New Romanian cybersecurity law in force despite heavy criticism

The Constitutional Court of Romania declared the new cybersecurity law constitutional despite criticism from civil society about the repercussions for investigative journalists,security companies, and for regular citizens.

By ApTI (guest author) · May 3, 2023

A new cybersecurity law, heavily criticised by the Romanian civil society, was nonetheless declared constitutional by the Constitutional Court in Romania.

The contents of the new cybersecurity law were first made public in a leak published by a Romanian press outlet called G4Media in May 2022. The leak contained ten laws that increased the powers of the Romanian security services. The cybersecurity law was one of them, and it was the first one to go through the Romanian Parliament in December 2022 in an ultra-fast process that only took ten days.

Problematic provisions

The cybersecurity law introduces several provisions that EDRi-member ApTI heavily criticised, along with other organisations in the civic society:

  • It mandates that any service that is of “public interest” or “publicly available” – including those operated by natural persons – must implement a series of cybersecurity provisions. Thisincludes reporting all security breaches within 48 hours to a central portal accessible to 11 public bodies, including all intelligence services. If the owner fails to do so, they risk hefty fines – from 1% of their turnover, even on the first legal breach. This category now includes any one-person-media and a law office;
  • It mandates that anyone offering “cybersecurity services” to report on the cybersecurity vulnerabilities, threats or risks of their clients if one of 11 Romanian authorities, including intelligence services, asks them to with a simple letter. There is no need for a judicial warrant, but the service provider may not share personal data or information on the content of communications;
  • It also adds to the list of threats to national security the concepts of “cyberattacks to national infrastructure” and “disinformation and propaganda campaigns that might affect the constitutional order”, so intelligence services now can look at whatever they think falls in that category. No definition is offered for these terms.

ApTI took part in a public debate centred on the cybersecurity law, as well as public exchanges with the Ministry of Research, Innovation and Digitalization, that proposed it. The arguments put forth by the Ministry culminated in them calling any security vulnerability “an illicit act”.

Constitutional court disappoints

After the vote in the Romanian Parliament, a coalition of civil society organisationssent an open letter to the Romanian Ombudsman, asking them to notify the Constitutional Court about civil society’s concerns. In the end, both the Ombudsman, as well as a coalition of two opposition political parties notified the court. Their arguments echoed ApTI’s concerns.

On 28 February 2023, the Constitutional Court , nonetheless, declared the cybersecurity draft law to be constitutional, with only a minority of two judges confirming the remarks by civil society The decision from the majority includes some bizarre statements including  “cybersecurity is part of national security and national defence” and therefore all its analysis must be based on this assumption, taking into consideration that the European Court of Human Rights mentions “national security” in art.8 (2),art.10 and art.11 as the first legitimate purpose to restrict rights and liberties.

The president of Romania promulgated it into law – so as of 14 march 2023, the cybersecurity law is now is in force as law 58 .

What will this law mean for citizens?

ApTI worries about what this law will mean for investigative journalists, for Romanian security companies, and for regular citizens.

Security flaws and vulnerabilities are not a matter of if’, but a matter of when. There is no completely secure system, and professionals know that security is achieved by layering multiple forms of defence and of monitoring. When the Government states that vulnerabilities are “illicit acts”, the unspoken message is that these vulnerabilities will be used against citizens.

The mandate that cybersecurity companies and freelancersreport the vulnerabilities of their clients risks rendering the cybersecurity industry of Romania completely noncompetitive. Which company would ask for a security audit from a Romanian company, knowing that there is a risk that the secret service (or anyone of the rest of 10 public bodies) might ask for a copy of the audit report?

Finally, terms such as “disinformation” and “propaganda” campaigns are vague, and increase the powers of the intelligence services to surveil citizens. As the judicial branch approves 99% of the wiretapping requests from intelligence services, this would mean that,de facto, there is no limitation of their power.

Contribution by: EDRi member, ApTI