New data protection authority in Romania

By EDRi · May 24, 2005

Romania has adopted a new law to establish a data protection authority. In the last EU accession progress report, Romania was severely criticised for failing to enforce privacy rules: “However, progress in implementing personal data protection rules has only been limited. There are grounds for concern regarding the enforcement of these rules: enforcement activities are far below levels in current Member States and additional posts have not been filled during the reporting period.”

The new law was initiated by the Ministry of European Integration in October 2004 and submitted to a formal public consultation. The draft was sent to the Parliament in December 2004. The law was quickly adopted by both chambers of the Parliament (Senate and Chamber of Deputies) with minor changes.

Law 102/2005 was finally published in the Official Monitor on 9 May 2005 and will enter into force 30 days after the publication date. The new data protection authority will be created in 45 days after the entry into force.

The new law replaces the current privacy office, which resides within the Office of the Public Prosecutor, with the ‘National Authority for the Control and Supervision of Personal Character Data Processing’ (ANSPDCP). The new Data Protection Authority should have at its disposal all necessary resources in order to ensure an efficient and correct promotion and implementation of the data protection law.

The DPA will have a President with the rank of Secretary of State and a Vice-President with the rank of Sub-Secretary of State, both appointed by the Romanian Senate (the Romanian upper chamber of parliament) for a 5-year term. The Permanent Bureau of the Senate will appoint the candidates for the 2 positions, after consulting proposals from parliamentary groups from the 2 parliamentary chambers. The candidates need to have a legal background and at least 10 years of experience. The law also demands more subjective qualifications, such as ‘good reputation’ and ‘enjoys high civic integrity’. No minimum expertise in personal data protection or human rights is required, and candidates are not obliged to present a public activity plan before their appointment.

The law gives the new authority no consultative role on draft laws that are debated in public or in parliament, nor does it make the authority's opinion on them obligatory. The only possibility for the new DPA to make recommendations on draft acts is in the yearly report it needs to present to the Senate.

The new authority will have a maximum of 50 employees but cannot have more than 37 employees in 2005. It remains to be seen how effective the new DPA will be, since the current 20 employees of the privacy office will just be shifted to this new institution and their tasks will be exactly the same as before. In fact, the main problem was not that the institution was not independent enough, but that they didn’t care about it.

2004 Regular Report on Romania’s progress towards accession (Page 61)
http://europa.eu.int/comm/enlargement/report_2004/pdf/rr_ro_2004_en.pdf

Law 102/2005 (In Romanian only)
http://www.legi-internet.ro/autoritate_date_pers.htm

Research paper by Bogdan Manolea on the Institutional Framework for data protection in Romania (In English, 08.04.2005)
http://www.apti.ro/DataProtection_ro.pdf

(Contribution by Bogdan Manolea, legal advisor, Romania)