National Internet Governance Forum will be held in Moldova


As a result of the recognition of the national initiative in the Republic of Moldova by the IGF international secretariat, has started the organization of the Internet Governance Forum (Moldova IGF 2020), which will be held on March 20, 2020 in the Digital Park.

The initiator of this significant event for the Internet community is the “Comunitatea Internet” Association supported by Ministry of Economy and Infrastructure of the Republic of Moldova. The General Prosecutor’s Office of the Republic of Moldova and a number of other key state institutions joined the open dialogue. International partners, including ICANN, IGFSA, SecDev Foundation, RIPE NCC, and SEEDIG, support MIGF. Among the national partners of the Forum are the Technical University of Moldova, Digital Park and private companies in the field of IT-technologies and telecommunications.

The MIGF 2020 Organizing Committee included representatives from four stakeholder groups: Government, technical community, private sector and civil society. In addition, a representative of an international organization is included in the Organizing Committee with observer status.

At the meeting of the Organizing Committee of the Moldova IGF, which was held last month, there were discussed current issues related to the preparation of the Forum and proposals from the Ministry of Economy and Infrastructure and other Government institutions, experts and other community members.

According to Alexei Marciuc, chairman of the Organizing Committee and national coordinator of MIGF, Moldova has become the 88th country in the world where the IGF initiative has started. In total, he said, today 125 national and regional initiatives, including 88 national Internet governance forums, 18 regional forums and 19 youth IGFs, have been recognized by the IGF international secretariat.

According to the expectations of the event organizers, guests and speakers will formulate and discuss current trends in Internet governance, as well as consider the new challenges that the participants in this process face. In addition, during the Forum, representatives of the SecDev Foundation will hold a cyber security and cyber hygiene master class for interested individuals.

One of the main objective of MIGF is to bring together different categories of participants, such as Government agencies, private sector, technical community, academia, civil society and international organizations. Within a multilateral, democratic and transparent process, they will discuss the most important issues of state policy in the field of Internet governance and security in a virtual environment. MIGF supports open discussions to determine a common approach to promoting the Internet and managing the risks and problems associated with its use and development.

During the MIGF, a series of plenary and panel sessions will be held, topics such as:

  • Internet governance in the context of digital transformation,
  • Internet governance and freedom in the digital space,
  • Trust and security in the digital future,
  •  Economic and social value of the Internet as a catalyst for digital technology,
  • Negative phenomena in the Internet space (cybercrime, hybrid war, propaganda, fake news) and their overcoming,
  • Use of the Internet in the context of the European standards for the protection of personal data (GDPR – General Data Protection Regulation).

The MIGF 2020 Organizing Committee invites everyone who is interested in discussing current Internet governance issues to participate in the national initiative. To register, use the online form on the event website. The organizers are also waiting for your ideas and suggestions through a form on the site or social networks.


#TeleormanLeaks explained: privacy, freedom of expression, and public interest

The European Union’s new privacy law, the General Data Protection Regulation, or GDPR, is being tested across Europe. The first GDPR privacy case in Romania began with an investigation that was published on November 5 about a corruption scandal involving a politician and his close relationships to a company being investigated for fraud. The Romanian data protection authority (ANSPDCP) sent a series of questions to the journalists who authored the article and asked for information which could reveal the article’s sources. The data protection authority also mentioned a possible penalty of up to €20 million, if the journalists didn’t comply. The data protection authority insists it acts independently, without any political interference, and that its raison d’etre is to “ensure a balance between the right to the protection of personal data, the freedom of expression and the right to information”.

The Association for Technology and Internet (ApTI) together with other 11 human rights and media organizations sent an open letter (available in English and Romanian) to the Romanian data protection authority (ANSPDCP). ApTI is a digital rights NGO and a member of the European Digital Rights (EDRi), which supports and promotes a free and open internet where human rights are guaranteed and protected. The letter calls ANSPDCP to carefully analyse GDPR cases that might endanger freedom of expression and demands for an urgent and transparent mechanism to be put in place when assessing claims involving data processing operations for journalistic purposes.
At the same time, ApTI together with Privacy International, EDRi, and 15 other digital rights NGOs sent a letter to the European Data Protection Board, with ANSPDCP and the European Commission in copy, asking for the GDPR not to be misused in order to threaten media freedom in Romania.

What happened

#TeleormanLeaks is the name of the press story uncovering the link between Tel Drum, a road construction company based in Teleorman county, Romania, currently under investigation for fraud with European funds (based on a complaint sent by the European Anti-Fraud Office), and Liviu Dragnea, the president of the Social Democratic Party and president of the Chamber of Deputies, known to have built a business empire in this county. The first part of the investigation was published on 5 November by RISE Project, a Romanian investigative journalism outlet. A Facebook post was also published to promote the investigation, as a teaser.

On 8 November, ANSPDCP sent a notice to RISE Project to ask 8 questions on the personal data included in the material posted on Facebook, including “the sources from where the personal data was obtained”. This sparked international outrage and the Organized Crime and Reporting Project (OCCRP), the European Commission as well as, nationally, dozens of journalists and media outlets reacted with strong concern. More details below on the controversies.

One day before the authority’s letter to RISE Project, Romanian media reported that one of the key people involved in this scandal, currently the commercial director of Tel Drum and former head of the financial prevention control department in the same company, filed a “right to be forgotten” claim to the ANSPDCP. It is important to note that apparently the ANSPDCP’s notice to RISE Project was not based on this complaint filed by this particular individual, but as the authority’s clarifications underline, the letter was issued based on a notice from a third party not directly affected by the case.

From the notice, it appears that ANSPDCP considers that it is entitled to invoke Articles 57 (1) (f) and 58 (1) (the task of a Data Protection Authority to handle and investigate complaints and the power to order the provision of any information required for the performance of these tasks) of the GDPR to ask where the information published on the Facebook post comes from. However, both “clarifications” published on their website fail to explain why the authority interpreted the situation not to fall under the derogations of Article 7 of the Romanian law 190/2018 (that implemented Article 85 of GDPR which requires reconciliation of the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes). Furthermore, ANSPDCP has not clarified the analysis it performed for reconciling the fundamental rights in question (legal details below).

GDPR and freedom of expression

Recital 153 of the GDPR states that in order to take account of the importance of the right to freedom of expression in a democratic society, it is necessary to interpret notions relating to this freedom — such as journalism — very broadly. In other words, GDPR cannot be used as a tool to carve out the enjoyment of other rights. All fundamental rights have equal standing and when a conflict arises, there needs to be a reconciliation of rights.

Member States and regulatory authorities must apply the larger European human rights framework and take into consideration the European Union Charter for Fundamental Rights, the European Convention on Human Rights as well as the European Court of Human Rights (ECtHR) jurisprudence.

As mentioned above, GDPR has an article (Article 85) which requires the reconciliation of the right to the protection of personal data with the right to freedom of expression, including processing for journalistic purpose and leaves it up to Member States to implement through national derogations or exemptions from certain provisions of GDPR.

What does the Romanian implementation of Article 85 of the GDPR look like?

In law no. 190/2018 implementing the GDPR, Romania opted to limit the exceptions of Article 85 to the following alternative scenarios in which data processing activities can be performed for journalistic purposes (Article 7):

  • if it concerns personal data which was clearly made public by the data subject,
  • if the personal data is tightly connected to the data subject’s quality as a public person,
  • or if the personal data is tightly connected to the public character of the acts in which the data subject is involved.

This national implementation of the GDPR raises questions because it allows derogations from GDPR for journalistic purposes only in one of these three alternative scenarios, which are extremely limited. Personal data processing for journalistic activities is usually much wider than this. To restrict derogations for journalistic purposes only to the three listed options falls short of the protections required to protect freedom of expression, in particular journalistic freedom and human rights jurisprudence in this regard, and will not lead to a uniform application of the GDPR at European level.

Does the Romanian data protection law / GDPR protect journalists from scenarios like this?

The exemption in Article 7 discussed above provides that “the processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out if it concerns personal data which have been made publicly manifested by the data subject or closely related to the person’s public status or the public character of the facts in which he or she is involved.”

From the correspondence to RISE Project, we assume that ANSPDCP interpreted that it was not covered by Article 7 of law 190/2018 and that it considered that:

  • either the Facebook post was not written for journalistic purposes,
  • or that this situation is not covered by one of the narrow exceptions in Article 7.

Or even, in a much wider speculation, that ANSPDCP never intended to look into the journalistic activity, but they were rather interested in whether there had been an underlying abuse of personal data, and sought to find out who did not adequately protect the personal data that is now in the hands of the journalist.

That the data protection authority sought not to apply the exception in Article 7, is in itself questionable given the facts of the case. However, even if they had applied Article 7, the deficiencies in this exception outlined above, mean that it is not guaranteed that there would have been adequate protection for freedom of expression and journalistic sources.

Was the Romanian data protection authority entitled to ask for the source of information?

Given the European Court of Human Rights jurisprudence on freedom of speech, it is questionable whether the ANSPDCP could have the right to ask for access to sources of a journalistic investigation. At the same time, the request, seems to be quite vague on this topic, asking for what looks to be standard information that they ask for in data protection cases, such as the source of the data or the storage support of the data. These questions appear to mirror the right to information in Articles 13 and 14 of GDPR, which list the information a data controller is required to provide to an individual, including the original source of the data.

However, in the second part of the request, ANSPDCP mentions its right to have access to the electronic storage support on which the personal data is stored (in the context of Article 58 (1) e) and f) of GDPR — a supervisory authority’s power to obtain access to all personal data and information necessary for the performance of its tasks and to obtain access to premises, including data processing equipment), which was specifically highlighted by the ANSPDCP. This can be interpreted as a request to find out where the data is stored, although this kind of access should be required only if it would be necessary for accomplishing its investigation attributions and must be done in accordance with Romanian procedural law.

What kinds of factors should be taken into account by data protection authorities when reconciling data protection and freedom of expression?

In order for a data protection authority such as ANSPDCP to be able to reconcile freedom of expression and data protection, there must first be an adequate exemption in the law. As discussed above, the narrow derogation in Article 7 of the Romanian law raises a number of concerns. For the law to then apply effectively and consistently, guidance and training are also important. The European Court of Human Rights (ECtHR) jurisprudence provides insight into the factors that need to be taken into account with regard to these two fundamental rights, such as (presented in more detail in ApTI’s report on ECtHR jurisprudence):

  • the contribution of the work to a public interest debate;
  • the subject of the work (e.g. the person/data subject);
  • the way the information was obtained and its veracity;
  • the prior behavior of the person involved;
  • the content, the form and the consequences of publishing the work;
  • the severity of the penalty imposed as a consequence of establishing that an infringement of privacy occurred.

This case from Romania demonstrates that it is essential that data protection authorities work to reconcile fundamental rights. This is why Privacy International, EDRi, ApTI, and others have called for guidance and intervention from the European Data Protection Board. Moreover, the data protection law should be used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporting.

Article written by Valentina Pavel, legal adviser and Mozilla Fellow working with Privacy International as host organisation, as well as an ApTI member.

This article was originally published on Privacy International’s website at https://www.privacyinternational.org/blog/2456/teleormanleaks-explained-privacy-freedom-expression-and-public-interest

Media reforms in Macedonia delayed due to more pressing security issues

This article has originally been published by EDRI-Gram on 12.09.2018. Photo by Yemc, Public Domain via Wikipedia.

Recent political developments have affected the implementation of the reforms in the area of freedom of expression in Macedonia. The focus of government institutions on overcoming political obstacles to joining NATO and the EU had put most other reforms on the backburner. (more…)

Second Regional Internet Freedom Summit to take place in Macedonia

Next week, from 22 to 24 March, ABA ROLI will host the second Regional Internet Freedom Summit, organized in cooperation with the members of the Internet Freedom Platform of Eastern and Central Europe and Eurasia.

More than 120 Internet freedom experts and human rights activists from Europe and Eurasia will gather together in Struga, #Macedonia, to discuss the latest developments in online freedom of expression, privacy, and cybersecurity. (more…)

Improving Legal Safeguards for Internet Freedom in Georgia


Balancing internet freedom and protecting citizens from harmful online activities and content can be complicated. In Georgia, this debate is playing out as authorities seek to update regulations to protect internet consumers and providers within the country. Originally adopted in 2006, Georgia’s “Regulation on Provision of Services and Protection of Consumer Rights in the Sphere of Electronic Communications,” requires modification. The grounds for deeming content as unallowable are vague and leave room for interpretation. As a subgrantee of the American Bar Association Rule of Law Initiative (ABA ROLI), the Institute for the Development of Freedom of Information (IDFI), recently prepared seven legislative initiatives to help strike the balance between freedom and protection by better defining what can be considered inadmissible content. (more…)

6.5 Out of 10 Are Internet Users in Armenia


As of December 2016, 64.2% of the population in Armenia uses the internet. According to the Ministry of Transport, Communication and Information Technologies, in 2016, as compared to 2015, the number of internet users grew almost by 10%. In 2015, 55.29% of the population was using the internet. The most recent data on communications and technologies on the ministry’s website are from December 2016. (more…)