The European Union’s new privacy law, the General Data Protection Regulation (GDPR) is being tested across Europe. The first GDPR privacy case in Romania began with an investigation that was published on November 5 about a corruption scandal involving a politician and his close relationships to a company being investigated for fraud.
Open letter calls for data protection and freedom of expression to be carefully balanced
The Romanian data protection authority (ANSPDCP) sent a series of questions to the journalists who authored the article and asked for information which could reveal the article’s sources. The data protection authority also mentioned a penalty of up to 20 million euros if the journalists did not comply. The data protection authority insists it acts independently, without any political interference, and that its raison d’etre is to “ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.
The Association for Technology and Internet (ApTI) together with 11 other human rights and media organisations sent an open letter to ANSPDCP. ApTI is a digital rights NGO and a member of the European Digital Rights (EDRi), which supports and promotes a free and open internet where human rights are guaranteed and protected. The letter calls for ANSPDCP to carefully analyse GDPR cases that might endanger freedom of expression and demands an urgent and transparent mechanism to be put in place for assessing claims involving data processing operations for journalistic purposes.
At the same time, ApTI together with Privacy International, EDRi, and 15 other digital rights NGOs sent a letter to the European Data Protection Board, with ANSPDCP and the European Commission in copy, asking for GDPR not to be misused in order to threaten media freedom in Romania.
Romanian data protection authority questions Facebook post
The hashtag #TeleormanLeaks relates to a press story about the link between Tel Drum, a road construction company based in Teleorman County, Romania, which is currently being investigated for misusing European funds, and Liviu Dragnea, the president of the Social Democratic Party and president of the Chamber of Deputies, who has a business empire in this county. The first part of the investigation was published on 5 November by RISE Project, a Romanian investigative journalism outlet. A Facebook post was also published to promote the investigation, as a teaser.
On 8 November, ANSPDCP sent a notice to RISE Project asking questions about the personal data included in the Facebook post, including where it came from. This sparked international outrage with the Organised Crime and Reporting Project (OCCRP), the European Commission and dozens of journalists and media outlets reacting with concern.
The day before the authority’s letter to RISE Project, Romanian media reported that one of the key people involved in this scandal, currently the commercial director of Tel Drum and former head of the financial prevention control department in the same company, had filed a “right to be forgotten” claim with the ANSPDCP. However, apparently the ANSPDCP’s notice to RISE Project was based on information from a third party rather than this notice specifically.
From the notice, it appears that based on GDPR, ANSPDCP considers itself entitled to ask where the information published on the Facebook post comes from. However, it failed to explain how this does not go against Romanian laws that protect freedom of expression, including using data for journalistic purposes. ANSPDCP has not clarified its analysis for reconciling the fundamental rights in question either.
GDPR and freedom of expression
Recital 153 of the GDPR states that the regulation cannot be used as a tool to carve out the enjoyment of other rights, including journalistic freedom of expression. All fundamental rights have equal standing and when a conflict arises, a reconciliation is necessary.
Member States and regulatory authorities must apply the larger European human rights framework and take into account the European Union Charter for Fundamental Rights, the European Convention on Human Rights as well as the European Court of Human Rights (ECtHR) jurisprudence.
Romania narrows down Article 85 of GDPR
The way Romania has implemented GDPR raises questions because it allows derogations from GDPR for journalistic purposes only in one three, very narrow, alternative scenarios, which are extremely limited. This is known as article 7. Personal data processing for journalistic activities is usually much broader than this. To restrict derogations for journalistic purposes only to three listed options falls short of what is required to protect freedom of expression, in particular journalistic freedom and human rights jurisprudence.
The authority’s intentions are opaque
The exemption in Article 7 discussed above provides that “the processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out if it concerns personal data which has been made publicly manifested by the data subject or closely related to the person’s public status or the public character of the facts in which he or she is involved.”
From the correspondence to RISE Project, we assume that ANSPDCP considered that either the Facebook post was not written for journalistic purposes or that this situation is not covered by one of the narrow exceptions in Article 7.
It is also possible that ANSPDCP never intended to look into the journalistic activity, but was interested only in a possible breach of the underlying personal data. But even if the data protection had applied Article 7, its deficiencies mean that it is not guaranteed that there would have been adequate protection for freedom of expression and journalistic sources.
The Romanian data protection authority may not have even been entitled to ask for the sources
Given the European Court of Human Rights jurisprudence on freedom of speech, it is questionable whether the ANSPDCP had the right to ask for sources in a journalistic investigation. At the same time, the request is quite vague. The authority seems to be looking for standard information in data protection cases, such as the source of the data or the storage support of the data.
However, in the second part of the request, ANSPDCP mentions its right to access the electronic storage support on which the personal data is stored. This can be interpreted as a request to find out where the data is stored, although this kind of access should be required only if it were necessary to accomplish its investigation attributions in accordance with Romanian procedural law.
Reconciling data protection and freedom of expression
In order for a data protection authority to reconcile freedom of expression and data protection, there must first be an adequate exemption in the law. As discussed above, the narrow derogation in Article 7 of the Romanian law raises a number of concerns. For the law to then be applied effectively and consistently, guidance and training are also important.
European Court of Human Rights (ECtHR) jurisprudence lists the factors that need to be taken into account with regard to these two fundamental rights. They include the contribution of the work to the public interest, the way information was obtained and the content, form and consequences of publishing the work.
In response to this case Privacy International, EDRi, ApTI, and others have called for guidance and intervention from the European Data Protection Board. This body should be used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporting.
