Icing on the cake: Romanian cybersecurity law unconstitutional

By EDRi · January 28, 2015

A cake: The Romanian cybersecurity law was declared unconstitutional on 21 January 2015. As previously reported in the EDRi-gram, EDRi member ApTI, together with 14 other NGOs filed an amicus curiae brief which provided the arguments against the constitutionality of this law.

Icing on the cake- The Constitutional Court’s reasoning states that the cybersecurity law is entirely unconstitutional. The Court notes even more grounds of unconstitutionality than were brought to its attention.

The Court clearly specified that any access to computer data can be made only with a court order. Among the most significant aspects of the ruling is the fact that the Court stated that it is unconstitutional for the Romanian Intelligence Agency (SRI) to be the designated as the authority in charge of cybersecurity (paragraph 44-48). This statement is in line with the proposal for a directive concerning measures to ensure a high common level of network and information security (NIS Directive) which was voted by the European Parliament in March 2014 and to which the Court’s decision repeatedly referred.

Moreover, the decision states that authorities such as the SRI, the Ministry of National Defence, the Ministry of Internal Affairs, the National Registry for State Intelligence Information, the External Intelligence Service, the Special Telecommunications Service (STS) andthe Security and Protection Service (SPP), should not be excluded from security audits and security notifications (paragraphs 71-73).

A cherry on the icing: Additionally, when it comes to establishing what the security notifications should look like, the Court ruling says that it should be taken into consideration if the notification (or other documents accompanying it) contains personal data such as an IP address (paragraph 75). That is to say the Romanian Constitutional Court recognises that an IP address needs to be considered personal data.

Following the Constitutional Court’s decision, the Head of SRI reacted with a cascade of questionable declarations. Among other things, he attacked the Constitutional Court for its verdicts regarding its surveillance laws, and declared that everyone opposing these laws will be responsible for the next terrorist attack.

A second cherry on the icing: Although there have been speculations that the President Klaus Iohannis has asked the Head of SRI George Maior to resign, took the decision to resign from his position on 27 January 2015.

Nevertheless, it’s not yet the time to celebrate the victory. The Executive President of the Social Democrat Party, Liviu Dragnea, warns us not to be “autistic” about the cybersecurity issue. He is not willing to give up the idea of adopting a cybersecurity law, and wants to immediately find a solution to do that. Moreover, the Minister of Justice, Robert Cazanciuc, declared that very soon (i.e. during the coming months) new proposals will be put on the table.

So apparently, we will soon have new drafts for data retention law, cybersecurity law and mandatory registration of pre-paid SIM cards. Presumably prepared in secret.

EDRi-gram: Romanian Cybersecurity law sent to the Constitutional Court (14.01.2015)

Romanian Constitutional Court press release on the unconstitutionality of the cybersecurity claims (only in Romanian, 21.01.2015)

Intervention to the Romanian Constitutional Court (CCR) in support of the unconstitutionality claims of the cybersecurity law (only in Romanian, 19.01.2015)

Romanian Constitutional Court Decision no. 17 from 21 January 2015 on the unconstitutionality claims of the cybersecurity law (only in Romanian, 27.01.2015)

George Maior resigned as Head of SRI (only in Romanian, 27.01.2015)

Dragnea, about the cybersecurity laws, I don’t want to give up the idea – let’s not be autistic about this (only in Romanian, 22.01.2015)

Law on cybersecurity declared unconstitutional. ALL OF IT (only in Romanian, 21.01.2015)

(Contribution by Valentina Pavel, EDRi member ApTI, Romania)