ApTI submits complaint on Romanian GDPR implementation
In November 2018, the RISE Project case showed that the Romanian Data Protection Authority (ANSPDCP or Romanian DPA) was unprepared to respond to cases that involve both the right to freedom of expression and the right to privacy. RISE Project’s investigative journalism story #TeleormanLeaks was an important signal that the General Data Protection Regulation (GDPR) must not be used to limit freedom of expression and stop public interest stories from being published in the media. In other words, the GDPR should not be a lever to silence the free press and to require the disclosure of journalistic sources.
On 14 February 2019, Romanian EDRi member ApTI sent a formal complaint to the European Commission on the problematic derogations in the Romanian implementation law of the GDPR. It is important for the European Commission to act promptly and to ensure a consistent level of protection for all European citizens.
The key points the complaint raises are:
1. Political parties and organisations have a blank cheque to process personal and sensitive data
Cambridge Analytica showed us how political opinions can be influenced by microtargeting, and how democratic procedures can be manipulated. The Romanian implementation law of the GDPR allows political parties in Romania to process personal data, including sensitive data, by simply informing the individual, thereby disregarding basic European data protection principles (Article 9 of Law no. 190/2018). In practical terms, this legitimises activities such as those of Cambridge Analytica, which pose major risks not only for individual protection, but also for ensuring free democratic processes.
2. Processing personal data for journalistic purposes is limited and poses threats to freedom of expression
Romania adopted three limited scenarios in which personal data can be processed for journalistic purposes (Article 7 of Law no. 190/2018):
- if it concerns personal data which was clearly made public by the data subject;
- if the personal data is tightly connected to the data subject’s quality as a public person;
- if the personal data is tightly connected to the public character of the acts in which the data subject is involved.
To restrict derogations for journalistic purposes only to the three listed options falls short of the protections required for safeguarding freedom of expression, in particular journalistic freedom and human rights jurisprudence in this regard. By limiting the scenarios to these ones only, many other legitimate uses can be hindered and may lead to data protection complaints which would be, in fact, a tool for censorship. That is not the spirit of the GDPR and it should not be reflected in the Romanian implementation law. If not reformed, this interpretation of the GDPR will create imbalances regarding how freedom of speech is implemented in connection with the data protection laws at European level, and could lead to a race to the bottom where data protection could be used as an excuse to limit press freedom.
3. Lack of practical implementation in the public sector
In case of a data protection violation by a public authority, the national DPA has to issue a remedy plan on how the public authority should address the harm. The remedy plan will also have an implementation deadline. Only ten days after this deadline has passed can the DPA issue a fine. The Romanian implementation of the GDPR has substantially reduced the fines for the public sector, to between 10 000 and 200 000 RON (approximately between 2173 EUR and 43 478 EUR; Articles 13 and 14 of Law no. 190/2018).
Although Member States are allowed by Article 83 (7) of the GDPR to introduce special rules for public bodies, such a provision cannot be considered an appropriate safeguard for individual protection. Public authorities will lack motivation to implement the Regulation and will passively wait for tailor-made remedies. This will add an extra burden on the Romanian DPA, which is already under-staffed and under-resourced.
As a result of this provision, no matter how serious the data protection violation by public authorities is, any adequate and proportionate sanctions will be postponed until after a tailor-made remedy plan has been presented by the Romanian DPA. Additionally, this way of handling data protection violations in the public sector can lead to the DPA being reluctant to restart investigations in the same public institution, since the first action that the DPA needs to take is to issue a remedy plan.
Context triggering the complaint: Journalism and the GDPR
In 2018, the Romanian DPA’s request to RISE Project, an investigative journalism outlet, to reveal “journalistic sources” and “access” to data sparked a wave of reactions. The European Commission, the European Data Protection Board (EDPB) and civil society recalled that the right to privacy is not an absolute right and that it needs to be reconciled with other fundamental human rights. The GDPR makes it clear that the right to protection of personal data must be considered in relation to its function in society and be reconciled with other fundamental rights, such as the right to freedom of expression and information. Article 85 of the GDPR obliges EU Member States to provide derogations and exemptions to reconcile the right to the protection of personal data with the right to freedom of expression, including for journalistic purposes. Moreover, in a democratic society it is important that notions related to freedom of expression, such as journalism, are interpreted broadly.
However, the provisions for processing personal data for journalistic purposes in the Romanian implementation of the GDPR are only part of the problem. As a whole, the derogations introduced by national Law 190/2018 raise serious problems about respecting data protection principles, ensuring individual protection, and guaranteeing democratic processes.
All of these issues raise serious concerns around Romania’s ability to ensure the independence and impartiality of its DPA. Moreover, the way the authority acted in the RISE Project case is highly questionable, and reveals systemic issues, posing questions of a potentially politically ordered intervention. Additionally, the lack of transparency in reappointing the President of the DPA for another mandate, behind closed doors and without the members of the Parliamentary Committee knowing the candidatures in advance, adds more concern regarding the independence of the DPA.
ApTI’s complaint urges the European Commission to launch a full investigation into the Romanian implementation of the GDPR and its practical application and to ensure a correct and consistent implementation.
TeleormanLeaks: Privacy vs freedom of expression (21.11.2018) https://edri.org/teleormanleaks-privacy-vs-freedom-of-expression/
Freedom of speech must be understood correctly within the framework of personal data protection (13.11.2018)
TeleormanLeaks: C O N Ț I N U T U L by Rise Project (only in Romanian, 05.11.2018)
The full text of the complaint to the European Commission on the Romanian implementation of the GDPR is available in English (14.02.2019)
OCCRP English Translation of the Letter from the Romanian Data Protection Authority to RISE Project (9.11.2018)
European Commission Midday Press briefing on data protection and Romania (12.11.2018)
European Data Protection Board reply to Civil Society Organizations letter from 19 November 2018 on Misuse of GDPR threatens media freedom in Romania (23.01.2019)
Civil Society Organisations letter on Misuse of GDPR threatens media freedom in Romania (19.11.2018)
(Contribution by Valentina Pavel, Mozilla Fellow and EDRi member ApTI, Romania)