On the eve of the EU reform package on data protection rules coming into force, the wide disparities between the ways different public bodies process and manage citizens’ personal data have become apparent at the national and local levels.
In line with EU rules, the Romanian legislative framework on data protection regulates the fair and legal processing of personal data by public authorities. However, in recent years, the conduct of Romanian authorities in this respect has become not only a matter of public debate but also the object of judgments by the European Court of Justice and the Romanian Supreme Court, as well as of the Romanian Data Protection Authority’s sanctions. Below is a high-level overview of the status quo.
Data Transfers Between Authorities
In a case that led to a preliminary ruling by the European Court of Justice (Case C-201/14), data regarding a citizen’s income was transferred by the Romanian Tax Authority to the Romanian National Health Insurance Fund to enable the latter to collect health insurance contributions. The citizen complained her data was transferred and used for purposes other than those for which it had been collected, without her prior explicit consent, and in the absence of any prior notice regarding such processing.
The European Court of Justice found that Articles 10, 11, and 13 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as to preclude national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and its subsequent processing without the data subjects having been informed of that transfer or processing.
In spite of the European Court of Justice’s decision, so far the public bodies involved have made no announcement regarding the renewal of the personal data transfer protocols or the implementation of fair processing procedures.
Data Disclosures by Tax Authorities
The Romanian Data Protection Authority has found in a number of cases that publishing lists of debtors by public authorities for the purpose of communicating such debts was excessive compared to the aim pursued. Despite these findings, in another event that stirred public outcry in Romania, the Romanian Tax Authority published a list of debtors including names and surnames, places of residence, and outstanding tax obligations.
Although the publishing of this information was provided for by law and thus met the condition for legitimate processing laid down by Directive 95/46/EC, the proportionality of the measure with its goal of deterring, preventing, and mitigating tax debt has been called into question and is subject to pending litigation.
Data Protection by Courts of Law
Romanian courts themselves have made headlines for failing to observe data protection obligations. Although procedural guarantees based on the rights to privacy and data protection have been introduced in the latest versions of the criminal and civil procedure codes, Romanian courts have repeatedly violated the rights of data subjects by publishing court sentences without anonymizing the personal data they contained.
However, insofar as public court sessions remain the rule and there are no express mechanisms to protect privacy in such cases or indeed to prevent other parties to the trial from disclosing case documents obtained from opposing parties, litigation remains a hot potato. Good litigation strategy should therefore include carefully weighed thoughts on data privacy.
Other bodies such as the Trade Registry or the Competition Council seem to have integrated data protection into their institutional culture and developed adequate systems for the preservation of a healthy balance between the need for administrative transparency and the protection of personal data. Others simply use personal data protection as grounds to refuse access to information the disclosure of which is requested as a matter of public interest. In similar cases, the Romanian Supreme Court decided, however, that refusals are unjustified as long as the personal data can be anonymized.
In light of the above, it remains to be seen if the increased sanctions provided for by the General Data Protection Regulation will prove to be enough of an incentive for all Romanian public authorities to act consistently with regard to personal data protection.
By Alina Popescu, Co-Managing Partner, and Teodor Chirvase, Associate, Maravela | Asociatii
This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.