing a fine are met, the person conducting the proceedings may not impose a fine if they consider it impractical. To determin the amount of the fine, different aspects are considered – for example the gravity and duration of the infringement, the extent of the liability and the fault, as well as its financial situation, of the person who committed the infringement.. The decision on the administrative fine must be in writing and substantiated.[5]
The new administrative is likely to increase the volume of work in administrative courts, but it would also ease the work of judges, as cross-examination of evidence and litigation are easier if everything takes place as the same type of proceedings (administrative proceedings). Entrepreneurs' compliance with the law and their desire to avoid infringements is also likely to improve considerably, as the levels of administrative fines are higher than those that have been imposed in misdemeanour proceedings. In addition, imposing a fine becomes easier and faster. All this should also reduce the burden on supervisory authorities.[6]
In July 2019, it became public that the entire customer database of online store Charlot OÜ operating in Estonia, Latvia and Lithuania was breached. It was clear that the breach happened due to negligence. A total of 14,000 customers' first and last names, telephone numbers, e-mail addresses, passwords used in the online shop, addresses and, in some cases, personal identification codes were breached. When the person who discovered the breach informed the store owner, they denied initially that any breach had occurred, after which the person who discovered the breach notified both CERT.ee and the Data Protection Inspectorate (DPI). [7] As DPI has publicly acknowledged that they have no interest in engaging in court proceedings that current misdemeanour system requires, it is unlikely that a fine will be imposed on a company that grossly violated the principles of secure processing of personal data. If the concept of an administrative fine is adopted, DPI could impose a fine without the court.
Another example. The Financial Supervision Authority issued a precept to Swedbank AS, obliging the bank to improve the anti-money laundering (AML) control system measures. The Swedish Financial Supervisory Authority also conducted its own supervisory procedure to Swedbank, during which it became clear that Swedbank AB had not fully controlled or managed the implementation of AML measures in the Baltic subsidiaries[8]. In addition, it turned out that Swedbank AB did not meet the requirements for combating money laundering in Sweden. As a result of this supervisory procedure, the Swedish Financial Supervisory Authority decided to issue a warning to Swedbank AB and, in addition, a rather large fine of as much as SEK 4 billion (approximately 378 million euros).[9] This situation illustrates very well why the concept of administrative fine law is necessary for Estonia. If in Sweden it was immediately possible to impose a fine, then in Estonia the above-mentioned precept was issued first, and the company is initially given time to eliminate the deficiencies. Only when the precept is not complied with or is executed improperly, the Financial Supervision Authority may impose a penalty payment, the maximum limit of which is up to 32,000EUR in for a first time violation and up to 100,000EUR in any subsequent cases. It is clear that the means of the Estonian regulators to penalise such violations are relatively mild compared to other European countries.
Although the concept of administrative fine does not yet clearly define who will impose administrative fines, it is unlikely that a new central body will be established to impose and prosecute fines. The current supervisory authorities DPI, the Financial Supervision Authority and the Competition Authority will have the right to fine wrongdoings of legal entities.
[1] The concept of administrative law fine, 28.04.2020, p 1. Available on the web: https://www.aki.ee/sites/default/files/dokumendid/muu/haldustrahvioiguse_kontseptsioon.pdf (18.05.2020).
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Ibid.
[6] Ibid.
[7] Liive, R. Toimus Eesti ajaloo suurim e-poe andmeleke: ripakil olid 14 000 eestlase isikuandmed. 03.07.19. Veebis kättesaadav: https://digi.geenius.ee/rubriik/uudis/toimus-eesti-ajaloo-suurim-e-poe-andmeleke-ripakil-olid-14-000-eestlase-isikuandmed/ (10.06.2020).
[8] Precept to Swedbank AS in order to bring its activities in compliance with the legislation regulating the activities of credit institutions. Finantsinspektsioon. 18.03.2020.a, nr 4.1.-1/40. On the web: https://www.fi.ee/sites/default/files/2020-03/ettekirjutus_swedbank_as-le.pdf (10.06.2020)
[9] Finantsinspektsioon. Swedbank will receive a fine and a precept for violating the anti-money laundering rules. 19.03.2020. On the web:: https://www.fi.ee/et/uudised/swedbank-saab-trahvi-ja-ettekirjutuse-rahapesu-vastu-voitlemise-reeglite-rikkumise-eest (10.06.2020).
