Data Protection Laws and Freedom of Expression: Romania
Constitutional/Primary Law Background - see also ECHR and EU Charter
Article 30 of the contemporary Romanian Constitution (1991 as revised 2003) prohibits censorship or the banning of any publication, states that freedom of the press includes the freedom to establish publications and establishes as inviolable the freedom to express ideas, opinions and beliefs and of creation through public communication. These rights are stated to be without prejudice to individual dignity, honour, privacy and image right, the potential for the mass media to account for their source of financing under law and also for legal liability of a wide range of actors including owners of the means of reproduction is established. The article also requires certain expression to be prohibited including incitement to discrimination and to ethnic, racial, class or religious hatred. Whilst there is no constitutional right to data protection as such, Article 26 requires public authorities to respect and protect private and family life, Article 28 declares inviolability the confidentiality of means of communication and Article 27 the inviolability of domicile and declares that entry requires the resident’s consent. The last right is subject to enumerated exceptions under law, with searches requiring a judicial order (and only possible during night time in cases of a flagrante delicto).
The Constitution of 1866 outlawed censorship/preventive measures and the suspension or suppression of publications and guaranted the right to communication and publish ideas and opinions but also required each newspaper to have a legally responsible manager/editor and established that abuses would be dealt with ex post through the penal code (with a jury for press offences) (art 24). Subject to legally authorised exceptions, it also guaranteed the inviolability of domicile (art 15) and the secrecy of letters and telegrams (art 25). The current rights provisions trace back to the adoption of the democratic constitution in 1991.
First -Generation Statutory Law
Romania did not adopt any data protection statute during the first-generation period.
|
Second-Generation Statutory Law
Law No. 677/2011 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data was adopted in 2001. At that time, Romania was not a member of the European Union yet, which it only joined on 1 January 2007.
Special Expression Derogation
Romanian law provided for minimal derogation from data protection provisions for processing carried out for exclusively journalistic, literary or artistic purposes. Data quality principles as well as proactive transparency rules applied without restrictions. The proactive transparency rule applicable to cases of indirect collection of data was subject to rule-bound exemptions. Romanian law accordingly provided an exemption only where enforcement ‘might reveal the source of the information’ (Law No. 677/2011, art. 12(3)). Similarly, the retroactive transparency rule could only be derogated from for the protection of the confidentiality of the source of information held by journalists (ibid, art. 13(6)). Sensitive information rules applied to the media unless the data were manifestly made public by the data subject or were closely related to the quality of the person as a public figure or the public nature of the facts involved (ibid, art. 11). The exemption from the legitimating ground condition is only available if certain specific circumstances or rules are satisfied, that is, in so far as data is ‘manifestly made public by the data subject or are closely related to the public figure quality of the personal concerned or the public nature of the facts involved’ (ibid, art 11). No special provision was provided for with regard to requirement to notify processing to the Data Protection Authority. The international data transfer condition’s applicability depended on whether ‘the data were made public expressly by the data subject or are related to the data subject’s public quality or to the public character of the facts he/she is involved in’ (ibid, art. 29(6)).
Broad Expression Derogation
There was no relevant provision.
Personal Exemption
The Romanian Data Protection Act did not apply to personal data processing, carried out by natural persons exclusively for their use but expressly only if the data in question was not intended to be disclosed (ibid, art. 2(6)).
Knowledge Facilitation Framework
Pursuant to the Romanian Data Protection Act, the further processing of personal data for statistical, historical or scientific research was not considered incompatible with the purpose for which they were initially collected, if this was carried out according to the provisions of the Act, including those referring to the notification submitted to the supervisory authority, as well as according to the guarantees regarding personal data processing set out by the relevant legal provisions on statistical activity or the historical or scientific research (ibid at. 4(1)(b)). No exemption for knowledge facilitation purposes was granted from the proactive direct transparency rule. In contrast, a full exemption was provided from the proactive indirect transparency rule on the basis of disproportionate effort, if the processing of data was carried out for ‘statistical, historical or scientific research, or in any other situation’ (ibid, art. 12(4)). Moreover, a very narrow exemption was provided from the reactive transparency rule (subject access) for the processing of health data for scientific purposes (ibid, art. 13(5)). There were no exemptions from the sensitive data restrictions, although there was a provision authorising the processing of health data where necessary for the protection of public health where this processing had obtained preliminarily authorized by the supervisory authority and was performed by medical staff who were under a pledge of professional confidentiality (ibid art. 9). No exemptions were provided from the international data transfer, notification and legitimating ground conditions.
|
Third-Generation Statutory Law
Law No. 190/2018 on Implementing Measures to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such data and Repealing Directive 95/46/EC (General Data Protection Regulation) was adopted in 2018.
Special Expression Derogation
Romania provides for an exemption from potentially all of the substantive data protection which depends on certain pre-defined restrictive conditions being met. In sum, a derogation can only apply where the personal data ‘were manifestly made public by the data subject themselves or related to the public nature of the data subject or of the facts in which they are involved’ (Law No. 190/2018, art. 7). This special expression provision explicitly establishes its priority over the knowledge facilitation framework.
Broad Expression
There is no relevant provision.
Personal Exemption – see GDPR, art. 2(2)(c)
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Article 8 of Law No.190/2018 exempts the processing for archiving purposes in the public interest and also scientific or historical research purposes from Arts. 15 (access rights of the data subject), 16 (right to rectification) and 18 (right to restriction of processing) GDPR and for public interest archiving purposes from Arts. 15-16 and 18-21 (right to restriction of processing, notification requirement, right to data portability, and right to object to the processing of personal data) GDPR. All derogations are, however, subject to three conditions: (i) compliance with the listed GDPR provisions must render it impossible or seriously affect the achievement of the specific purpose; (ii) such derogations must be necessary to achieve the specific purpose; and (iii) the appropriate safeguards provided for in Art. 89 GDPR must be complied with. No other special provisions are set including any legal basis for processing sensitive data or criminal-related data as defined in Article 9(1) and Article 10 GDPR.
|