Romania: No communication without registration

By EDRi · July 2, 2014

Two bills initiated during the past month by the Romanian Government, with the direct and open support from the Romanian Secret Service (SRI), are attempting to kill any kind of electronic communication without prior identification and to expand dramatically the legal access to computer systems.

The first bill aims to make the registration of all prepaid mobile phone SIM cards mandatory. This is the fourth such attempt, using almost the same text, after the previous three attempts were rejected by the Parliament. However, this time the plan was better crafted in terms of political support: the new “urgent need” was directly pushed after the events in Ukraine last months by the Superior Council of Defence, a body that actually doesn’t have the power to suggest new laws, using a very vague notion of “preventing terrorist attacks”.

The new bill also includes the mandatory identification of all users of free WiFi networks. The text was formally adopted by the government and then pushed through the Senate in record time of five working days. After that, because it has been considered as extreme urgency, the Chamber of Deputies needed to debate and pass the law in just two days.

A quick reaction from several human rights NGOs, including EDRi-member ApTI, managed to get the IT&C Committee in the Chamber to call for a hearing on 11 June 2014. The Romanian Data Protection Authority was not invited, the text lacked any kind of basic assessment of human rights impact (actually the explanatory text says there is no impact on human rights) or event private business impact (even though it required mandatory registration of all current prepaid cards in just 6 months – there are 13 million active prepaid SIM cards in circulation and another 3 million inactive ones, a total of 16 million prepaid SIM cards).

Despite the general positive tone of the meeting on 11 June 2014, with questions from the MPs on the necessity and impact on privacy, and the public announcement that a second meeting will follow, the IT&C Committee adopted a much worse text in a meeting on 25 June with the Legal Committee, who did not discuss the text with anyone prior to its adoption. According to our sources, there was pressure by the Secretariat of the Chamber of Deputies to have the text adopted as soon as possible. On 2 July, the bill was adopted during the last extra-ordinary session of the Chamber of Deputies. At this point, the only chance for this bill not to come into force is for an exception of non-constitutionality to be raised to the Constitutional Court and for the Constitutional Court to strike it down.

The second bill that concerns cyber-security is in a much earlier stage from a legislative process perspective. It aims to give SRI the status of national competent authority in the field of “information security”, including specific rights to inspect and assess the information security standards to a not-defined-yet list of companies that own critical infrastructure. The invasiveness of the new provisions in all computer systems culminates with:

  • obligations for all private and public companies (irrespective of their size and importance) to have information security policies and organisational measures in place to protect their computers;
  •  the right for SRI and other nine public institutions to have access to the computer data held by those companies, at a simple “motivated request” from these institutions in their own attributions.

The cyber-security bill that is also being rushed , is contrary to all principles of the draft Network Information Service (NIS) directive. Nevertheless, the SRI representatives publicly stated that there are 18 victims of Internet fraud per second in the world, so they inferred that it should not take more than two weeks to debate this law. They also said the Internet is like the public roads, so computers need to be like cars in order to be allowed to access the Internet – to be registered and verified that they are technically fit. It seems that logical arguments are not the best tools to use in the Romanian public debate.

This law on the cyber-security was not yet voted by the committees of the Chamber of Deputies, so at least in theory the debated should be restarted in September 2014. But who knows if that will happen in practice…

Chamber of Deputies: File of the draft law on prepaid cards (only in Romanian)

“Let’s not talk about it”: how the mass surveillance debate was silenced in Romania (27.05.2014)

SRI wants “road rules” for the Internet (only in Romanian, 25.06.2014)

Updates on the prepaid cards and cybersecurity draft laws (only in Romanian, 30.06.2014)

(Contribution by Bogdan Manolea, EDRi-member ApTI, Romania)