#TeleormanLeaks explained: privacy, freedom of expression, and public interest

The European Union’s new privacy law, the General Data Protection Regulation, or GDPR, is being tested across Europe. The first GDPR privacy case in Romania began with an investigation that was published on November 5 about a corruption scandal involving a politician and his close relationships to a company being investigated for fraud. The Romanian data protection authority (ANSPDCP) sent a series of questions to the journalists who authored the article and asked for information which could reveal the article’s sources. The data protection authority also mentioned a possible penalty of up to €20 million if the journalists didn’t comply. The data protection authority insists it acts independently, without any political interference, and that its raison d’être is to “ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.

The Association for Technology and Internet (ApTI), together with 11 other human rights and media organizations, sent an open letter (available in English and Romanian) to the Romanian data protection authority (ANSPDCP). ApTI is a digital rights NGO and a member of European Digital Rights (EDRi), which supports and promotes a free and open internet where human rights are guaranteed and protected. The letter calls on ANSPDCP to carefully analyse GDPR cases that might endanger freedom of expression and demands that an urgent and transparent mechanism be put in place for assessing claims involving data processing operations for journalistic purposes.
At the same time, ApTI together with Privacy International, EDRi, and 15 other digital rights NGOs sent a letter to the European Data Protection Board, with ANSPDCP and the European Commission in copy, asking for the GDPR not to be misused in order to threaten media freedom in Romania.

What happened

#TeleormanLeaks is the name of the press story uncovering the link between Tel Drum, a road construction company based in Teleorman county, Romania, currently under investigation for fraud with European funds (based on a complaint sent by the European Anti-Fraud Office), and Liviu Dragnea, the president of the Social Democratic Party and president of the Chamber of Deputies, known to have built a business empire in this county. The first part of the investigation was published on 5 November by RISE Project, a Romanian investigative journalism outlet. A Facebook post was also published to promote the investigation, as a teaser.

On 8 November, ANSPDCP sent a notice to RISE Project to ask 8 questions on the personal data included in the material posted on Facebook, including “the sources from where the personal data was obtained”. This sparked international outrage and the Organized Crime and Reporting Project (OCCRP), the European Commission as well as, nationally, dozens of journalists and media outlets reacted with strong concern. More details below on the controversies.

One day before the authority’s letter to RISE Project, Romanian media reported that one of the key people involved in this scandal, currently the commercial director of Tel Drum and former head of the financial prevention control department in the same company, filed a “right to be forgotten” claim to the ANSPDCP. It is important to note that apparently the ANSPDCP’s notice to RISE Project was not based on this complaint filed by this particular individual, but as the authority’s clarifications underline, the letter was issued based on a notice from a third party not directly affected by the case.

From the notice, it appears that ANSPDCP considers that it is entitled to invoke Articles 57 (1) (f) and 58 (1) (the task of a Data Protection Authority to handle and investigate complaints and the power to order the provision of any information required for the performance of these tasks) of the GDPR to ask where the information published on the Facebook post comes from. However, both “clarifications” published on their website fail to explain why the authority interpreted the situation not to fall under the derogations of Article 7 of the Romanian law 190/2018 (that implemented Article 85 of GDPR which requires reconciliation of the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes). Furthermore, ANSPDCP has not clarified the analysis it performed for reconciling the fundamental rights in question (legal details below).

GDPR and freedom of expression

Recital 153 of the GDPR states that in order to take account of the importance of the right to freedom of expression in a democratic society, it is necessary to interpret notions relating to this freedom — such as journalism — very broadly. In other words, GDPR cannot be used as a tool to carve out the enjoyment of other rights. All fundamental rights have equal standing and when a conflict arises, there needs to be a reconciliation of rights.

Member States and regulatory authorities must apply the larger European human rights framework and take into consideration the European Union Charter for Fundamental Rights, the European Convention on Human Rights as well as the European Court of Human Rights (ECtHR) jurisprudence.

As mentioned above, GDPR has an article (Article 85) which requires the reconciliation of the right to the protection of personal data with the right to freedom of expression, including processing for journalistic purposes, and leaves it up to Member States to implement this through national derogations or exemptions from certain provisions of GDPR.

What does the Romanian implementation of Article 85 of the GDPR look like?

In law no. 190/2018 implementing the GDPR, Romania opted to limit the exceptions of Article 85 to the following alternative scenarios in which data processing activities can be performed for journalistic purposes (Article 7):

  • if it concerns personal data which was clearly made public by the data subject,
  • if the personal data is tightly connected to the data subject’s quality as a public person,
  • or if the personal data is tightly connected to the public character of the acts in which the data subject is involved.

This national implementation of the GDPR raises questions because it allows derogations from GDPR for journalistic purposes only in one of these three alternative scenarios, which are extremely limited. Personal data processing for journalistic activities is usually much wider than this. To restrict derogations for journalistic purposes only to the three listed options falls short of the protections required to protect freedom of expression, in particular journalistic freedom and human rights jurisprudence in this regard, and will not lead to a uniform application of the GDPR at European level.

Does the Romanian data protection law / GDPR protect journalists from scenarios like this?

The exemption in Article 7 discussed above provides that “the processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out if it concerns personal data which have been made publicly manifested by the data subject or closely related to the person’s public status or the public character of the facts in which he or she is involved.”

From the correspondence to RISE Project, we assume that ANSPDCP interpreted that it was not covered by Article 7 of law 190/2018 and that it considered that:

  • either the Facebook post was not written for journalistic purposes,
  • or that this situation is not covered by one of the narrow exceptions in Article 7.

Or even, in a much wider speculation, that ANSPDCP never intended to look into the journalistic activity, but they were rather interested in whether there had been an underlying abuse of personal data, and sought to find out who did not adequately protect the personal data that is now in the hands of the journalist.

That the data protection authority sought not to apply the exception in Article 7 is in itself questionable given the facts of the case. However, even if they had applied Article 7, the deficiencies in this exception outlined above mean that it is not guaranteed that there would have been adequate protection for freedom of expression and journalistic sources.

Was the Romanian data protection authority entitled to ask for the source of information?

Given the European Court of Human Rights jurisprudence on freedom of speech, it is questionable whether the ANSPDCP could have the right to ask for access to the sources of a journalistic investigation. At the same time, the request seems to be quite vague on this topic, asking for what looks to be standard information that they ask for in data protection cases, such as the source of the data or the storage support of the data. These questions appear to mirror the right to information in Articles 13 and 14 of GDPR, which list the information a data controller is required to provide to an individual, including the original source of the data.

However, in the second part of the request, ANSPDCP mentions its right to have access to the electronic storage support on which the personal data is stored (in the context of Article 58 (1) (e) and (f) of GDPR — a supervisory authority’s power to obtain access to all personal data and information necessary for the performance of its tasks and to obtain access to premises, including data processing equipment), which was specifically highlighted by the ANSPDCP. This can be interpreted as a request to find out where the data is stored, although this kind of access should be required only if it is necessary for carrying out its investigative duties and must be done in accordance with Romanian procedural law.

What kinds of factors should be taken into account by data protection authorities when reconciling data protection and freedom of expression?

In order for a data protection authority such as ANSPDCP to be able to reconcile freedom of expression and data protection, there must first be an adequate exemption in the law. As discussed above, the narrow derogation in Article 7 of the Romanian law raises a number of concerns. For the law to then apply effectively and consistently, guidance and training are also important. The European Court of Human Rights (ECtHR) jurisprudence provides insight into the factors that need to be taken into account with regard to these two fundamental rights, such as (presented in more detail in ApTI’s report on ECtHR jurisprudence):

  • the contribution of the work to a public interest debate;
  • the subject of the work (e.g. the person/data subject);
  • the way the information was obtained and its veracity;
  • the prior behavior of the person involved;
  • the content, the form and the consequences of publishing the work;
  • the severity of the penalty imposed as a consequence of establishing that an infringement of privacy occurred.

This case from Romania demonstrates that it is essential that data protection authorities work to reconcile fundamental rights. This is why Privacy International, EDRi, ApTI, and others have called for guidance and intervention from the European Data Protection Board. Moreover, the data protection law should be used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporting.

Article written by Valentina Pavel, legal adviser and Mozilla Fellow working with Privacy International as host organisation, as well as an ApTI member.

This article was originally published on Privacy International’s website at https://www.privacyinternational.org/blog/2456/teleormanleaks-explained-privacy-freedom-expression-and-public-interest

Media reforms in Macedonia delayed due to more pressing security issues

This article was originally published by EDRi-gram on 12.09.2018. Photo by Yemc, Public Domain via Wikipedia.

Recent political developments have affected the implementation of the reforms in the area of freedom of expression in Macedonia. The focus of government institutions on overcoming political obstacles to joining NATO and the EU has put most other reforms on the back burner.

This week the European Parliament votes on whether to save the Internet or kill it

This week, on September 12, the European Parliament is going to vote on a bill that threatens to irreparably damage the Internet as we know it. Under the guise of copyright reform, there are a number of “reforms” that are going to cripple fundamental rights online.

One of them is Article 11 of the bill, which was intended to ban creating links to press articles unless one first asks for and receives permission to do so. Over the course of negotiations, it was watered down slightly from banning linking to banning displaying snippets of the linked content (a.k.a. quoting the article). Even just this would be a terrible change because it would create a disparity between quoting online references (limited by Article 11) and quoting offline references (one of the cornerstone copyright exceptions in copyright laws worldwide, without which the current copyright regimes would be unacceptable).

The other is Article 13 of the bill, which, as it is written now, would mandate the implementation of upload filters by all online platform service providers. This would have profound repercussions on fundamental rights such as freedom of speech, freedom of association and freedom of the press to name just a few. Starting from Article 13, it comes down to absurd consequences such as a de facto ban on memes, a ban on open-source code repositories such as GitHub and so on.

There are other issues too, such as Article 3 which would prevent the data mining of freely available online content.

There are just a couple of days left until the Plenary vote of the European Parliament. The #SaveYourInternet campaign is one of the multiple efforts trying to prevent this disaster from happening.

Intelligence sharing without effective oversight in Romania

Intelligence sharing, according to the US Department of Homeland Security (via Wikipedia), is “the ability to exchange intelligence, information, data, or knowledge among Federal, state, local or private-sector entities as appropriate.” To this US-centric definition, Wikipedia adds “Intelligence sharing also involves intergovernmental bilateral or multilateral agreements and through international organizations. Intelligence sharing is meant to facilitate the use of actionable intelligence to a broader range of decision-makers.”

In the real world, however, intelligence sharing is, most of the time, an opaque process that lacks effective oversight and control.

One example of a completely out-of-control intelligence sharing operation is revealed in Edward Snowden’s leaks. The leaks include documents showing that the NSA was collaborating with intelligence agencies from 33 other countries at the time of the leaks. Were all those agreements between the parties of this network established following transparent procedures by democratically elected bodies? Given the parties involved and what we’re about to find out below, the answer is most likely “No”.

In Romania, the intelligence services flatly denied any intelligence sharing with the NSA: “There was never any secret accord or protocol or deal between SRI, as the national authority for communications investigations and the NSA” was what then SRI (Romanian Intelligence Service) director George Maior claimed. At all debates on various privacy-shredding SRI-supported bills, whenever their authority was contested on the grounds that they are a militarized and completely opaque organization that is beyond effective oversight, they always defaulted back to the position that they are overseen by a democratically elected body, namely the parliamentary SRI oversight committee. Replies that the parliamentary intelligence oversight committees were less intelligence oversight committees and to a much larger degree intelligence cheerleading committees fell on deaf ears.

But, to paraphrase the Buddha, “three things cannot be long hidden: the sun, the moon, and the truth”. At the end of 2017, as a result of an open letter to the Romanian parliamentary intelligence oversight committees which was sent by the Association for Technology and Internet and Privacy International, the SRI parliamentary oversight committee gave a much more candid answer than anybody was expecting.

We find out that the committee can ask for access to anything, and the service is compelled to respond, but only if it is not about “the documents, data and information related to intelligence activities concerning national security which are currently taking place or which will be taking place in the future, considered as such by the Committee, at the recommendation of the Supreme Defence Council, as well as the information which could lead to breaking of the cover of operatives, to the identification of sources, of concrete methods and means of work used in intelligence gathering, to the extent that these do not infringe on the Constitution and standing legislation.” This isn’t even that big of a revelation, given that this is an excerpt of the regulation outlining the authority of the intelligence oversight committees – which is little to none when it comes to relevant current activities of the intelligence services. But that is not all. We find out that “[…] concerning the access of the Committee’s members to relevant information regarding state intelligence sharing, given its purview and the concrete situations which came to the attention of the Committee, these informations can be obtained upon request and with the accord of the involved parties.” So oversight happens only if “the involved parties” agree.

Then we find out that “the Committee’s competences are exercised only in relation to the SRI, not in relation with the Government/State. As a consequence, there is no general mandate given to the Committee to perform an independent control of the intelligence sharing activities of the Government/State.” – so it seems that the SRI parliamentary oversight committee publicly states that the intelligence sharing activities of the SRI flat out lack any oversight whatsoever.

Finally, we find out that “Intelligence sharing between SRI and partner intelligence services from other countries are done according to the rules established through cooperation protocols between SRI and similar foreign organizations, while respecting established norms.” If the previous quote was not clear enough, this one puts the issue to rest, clearly stating that the terms of all intelligence sharing agreements entered into by the SRI are left completely to the discretion of the SRI and their partners, without any oversight, democratic or otherwise, apart from “respecting established norms”. They could have skipped the “respecting established norms” altogether and it wouldn’t have made any difference.

So it seems that all those “crazy” people complaining about the lack of oversight weren’t, in fact, paranoid. They were just reading between the lines correctly.

New Comparative Analysis on Internet Blocking: Focus on Ukraine, Russia, and Turkey

The world we live in gave us a global Internet and a universal right to freedom of expression, but also the selective application of national laws to the online space. At the start of the analysis, a few questions were set out as a reference point: Is the modern Internet still the same as it was constructed by its founders? How much discretion should governments enjoy when deciding on the limitations of Internet freedom? These and many other collateral questions are the subject of heated discussions at all international forums related to Internet governance and human rights. And while the answers are not there, Internet freedom has been in danger for many years in a row. If the international community does not take proper action, we may witness an even worse decline of freedom of expression in the upcoming years, very likely in countries that gave no alarm signals before. There is also a common misbelief that blocking is something possible and feasible in technologically advanced countries. We decided to check whether technological sophistication and censoring policies always go hand in hand, using the examples of Ukraine, Russia, and Turkey.

The comparative analysis sets out, in turn, the legal framework for Internet freedom, the specifics of Internet blocking, statistics naming the most hostile governments, the results of an Internet freedom survey in Ukraine, and the restrictive practices implemented in the region by Ukraine, Russia, and Turkey. It concludes with a number of recommendations addressed to governments in order to ensure proper respect and protection for Internet freedom.

Text is available in English and Ukrainian

The comparative analysis “Internet Blocking: Fragmenting Network & Violating Freedoms” was prepared by the non-governmental organisation “Digital Defenders Partners” (DDP) within the framework of the project “Securitization of Internet Freedom”, implemented with the support of the American Bar Association Rule of Law Initiative (ABA ROLI).

Kezharovski: On Fake News, Hate Speech, State of Affairs in Macedonia, and Journalism

Opening remarks by Tomislav Kezharovski, a journalist from Macedonia who suffered political prosecution for his work and is currently a fellow of the Hamburg Foundation for Politically Persecuted People. This speech was given on 22 March 2017 at the session “The Faces of Free Expression” of the Second Regional Internet Freedom Summit in Struga, Macedonia.

Fake news are a wonderful tool for playing with people’s feelings.

Fake news are evil. Journalists ought to distance themselves from manipulative insidious tactics and should uncover those tactics.