Romania uses the EECC Directive implementation to extend communication surveillance

A new proposal to extend communication surveillance and to intercept encrypted communications was hidden by the Romanian Government in the national implementation of the European Electronic Communications Code (EECC Directive) and was passed without any discussion in the Romanian Chamber of Deputies on 7 December 2021.

By ApTI (guest author) · December 15, 2021

A new proposal to extend communication surveillance and to intercept encrypted communications was hidden by the Romanian Government in the national implementation of the European Electronic Communications Code (EECC Directive) and was passed without any discussion in the Romanian Chamber of Deputies on 7 December 2021.

The proposal to implement the EECC Directive was started almost one year ago when the draft law prepared by the Ministry of Transport and Communication was submitted for public consultation. Neither the first draft nor the discussion in the public debate, organised by the Ministry, or the second draft of the law published by the same Ministry in March 2021, discussed intercepting communications. 

Moving forward fast, on 2 October, just 3 days before the Government was dismissed by the Parliament, the project was adopted by the Government and the text was sent to the Parliament. From then onward, the project approval proceeded quickly – as the EECC Directive deadline was past due – so, the Chamber of Deputies adopted it with minimal changes.

Only then – and totally by chance – we discovered that in the 300-page long text, there is a hidden new article and a couple of definitions that were never presented or debated publicly, and that expand – in a bizarre way – the strict rules of communication interceptions already regulated in the Criminal Procedural Code (CPC).

Claiming that the objective was to “adapt the law to new technological realities”, the added text creates two new categories of providers that will be subject to notification to the Telecom authority (ANCOM):

  • providers of hosting “services in Romania”
  • “providers of interpersonal communications services, not based on numbering” with such a large and weird definition that would include key actors such as WhatsApp, Skype, Telegram and Signal, but also Chaturbate or in fact any chat system on a webpage.

For these new category providers, as well as for the rest of the general electronic communication networks and service providers, the newly added text obliges them to “support” not only the law enforcement authorities but also the “intelligence authorities” (I.e – a vague concept that has already been declared unclear and unconstitutional in the previous national data retention ruling from the Constitutional Court). 

The text also referrers not only to the CPC, but also to another vague text in the 1991 law on national security and then adds a list of obligations (some of them never included in the CPC), including:

  • allowing legal interceptions of communications, including supporting related costs;
  • allowing access to the content of encrypted communications transited in their own networks; 
  • proving traffic data information, as well as subscriber data and payment methods;
  • for hosting providers, allowing access to any hosted data – for copying it or extracting any information. 

Oddly enough, this is the first time that in a law or draft law the concept of “encrypted communications” appears, and an official from the Ministry of Justice claimed they were never consulted on this text. 

After the media reported on the text, the former Ministry of Digitisation acknowledged that they introduced the text because “in cases of threats to national security”, these new “alternative operators” need to be covered by the new legislation. Thus they needed to cover the “vacuum created due to advance of communications technology”.

The text is now in front of the Senate, which is the decisive chamber of the Parliament for this draft law. Several Committees in the Senate need to report on it by the end of the year, but the vote should take place at the latest in February 2022, when the Senate reconvenes after the winter break.

Unfortunately, only one party said that they will vote against it, the others have ignored the subject or claimed that this is needed for national security.

So this is how Romania wants to regulate the communication interceptions regime and “access to encrypted communication” in 2021-2022: vague texts with no public debate and including them in silence in another law that has nothing to do with it. 

The article is available in Romanian.

(Contribution by: Bogdan Manolea, Executive Director, EDRi member, ApTI)