Romania: The aftermath of the second CCR data retention ruling

By EDRi · October 8, 2014

As previously reported in the EDRi-gram, the Romanian Constitutional Court (CCR) ruled in its decision no. 440 on 8 July 2014 that the second Romanian data retention law (no. 82/2012) was not constitutional. The full reasoning for this was published in the Official Journal on 4 September 2014 in Romanian. EDRi-member ApTI is working on the translation of the text, and an English version will follow soon.

The first data retention law (298/2008) was declared unconstitutional by the CCR decision 1258/2009. The case of the second data retention law was put on the agenda of the CCR after two judges from two different lower courts (from the towns of Targoviste and Constanta) questioned ex officio whether the second Romanian data retention law 82/2012 was unconstitutional. The second data retention law could not be challenged directly in front of the CCR because of a political decision that the measure was a major obligation from the EU.

The reasoning of the decision declaring the second data retention law unconstitutional is based on the previous decision of the CCR, but also follows closely the ECJ decision from 8 April 2014 that nullified the Data retention Directive. It also quotes the similar decisions from Constitutional Courts of Germany, Czech Republic and Bulgaria.

There are at least three novelties compared to the 2009 data retention decision of the CCR that need to be mentioned:

Firstly the new CCR decision states clearly that access to the retained data by the secret services must be made only with a judicial approval. The judicial approval is seen as a guarantee of an efficient protection of retained data against any risk of abuse. The lack of this judicial approval (see paragraph 63-67 of the decision) is a breach of the right to privacy, as enshrined in the Romanian Constitution. This has been one of the key issues in the debate in the past, at least from a civil society standpoint – and, until now, the secret services had unlimited access to all retained data, without any real restrictions.

Secondly, CCR follows closely the ECJ decision on proportionality issues and rules that the first step – retaining and storing the data – is not, of itself, a breach of the right to privacy, as the Romanian Constitution does not forbid “the preventive storing, without a specific justification, of traffic and location data”. However the access to such data and its usage must be proportionate and this is where the Romanian law fails to meet its purpose (see paragraph 58-61 of the decision).

Thirdly, the CCR decision does not oblige the telecom companies and Internet Service Providers (ISP) to delete the retained data, but they have an obligation not to collect it any more. The ruling only limits the access of judicial authorities and secret services until a new law that meets the necessary safeguards is in place. However, the ruling goes even further by prohibiting the access of judicial authorities and secret services to data retained even for billing and interconnection. (see paragraph 78-80 of the decision). The CCR declared as constitutional the text of the Penal Procedural Code (art 152), which mandates a judicial approval for access to retained data, but just considered it “inapplicable” until a new data retention law will be in place.

The last point was actually an open invitation to adopt a new data retention law, but – as already reported in the EDRi-gram – it triggered a lot of critical comments from secret services and the prosecutors’ office, who said they are now in a “legal vacuum”.

Up until this point the authorities haven’t publicly announced any details regarding a new data retention law, but it is widely suspected that they are working on drafting it behind closed doors. A new data retention law will most probably be back on the agenda very soon. Whether lessons will be learned, both regarding the need for meaningful safeguards and the need for a public debate will be seen.

Full CCR decision 440/2014 (only in Romanian, 04.09.2014)

EDRi-gram: Romanian Parliament adopts the data retention law. Again. (23.05.2012)

EDRi-gram: Romania: Mandatory prepaid SIM registration ruled unconstitutional (24.09.2014)

EDRi-gram: Romanian NGOs demand stopping data retention in Europe (26.01.2011)

(Contribution by Bogdan Manolea, EDRi-member ApTI, Romania)