The European Union’s new privacy law, the General Data Protection Regulation, or GDPR, is being tested across Europe. The first GDPR privacy case in Romania began with an investigation that was published on November 5 about a corruption scandal involving a politician and his close relationships to a company being investigated for fraud. The Romanian data protection authority (ANSPDCP) sent a series of questions to the journalists who authored the article and asked for information which could reveal the article’s sources. The data protection authority also mentioned a possible penalty of up to €20 million, if the journalists didn’t comply. The data protection authority insists it acts independently, without any political interference, and that its raison d’etre is to “ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.
The Association for Technology and Internet (ApTI) together with other 11 human rights and media organizations sent an open letter (available in English and Romanian) to the Romanian data protection authority (ANSPDCP). ApTI is a digital rights NGO and a member of the European Digital Rights (EDRi), which supports and promotes a free and open internet where human rights are guaranteed and protected. The letter calls ANSPDCP to carefully analyse GDPR cases that might endanger freedom of expression and demands for an urgent and transparent mechanism to be put in place when assessing claims involving data processing operations for journalistic purposes.
At the same time, ApTI together with Privacy International, EDRi, and 15 other digital rights NGOs sent a letter to the European Data Protection Board, with ANSPDCP and the European Commission in copy, asking for the GDPR not to be misused in order to threaten media freedom in Romania.
#TeleormanLeaks is the name of the press story uncovering the link between Tel Drum, a road construction company based in Teleorman county, Romania, currently under investigation for fraud with European funds (based on a complaint sent by the European Anti-Fraud Office), and Liviu Dragnea, the president of the Social Democratic Party and president of the Chamber of Deputies, known to have built a business empire in this county. The first part of the investigation was published on 5 November by RISE Project, a Romanian investigative journalism outlet. A Facebook post was also published to promote the investigation, as a teaser.
On 8 November, ANSPDCP sent a notice to RISE Project to ask 8 questions on the personal data included in the material posted on Facebook, including “the sources from where the personal data was obtained”. This sparked international outrage and the Organized Crime and Reporting Project (OCCRP), the European Commission as well as, nationally, dozens of journalists and media outlets reacted with strong concern. More details below on the controversies.
One day before the authority’s letter to RISE Project, Romanian media reported that one of the key people involved in this scandal, currently the commercial director of Tel Drum and former head of the financial prevention control department in the same company, filed a “right to be forgotten” claim to the ANSPDCP. It is important to note that apparently the ANSPDCP’s notice to RISE Project was not based on this complaint filed by this particular individual, but as the authority’s clarifications underline, the letter was issued based on a notice from a third party not directly affected by the case.
From the notice, it appears that ANSPDCP considers that it is entitled to invoke Articles 57 (1) (f) and 58 (1) (the task of a Data Protection Authority to handle and investigate complaints and the power to order the provision of any information required for the performance of these tasks) of the GDPR to ask where the information published on the Facebook post comes from. However, both “clarifications” published on their website fail to explain why the authority interpreted the situation not to fall under the derogations of Article 7 of the Romanian law 190/2018 (that implemented Article 85 of GDPR which requires reconciliation of the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes). Furthermore, ANSPDCP has not clarified the analysis it performed for reconciling the fundamental rights in question (legal details below).
GDPR and freedom of expression
Recital 153 of the GDPR states that in order to take account of the importance of the right to freedom of expression in a democratic society, it is necessary to interpret notions relating to this freedom — such as journalism — very broadly. In other words, GDPR cannot be used as a tool to carve out the enjoyment of other rights. All fundamental rights have equal standing and when a conflict arises, there needs to be a reconciliation of rights.
Member States and regulatory authorities must apply the larger European human rights framework and take into consideration the European Union Charter for Fundamental Rights, the European Convention on Human Rights as well as the European Court of Human Rights (ECtHR) jurisprudence.
As mentioned above, GDPR has an article (Article 85) which requires the reconciliation of the right to the protection of personal data with the right to freedom of expression, including processing for journalistic purpose and leaves it up to Member States to implement through national derogations or exemptions from certain provisions of GDPR.
What does the Romanian implementation of Article 85 of the GDPR look like?
In law no. 190/2018 implementing the GDPR, Romania opted to limit the exceptions of Article 85 to the following alternative scenarios in which data processing activities can be performed for journalistic purposes (Article 7):
- if it concerns personal data which was clearly made public by the data subject,
- if the personal data is tightly connected to the data subject’s quality as a public person,
- or if the personal data is tightly connected to the public character of the acts in which the data subject is involved.
This national implementation of the GDPR raises questions because it allows derogations from GDPR for journalistic purposes only in one of these three alternative scenarios, which are extremely limited. Personal data processing for journalistic activities is usually much wider than this. To restrict derogations for journalistic purposes only to the three listed options falls short of the protections required to protect freedom of expression, in particular journalistic freedom and human rights jurisprudence in this regard, and will not lead to a uniform application of the GDPR at European level.
Does the Romanian data protection law / GDPR protect journalists from scenarios like this?
The exemption in Article 7 discussed above provides that “the processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out if it concerns personal data which have been made publicly manifested by the data subject or closely related to the person’s public status or the public character of the facts in which he or she is involved.”
From the correspondence to RISE Project, we assume that ANSPDCP interpreted that it was not covered by Article 7 of law 190/2018 and that it considered that:
- either the Facebook post was not written for journalistic purposes,
- or that this situation is not covered by one of the narrow exceptions in Article 7.
Or even, in a much wider speculation, that ANSPDCP never intended to look into the journalistic activity, but they were rather interested in whether there had been an underlying abuse of personal data, and sought to find out who did not adequately protect the personal data that is now in the hands of the journalist.
That the data protection authority sought not to apply the exception in Article 7, is in itself questionable given the facts of the case. However, even if they had applied Article 7, the deficiencies in this exception outlined above, mean that it is not guaranteed that there would have been adequate protection for freedom of expression and journalistic sources.
Was the Romanian data protection authority entitled to ask for the source of information?
Given the European Court of Human Rights jurisprudence on freedom of speech, it is questionable whether the ANSPDCP could have the right to ask for access to sources of a journalistic investigation. At the same time, the request, seems to be quite vague on this topic, asking for what looks to be standard information that they ask for in data protection cases, such as the source of the data or the storage support of the data. These questions appear to mirror the right to information in Articles 13 and 14 of GDPR, which list the information a data controller is required to provide to an individual, including the original source of the data.
However, in the second part of the request, ANSPDCP mentions its right to have access to the electronic storage support on which the personal data is stored (in the context of Article 58 (1) e) and f) of GDPR — a supervisory authority’s power to obtain access to all personal data and information necessary for the performance of its tasks and to obtain access to premises, including data processing equipment), which was specifically highlighted by the ANSPDCP. This can be interpreted as a request to find out where the data is stored, although this kind of access should be required only if it would be necessary for accomplishing its investigation attributions and must be done in accordance with Romanian procedural law.
What kinds of factors should be taken into account by data protection authorities when reconciling data protection and freedom of expression?
In order for a data protection authority such as ANSPDCP to be able to reconcile freedom of expression and data protection, there must first be an adequate exemption in the law. As discussed above, the narrow derogation in Article 7 of the Romanian law raises a number of concerns. For the law to then apply effectively and consistently, guidance and training are also important. The European Court of Human Rights (ECtHR) jurisprudence provides insight into the factors that need to be taken into account with regard to these two fundamental rights, such as (presented in more detail in ApTI’s report on ECtHR jurisprudence):
- the contribution of the work to a public interest debate;
- the subject of the work (e.g. the person/data subject);
- the way the information was obtained and its veracity;
- the prior behavior of the person involved;
- the content, the form and the consequences of publishing the work;
- the severity of the penalty imposed as a consequence of establishing that an infringement of privacy occurred.
This case from Romania demonstrates that it is essential that data protection authorities work to reconcile fundamental rights. This is why Privacy International, EDRi, ApTI, and others have called for guidance and intervention from the European Data Protection Board. Moreover, the data protection law should be used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporting.
Article written by Valentina Pavel, legal adviser and Mozilla Fellow working with Privacy International as host organisation, as well as an ApTI member.
This article was originally published on Privacy International’s website at https://www.privacyinternational.org/blog/2456/teleormanleaks-explained-privacy-freedom-expression-and-public-interest