After facing an intense backlash from a number of industries, the Romanian Chamber of Deputies has agreed to amend the initial draft law on the processing of health data, allowing insurers more leeway when calculating risk. Under the initial draft law, the processing of genetic, biometric or health data for the purposes of an automated decision-making process or profiling could only be performed by or under the control of public authorities. Moreover, the interdiction could not be lifted even with the consent of the data subject.
This had provoked fierce criticism from many business quarters, most notably the insurance industry, where profiling of health data is an inherent part of calculating the risk of a life or health insurance policy. Bowing to such pressure, the Chamber of Deputies has now decided on a more workable version of the draft. This provides that the processing of genetic, biometric or health data for the purposes of an automated decision-making process or profiling may be done with the explicit consent of the data subject, or where processing is carried out on the basis of express legal provisions, as long as adequate safeguards have been put in place.
The revised version also substantially reduces fines for public authorities in breach of the General Data Protection Regulation, namely to RON 200,000 (about EUR 45,000). In addition, in stark contrast to the private sector (where entities may be fined immediately after a breach has been discovered), public authorities can only be fined if they fail to comply with a remedy plan proposed by the Romanian Data Protection Authority, which must be implemented over a period of 60 to 120 days.