In January last year, the Romanian Constitutional Court declared the cybersecurity law unconstitutional in its entirety. Details of the content of the law and the (lack of) transparency of the decision-making process have been previously covered on the EDRi website (for reference see here and here).
This year, a new cybersecurity law proposal has been published. The paradox is that the text of the law brings few changes. The same vague definitions are kept, the subjects of the law could be basically all legal persons in Romania, and the same security institutions have been given various responsibilities in the cybersecurity field. Still, we notice one improvement: access to data can be obtained only with a court order (in the previous version of the law, access to the data could be granted at a simple reasoned request to nine different military-type authorities, all of which had responsibilities related to cybersecurity). However, introducing the mandatory court order is only one small step and it does not make the law much less restrictive of fundamental rights.
Although the explanatory document accompanying the law mentions the fact that the law is meant to protect personal data in the digital field, neither the Law on data protection, nor the Romanian Data Protection Authority are even mentioned. Thus, there are only generic mandatory security breach notifications, irrespective of whether personal data have been affected as part of the breach.
What’s more, the explanatory document does not contain any reference to the Network and Information Security (NIS) directive, which has recently been agreed by the European institutions and is only a few steps away from formal adoption. Therefore, the new cybersecurity proposal not only disregards the previous Constitutional Court decision, but it also does not appear to take the text of the directive into consideration. How is it possible for a member state to adopt a law that will automatically have to be changed again after a maximum of 21 months (given the period for implementation member states have to comply with after the NIS directive is formally adopted) if it is not in line with the European text?
The draft law was published on the Ministry for Communication and for Information Society website on 27 January 2016, but announced one day later. Although it is not specifically mentioned, presumably the period for public comments is the ministry’s very short standard consultation period of 10 days. The proposal also lacks a financial assessment and an impact study.
A day after its publication, on 28 January, the proposal attracted sufficient media coverage and civil society reacted promptly by sending requests for a public debate and asking the ministry to extend the period for receiving public comments to 30 days, as it is bound to do by the requirements of the transparency law. The letter was also sent to the newly formed Ministry for Public Consultation and Social Dialogue, in the hope that direct measures will be taken in this case to ensure that all the transparency obligations are met.
This is how we spent part of Data Protection Day. We hope yours was better!
Romanian Constitutional Court Decision nr. 17/2015 on cybersecurity law (21.01.2015)
Romanian Cybersecurity Law Sent to the Constitutional Court (29.01.2015)
Icing on the Cake: Romanian Cybersecurity Law Unconstitutional (29.01.2015)
Cybersecurity law proposal 2016 (draft text in Romanian)
Cybersecurity law proposal 2016 (explanatory memorandum in Romanian)
The new cybersecurity law and why it is no different than the other (in Romanian, 29.01.2016)
Letter asking for public debate (in Romanian)
The second version of the Romanian cybersecurity law or how we celebrated International Data Protection Day (in Romanian, 28.01.2015)
(Contribution by Valentina Pavel, ApTi)