European Commission urged to investigate Romanian GDPR implementation
Issue
The Romanian law implementing the General Data Protection Regulation (GDPR) allows national political parties to process personal data, including sensitive data, in a manner that disregards citizen rights. Law no. 190/2018 excludes the need to acquire consent for processing personal data, including sensitive data. This effectively gives political parties a “carte blanche” to process political opinions and personal data unrestrictedly, with no real safeguards in place.
Civil society organisations across the EU have long warned that the “flexibilities” in GDPR allowing for diverging national implementation measures will lead to differences in the level of protection applicable in Member States. In Romania, the derogations allowed by Law no. 190/2018 are seriously weakening the protections and safeguards the Regulation envisions. They allow the State to disregard basic data protection principles and breach EU law. Paradoxically, they even lower the level of data protection provided by the previous national law which implemented the Data Protection Directive 95/46/EC which preceded the GDPR.
Complaint
On 14 February 2019, the Association for Technology and Internet (ApTI) sent a complaint to the European Commission which outlined the following problems with Romania’s GDPR implementation law:
- Political parties and organisations are allowed to process personal data, including sensitive data, without consent and appropriate safeguards, thus disregarding data protection principles.
The derogations prescribed under Romanian law allow political parties, citizen organisations belonging to national minorities and not-for-profit organisations to process special categories of personal data without explicit consent or appropriate safeguards.
The only processing requirements are (1) to inform the data subject that personal data processing is taking place, and (2) to show the mechanisms through which the data subjects can exercise their rights to rectification and deletion (which is mandatory anyway according to GDPR Articles 13-14).
In creating this consent exception, Romanian law seems to rely on Recital 56 of the GDPR, which states that political parties can compile personal data on people’s political opinions for reasons of public interest if the Member State’s electoral system requires them to do so. However, this is an explanatory text, not a binding provision, and it does not intend to eliminate the need for political parties and organisations to have and show a legal basis to process personal data. Concerningly, Romanian law no. 190/2018 excludes the need to have consent without indicating which legal basis does apply.
- Processing of personal data for journalistic purposes is very limited and could block publishing of public interest stories.
There are three situations in the Romanian law under which data can be processed for journalistic purposes: (1) if the processing concerns personal data which was clearly made public by the data subject; (2) if the personal data is tightly connected to the data subject’s quality as a public person; (3) if the personal data is tightly connected to the public character of the acts in which the data subject is involved.
If any of these situations applies, the GDPR (save for the chapter on sanctions) is entirely excluded from application.
These derogation scenarios are extremely limited compared with those permitted by the European Court of Justice and the European Court of Human Rights. Concerns have already been raised, in relation to the investigative news outlet RISE Project, that the GDPR could be used as a tool to silence freedom of the press. The actions of the Romanian Data Protection Authority (DPA) in connection with a RISE Project publication, namely seeking disclosure of the source of personal data, which might reveal the journalists’ sources, and also “access” to that data, represent a clear threat to freedom of expression and information.
- Derogations for public authorities lead to a void in application of the GDPR in the public sector.
Under Romanian Law no. 190/2018, the DPA must issue tailor-made “remedy plans” for public authorities engaged in data protection violations. In cases of non-compliance with these plans, the DPA can issue fines of between 10 000 and 200 000 RON (approximately between 2 104 EUR and 42 091 EUR). This is an incredibly low upper fine limit in comparison with limits elsewhere in the EU.
The issuing of remedy plans creates a problematic situation: no matter how serious the data violation is, the public authority will take no responsibility but will simply wait for the DPA to present its remedy plan. There is no incentive for the public authority to take active remediation measures or to think independently about how it could practically implement the GDPR. Evidence of this can be seen in practice already. The low fines also encourage the public authorities to continue “business as usual” without paying more attention to the protection of individuals.
Action and Response
These issues raise serious concerns about Romania’s ability to properly implement and enforce GDPR. ApTI’s complaint offers an important opportunity for the European Commission to firmly intervene and make sure that fundamental rights are protected and the application of the GDPR is consistent across all Member States.
The issues outlined above have been raised by Member of the European Parliament Sophie in ’t Veld in a letter to the European Commission and in a Parliament hearing on the implementation of the GDPR. However, the European Data Protection Board (EDPB) and the European Commission have both failed to offer concrete action points in terms of redressing the incorrect application of the GDPR and the differences in implementation in different countries.
The problem with GDPR is particularly acute in Romania, but the issues are mirrored across the EU, as other Member States such as Spain and the UK have also used the derogation opportunities to implement GDPR in ways that do not adequately protect personal data.
GDPR is intended as a strong instrument to protect and guarantee rights; not just data protection and privacy but also freedom of expression and other political rights. However, its power is currently being diminished by poor national legislation and policy. We urge the European Commission, the EDPB and all national DPAs to take action to ensure that GDPR national implementing legislation fulfils its intended purpose.
By Valentina Pavel, Mozilla Fellow at Privacy International and Association for Technology and Internet (ApTI) member