Estonia
AI behavior law: bot and agent disclosure, crawler and training-data rules, automated-agent transactions, and algorithmic decision-making.
Summary
Estonia follows the standard EU pattern but is notable for its advanced e-governance stance and a strong open-data culture. The Penal Code (Karistusseadustik) §217 criminalises illegally obtaining access to a computer system; related provisions cover computer data interference (§206) and system interference (§207). The key element of §217 is obtaining access "without authorisation"; Estonia's CoE Octopus profile confirms the security-mechanism-bypass interpretation, consistent with the Budapest Convention. The Copyright Act (Autoriõiguse seadus, amended December 2021, in force January 2022) transposed DSM Directive 2019/790, including the dual-track TDM exceptions. The full EU sui generis database right applies. GDPR is enforced by the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI). The EU AI Act applies from August 2025. Estonia's proactive open-data policy reduces friction for crawling government-published content but does not alter the core scraping-law framework.
Automated-access legality
Carried forward from the crawler-law index. Governs whether automated clients may access public websites in this jurisdiction.
| Dimension | Value |
|---|---|
| Authorization test | security mechanism bypass |
| Public-page carve-out | yes |
| Terms-of-service browsewrap enforceable | notice-dependent |
| Terms-of-service clickwrap enforceable | yes |
| Copyright exception model | TDM dual track |
| Text and data mining — commercial status | with opt-out |
| Text and data mining — opt-out mechanism | robots.txt |
| robots.txt legal weight | evidentiary |
| AI training-specific law | binding |
| Privacy regime | GDPR |
| Trespass to chattels | not recognized |
Last reviewed: 2026-05-23. Confidence: medium. Fast-moving area — verify before relying. Not legal advice.