Author: Matei-Eugen Vasile

#TeleormanLeaks explained: privacy, freedom of expression, and public interest

The European Union’s new privacy law, the General Data Protection Regulation, or GDPR, is being tested across Europe. The first GDPR privacy case in Romania began with an investigation that was published on November 5 about a corruption scandal involving a politician and his close relationships to a company being investigated for fraud. The Romanian data protection authority (ANSPDCP) sent a series of questions to the journalists who authored the article and asked for information which could reveal the article’s sources. The data protection authority also mentioned a possible penalty of up to €20 million, if the journalists didn’t comply. The data protection authority insists it acts independently, without any political interference, and that its raison d’etre is to “ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.

The Association for Technology and Internet (ApTI) together with other 11 human rights and media organizations sent an open letter (available in English and Romanian) to the Romanian data protection authority (ANSPDCP). ApTI is a digital rights NGO and a member of the European Digital Rights (EDRi), which supports and promotes a free and open internet where human rights are guaranteed and protected. The letter calls ANSPDCP to carefully analyse GDPR cases that might endanger freedom of expression and demands for an urgent and transparent mechanism to be put in place when assessing claims involving data processing operations for journalistic purposes.
At the same time, ApTI together with Privacy International, EDRi, and 15 other digital rights NGOs sent a letter to the European Data Protection Board, with ANSPDCP and the European Commission in copy, asking for the GDPR not to be misused in order to threaten media freedom in Romania.

What happened

#TeleormanLeaks is the name of the press story uncovering the link between Tel Drum, a road construction company based in Teleorman county, Romania, currently under investigation for fraud with European funds (based on a complaint sent by the European Anti-Fraud Office), and Liviu Dragnea, the president of the Social Democratic Party and president of the Chamber of Deputies, known to have built a business empire in this county. The first part of the investigation was published on 5 November by RISE Project, a Romanian investigative journalism outlet. A Facebook post was also published to promote the investigation, as a teaser.

On 8 November, ANSPDCP sent a notice to RISE Project to ask 8 questions on the personal data included in the material posted on Facebook, including “the sources from where the personal data was obtained”. This sparked international outrage and the Organized Crime and Reporting Project (OCCRP), the European Commission as well as, nationally, dozens of journalists and media outlets reacted with strong concern. More details below on the controversies.

One day before the authority’s letter to RISE Project, Romanian media reported that one of the key people involved in this scandal, currently the commercial director of Tel Drum and former head of the financial prevention control department in the same company, filed a “right to be forgotten” claim to the ANSPDCP. It is important to note that apparently the ANSPDCP’s notice to RISE Project was not based on this complaint filed by this particular individual, but as the authority’s clarifications underline, the letter was issued based on a notice from a third party not directly affected by the case.

From the notice, it appears that ANSPDCP considers that it is entitled to invoke Articles 57 (1) (f) and 58 (1) (the task of a Data Protection Authority to handle and investigate complaints and the power to order the provision of any information required for the performance of these tasks) of the GDPR to ask where the information published on the Facebook post comes from. However, both “clarifications” published on their website fail to explain why the authority interpreted the situation not to fall under the derogations of Article 7 of the Romanian law 190/2018 (that implemented Article 85 of GDPR which requires reconciliation of the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes). Furthermore, ANSPDCP has not clarified the analysis it performed for reconciling the fundamental rights in question (legal details below).

GDPR and freedom of expression

Recital 153 of the GDPR states that in order to take account of the importance of the right to freedom of expression in a democratic society, it is necessary to interpret notions relating to this freedom — such as journalism — very broadly. In other words, GDPR cannot be used as a tool to carve out the enjoyment of other rights. All fundamental rights have equal standing and when a conflict arises, there needs to be a reconciliation of rights.

Member States and regulatory authorities must apply the larger European human rights framework and take into consideration the European Union Charter for Fundamental Rights, the European Convention on Human Rights as well as the European Court of Human Rights (ECtHR) jurisprudence.

As mentioned above, GDPR has an article (Article 85) which requires the reconciliation of the right to the protection of personal data with the right to freedom of expression, including processing for journalistic purpose and leaves it up to Member States to implement through national derogations or exemptions from certain provisions of GDPR.

What does the Romanian implementation of Article 85 of the GDPR look like?

In law no. 190/2018 implementing the GDPR, Romania opted to limit the exceptions of Article 85 to the following alternative scenarios in which data processing activities can be performed for journalistic purposes (Article 7):

  • if it concerns personal data which was clearly made public by the data subject,
  • if the personal data is tightly connected to the data subject’s quality as a public person,
  • or if the personal data is tightly connected to the public character of the acts in which the data subject is involved.

This national implementation of the GDPR raises questions because it allows derogations from GDPR for journalistic purposes only in one of these three alternative scenarios, which are extremely limited. Personal data processing for journalistic activities is usually much wider than this. To restrict derogations for journalistic purposes only to the three listed options falls short of the protections required to protect freedom of expression, in particular journalistic freedom and human rights jurisprudence in this regard, and will not lead to a uniform application of the GDPR at European level.

Does the Romanian data protection law / GDPR protect journalists from scenarios like this?

The exemption in Article 7 discussed above provides that “the processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out if it concerns personal data which have been made publicly manifested by the data subject or closely related to the person’s public status or the public character of the facts in which he or she is involved.”

From the correspondence to RISE Project, we assume that ANSPDCP interpreted that it was not covered by Article 7 of law 190/2018 and that it considered that:

  • either the Facebook post was not written for journalistic purposes,
  • or that this situation is not covered by one of the narrow exceptions in Article 7.

Or even, in a much wider speculation, that ANSPDCP never intended to look into the journalistic activity, but they were rather interested in whether there had been an underlying abuse of personal data, and sought to find out who did not adequately protect the personal data that is now in the hands of the journalist.

That the data protection authority sought not to apply the exception in Article 7, is in itself questionable given the facts of the case. However, even if they had applied Article 7, the deficiencies in this exception outlined above, mean that it is not guaranteed that there would have been adequate protection for freedom of expression and journalistic sources.

Was the Romanian data protection authority entitled to ask for the source of information?

Given the European Court of Human Rights jurisprudence on freedom of speech, it is questionable whether the ANSPDCP could have the right to ask for access to sources of a journalistic investigation. At the same time, the request, seems to be quite vague on this topic, asking for what looks to be standard information that they ask for in data protection cases, such as the source of the data or the storage support of the data. These questions appear to mirror the right to information in Articles 13 and 14 of GDPR, which list the information a data controller is required to provide to an individual, including the original source of the data.

However, in the second part of the request, ANSPDCP mentions its right to have access to the electronic storage support on which the personal data is stored (in the context of Article 58 (1) e) and f) of GDPR — a supervisory authority’s power to obtain access to all personal data and information necessary for the performance of its tasks and to obtain access to premises, including data processing equipment), which was specifically highlighted by the ANSPDCP. This can be interpreted as a request to find out where the data is stored, although this kind of access should be required only if it would be necessary for accomplishing its investigation attributions and must be done in accordance with Romanian procedural law.

What kinds of factors should be taken into account by data protection authorities when reconciling data protection and freedom of expression?

In order for a data protection authority such as ANSPDCP to be able to reconcile freedom of expression and data protection, there must first be an adequate exemption in the law. As discussed above, the narrow derogation in Article 7 of the Romanian law raises a number of concerns. For the law to then apply effectively and consistently, guidance and training are also important. The European Court of Human Rights (ECtHR) jurisprudence provides insight into the factors that need to be taken into account with regard to these two fundamental rights, such as (presented in more detail in ApTI’s report on ECtHR jurisprudence):

  • the contribution of the work to a public interest debate;
  • the subject of the work (e.g. the person/data subject);
  • the way the information was obtained and its veracity;
  • the prior behavior of the person involved;
  • the content, the form and the consequences of publishing the work;
  • the severity of the penalty imposed as a consequence of establishing that an infringement of privacy occurred.

This case from Romania demonstrates that it is essential that data protection authorities work to reconcile fundamental rights. This is why Privacy International, EDRi, ApTI, and others have called for guidance and intervention from the European Data Protection Board. Moreover, the data protection law should be used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporting.

Article written by Valentina Pavel, legal adviser and Mozilla Fellow working with Privacy International as host organisation, as well as an ApTI member.

This article was originally published on Privacy International’s website at

This week the European Parliament votes on whether to save the Internet or kill it

This week, on September 12, the European Parliament is going to vote on a bill that threatens to irreparably damage the Internet as we know it. Under the guise of copyright reform, there are are a number of “reforms” that are going to cripple fundamental rights online.

One of them is Article 11 of the bill, which it was desired to ban creating links to press articles unless one previously asks and receives permission to do so. Over the course of negotiations, it was watered down slightly from banning linking to banning displaying snippets of the linked content (a.k.a. quoting the article). Even just this would be a terrible change because it would create a disparity between how quoting online references (limited by article 11) and quoting offline/offline references (one of the cornerstone copyright exceptions in copyright laws worldwide without which the current copyright regimes would be unacceptable).

The other is Article 13 of the bill, which, as it is written now, would mandate the implementation of upload filters by all online platform service providers. This would have profound repercussions on fundamental rights such as freedom of speech, freedom of association and freedom of the press to name just a few. Starting from Article 13, it comes down to absurd consequences such as a de facto ban on memes, a ban on open-source code repositories such as GitHub and so on.

There are other issues too, such as Article 3 which would prevent the data mining of freely available online content.

There are just a couple of days left until the Plenary vote of the European Parliament. The #SaveYourInternet campaign is one of the multiple efforts trying to prevent this disaster from happening.

More details on this can be found here:

Intelligence sharing without effective oversight in Romania

Intelligence sharing, according to the US Department of Homeland Security (via. Wikipedia) is “the ability to exchange intelligence, information, data, or knowledge among Federal, state, local or private-sector entities as appropriate.” To this US-centric definition, Wikipedia adds “Intelligence sharing also involves intergovernmental bilateral or multilateral agreements and through international organizations. Intelligence sharing is meant to facilitate the use of actionable intelligence to a broader range of decision-makers.”

In the real world, however, intelligence sharing is, most of the time, an opaque process that lacks effective oversight and control.

One example of a completely out-of-control intelligence sharing operation is revealed in Edward Snowden‘s leaks. In the leaks there are documents that shed light on the fact that the NSA has been collaborating with intelligence agencies from 33 other countries at the time of the leaks. Were all those agreements between the parties of this network established following transparent procedures by democratically elected bodies? Given the parties involved and what we’re about to find out below, the answer is most likely “No”.

In Romania, the intelligence services were flatly denying any intelligence sharing with the NSA: “There was never any secret accord or protocol or deal between SRI, as the national authority for communications investigations and the NSA” was what then SRI (Romanian Intelligence Service) director George Maior was claiming. At all debates on various privacy-shredding SRI-supported bills, whenever their authority was contested by reasons of them being a militarized and completely opaque organization that is beyond effective oversight, they were always defaulting back to the position that they are overseen by a democratically elected body, namely the parliamentary SRI oversight committee. Replies that the parliamentary intelligence oversight committees were less intelligence oversight committees and to a much larger degree intelligence cheerleading committees were falling on deaf ears.

But, to paraphrase the Buddha, “three things cannot be long hidden: the sun, the moon, and the truth”. At the end of 2017, as a result of a open letter to the Romanian parliamentary intelligence oversight committees which was sent by the Association for Technology and Internet and Privacy International, the SRI parliamentary oversight committee gave a much more candid answer than anybody was expecting.

We find out that the committee can ask for access on anything, and the service is compelled to respond, but only if it is not about “the documents, data and information related to intelligence activities concerning national security which are currently taking place or which will be taking place in the future, considered as such by the Committee, at the recommendation of the Supreme Defence Council, as well as the information which could lead to breaking of the cover of operatives, to the identification of sources, of concrete methods and means of work used in intelligence gathering, to the extent that these do not infringe on the Constitution and standing legislation.” This isn’t even that big of a revelation, given that this is an excerpt of the regulation outlining the authority of the intelligence oversight committees – which is little to none when it comes to relevant current activities of the intelligence services. But that is not all. We find out that “[…] concerning the access of the Committee’s members to relevant information regarding state intelligence sharing, given its purview and the concrete situations which came to the attention of the Committee, these informations can be obtained upon request and with the accord of the involved parties.” So oversight happens only if “the involved parties” agree.

Then we find out that “the Committee’s competences are exercised only in relation to the SRI, not in relation with the Government/State. As a consequence, there is no general mandate given to the Committee to perform an independent control of the intelligence sharing activities of the Government/State.” – so it seems that the SRI parliamentary oversight committee publicly states that the intelligence sharing activities of the SRI flat out lack any oversight whatsoever.

Finally, we find out that “Intelligence sharing between SRI and partner intelligence services from other countries are done according to the rules established through cooperation protocols between SRI and similar foreign organizations, while respecting established norms.” If the previous quote may have not been clear enough, this one puts the issue to rest, clearly stating that the terms of all intelligence sharing agreements entered by the SRI are are completely at the latitude of the SRI and their partners, without any oversight, democratic or otherwise apart from “respecting established norms”. They could have skipped the “respecting established norms” altogether and it wouldn’t have made any difference.

So it seems that all those “crazy” people complaining about the lack or oversight weren’t, in fact, paranoid. They were just reading between the lines correctly.

Take the first steps in understanding online and offline freedom of expression

ApTI together with the Internet Freedom Network partners under the Internet Freedom Program launched It is a project with the purpose of teaching people about online and offline freedom of expression using the European Court of Human Rights jurisprudence. The project is accompanied by a brochure which you can download in .pdf format.

The Internet significantly changed our lives in many respects, including the way we access published information. But, most importantly, it enhanced our exercising of our freedom of expression both by allowing easy access to sources of information and by the liberalization of publishing any kind of information. This transformed freedom of expression, especially online, into something everybody is interested in.

How did the project came to be

First, the subject seems to be of interest not just for professional journalists but for all types of Internet users with various educational backgrounds and, usually, little legal knowledge. Nevertheless, they are all involved in communication on the Internet and they sometimes claim that their freedom of expression is being infringed upon.

Secondly, the decision making process in regard to the freedom of expression seems frequently rushed, without enough time being dedicated to real public debate and evidence-based policymaking. This is particularly true in some countries in South-Eastern Europe. As a consequence, fragments from ECHR argumentations and conclusions can be used as widely accepted references and, thus, as useful tools in debates.

Thirdly, being faced with the huge flow of available information nowadays, many users are looking for summarized, easy to understand information in order to form and opinion.

On the project’s page you can find out what freedom of expression is, what its limits are and why it is sometimes restricted by governments.


How to understand the project page and the brochure

The presented cases should be use only as a point of reference. The ECHR jurisprudence is always evolving, sometimes in self-contradictory ways. Sometimes it can be criticized because, sometimes, it can have disappointing results for supporters and advocates of the fundamental human right to the freedom of expression. Furthermore, the technological evolution of the Internet can change some fundamental assertions that today we hold as true.

The summarization of the current ECHR jurisprudence comes at a cost that needs to be mentioned. First, the information in this brochure in no way constitute legal advice. Secondly, the editors needed to limit the information they had in order to keep the brochure succinct enough, which is something that some legal professionals could consider as a limitation. Also, for brevity’s sake, we were forced to cover some important aspects only summarily, such as “hate speech” or “protection of journalistic sources”

Article by George Hari Popescu, ApTI Romania, original article in Romanian:

Romanian MEPs you’ve got mail! Over 100 postcards saying no to link tax and Internet censorship

FotoJetIn the last month, more and more Romanian voice are gathering to send out a clear message to decision makers: We don’t want link taxes and upload filters!

Besides calling and sending letters to Romanian MEPs to delete Articles 11&13 from the copyright reform proposal, EDRi member ApTI organised a series of activities to trigger more public attention regarding the damaging copyright reform proposals. Along with 57 other civil rights organizations, we also signed the Civil Liberties Union for Europe open letter to stop the censorship machine. (more…)

EU Copyright Reform Directive debate with MEP Victor Negrescu

Friday, June 23rd, ApTI along with ANBPR (The National Association of Librarians and Public Libraries of Romania) and CJI (The Center for Independent Journalism) organized a meeting about the European Commission’s Directive proposal on the copyright reform Directive. Romanian MEP Victor Negrescu took part in the event.

This came in the context of the Europe-wide effort to mitigate the damage that the EU Copyright Directive threatens to inflict on human rights and on the Internet in the EU. The biggest two problems are Article 11, which would introduce an ancillary right for press publishers, a.k.a. “the link tax” and Article 13, which would mandate all EU-based online platforms that allow user-made content to implement upload filters, under the guise of protecting copyrights. (more…)

Declaration on Development and Enhancement of Legal Frameworks in Eastern and Central Europe and Eurasia to Protect Internet Freedom

  • WHEREAS, we are civil society organizations in Eastern and Central Europe and Eurasia working for fostering of the freedom of expression, association and flow of information on the Internet
  • WHEREAS, the signatories met in Ohrid (October 2016) and Brussels (March 2017) and discussed common issues on Internet Freedom
  • WHEREAS, we share a common objective for a global Internet Freedom, based on our experiences of defending it in our countries;
  • WHEREAS we share common understanding that regional cooperation is essential to achieving this objective.