Recent events threatening the safety of EU citizens in some countries have again put the so-called Big Brother laws, concerning cyber-security, data retention and the registration of prepay cards, on the public agenda in Romania. The heated debate around some of the stipulations of the laws invite questions about where the line should be drawn as far as individual privacy is concerned and where fighting crime begins.
The Big Brother laws will be reanalyzed at the request of Romanian president Klaus Iohannis, who called for authorities to “find a balance between respecting individual freedoms and preventing terrorism, cybercrime and fighting corruption.”
In January the Romanian Constitutional Court rejected three bills – the data retention bill, the prepay card bill and the cyber-security law. Following the president’s plea, the laws will be reanalyzed by the Operative Council of Cybernetic Security.
“This initiative aims to surpass the blockage registered at the moment, to reach alignment with the decisions of the Constitutional Court and inform public opinion better regarding the legal measures and their effects. The new analysis of the legislation in this field will also include consultations with civil society, before starting a new legislative process at the level of Parliament, since the participation of representatives of civil society is indispensable for meeting those who have in the past been reticent about some stipulations,” ran an official statement from the president’s office.
The law on Romania’s cybernetic security was rejected by the Constitutional Court on the grounds that it goes against stipulations in the Romanian Constitution.
“The rapid reaction of the Romanian authorities shows us that they had used a moment when human rights were violated in order to push forward again some ideas of generalized surveillance that are disproportionate,” Bogdan Manolea, founder of the website www.legi-internet.ro and a member of the Association for Technology and Internet, told Business Review, in respect to the cybercrime and the prepay card laws.
The Court was reluctant to approve some of the stipulations of the laws involving the personal data of telecommunication users in Romania, since the local authorities have not yet found a formula that both ensures that citizens’ rights are respected while also strengthening national security.
“All the four fundamental aspects raised by NGOs regarding the cyber-security law, such as access to data, the relevant authority, very loose definitions and unclear obligations, were confirmed by the Constitutional Court, which ruled them unconstitutional. In fact, the Constitutional Court has declared unconstitutional many other aspects that were not raised at all by civil society,” Manolea told BR. “Before talking about the law, we need to clarify the principles underlining it, and have a real public consultation with the private, academic sector and civil society.”
The cyber-security law did not pass the Supreme Council for the Country’s Defense, which is one of the reasons why it was rejected by the Constitutional Court.
In that form, the bill required owners of cybernetic infrastructures to put data at the disposal of the Romanian Intelligence Service (SRI) but also other institutions, upon request. However, since the SRI is a military institution, the court decided that this flouted European norms.
According to the Court motivation for the decision, “the option to appoint a civil body as national authority in the field of cyber-security, instead of a military entity with intelligence activity, is justified, in order to prevent the risk of defying the purpose of the cyber-security law. The secret services should not use the law’s provisions to obtain data and information that violate the constitutional rights to privacy, a private family life and the privacy of correspondence. This is precisely what the submitted draft does not observe, by putting the Romanian Intelligence Service and its military structure, the National Center for Cybernetic Security, in charge.”
The law does not protect the rights of the citizens enough, said the Constitutional Court in its motivation. “The request for access to the retained data, to use it according to the purpose of the law which is formulated by the state institutions designated as authorities in cyber-security, is not dependent on authorization or approval from the judge, so there is no warranty regarding efficient data protection against the risk of abuse or against any access or illicit use of these data. This represents interference in the fundamental rights to privacy, a private family life and private correspondence,” stated the court.
The Constitutional Court concluded that the law is “not precise and predictable enough; the state interference in the constitutional rights to privacy, private family life, and the secret of correspondence, even though predicted by the law, is not formulated clearly, rigorously and exhaustively, to give citizens confidence in it, which is essential in a democratic society.”
Asked by BR, Manolea said there are countries that have no cyber-security law and others that do. “The United States is only proposing to have one now. Germany has also been discussing it but I believe most European states are waiting to see the result of the European directive that will probably be adopted in 2015, in order not to do the work twice.”
Meanwhile, the Romanian Intelligence Service protested against the decision of the Constitutional Court, claiming that the law does not allow state access to data related to the private life of individuals without previous authorization from a judge.
The SRI dismissed the “fears, speculation and accusations formulated in the public space” as lacking “any real grounds”.
At that time, George Maior, former chief of the SRI, lashed out against the Constitutional Court. “I wish to give a very serious warning that there is a moral responsibility somewhere, in this state, regarding the national security of Romanian citizens – not from the state, because I am no longer speaking about the state – but at the time when a catastrophe hits, I will know at whom I will point the finger,” he said.
Regarding the law on prepay card registration, Maior said it offers “an absolutely vital analysis capacity” to investigate certain national security threats, but since it was rejected, this created “a unique legislative void” and now the only alternative is to use the other instruments at their disposal.
“In Romania debates have started again in Parliament on the matter of the informatic law, but we are forgetting to talk about the principles that should underline the law. In the United States President Obama is barely daring to open discussion about this subject after the NSA failure,” commented Manolea on the website http://privacy.apti.ro/.
“This week I have learned that Germany is also discussing a law regarding cybernetic security. The first difference is that instead of hidden text and just ten days for comments, they do it exactly the other way round – the first draft has been out since March 2013, and the latest since December 2014. All are public. And they have not reached completion; they have not yet involved the states, since Germany is a federal state, so it will take at least another year. So what could they discuss for two years while we are preparing a law in just six months?” he wondered. “The purpose is the protection of IT security in companies that are considered critical infrastructure and the protection of citizens and their personal data.”
The analyst told BR that, with the exception of the necessary correction of article 152 in the Criminal Code, nothing is “urgent or immediately necessary”.
“Germany has been discussing a law on informatics security for two years and their IT systems are just fine,” he commented.