Reference appendix to the Legal and Governance Principles slide. For each obligation cluster it maps the Estonian, Finnish and EU primary sources that bind an AI assistant used in criminal investigations, with the verbatim statutory heading and what the source requires of the system. Sections were verified against primary text (Riigi Teataja consolidations, the Finlex Akoma Ntoso XML API, EUR-Lex CELEX 32024R1689, HUDOC and CURIA). Items that could not be verified verbatim are marked ⚠ unverified.

**Reasoned decision.** An AI-assisted output that feeds an official act must carry human-intelligible reasons: the facts found, the evidence relied on and the provisions applied.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | HMS § 56 Haldusakti põhjendamine; KrMS § 305¹ Lawful and reasoned court judgment; KrMS § 312 Main part of court judgment | Adverse or discretionary acts need written factual and legal reasons; a judgment may rest only on evidence the parties could examine; facts must be mapped to the evidence behind them. "The model flagged it" is not lawful reasoning. |
| Finland | Hallintolaki 434/2003 § 45 Päätöksen perusteleminen (with § 44); Perustuslaki 731/1999 § 21(2) Oikeusturva | The decision must state facts, evidence and applied provisions in plain language; the reasoned-decision limb of § 21(2) is a constitutional floor. |
| EU | AI Act Art. 26 (deployer use), Art. 86 Right to explanation; LED Art. 11 | The deployer must enable affected persons to obtain an explanation of decisions taken with the system. |

**No solo automation · Discretion preserved.** The system may inform a decision but not exhaust the official's discretion or decide on its own.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | HMS § 4 Kaalutlusõigus; IKS § 21 Automatiseeritud töötlemine; Põhiseadus § 14 (duty to guarantee rights) | Discretion is exercised by a human within the authorisation; solely-automated adverse decisions and special-category profiling are barred; § 14 grounds the human-oversight and accountability duty. |
| Finland | Perustuslaki § 22 Perusoikeuksien turvaaminen; 1054/2018 § 13 Automatisoidut yksittäispäätökset; PeVL 62/2018 vp & 7/2019 vp ⚠ | Positive duty to build in safeguards; no decision by automated means alone; a named official bears responsibility (virkavastuu). |
| EU | AI Act Art. 14 Human oversight; Art. 26(2) (deployer assigns oversight) | Oversight measures let a person override, correct or stop the system; the deployer assigns competent, trained oversight staff. |

**Bias checks · Equal-treatment check.** A "neutral" model with disparate impact is unlawful unless objectively justified; proxy and profiling bias must be tested.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | Põhiseadus § 12 (equality); VõrdKS § 3 Võrdse kohtlemise põhimõte, § 8 Jagatud tõendamiskohustus | Equality reaches proxy bias; the authority carries a shared burden to disprove discrimination (§ 8(3) narrows this before criminal and administrative courts). |
| Finland | Yhdenvertaisuuslaki 1325/2014 § 5 (active duty + equality plan); Tasa-arvolaki 609/1986 § 7 Syrjinnän kielto | Authorities must assess group impacts, keep an equality plan, and avoid indirect discrimination through "neutral" criteria. |
| EU | AI Act Art. 10 and Art. 10(5) (bias-detection data); CFR Art. 21; ECHR Art. 14 | Examine training data for bias; special-category data may be used for bias correction only on the LED basis, with safeguards. |

**Minimum intervention · Proportionality check.** Each measure must be suitable, necessary and the least intrusive that achieves the aim, and stop once the aim is met.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | KorS § 7 (proportionality), § 9 (rights and dignity); KrMS § 9 (minimum intervention); KrMS § 126¹ (ultima ratio for surveillance); Põhiseadus § 11 | State supervision uses the least harmful suitable and necessary measure, only as long as its aim is unmet; surveillance is permitted only when other measures fail. |
| Finland | Esitutkintalaki 805/2011 4:4 Suhteellisuusperiaate, 4:5 Vähimmän haitan periaate, 4:6 Hienotunteisuusperiaate; Pakkokeinolaki 806/2011 1:2–1:4 | Measures must be proportionate to offence gravity, cause no needless harm, and respect the dignity of those affected. |
| EU | CFR Art. 52(1); AI Act risk-based approach (Art. 9) | Any limitation of a Charter right must be necessary and proportionate; residual risks are managed across the lifecycle. |

**Judicial authorisation · Post-hoc notification · Independent oversight.** Covert measures need a prior scope-bound authorisation, later notice to the subject, and effective independent oversight.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | KrMS § 126⁴ Jälitustoiminguks loa andmine, § 126¹³ Jälitustoimingust teavitamine, § 126¹⁵ Järelevalve, § 126¹⁷ (surveillance information system); JAS § 32, § 36 | Prosecutor or preliminary-investigation judge authorises each measure; the subject is notified on expiry with appeal information; oversight is two-tier (prosecutor and a Riigikogu committee); a statutory information system records access. Intelligence and criminal data stay separated. |
| Finland | Pakkokeinolaki 806/2011 10:55–56 Ylimääräinen tieto, 10:57 Tietojen hävittäminen, 10:60 Salaisen pakkokeinon käytöstä ilmoittaminen, 10:65 oversight; Poliisilaki 872/2011 5a:44–45 (intelligence-to-crime firewall); Laki 121/2019 (Intelligence Ombudsman) | Incidental "excess" information is filtered by per-offence eligibility; covert data is destroyed and the subject notified; the Intelligence Ombudsman can inspect and order a measure stopped. |
| EU / ECtHR | ECtHR Szabó & Vissy, Big Brother Watch, Roman Zakharov; CJEU La Quadrature du Net, Tele2/Watson, Ligue des droits humains | Minimum safeguards: clear grounds, prior independent authorisation, notification where feasible, and human review of automated hits without opaque self-learning criteria. |

**AI-inference label · Exclusionary-rule tag.** An AI inference has no predetermined evidentiary weight; unlawfully obtained material can be excluded; a conviction cannot rest on an unexaminable score.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | KrMS § 61 Tõendite hindamine (free evaluation), § 63 lg 2 (exclusion of unlawful evidence), § 305¹ (examinable-evidence-only judgment) | The court evaluates evidence on its inner conviction; AI output is labelled as inference, not proof; a judgment rests exclusively on evidence the parties could examine. |
| Finland | Oikeudenkäymiskaari 4/1734 17:1 (vapaa todistusharkinta), 17:25 hyödyntämiskielto, 17:18 (self-incrimination), 17:24 (hearsay bar). Chapter 17 rewritten by 732/2015. | Free evaluation of evidence; a balancing test may exclude unlawfully obtained material; self-incriminating and hearsay material is restricted. |
| EU / ECtHR | ECHR Art. 6 (fair trial); CFR Art. 47, 48 | Equality of arms and the right to contest require that an inference be traceable to its source so it can be challenged. |

**LED-mode processing.** Police processing is governed by a dedicated law-enforcement regime, not general data-protection rules.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | KrMS § 15² Isikuandmete töötlemine kriminaalmenetluses; IKS law-enforcement chapter | Criminal-procedure personal data is processed in law-enforcement mode, with every rights-restriction recorded and joint-controller roles set. |
| Finland | Laki 616/2019 (henkilötietojen käsittely poliisitoimessa) § 5, § 13 (purpose binding), § 15 (special-category), § 33–40 (retention), § 39 (error flagging), § 42 (access limits), § 9 (source protection) | The binding special law for police data: secondary use only within a closed purpose list; class-specific retention clocks; tactical and source data shielded from subject access. This regime was absent from the deck table. |
| EU | LED Art. 6 (categories of data subjects), Art. 7 (data quality), Art. 10 (sensitive data) | Distinguish suspects, witnesses and victims; keep data accurate; gate sensitive data behind strict necessity. |

**Privacy by design · Breach notification · DPO designation.** Safeguards are engineered in from the design stage; a data protection officer oversees the system; breaches are reported promptly.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | IKS § 33 Lõimitud andmekaitse ja vaikimisi andmekaitse, § 40 Andmekaitsespetsialisti määramine, § 44 (breach notification to AKI within 72 h) | Build privacy controls into the architecture; appoint a data protection officer over the tool; notify the Inspectorate within 72 hours and subjects on high risk. |
| Finland | 1054/2018 § 15 Sisäänrakennettu ja oletusarvoinen tietosuoja, § 21 (prior consultation), § 34 (breach within 72 h), § 38 Tietosuojavastaavan nimeäminen | Deploying AI as a new technique with residual high risk triggers prior consultation with the Ombudsman; a data protection officer advises and monitors. |
| EU | LED Art. 27 (DPIA), Art. 30–31 (breach), Art. 32 (DPO); GDPR Art. 25 (by design) | Run a data-protection impact assessment, notify breaches, and designate a data protection officer. |

**Conformity audit · Incident reporting.** The security standard has a statutory mandate, with auditable conformity and prompt incident reporting.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | KüTS § 7 Turvameetmed (statutory basis of E-ITS, via § 3(4)), § 8 (incident notification to RIA within 24 h). Note: KüTS § 9 is repealed. | State authorities apply the Estonian Information Security Standard under § 7; significant cyber incidents are reported to the Information System Authority within 24 hours. |
| Finland | Tiedonhallintalaki 906/2019 § 13 (information security); Katakri / Julkri criteria; cyber-incident reporting to Traficom | Information security follows the management-act baseline and national security-audit criteria, with incident reporting duties. |
| EU | AI Act Art. 15 (accuracy, robustness, cybersecurity); NIS2 Directive (EU) 2022/2555 | Cybersecurity controls match the risk; incident-reporting obligations apply to essential and important entities. |

**Internal-use marking · Document register.** Case data is classified for internal use, official documents are registered, and access requests follow statutory rules.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | AvTS § 35 Teabe asutusesiseseks tunnistamise alused, § 11/§ 12 (document register), § 43¹(3) (once-only principle) | Criminal-proceeding data and investigative methods must be marked internal-use; official documents are registered and searchable; authoritative data is reused, not re-collected. |
| Finland | Julkisuuslaki 621/1999 § 24 (secrecy categories), § 25 Salassapito- ja luokitusmerkintä; Tiedonhallintalaki 906/2019 § 25 Rekisteröinti asiarekisteriin, § 28 Kuvaus asiakirjajulkisuuden toteuttamiseksi | Outputs carry correct secrecy and classification marks; AI-created documents are registered without delay; a public description lists data stores and search criteria. |
| EU | CFR Art. 8 (data protection); LED Art. 25 (logging) | Access to investigative data is controlled and logged. |

**Official-language output.** Official documents and responses are produced in the required official language.

| Jurisdiction | Primary source | What it requires |
|---|---|---|
| Estonia | Põhiseadus § 51, § 52; Keeleseadus § 10 Asjaajamiskeel, § 4 ⚠ | The language of public administration is Estonian; official text follows the literary standard. There is no general bilingual duty. |
| Finland | Hallintolaki 434/2003 § 26 Tulkitseminen ja kääntäminen; Perustuslaki § 17 | Finnish and Swedish are national languages; interpretation and translation are provided in authority-initiated matters. |
| EU | CFR Art. 21 (non-discrimination on language), Art. 22 (linguistic diversity) | Linguistic diversity is respected; language must not become a ground of discrimination. |

**Deployer duties · Value-chain role.** Building or substantially modifying the system on-premises can flip the agency from deployer to provider, adding the full provider duty set.

| Source | Article | What it requires |
|---|---|---|
| EU AI Act — deployer | Art. 26 Obligations of deployers (26(1)–(12)); Art. 4 (AI literacy) | Use per instructions, assign human oversight, monitor and suspend on risk, keep logs for at least six months, inform affected workers and persons, cooperate with authorities, and feed the data-protection impact assessment. |
| EU AI Act — value chain | Art. 25 Responsibilities along the AI value chain | Substantial on-premises build or modification can make the agency a provider, with the duties below. |
| EU AI Act — provider | Art. 16; Art. 17 (QMS); Art. 18 (documentation, 10 years); Art. 19 (logs); Art. 20 (corrective action); Art. 43 Conformity assessment (internal control, Annex VI); Art. 47 EU declaration of conformity; Art. 48 CE marking; Art. 72 (post-market monitoring); Art. 73 (serious-incident reporting) | Run a quality-management system, keep technical documentation, perform internal-control conformity assessment, sign the declaration of conformity, affix the CE marking, and run post-market monitoring with serious-incident reporting. |

**EU DB (non-public).** A law-enforcement high-risk system is registered in the secure, non-public section of the EU database.

| Source | Article | What it requires |
|---|---|---|
| EU AI Act | Art. 49(4) Registration (cross-referenced in Art. 71(4)); Art. 49(3) (deployer registration) | For law-enforcement systems under Annex III points 1, 6 and 7, registration goes to the secure non-public section of the EU database. (Annex III point 8, justice, is registered in the public section.) The deck's earlier reference to "Art. 71(8)" does not exist; the correct basis is Art. 49(4). |