The Romanian Parliament recently passed a piece of legislation with a view to transposing Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (“Directive 2016/680”). The legislation is currently pending entry into force.
While the enactment does not, for the most part, materially deviate from the provisions of Directive 2016/680, controversy was raised by a particular provision in the Romanian legislation which requires authorities to grant the right of access to data within a 60-day deadline.
Critics, among them 63 Members of Parliament who have already taken the matter to the Romanian Constitutional Court, say such a law clashes with criminal procedure rules, notably Art. 145 of the Criminal Procedure Code, which allows suspects to find out that police technical surveillance measures have been deployed in criminal cases only after the measures are completed. Other concerns relate to potential obligations imposed on private entities, such as mobile phone companies, personal transport operators, etc., to cope with the rights of data subjects or even to be obliged to disclose or leak information to crime suspects.
We will briefly try to set the framework for a preliminary analysis of whether or not the new Romanian legislation sets aside the checks and balances provided by Directive 2016/680 to the detriment of criminal investigations. It obviously remains to be seen what position the other stakeholders, the Constitutional Court of Romania included, will take.
Scope of Directive 2016/680
As far as the scope of the directive is concerned, despite its apparently extensive ambit, the Directive essentially sets out to require that, where personal data are processed in the course of a criminal investigation and of court proceedings, Member States shall provide for the exercise of the right to information, access and rectification or deletion of personal data to be carried out in accordance with their national rules and the relevant procedures for criminal investigations.
Notably, Article 2(3) of Directive 2016/680 (read in conjunction with Recital 14) limits the application of Directive 2016/680 to the processing of data in the course of an activity within the scope of EU law. As expressly provided by said Recital 14, activities concerning national security, activities of agencies or units dealing with national security issues and the processing of personal data by the Member States, when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (TEU), should not be considered to be activities falling within the scope of Directive 2016/680.
From a historical perspective, Directive 2016/680 does not appear at all “new”. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (which Directive 2016/680 repeals and substitutes) provided similar rights, i.e. information to and access by the data subjects. The Council of Europe’s Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108/1981) has long been a binding international instrument protecting individuals against abuses which may accompany the collection and processing of personal data, applying to all data processing carried out by the private and public sectors, such as investigative authorities. Finally, Romania itself was involved in an ECHR case (Rotaru v. Romania), where the applicant complained of, and the ECHR upheld, an infringement of his right to privacy, as the Romanian authorities held personal data about him which contained wrong information, which the authorities had used and which was impossible to correct.
So far, at least on the face of it, Directive 2016/680 does not introduce data protection or data subjects’ rights in the context of criminal investigation as a novelty. The new elements are rather the full alignment of principles relating to processing of personal data with those enshrined in the GDPR and the establishment of an independent supervisory authority entrusted with the task of monitoring the application of data protection law in criminal investigations within each Member State (most likely the same authority that is competent under the GDPR).
New obligations for authorities
But then, is there anything to be feared from the Romanian legislation transposing Directive 2016/680? In principle, Member States may provide higher safeguards than those established in the Directive for the protection of the rights and freedoms of the data subject (as provided in Art. 1 (3) of Directive 2016/680). Therefore, a national piece of legislation could impose full (or near-full) transparency on the part of authorities, although this may impact the secrecy of criminal investigations.
However, on a brief examination of the new legislation, this does not appear to be the case. Indeed, there is a 60-day deadline rule which is applicable to authorities in addressing all data subjects’ requests. But the new law also contains a provision similar to Art. 13 (3) of Directive 2016/680, allowing authorities to omit the provision of the information to the data subject in order to avoid obstructing official or legal inquiries, investigations or procedures.
Of course, it would probably have been best to directly embed the principles in Directive 2016/680 into the actual measures provided by the Romanian Criminal Procedure Code (such as police technical surveillance measures in the case criticized before the Romanian Constitutional Court). This is especially so given that Art. 13 (4) of Directive 2016/680 expressly “invites” Member States to adopt legislative measures in order to determine the actual measures which fall under the “denial of request” category. But, at least as things currently stand, this does not mean that the Criminal Procedure Code is automatically overridden. A more practical issue for the authorities will be to formulate a “standard” reply of full denial (as requested by the Romanian legislation), where the authorities want to keep secret the mere fact that the data subject is under investigation.
Finally, where various data processing measures are imposed by public authorities for reasons related to national security, it is arguable whether Directive 2016/680 is applicable at all, as follows from Recital 14 (although the Romanian legislation transposing Directive 2016/680 does not refer to this particular case).
New obligations on private entities
As regards the impact of the Romanian legislation on private entities (such as telecom operators, internet and internet service providers, public transport operators etc.), first of all, Art. 3 (8) of Directive 2016/680 expressly provides that only competent public authorities may be controllers of data.
Therefore, as a rule, a provider of electronic communications which is obliged by a public authority to provide personal data of its clients should not be regarded as a controller under Directive 2016/680 and should not deal directly with requests from data subjects.
Nonetheless, it cannot be excluded that, depending on the actual obligation incumbent on the private entity, that entity may be viewed as an entity entrusted by Member State law to exercise public authority and public powers. From this perspective, the case-law of the Court of Justice of the European Union has, for other purposes, included in this category various organizations or bodies which have special powers beyond those which result from the normal rules applicable to relations between individuals (see, for instance, Case C-180/04 Andrea Vassallo v. Azienda Ospedaliera Ospedale San Martino di Genova e Cliniche Universitarie Convenzionate (Reference for a preliminary ruling)). Therefore, it is not entirely far-fetched to see such a rationale applied by the European Court in relation to private entities under Directive 2016/680, especially where those private entities deploy various surveillance measures on behalf of authorities, and also have the liberty to decide the means of processing.
Even if the interpretation above is not upheld and such private entities are regarded as mere processors, Directive 2016/680 may still trigger additional costs from having to update methods of handling paper files, meet additional requirements for data sharing, adjust to response times for data subject requests and to their expected increase, upgrade to prevent unauthorized processing of data, and report to the data protection authority.
By Miruna Suciu, Managing Partner, and Andrei Georgescu, Partner, Suciu Popa Attorneys