Romanian cybersecurity law sent to the Constitutional Court

By EDRi · January 14, 2015

A new law on cybersecurity, previously reported in the EDRi-gram, was adopted by the Romanian Parliament at the end of 2014. The law gives the Romanian Intelligence Agency (SRI) access to any computer data owned by private companies, without a court order.

The proposal was tacitly adopted by the Chamber of Deputies on 17 September. Also, although the law was not under emergency procedure, once in Senate, it received a two-day deadline for comments from the Defense Commission. The Human Rights Commission of the Senate was not asked to give its advice. Then silence. After three months of inactivity on the text, the cybersecurity law was suddenly adopted unanimously by the Senate on 19 December 2014.

The law which grants the Romanian Intelligence Agency (SRI) – along with eight other public institutions, most of them secret services – the possibility of “accessing data” from any IT system owned, possessed, managed, operated or used by legal persons. The access can be granted with only a simple “motivated request” from these institutions in their own attributions and without any judicial supervision.

The legal text does not specify what the types of data could be accessed nor details of the protection measures against possible abuses. It also fails to ensure that authorities which can request access to data but that do not fall under the national security exemption are obliged to have personal data protection policies in place. Other concerns are related to the prominent role of the SRI in information security and to the vague obligations for all computer systems used by legal persons. .

Following a strong protest right before Christmas organised by human rights NGOs, including EDRi-member ApTI, a group of Members of Parliament from the Liberal Party sent the law to the Constitutional Court for analysis. The Court will make a decision on 21 January 2015. ApTI is working on submitting an amicus curiae to support the unconstitutionality claims.

The situation regarding surveillance practices in Romania seems to have recently become even blurrier. Even as the events in France were unfolding, a special inter-institutional group formed by several ministries and SRI had already met a couple of times to decide about a revival of the surveillance laws declared unconstitutional in 2014 – the data retention law and the mandatory registration of telephony pre-paid cards. The General Prosecutor declared that “these laws are just the right type of instruments for preventing terrorist attacks”. His belief is that no measure is disproportionate when speaking about the possibility to firmly react against terrorists. “The right to life is more important” than the right to privacy or the right to communicate.

One proposal after the other, Romanian authorities seem to repeatedly prove that they learn nothing from the past.

Romanian version of EU cybersecurity directive allows warrantless access to data (24.01.2014)

13 NGOs ask to stop the cybersecurity law (only in Romanian, 21.12.2014)

General Prosecutor on the Big Brother Law: Between the right to life and the secrecy of correspondance, we choose the first one (only in Romanian, 08.01.2015)

ApTI: A major attack against human rights is used by the Romanian authorities as a pretext for limiting human rights (08.01.2015)

EDRi-gram: Romania: No communication without registration (02.07.2014)

(Contribution by Valentina Pavel and Bogdan Manolea, EDRi-member Association for Technology and Internet ApTI, Romania)