My data protected? Managed? learn from Estonia

By 30. Juli 2018 No Comments

In May 25th 2018  the new law for protecting your personal data come into force – DSGVO (Datenschutz-Grundverordnung). Nothing really happened – despite all the e-mails to declare „my ok“ for their mailing-list or a newsletter. All seamed to be ok, all people reinsured that there is no legal detail missing. But am I more protected? What is about the data the city keeps from me? Well – last week I had a kind of reality effect – when my community of Köln send me the information about the storage of my data in accordance with the Basic Data Protection Ordinance. One envelope – but three different letters – all on ecological paper.

Three pages from three different departments: Wastemanagement, Taxdepartment and the department of municipal drainage.  More or less they all told me that they all, each for their department, gather all the information concerning my house, my person, my use of engery and water etc. and add information from official side and the correspondence we will have together. More or less this is the contrary to what Estonia wants to be – in Cologne, every department of the system copies my data and stores them again. It is a system that has no basic core but is decentralized. Interesting and also a bit of disappointing. They just digitalised the old data and kept the old storing system, communication system … from paper to digital. That was when Estonia was in 2010. Why could they not ask me if I like the next information digital and add my private e-mail address?

E-Governance in Ethonia

I attended the OECD Conference in Paris  14-16 Juni. Topic: Intangible Assets. I heard a very interesting speaker, Mr. Marten Kaevats from Estonia. Not all people know that Estonia is one of the most developed countries regarding data, digitalisation of citizen data and of course the technology of skype was developed in Tallinn before Microsoft bought the service. So most of the German mayors made a business trip to Tallinn to learn about their data management.

So what did Marten Caveats say? I took quite some notes and rearranged his speech the best I could – get an idea of his toughts.

on Twitter

„How to buildt a digital society is much wider – it actually has very little to do with technology, but with culture of people. Here a short video of Marten

In Estonia we are building an invisible Government. That means: It is a government has to interact with as least as possible. It is made to enable and not to punish them. We are on our way on building this and you can call that a platform hat helps its citizens and companies to make their live meaningful. This is a vision. We try to make this in reality in 4-5 years.

Yes cybersecurity is important, but for making this happen other strategically policies are important: Vision on data governance. With our independence we decided to skip paper bureaucracy and make a digital society. Critical components include a digital identity that identifies the people so to know that you are you. Second: How do you exchange data in a secure way? In Estonia we use a platform an exchange layer called ex-road. Technology actually has a small road, but very important part on this two innovation is the part of Data identity and Data exchange is that these are mandatory for all citizens, as this is critical to make this ecosystem work.

The data exchange layer is mandatory for all government authorities – where we have a very high-decentralized administration structure. All of these authorities had a very different structure – a big mass. We had to create a standard to get an overview what is going on. 2010 we started. In terms of cyber security there is one very important principle that Estonia implements: The once only policy.

From a citizen point of view: If you have given pieces of information of your data to the government or to the municipality the municipality should never ask that again. This is something that in paper based bureaucracy’s feels very different. Because whenever you get in contact with them, you have to fill out a forms with your name, your birthday, your address.  But the government already knows that – who you are, even the name of your children. So why should the government ask this again?

But the second point is also very important because of cyber security. The once only policy consists also with the idea that the data is only stored where it is generated in. The idea is that there are no copies. All of the different government authorities (236 different services ) they are responsible for keeping this piece of information accurate and correct. So the traffic register does not know your name, not your birthday, nor your address. The traffic register knows three thinks: you, the identity number, that this has a driver licence, and a particular vehicle.  Every citizen has a digital name, an identity number and this is public. The population register knows your name and your birthday.

And each and every time when a citizen interacts with the government all of this information is pulled together in real time and with consent from the citizen. In Estonia we have build our system with the idea that everyone owns its own data. The government merrily gives the service of keeping it. So the government authorities are not the owner of that information – but responsible for keeping it secure and private. This is the baseline foundation of Estonia since 2001.

Since 2005 we have online voting.

We can do everything online – beside marrying and buying and selling real estate. We skipped paper for 10 years ago. Our national sovereignty is not based on paper. This month we open Data Invest in Luxemburg, which can operate different national services, we can switch services from services from Estonia to Luxembourg online bases. So if there is an incident – fire, waterleage, electrical thing etc. we can switch from running services from the data-embassy, which is legally Estonian ground from Luxemburg.  This makes us the first country that can exist without physical land. This is by concept. We are the country in the cloud. This is a back-up and a cyber security item.

That is the last 17 years …. We use information not documents – which are over regulated. We use information like skypechat, snapchat and facebook which is under regulated. This means we can create this invisible government.

So in the future it is possible that if you give birth to a child the government will send you a message: Congratulate to your boy or girl within the first 10 minutes. You will receive the information about where you get the money from at what date and do not worry about the kindergarden, everything has ben taken care of. You have a line here to write the name of your child – but you have 3 month time to do so. The idea is that you do not have to apply for thinks that you are entitled to get it. To make this ecosystem happen, cybersecurity is key.


If we look to the future, AI is a topic. We started to work with blockchain technology in 2010. We used blockfiles in 2011 – we started in 2008 April. There are some myth. We are not based on blockchain but x-road, which is the exchange layer. (Video on x-road) But the blockchain provides us a critical component – that is what we call data-integrity. My personal blocktype is A Positive, and I do not mind if you know it. We need this if somebody tries to change data in governmental database – we will see it immediately and can track it. We get to know about hacks within 1 second. And everybody can go to the government web-side and see who has looked at the data and this comes from the blockchain.  So we have a track-record.  This is transparency.“ He went on and on — but this is the main point for me.

I do not know, but I could not find a document or a video that would explain me the system in Cologne, or in Germany. It might be more complex – it might also be more difficult to communicate – but it would be worth a try.

A few days ago my wallet was stolen and I had to report the theft to the police so that they could deliver it to me when it was found. The process took almost 1 hour because you had to check all the data on the papers. Then the police woman (Landespolizei NRW) told me to report the theft also to  (Bundespolizei)  federal police, as the networking would is not so optimal – and also to the city! I was shocked. But the federal police officer just smiled and said: „Everything in the system – we won’t record it again.“ And imagine: Three days later my red wallet was found and all the documents were inside. The money was gone – but I had all my cards and tickets back. It’s not that bad?

Translated with

Datenschutz der Stadt Köln

Portal oft he German Government: BSIFB

IT Planungsrat der Bundesregierung 

Zitat „Der zweite Standardisierungsbeschluss der Sommersitzung des IT-Planungsrats setzt einen Meilenstein für die Metadatenstruktur offener Verwaltungsdaten. Mit dem neuen Metadatenstandard als konforme Ableitung des europäischen Standards wird sich der Austausch zwischen den Datenportalen in Deutschland und Europa erheblich vereinfachen. ermöglicht einen reibungslosen Datenaustausch von der kommunalen Ebene über die der Bundesländer, Fachportale und die Bundesebene bis hin zum Europäischen Datenportal. Durch den neuen Standard werden offene Daten zukünftig nicht nur besser austauschbar sein, auch die Sichtbarkeit, Auffindbarkeit und die Nutzbarkeit der Daten verbessert sich.“

The second standardization decision of the summer meeting of the IT Planning Council sets a milestone for the metadata structure of open administrative data. With the new metadata standard as a conformal derivation of the European standard, the exchange between the data portals in Germany and Europe will be considerably simplified. enables a smooth data exchange from the municipal level to the federal states, subject portals and the federal level up to the European data portal. With the new standard, open data will not only be better exchangeable in the future, but also the visibility, findability and usability of the data will improve. Translated with