A new law (no. 235/2015) amending the legislation governing the processing of personal data and privacy in the electronic communications sector was published in the Official Gazette on 14 October 2015 and has entered into force (the “New Retention Law”). This article reviews the main changes introduced by the New Retention Law and also examines a recently proposed draft of secondary data protection legislation, which has yet to be enacted.
Purpose of the New Retention Law
The New Retention Law has been enacted to implement a Romanian Constitutional Court decision from 2014 (the “Constitutional Court Decision”), which declared unconstitutional the local legislation transposing Directive 2006/24/EC (the “Previous Retention Law”), ruling that such legislation may give rise to abuses in accessing and using retained data. The Court of Justice of the European Union invalidated this Directive in 2014, on the grounds that its provisions infringe fundamental rights concerning the respect for privacy and the protection of personal data.
The New Retention Law seeks to regulate access to data held by providers of public networks for electronic communications and providers of electronic communications services (the “Providers”). In addition, the New Retention Law aims at providing objective criteria for regulating:
- the access and use of personal data by public authorities and institutions, in particular the provisions relating to the obligation to obtain prior authorisation issued by courts for such access. Previously such authorisation by the courts was not required; and
- the types of personal data that must be processed and retained by electronic communications providers, including traffic data, equipment identification data and localisation data of their users and subscribers (the “Retained Data”).
Amendments and potential consequences under the New Retention Law
The New Retention Law introduces the following main changes:
Definition of Retained Data
The New Retention Law introduces the concept of ‘equipment identification data’ in addition to the previously existing concepts of traffic data and location data (both of which have to be retained by the Providers). However, privacy specialists consider ‘equipment identification data’ to be already included in the obligation to retain traffic and location data (including from global positioning systems). This refers to technical data held by the Providers concerning the localisation of the user’s communication equipment used by the Providers for the purposes of invoicing, preventing commercial disputes or transmitting communications by way of an electronic communication network.
Thus, the New Retention Law appears to introduce ambiguity as to the types of data to be retained by the Providers. Aside from Retained Data, the Providers have no further obligations to use such retained data, except for specific requests made in accordance with the relevant legislation.
The maximum period Retained Data may be retained by the Providers
The Providers must delete and make anonymous Retained Data when such data is no longer needed, but no later than three (3) years as of the date of the communication (i.e., the date of exchange or transmission of information between users via a publicly available electronic communications service). Retained Data from prepaid users of Providers may be processed only for a period of three (3) years from the date of communication.
An increase in the above period may be requested by courts, prosecution units, national defence and security bodies. Such a request must be accompanied by a notice regarding the necessity of retaining such data for the purpose of identifying and conserving evidence (i) during on-going criminal investigations (regardless of the type of criminal offence investigated) or (ii) for national defence and security reasons. In such a case, the data cannot be kept by the Providers for more than five (5) years from the date of the request or until the court delivers a final ruling.
Approval of request for access to Retained Data
Access to Retained Data may be granted only in accordance with the legal restrictions and with the prior authorisation of the court, in which case the Providers must communicate the requested Retained Data within a maximum of 48 hours as of the competent public authorities’ request. An exception from the above-mentioned approval conditions and timeframe is provided for state bodies with powers in national security and defence (e.g. internal specialised bodies within the Romanian Intelligence Service, the Ministry of National Defence, the Ministry of Justice, the Ministry of Internal Affairs), as per the specific legislation in this respect. This approval process was implemented in the New Retention Law in response to the Constitutional Court’s decision. The Court had criticised the fact that the Previous Retention Law permitted access to Retained Data without court approval.
Form of access to Retained Data
Responses to requests for access to Retained Data may be given in hard copy or in electronic format. All requests and responses submitted in electronic format must be signed with a certified electronic signature. This obligation may give rise to certain timing and cost issues if the Provider does not have the possibility to use a certified electronic signature.
If the Retained Data is given in hard copy, this may result in increased time and costs relating to preparing the information for transfer, transferring it to the requesting entity, and reviewing and storing such information. The Providers have a confidentiality obligation when processing requests for access to Retained Data.
Draft legislation for amending data protection secondary legislation
Secondary data protection legislation may also undergo changes, as a new draft for amending the related secondary legislation (the “Draft Data Protection Legislation”) has been published on the website of the Romanian Data Protection Authority for public consultation.
As the Draft Data Protection Legislation is still under public consultation, it may undergo further amendments before being enacted and entering into force. Below is a review of its current wording and possible implications.
Unclear wording within the Draft Data Protection Legislation
The Draft Data Protection Legislation appears aimed at establishing the categories of personal data processing operations for which registration with the competent bodies is mandatory.
However, the Draft Data Protection Legislation seems to be rather unclear at this moment, as it provides the possibility for the Romanian Data Protection Authority to establish only the exemptions to the obligation for registering data processing operations, and not the situations where data protection processing operations must be registered. The secondary legislation currently in force establishes the exemptions to the registration obligation.
In addition, the Draft Legislation states that it does not affect the obligation to notify personal data processing operations provided by other legislation (i.e., it seems that the personal data processing operations provided by the Draft Legislation are not exhaustive).
Potential consequences of the Draft Data Protection Legislation
If the final approved version of the Draft Data Protection Legislation establishes the limited situations in which personal data processing operations are to be registered by the Providers with the Romanian Data Protection Authority, the entry into force of this Draft Data Protection Legislation may lead to a significant decrease in the number of cases where registrations are required.
View of the Romanian Data Protection Authority
Following informal discussions with the Romanian Data Protection Authority, it appears that only the processing operations provided by the Draft Legislation will need to be registered. In such a case, this would limit the obligation to register the processing of personal data to the types of processing operations provided in the Draft Data Protection Legislation.