The first big General Data Protection Regulation (GDPR) privacy case broke out in Romania at the beginning of November 2018 in connection with an article about a corruption scandal involving a politician and his relationship with a company investigated for fraud.
The Romanian Data Protection Authority (ANSPDCP) sent a series of questions to the journalists who published information about the scandal, asking for their “sources” and mentioning a possible penalty − the biggest one since the entry into force of the GDPR in May 2018: up to 20,000,000 euro. ANSPDCP claims that it acts independently, without any political interference, and that its entire raison d’etre ever since its establishment in 2005 is to “ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.
#TeleormanLeaks is the name of the press story uncovering the link between Tel Drum, a road construction company based in Teleorman county in Romania, (currently under investigation for fraud with European funds, based on a complaint sent by the European Anti-Fraud Office – OLAF), and Liviu Dragnea, the president of the Social Democratic Party and president of the Chamber of Deputies. The first part of the investigation was published on 5 November 2018 by RISE Project, a Romanian investigative journalism outlet. A Facebook post was also published to promote the investigation, as a teaser.
On 8 November, ANSPDCP sent a notice to RISE Project to ask eight questions on the personal data included in the material posted on Facebook, including “the sources from where the personal data was obtained”. This sparked international outrage, the Organized Crime and Corruption Reporting Project (OCCRP), the European Commission, and dozens of journalists and media outlets reacted strongly.
One day before the authority’s letter, Romanian media reported that one of the key people involved in this scandal, currently the commercial director of Tel Drum and former head of the financial department in the same company, filed a “right to be forgotten” claim to ANSPDCP. It is important to note that apparently the ANSPDCP’s notice to RISE Project was not based on this complaint filed by this employee, but as the authority’s clarifications underline, they issued their letter based on a notice from a third party not directly affected by the case.
ANSPDCP considered that it was entitled to invoke Articles 57 (1) (f) and 58 (1) of the GDPR and ask for information about the source of the information published in the Facebook post. However, in both “clarifications” published on its website, the authority fails to explain why it considers that the situation does not fall under the derogations of Article 7 of law 190/2018 (that implemented Article 85 of GDPR), nor does it share its analysis for reconciling the fundamental rights in question.
In law no. 190/2018 implementing the GDPR, Romania opted to limit the exceptions of Article 85 to the following alternative scenarios in which data processing activities can be performed for journalistic purposes (Article 7):
- if it concerns personal data which was clearly made public by the data subject;
- if the personal data is tightly connected to the data subject’s quality as a public person;
- or if the personal data is tightly connected to the public character of the acts in which the data subject is involved.
This national implementation of the GDPR is questionable because it allows derogations from GDPR only on data processing for journalistic purposes only in one of these three alternative scenarios, which are extremely limited. Personal data processing for journalistic activities is usually much wider than this. To restrict derogations for journalistic purposes only to the three listed options falls short of the protections required to protect freedom of expression, failing to respect, in particular, journalistic freedom and human rights jurisprudence in this regard. Such an approach also will not lead to a uniform application of the GDPR at European level.
From the correspondence to RISE Project, it can be assumed that ANSPDCP interpreted that it was not covered by Article 7 of law 190/2018 and that it considered that:
- either the Facebook post was not written for journalistic purposes;
- or that this situation is not covered by one of the narrow exceptions in Article 7.
Speculating more broadly, perhaps ANSPDCP never intended to look into the journalistic activity, but they were rather interested in whether there had been an underlying abuse of personal data, and sought to find out who did not adequately protect the personal data that is now in the hands of the journalist.
That the data protection authority sought not to apply the exception in Article 7, is in itself questionable. However, even if they had applied Article 7, the deficiencies in this exception outlined above mean that it is not guaranteed that there would have been adequate protection for freedom of expression and journalistic sources.
ApTI together with Privacy International, EDRi, and 15 other digital rights NGOs sent a letter to the European Data Protection Board, with ANSPDCP and the European Commission in copy, asking for the GDPR not to be misused in order to threaten media freedom in Romania.
At national level, ApTI together with other 11 local human rights and media organisations sent an open letter calling on ANSPDCP to carefully analyse GDPR cases that might endanger freedom of expression and demanding for an urgent and transparent mechanism to be put in place when assessing claims involving data processing operations for journalistic purposes.
This case demonstrates that it is essential that data protection authorities work to reconcile fundamental rights. Data protection law should be used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporting.
#TeleormanLeaks explained: privacy, freedom of expression, and public interest (21.11.2018)
Data protection law is not a tool to undermine freedom of the media (21.11.2018)
Legislative and Jurisprudential Guidelines for Internet Freedom – Best practices study
Asociația pentru Tehnologie și Internet (ApTI)
(Contribution by Valentina Pavel, Mozilla Fellow and EDRi member ApTI, Romania)