Preparing for Rapid AI Change
Example: AI-Assisted Investigation
From three raw emails to a structured picture of the case.
Input
Three related emails
The raw material an investigator would otherwise read and cross-reference by hand.
Analysis
AI-Supported
- ▹Entity extraction
- ▹Relationship mapping
- ▹Timeline creation
- ▹Identification of key actors and events
Output
Structured picture
- ▹Visual knowledge graph
- ▹Structured overview of connections
- ▹Faster understanding of investigative context
Weighing the Hypotheses
Input to Insight
The same three emails that take time to read by hand become a structured graph the investigator can grasp at a glance.
Legal and Governance Principles
Four commitments keep the system lawful and accountable.
Human Oversight
- ▹Investigators remain responsible for all decisions
- ▹AI supports, but does not replace, human judgement
- ▹AI outputs can be reviewed, corrected or ignored
Transparency and Explainability
- ▹AI-generated outputs are clearly identified
- ▹Results include explanations and source references
- ▹Facts and AI-generated analysis remain separated
Data Protection
- ▹Personal data remains within the case file
- ▹Access is controlled and fully logged
- ▹Retention and deletion follow legal requirements
- ▹Secure on-premises deployment, no external cloud
Compliance by Design
- ▹LED (Law Enforcement Directive)
- ▹GDPR (where applicable)
- ▹EU AI Act
- ▹National legal requirements
- ▹Auditability and accountability
Traceability in Practice
Compliance Built into the Workflow
Explainable, Auditable Reasoning
The Compliance Reporter at Work
Provenance Graph and Legend
Compliance Report at a Glance
Legal Compliance
| Requirement | Implemented Measures and Solutions | System Feature |
|---|---|---|
| Data Protection and Privacy | ||
| Estonian Constitution § 26, § 43 · ECHR Art. 8 · CFR Art. 7, 8 · FI PL § 10 — Privacy and protection of personal data | Case-based data isolation; role-based access control (RBAC); encrypted communication-data storage; access only through court-order ID binding; all queries logged; automatic data-expiry checks. | Case isolation Court-order binding |
| LED Art. 4, Art. 8 · FI 1054/2018 § 4–6 — Processing principles and lawfulness | Lawfulness, fairness, purpose limitation and data minimisation: data is processed solely for law-enforcement purposes; each case file is strictly isolated; only abstract schemes are stored in the pattern database. | Purpose limitation |
| Estonian IKS § 20 · LED Art. 10 · FI 1054/2018 § 11 — Special categories of personal data | Special-category data (race, ethnicity, political views, religion, health, biometrics) processed only where strictly necessary and prescribed by law; automatic classification, restrictions and additional security measures. | Auto-classification |
| Estonian IKS § 43 · FI 1054/2018 § 31–32 — Security measures | Data encryption at rest (AES-256); RBAC-based role management; full audit logging; automatic backup. | Encryption + RBAC |
| GDPR Art. 5, 6 · FI Tietosuojalaki 1050/2018 § 4 (where applicable) | When processing administrative or non-criminal investigation data: data-subject consent or legitimate interest; mandatory data-subject notification. | Consent / basis check |
| Human Oversight and Automated Decision-Making | ||
| Estonian Constitution § 22 · FI PL § 21 — Presumption of innocence | AI does not make guilt-determining decisions; the system supports the investigator and does not replace court rulings. | No guilt scoring |
| LED Art. 11 · FI 1054/2018 § 13 — Automated decision-making | AI does not make automated decisions; all results are confirmed by the investigator; profile-based decisions without human intervention are prohibited. | Human-in-the-loop |
| EU AI Act Art. 14(1)–(4) · CFR Art. 41 · FI Hallintolaki § 6 — Human oversight and good administration | The investigator can override, correct or ignore AI output at any time; the system can be stopped with a “stop” button; the UI displays limitations and capabilities. Per Article 14(4)(b), prompts counter automation bias and over-reliance on AI output. | Override / stop Automation-bias prompts |
| Estonian KrMS § 211 · ECHR Art. 6 · FI ETL 805/2011 4:1 — Objectivity; duty to weigh exculpatory and incriminating evidence | Devil's-advocate and Socratic-questioning prompts force consideration of alternative and exculpatory explanations, surface disconfirming evidence and challenge premature closure, supporting the duty to investigate objectively. | Devil's advocate |
| EU AI Act Art. 9 — Risk-management system | Continuous risk-management process across the system lifecycle; identified risks are logged, assessed and mitigated; results recorded in the technical file. | Risk log |
| EU AI Act Art. 27 — Fundamental Rights Impact Assessment | Completed Fundamental Rights Impact Assessment (FRIA); technical documentation per Article 11; risk-assessment log; conformity declaration. | FRIA export |
| LED Art. 27 · GDPR Art. 35 · FI 1054/2018 § 20 — Data protection impact assessment | A DPIA is conducted for high-risk processing, separate from and complementary to the AI Act FRIA. | DPIA export |
| Transparency and Right to Explanation | ||
| Estonian Constitution § 15, § 24 · ECHR Art. 6, 13 · CFR Art. 47 · FI PL § 21 — Effective proceedings, fair trial and remedy | AI reasoning chain exportable (PDF/JSON); the reasoning graph enables step-by-step challenge of the decision process; outputs are transparent, explainable and accessible to the defence. | Reasoning graph |
| Estonian Constitution § 44(3) · FI 1054/2018 § 23 — Right to access data | Built-in Data Subject Access Request (DSAR) export; personal-data query report is generated automatically. | DSAR export |
| LED Art. 16 · FI 1054/2018 § 25 — Rectification and erasure | Inaccurate police data can be rectified or erased on request; corrections propagate through the provenance graph. | Provenance graph |
| EU AI Act Art. 86 — Right to explanation | Each AI output carries a process-level explanation: the reasoning graph shows the inference steps; the provenance graph shows inputs and sources. Model-internal XAI is rarely feasible and is not relied on. | Reasoning graph Provenance graph |
| EU AI Act Art. 13 — Transparency | The system user guide and UI explain AI capabilities, limitations and intended use cases. | User guide / UI |
| EU AI Act Art. 50 — User notification | Users are clearly informed they are interacting with AI; outputs are marked as AI-generated. | AI-output marking |
| FI Laki digitaalisten palvelujen tarjoamisesta 306/2019 § 7–§ 9 — Digital-service accessibility (Finland) | Public-facing service interfaces and AI-generated explanations meet statutory accessibility requirements (perceivable, understandable, operable); an accessibility statement is published. | Accessibility |
| Data Quality and Evidence | ||
| LED Art. 7 · FI 1054/2018 § 7–8 — Data quality | AI-based conclusions are clearly distinguished from facts; the investigator confirms data accuracy before further use. | Reasoning graph |
| LED Art. 6 · FI 1054/2018 § 8 — Categories of data subjects | Suspects, victims, witnesses and contacts are distinguished and labelled; AI outputs preserve these category tags. | Subject-category tags |
| EU AI Act Art. 10 · ECHR Art. 14 · CFR Art. 21 · FI Yhdenvertaisuuslaki 1325/2014 § 8 — Data governance and non-discrimination | Reference data is examined for bias and representativeness; data origin is traceable; safeguards against discriminatory outputs. | Bias checks Provenance graph |
| EU AI Act Art. 15 — Accuracy, robustness and cybersecurity | Accuracy is declared and monitored; robustness and cybersecurity controls; low-confidence outputs trigger fallback and human confirmation. | Confidence + fallback |
| Estonian KrMS § 63 · FI ETL 805/2011 — Concept of evidence | AI is an investigative aid; documents prepared by the investigator based on AI analysis may qualify as evidence within the meaning of § 63 (other document). | Provenance graph |
| Estonian KrMS § 64 · FI Pakkokeinolaki 806/2011 — Conditions for evidence collection | Full traceability is ensured: each AI output references the original source and maintains data integrity. | Provenance graph |
| Estonian KrMS § 146 — Procedural action protocol | Documents prepared with AI assistance comply with protocol format requirements: date, author, criminal-case number, course and results of the action. | Protocol format |
| Estonian KrMS § 150 — Audio and video recording | A report based on AI analysis may rely on material recorded under KrMS § 150; recordings are unaltered and added to the case file. | Unaltered recording |
| Security and Logging | ||
| Estonian IKS § 36 · LED Art. 25(1) · FI 1054/2018 § 19 · 906/2019 § 17 — Logging | Collection, modification, reading/query, transmission/disclosure, combination and deletion are automatically logged; logs ensure traceability, help detect unauthorised access, and are retained for at least 3 years. | Tamper-evident log |
| E-ITS · FI Tiedonhallintalaki 906/2019 ch. 4 — Security measures | Compliance with the Estonian information security standard (E-ITS): security class is determined by data confidentiality, integrity and availability; catalogue measures are applied. | Security class |
| FI Tiedonhallintalaki 906/2019 § 18 — Security-classified documents / Katakri (Finland) | Where the system handles security-classified material, statutory classification marking and Katakri-level controls apply, beyond the general information-security standard. | Security classification |
| Risk, Documentation and Governance | ||
| EU AI Act Art. 11 + Annex IV — Technical documentation | Full technical documentation is maintained and produced via the one-click compliance export. | Compliance export |
| LED Art. 24 · FI 1054/2018 § 18 — Records of processing activities | A record of processing activities is maintained; the provenance graph provides per-output processing records. | Provenance graph |
| LED Art. 41–46 · FI 1054/2018 § 45 — Supervisory authority | Processing is subject to oversight by the Data Protection Inspectorate (AKI); cooperation and audit support are built in. | Audit export |
| LED Ch. V (Art. 35–40) · FI 1054/2018 § 41–44 — Transfers to third countries | Cross-border transfers only on a valid legal basis; on-premises deployment keeps data within jurisdiction by default. | On-prem default |
| Model provenance and licensing | Local models (Gemma, EuroLLM) run on-premises under their respective open-weights licences; model versions and licences are recorded. | Model registry |
| FI Tiedonhallintalaki 906/2019 §§ 28a–28g · Hallintolaki 434/2003 §§ 53e–53g — Automated-decision deployment governance (Finland) | A public deployment decision (käyttöönottopäätös) is issued; processing rules are documented with an explicit non-discrimination demonstration; responsible persons are named; five-year traceability is kept; each automated decision is marked as such. | Deployment decision |
| FI Tiedonhallintalaki 906/2019 § 10–§ 11 — Information Management Board (Finland) | The system is subject to assessment by the Information Management Board (Tiedonhallintalautakunta) against 906/2019, an institutional oversight distinct from the Data Protection Ombudsman. | Board assessment |
| Cross-Jurisdiction Safeguards (Estonia · Finland · EU) Marquee obligations confirmed across all three jurisdictions. The full source-by-source mapping is in the Legal Jurisdiction Matrix appendix. |
||
| Estonian HMS § 56 · KrMS § 305¹ · FI Hallintolaki § 45 · PL § 21(2) — Reasoned and contestable decision | Every AI-assisted output that feeds an official act states the facts found, the evidence relied on and the provisions applied; a judgment may rest only on evidence the parties could examine. | Reasoned decision |
| Estonian KrMS § 126⁴, § 126¹³, § 126¹⁵ · FI Pakkokeinolaki 806/2011 10:60, 10:65 — Surveillance authorisation, notification and oversight | Covert measures require a prior scope-bound authorisation; the subject is notified once the authorisation expires; access is recorded for two-tier independent oversight. | Judicial authorisation Post-hoc notification |
| Estonian KrMS § 61, § 63 lg 2, § 305¹ · FI OK 17:1, 17:25 — Admissibility; AI inference is not evidence | AI output is labelled as inference with no predetermined evidentiary weight; unlawfully obtained material can be excluded; a conviction cannot rest on an unexaminable score. | AI-inference label |
| Estonian KrMS § 15² · FI 616/2019 — Police-data law-enforcement regime | Police processing follows the dedicated law-enforcement regime, not general data-protection rules: closed-purpose secondary use, class-specific retention, and shielded tactical and source data. | LED-mode processing |
| Estonian KorS § 7 · KrMS § 9 · FI ETL 805/2011 4:4–4:6 — Proportionality and minimum intervention | Each measure is the least intrusive that achieves the aim, proportionate to offence gravity, and stops once the aim is met. | Minimum intervention |
| EU AI Act Art. 25, Art. 26, Art. 43, Art. 49(4) — Deployer and provider duties on self-hosting | On-premises build or modification can flip the agency from deployer to provider; conformity assessment runs by internal control and the system is registered in the secure non-public section of the EU database. | Deployer duties EU DB (non-public) |
| Retention and Deletion | ||
| LED Art. 5 · FI 1054/2018 § 6(3) — Retention periods | Personal data is retained only as long as necessary for the purpose; the lifecycle graph tracks deadlines and notifies of expiry. | Lifecycle graph |
| EU AI Act Art. 12 — Log retention | AI-system logs are retained for at least 6 months; provenance and decision logs are exported to archive on the lifecycle schedule. | Lifecycle graph |
| Estonian ArhS § 13, § 7 · FI Arkistolaki 831/1994 § 7, § 13 — Records appraisal and archival rules | Documents subject to the archiving obligation are appraised and exported separately; retention/deletion schedules follow the archival rules and document type. | Lifecycle graph |
| FI Arkistolaki 831/1994 § 8, § 13 — National Archives appraisal (Finland) | Permanent-preservation decisions rest with the National Archives (Kansallisarkisto); retention logic defers to its appraisal; destruction is secure and data-protection-compliant. | Archives appraisal |
Retention Periods and Deletion
| Data Type | Retention Period | Legal Basis | Exception Possible? |
|---|---|---|---|
| Criminal Case File evidence, protocols |
10 yrs (general); 15 yrs (1st degree crimes); permanent (crimes against humanity) | KrMS § 209 lg 2; VVm § 6 lg 1–4 | Yes, if archival value ArhS § 2 §§ 3–4, § 8; VVm § 6 § 5 |
| Surveillance File wiretaps, surveillance |
Up to 50 years | KrMS § 12612 lg 3 | No KrMS § 126¹² lg 3 (strict limit) |
| Court File hearing protocols, decisions |
10 yrs (after entry into force) | KrMS § 1601 lg 6–7 | Yes, if archival value ArhS § 2 §§ 3–4; § 8 § 2 |
| DNA/Fingerprint Data | Until criminal record data is deleted | KrMS § 206; ECHR Art. 8 (S. and Marper v. UK) | Yes, on termination of proceedings (§ 200) KrMS § 206 (deletion from DNA / fingerprint registers) |
| AI reasoning logs provenance, decisions |
Min 6 months; technical docs 10 yrs after market withdrawal | EU AI Act Art. 12(1), Art. 18(1), Art. 19(1) | Yes, extendable upon challenge LED Art. 16(3)(a)(b); GDPR Art. 18(1) |
| Personal Data in case file | Until purpose is fulfilled | IKS § 17; LED Art. 4(1)(e), Art. 5 | No, except as prescribed by law IKS § 17 lg 2; § 25 lg 3–4 |
| Pattern Database Entries anonymous modus operandi |
Indefinite (no personal data) | LED Art. 4(1)(c) | Not applicable Anonymous data, GDPR does not apply |
| Audit Log who, when, what |
At least 3 years | IKS § 36; LED Art. 25(2) | Yes, extendable IKS § 36 lg 5; E-ITS security class |
| Protocols and Recordings interrogations, observations |
With case file (10–15 yrs) | KrMS § 146, § 148, § 150 lg 4 | Yes, with case file VVm § 6 (follows main document) |
| Public-sector Documents public information |
5–50 years (document type) | ArhS § 13, § 7; AvTS § 40 (access restriction) | Yes, if archival value ArhS § 7, § 8, § 13 |
Acronyms and Legal Sources
| Acronym | Full name | In English / what it is |
|---|---|---|
| Estonian legislation | ||
| PS | Eesti Vabariigi põhiseadus | Constitution of the Republic of Estonia |
| IKS | Isikuandmete kaitse seadus | Personal Data Protection Act |
| KrMS | Kriminaalmenetluse seadustik | Code of Criminal Procedure |
| AvTS | Avaliku teabe seadus | Public Information Act |
| ArhS | Arhiiviseadus | Archives Act |
| VVm | Vabariigi Valitsuse määrus | Government of the Republic regulation |
| E-ITS | Eesti infoturbestandard | Estonian Information Security Standard (replaced ISKE in 2023) |
| AKI | Andmekaitse Inspektsioon | Estonian Data Protection Inspectorate (supervisory authority) |
| HMS | Haldusmenetluse seadus | Administrative Procedure Act (duty to give reasons, discretion) |
| KorS | Korrakaitseseadus | Law Enforcement Act (state supervision, proportionality) |
| KüTS | Küberturvalisuse seadus | Cybersecurity Act (statutory basis of E-ITS, 24 h incident reporting) |
| VõrdKS | Võrdse kohtlemise seadus | Equal Treatment Act (non-discrimination, shared burden of proof) |
| KarS | Karistusseadustik | Penal Code (data-misuse and secrecy offences) |
| JAS | Julgeolekuasutuste seadus | Security Authorities Act (intelligence-data separation, oversight) |
| — | Keeleseadus | Language Act (Estonian as the language of administration) |
| Finnish legislation | ||
| PL | Perustuslaki (731/1999) | Constitution of Finland |
| 1054/2018 | Laki henkilötietojen käsittelystä rikosasioissa… | Act on the Processing of Personal Data in Criminal Matters (Finnish LED transposition) |
| ETL | Esitutkintalaki (805/2011) | Criminal Investigation Act (objectivity principle, ch. 4 § 1) |
| — | Tiedonhallintalaki (906/2019) | Information Management Act (security standard, ADM governance, board) |
| — | Hallintolaki (434/2003) | Administrative Procedure Act |
| — | Tietosuojalaki (1050/2018) | Data Protection Act (general; Tietosuojavaltuutettu = supervisory authority) |
| — | Arkistolaki (831/1994) | Archives Act (National Archives appraisal) |
| — | Pakkokeinolaki (806/2011) | Coercive Measures Act |
| — | Yhdenvertaisuuslaki (1325/2014) | Non-Discrimination Act |
| Julkri / Katakri | — | Finnish public-administration / national-security information-security criteria |
| OK | Oikeudenkäymiskaari (4/1734) | Code of Judicial Procedure (evidence in ch. 17, rewritten by 732/2015) |
| 616/2019 | Laki henkilötietojen käsittelystä poliisitoimessa | Act on the Processing of Personal Data in Police Matters (police-data lex specialis) |
| — | Julkisuuslaki (621/1999) | Act on the Openness of Government Activities (secrecy and classification marks) |
| — | Tasa-arvolaki (609/1986) | Act on Equality between Women and Men |
| 121/2019 | Laki tiedustelutoiminnan valvonnasta | Act on the Oversight of Intelligence Gathering (Intelligence Ombudsman) |
| EU and international | ||
| LED | Law Enforcement Directive — Directive (EU) 2016/680 | EU data-protection rules for police and criminal justice |
| GDPR | General Data Protection Regulation — Regulation (EU) 2016/679 | EU general data-protection law |
| EU AI Act | Regulation (EU) 2024/1689 | EU Artificial Intelligence Act |
| ECHR | European Convention on Human Rights | Council of Europe human-rights treaty (European Court of Human Rights) |
| CFR | Charter of Fundamental Rights of the European Union | EU fundamental-rights charter (assessed by the FRIA) |
| NIS2 | Directive (EU) 2022/2555 | EU network- and information-security directive (incident reporting) |
| Compliance and technical terms | ||
| FRIA | Fundamental Rights Impact Assessment | Deployer assessment under EU AI Act Art. 27 |
| DPIA | Data Protection Impact Assessment | Risk assessment under LED Art. 27 / GDPR Art. 35 |
| DSAR | Data Subject Access Request | An individual's request to access their personal data |
| RBAC | Role-Based Access Control | Access granted according to user role |
| XAI | Explainable AI | Model-internal interpretability (vs. process-level explanation) |
| AES | Advanced Encryption Standard | Symmetric encryption (AES-256, data at rest) |
| TLS | Transport Layer Security | Encrypted data transmission (TLS 1.3) |
Human Stays Responsible
The investigator can override, correct or ignore any AI output. The system advises; the decision stays with a person.
Facts vs Analysis
AI-generated analysis is kept visibly separate from established facts, so a reader always knows which is which.