GDPR misuse in Romania: “independence of DPA” and “transparency” – keywords or buzzwords?

Holiday Special, 17 December 2018 Issue

At the beginning of November 2018, the first GDPR-related privacy and freedom of expression case arose in Romania in connection to the publication by the RISE Project of several articles about a corruption investigation. The articles confirmed a close relationship between a road construction company that is currently under investigation for fraud, European funds, and a high-profile politician.

Shortly after the first article was published, the Romanian data protection authority (“ANSPDCP”), or DPA sent a series of questions to the RISE Project, including one asking about “the sources from where the personal data was obtained”. The DPA mentioned a possible penalty of up to €20 million if the journalists didn’t comply with its request, including a possible fine for “access to the data” under Article 83 (5) e) of the GDPR. This action provoked a strong response and raised concerns among multiple organisations, such as the Organized Crime and Corruption Reporting Project (OCCRP), the European Commission, and, nationally, among dozens of journalists and media outlets, as well as multiple civil society organisations.

Privacy International, European Digital Rights (EDRi), and the Association for Technology and Internet (ApTI), together with 15 other digital rights NGOs, sent a letter to the European Data Protection Board (EDPB), ANSPDCP, and the European Commission, asserting that the GDPR ought not to be misused to threaten media freedom in Romania. In response, ANSPDCP followed up by asking the EDPB to mandate that one of the sub-committee working groups issue a formal opinion regarding the reconciliation of rights in view of Article 85 of the GDPR. A discussion on this letter and the proposed mandate was on the plenary agenda of the EDPB in December; however, we are still awaiting a formal response.

Additionally, the Romanian DPA published two follow-up statements after sending the original letter to the RISE Project (available in English here and here) to clarify its actions. In both statements, ANSPDCP insists that it acts independently, without any political interference, and that the DPA can reconcile the rights in question because it “has consistently expressed and acted since its set up, in 2005, in order to ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.

However, there remain concerns with regard to the Romanian DPA’s independence, primarily due to the lack of transparency for the selection process for the president of ANSPDCP. Although the president’s mandate ended almost five months ago, just after the RISE Project scandal erupted, the DPA launched a new and completely non-transparent procedure to elect a president. Then, just a couple of weeks after the #TeleormanLeaks scandal broke, a fresh term in office for the former president was confirmed.

There was no call for proposals, only one candidate from the ruling party (the same political party involved in the corruption investigation), and a closed doors hearing that took place on November 20.

The hearing was spontaneously announced only two days in advance, on a non-working day (Sunday evening), and it took place without providing information about the proposed candidate to the members of the competent Committee of the Romanian Senate, one member of the committee claims. The whole procedure seemed a formality, which was then finalised by the Senate six days later, with no questions for the candidate. The Senate’s decision has been sent to the Constitutional Court by the opposition party.

Given this development, it is clear that we must ensure that “independence” and “transparency” are not mere words in the GDPR but have real meaning in practice.

Provided by: Valentina Pavel, legal adviser and Mozilla Fellow working with Privacy International as host organisation, as well as ApTI member.