[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Romania

Constitutional Privacy Framework

The Romanian Constitution[4238] adopted in 1991 recognizes under Title II (Fundamental Rights, Freedoms and Duties) the rights of privacy, inviolability of domicile, freedom of conscience and expression. Article 26 of the Constitution states, "(1) Public authorities shall respect and protect intimacy, family and private life. (2) Any natural person has the right to freely dispose of himself unless by this he causes an infringement upon the rights and freedoms of others, on public order or morals." Article 27 states, "(1) The domicile and the residence are inviolable. No one may enter or remain in the domicile or residence of a person without consent. (2) Derogation from provisions under paragraph (1) is permissible by law, in the following circumstances: for carrying into execution a warrant for arrest or a court sentence; to remove any danger against the life, physical integrity or assets of a person; to defend national security or public order; to prevent the spread of an epidemic. (3) Searches may be ordered only by a magistrate and carried out exclusively under observance of the legal procedure. (4) Searches at night time shall be prohibited, except in cases of flagrante delicto." Article 28 states, "Secrecy of the letters, telegrams and other postal communications, of telephone conversations and of any other legal means of communication is inviolable." According to Article 30, "(6) Freedom of expression shall not be prejudicial to the dignity, honour, privacy of person, and the right to one's own image."

Data Protection Framework

In November 2001, the Parliament enacted Law No. 676/2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector[4239] and Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data.[4240] These laws follow very closely the European Union Telecommunications Privacy (1997/66/EC) and Data Protection (1995/46/EC) Directives respectively. Romania joined the European Union on January 1, 2007.[4241]

Law No. 676/2001 provides for specific conditions under which privacy is protected with respect to the processing of personal data in the telecommunications sector. In 2004, Law No. 676/2001[4242] was practically replaced by Law No. 506/2004 closely following Directive 2002/58/EC of the European Parliament and the Council on personal data processing and privacy protection in the electronic communications sector.[4243]

Law No. 506/2004 divides the task of enforcing the personal data protection law, between two institutions: the National Regulatory Authority for Communication (NRAC) for issues related to electronic communications and the People’s Advocate Office with regard to issues related to privacy. In this sense, the National Regulatory Authority for Communication (NRAC) has competence in relation to: security measures for electronic communication; non-compliance with invoice issuing conditions; infringement of the obligations regarding the presentation and restriction of calling and connected line identification.

Law No. 677/2001 applies to the processing of personal data, made, totally or partially, through automatic means, as well as to the processing through means other than automatic, which are part of, or destined to, an evidence system.

Supervisory Authority

The new Authority for protecting personal data, the National Authority for the Supervision of Personal Data Processing (ANSPDCP), was created by Law no. 102/2005,[4244] which replaced the previous supervisory authority (also called "The People's Advocate").[4245] The law regulates the transfer of the database from the People's Advocate Office to the ANSPDCP. Due to the delay in creating the ANSPDCP, the Romanian Government issued an Emergency Ordinance no. 131/2005 that delayed the time for creating the authority until December 31, 2005.[4246] The internal regulations of the new authority were adopted on November 2, 2005.[4247] The ANSPDCP opened in February 2006, and the new institution began to provide advice and help for the infringement of the personal data legislation.[4248]

Since June 2006, four decisions have been issued by the ANSPDCP for the application of the personal data legislation. These decisions establish standard notification forms,[4249] categories of sensitive personal data processing operations,[4250] notification exemptions,[4251] and situations in which the simplified notification form for personal data processing may be used.[4252] In 2007, the ANSPDCP issued two orders. The first implements an online registry of controllers and the second abolishes the notification fee.[4253] Also in 2007 the ANSPDCP issued a decision regulating the transfer of personal data to third countries.[4254]

The authority started a series of activities in 2006 – 2007 to elevate personal data protection awareness, most of them directed to the local public authorities. The awareness activities also included a joint conference with the Romanian Banks’ Association regarding personal data protection and processing within the financial and banking sectors.[4255]

In 2002, Law No. 365/2002 on Electronic Commerce[4256] adopted the opt-in principle for unsolicited commercial e-mails ("spam").[4257] Law No. 506/2004 also regulates spam. The law states that the use of electronic mail for the purposes of direct marketing without the prior explicit consent of the user will be sanctioned with a fine between ROL 50 million (approx. EUR 1,250) and ROL 1 billion (approx. EUR 25,000). For companies with a turnover that exceeds ROL 50 billion, the fine could amount to as much as 2% of revenues. Other provisions regulate the subscribers' right to choose not to be included in printed or electronic directories and to consent to use of personal data in the directory. Companies that infringe this right are subject to a fine between ROL 300 million (approx. EUR 7,500) and ROL 1billion (approx. EUR 25,000). The new law further stipulates that the provider of a publicly available electronic communications service must take appropriate measures to safeguard the security of its services, and to inform subscribers and users in relation to any risk of a security breach.[4258]

In 2002, the National Audiovisual Council[4259] issued regulations regarding privacy and television and radio programs in Decision No. 80 of August 13, 2002 Regarding the Protection of Human Dignity and the Right to Protect One's Own Image established a few privacy principles: Article 6 states, "(1) Any person has a right to privacy, privacy of his family, his residence and correspondence. (2) The broadcasting of news, debates, inquiries or audio-visual reports on a person's private and family life is prohibited without that person's approval." According to Article 7, "It is forbidden to broadcast images of a person in his or her own home or any other private places without that person's approval; (2) It is forbidden to broadcast images of a private property, filmed from the inside, without its owner's approval."

Law No. 451/2004 concerning temporal marks has been added to the Romanian portfolio of laws regulating electronic and Internet activity. A temporal mark shows when an electronic document is created or signed. The registration of temporal marks must be maintained for at least 10 years.

It is usually used to verify an electronic signature, the validity of the electronic signature certificate in the Internet auctions and when there is a requirement for a certain date for the copyrighted materials. The law also regulates the liability of temporal mark services providers, who are responsible for losses suffered by customers as a result of the provider's failure to comply with the provisions of the law. Providers are required to contract a liability insurance policy or obtain a warranty certificate from a financial institution. The Law entered into force on December 5, 2004.[4260]

Wiretapping and Surveillance Rules

The interception of telephone calls, the opening of correspondence and other similar actions are regulated by Law No. 51/1991 on National Security in Romania and Law No. 26/1994 on Police Organization.[4261] Article 13 of Law No. 51/1991 allows the interception of calls in case of crimes against the state, only as a result of a mandate issued by the General Prosecutor of the Office related to the Supreme Court. The mandate has a maximum duration of six months with the possibility of extension by up to three months by the General Prosecutor. According to Article 16 of the same law, the means to obtain information may not infringe citizens' fundamental rights and freedoms, i.e., their private life, honor or reputation, or to subject those rights and freedoms to legal restrictions. The citizens who believe that their rights have been infringed, can appeal to the Commissions of Human Rights of the two Chambers of the Parliament. According to Article 17 of Law No. 26/1994, which aims at preventing organized crime and serious infringements in the interest of a criminal investigation, the police can require the Prosecutor's Office to intercept calls and open correspondence pursuant to Law No. 51/1991.

In 1996, the Criminal Code was modified by Law No. 41/1996, which introduced a new section on the use of audio and video recordings for interception purposes. The section establishes the conditions under which video and audio recordings may be carried out, including the interception of telephone calls. Therefore, according to Article 91 of the Criminal Code, the recordings on magnetic tape can be used as evidence if the following conditions are complied with: there are reasons to believe that a crime has been, or is about to be, committed; the criminal deed related to which the recording is made is a crime investigated ex-officio; the use and efficiency in finding out the truth; and the authority that carries out the wiretap has been properly authorized to do so. The authority competent to issue such an authorization is the prosecutor designated by the General Prosecutor of the Office related to the Court of Appeals. The authorization to wiretap is given for a period of up to 30 days. The authorization can only be extended for very substantiated reasons.

The law also compels law enforcement authorities to report specific information about their wiretapping: the authorization given by the prosecutor, the number of the telephones among which the calls take place, the names of the people carrying out the conversations, and, if known, the date and time at which each communication took place, and the item number of the roll or tape on which the recording is made.

Similar provisions related to the recording of traffic data were introduced by the Law on Anti-Corruption No. 161/2003[4262] in order to prevent and combat cybercrime. The law provides that, only in emergency and properly motivated cases, law enforcement can expeditiously obtain the preservation of computer or traffic data if they could be destroyed or altered, and if there are good reasons to believe that a criminal offense by means of computer systems is being, or is about to be, committed, and for the purpose of gathering evidence or identifying the wrongdoers. During the criminal investigation, the preservation is undertaken by the prosecutor, pursuant to an appropriate ordinance and at the request of the investigative body or ex-officio, and during trial, by a court settlement. This ordinance is valid only for no longer than 90 days, and can be exceeded only once by a period not longer than 30 days.

Law No. 64/2004 was adopted to ratify the Cybercrime Convention on November 23, 2001.[4263] Many provisions of this Convention, especially the definitions of the crimes, were incorporated into Title III (on Preventing and Fighting Cybercrime) of the Anti-Corruption Law No. 161/2003.[4264] Additional laws deal with privacy issues, such as the Patient's Rights Law[4265] or the Law on Combating and Preventing the Traffic of Human Beings.[4266]

At the beginning of 2005, several cases appeared in the press with regard to that the Romanian secret service intercepting phone call of journalists and other public figures. On January 27, 2005, the Chief of the Romanian Secret Service (SRI) Ioan Timofte explained[4267] that several phones of some Romanian and foreign journalists in Romania were intercepted for several months. The reason was that they were suspected for sabotage and crimes against Romanian National security. The Romanian Press Club and the Board of the Foreign Press in Romania Association have protested[4268] and demanded SRI to publicly announce the name of the journalists that were supervised. SRI refused the demand, claiming that they cannot reveal information that may affect national security. The Defense Commissions in the Romanian Parliament, after a hearing of the people involved have considered that the interceptions were legal.[4269] Another case involved the Anticorruption Prosecutor (PNA) from the Mures County (Andreea Ciuca, ex-president for the Mures Tribunal) who has monitored the phones of more than 70 local journalists, local and national press headquarters and lawyers for more than 13 months from April 24, 2003 to May 25, 2004.[4270] No relevant information was offered by PNA to explain this case.

According to the former director of a Romanian Secret Service unit, the cost for wiretapping one telephone line is 150 - 200 EUR per hour.[4271] This amount includes all interception and transcription costs. According to President Traian Basescu, approximately 6,370 telephones were wiretapped in 2005. Some figures given by the human rights organisation Helsinki Committee (APADOR-CH) show that, in 2002, a telephone line was wiretapped for an average of 220 days. Journalists from the newspaper "Adevarul" estimated that every intercept generates about 30 minutes of recorded conversation per day.[4272] If the average per day would climb to 60 minutes, the total government spending on wiretaps would double, to an amount higher than the annual budget for any Ministry in Romania. For example, in 2005, the Romanian Ministry of Culture had a budget of 235 million EUR.

During the period from 1991 – 2003, the conversations of more than 20,000 persons were intercepted with a judicial order. Another 14,000 interception mandates were issued between 1991 and 2002 at the request of national security bodies. Out of the 5,500 watched persons, only 620 were sent to court and just 238 were condemned.

In February 2006 the Parliament Commission that supervises the SRI activities has opened a supervision procedure to inspect the SRI wiretapping centres, after public concern about illegal interceptions.[4273] In March 2007, a judge ordered the Romanian Secret Service (SRI) to produce all of the authorizations obtained for wiretapping Romanian businessman Dinu Patriciu’s phone calls.[4274]

A first draft law for the implementation of the data retention directive was presented at the end of April 2007 by the Romanian Ministry of Communications and Information Technology for public consultation.[4275] The draft would transpose the European Directive on data retention into national law. The public consultation ended on May 10, 2007, but the text was not yet approved by the Government. The text proposes a 12-month period of traffic data retention, without any explanatory reports, and has received criticism from ISPs and other telecom operators that believe it puts a high financial burden on providers. The draft clearly specifies that the content of the communications cannot be retained by the operators. The retained data should be deleted at the end of the 12 month period.[4276]

The retained data can be accessed by prosecutors only in the penal cases related to organized crime and terrorism crimes and with a proper specific judged-approved access authorization. The prosecutor can ask, through a specific ordinance, for access to the data as a provisional measure, if this is necessary due to specific circumstances that could otherwise put in danger the penal investigation. However, the prosecutor's decision together with the data must be confirmed by a judge within 48 hours.

Anti-terrorism Measures

Following the international events with regard to terrorism, Romania has adopted specific legislation that directly attempts to combat terrorism. Law No. 508/2004[4277] establishes the conditions in which the Investigating Division on Terrorism and Organized Crime, a new unit created within the Prosecutor's Office from the Supreme Court of Justice, will operate. The unit has the authority to investigate the crimes related to terrorism.

A law on combating and preventing terrorism was passed in November 2004 (Law No. 535/2004[4278]), changing the previous normative acts[4279] that were in force since 2001. The law offers the possibility for the surveillance or interception of electronic communications, as well as for investigation of computer systems, if there are activities that might be considered threats to national security. These activities need to be approved by the Prosecutor General Prosecutor within the Supreme Court of Justice and authorized by the Supreme Court's judges. The warrant for interception or investigation cannot exceed six months.

A new anti-terrorism and organized crime act was adopted at the end of 2006 without any public debate.[4280] The act gave more powers to the Prosecutors Department for Investigations on Organized Crime and Terrorism (DIICOT) and would allow prosecutors to monitor traffic data from electronic communications providers without warrants.[4281]

Open Government

The Law regarding Free Access to Information of Public Interest was approved in October 2001. The law allows any person to ask for information from public authorities and state companies. The authorities must respond in a maximum of 30 days. There are exemptions for national security, public safety and order, deliberations of authorities, and personal data. Those whose requests have been denied can appeal to the agency concerned or to a court. The Law was amended twice in 2006. The amendments bring “any authority or public institution which uses or manages public financial resources, any state company (régie autonome), national company, as well as any commercial society under the authority of a central or local public authority to which the Romanian state or a territorial-administrative unit is single or major shareholder” within the scope of the Law, also makes procurement contracts publicly accessible.[4282]

The 1999 Law on the Access to the Personal File and the Disclosure of the Securitate as a Political Police[4283] allows Romanian citizens to access their Securitate (secret police) files. It also allows public access to the files of those aspiring for public office. The law sets up the National Council for the Search of Security Archives (CNSAS)[4284] to administer the Securitate archives.

The Law on Protecting Classified Information was enacted in April 2002 at the behest of North Atlantic Treaty Organization.[4285] Its drafters used an expansive view of classification that will limit access to records under the access to information law. The law was strongly criticized by the Opposition and civil society.[4286]

In the draft of the new Penal Code, an article provides that the infringement of a person's right to privacy by using remote means of interception to get data, information, images or sounds from home or other similar private property without its owner's consent or by breaking the law, is punished with an imprisonment of two to five years. It is also prohibited to disseminate data, information, images or sounds obtained in one of the ways set out in Paragraph 1 of Article 204. Some Romanian NGOs[4287] have requested the elimination of this article, because, in its current wording, it limits the freedom of expression and the debate of matters of public interest. The new version of the Penal Code[4288] will enter into force on June 29, 2005. The former Article 204 is now replaced by Article 209, which provides that it is not a crime to make a photo or to film a building from public places."[4289]

International Obligations

Romania signed the European Union Association Agreement in 1993, became founding member of the WTO in 1995 and joined the CEFTA in 1997. Romania also signed the Council of Europe Cybercrime Convention on November 23, 2001, and ratified it by adopting Law No. 64/2004.[4290]

In 2001, Law No. 682/2001 was enacted to ratify the Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108). The Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Regarding Supervisory Authorities and Transborder Data Flows, was adopted in Strasbourg on November 18, 2001 and was ratified by Law No. 55/2005.[4291]

[4238] <http://www.cdep.ro/pls/dic/act_show?ida=1&idl=2&tit=2#t2c2s0a26>.

[4239] <http://www.riti-internews.ro/lg676.htm>.
[4240] <http://www.avp.ro/leg677en.html>.
[4241] <http://europa.eu/abc/european_countries/eu_members/romania/index_en.htm>.

[4242] Official Monitor no. 1101, November 25, 2005.
[4243] Directive 2002/58/EC, Official Journal of the European Community no.L.201/31.07.2002.

[4244] Official Monitor, No. 391 of May 9, 2005, available at <http://www.legi-internet.ro/index.php/Legea_privind_infiintarea_org/82/0/> (in Romanian).
[4245] See <http://www.avp.ro>.
[4246] Official Monitor No. 883 of October 3, 2005, available at <http://legi-internet.ro/blogs/index.php?title=autoritatea_naa_355_ionala_de_supraveghe&more=1&c=1&tb=1&pb=1>.
[4247] Published in the Official Monitor No. 1004 of November 11, 2005, available at <http://legi-internet.ro/blogs/index.php?p=348&more=1&c=1&tb=1&pb=1#more348>.
[4248] See press release at <http://www.dataprotection.ro/index.php?option=com_content&task=view&id=4&Itemid=57>. See <www.dataprotection.ro>.

[4249] Decision no. 60/2006, available at <http://www.dataprotection.ro/images/PDF/Decizie_60.pdf>.
[4250] Decision no. 89/2006, available at <http://www.dataprotection.ro/images/PDF/Decizie_89.pdf>.
[4251] Decision no. 90/2006, available at <http://www.dataprotection.ro/images/PDF/Decizie_90.pdf>.
[4252] Decision no. 91/2006, available at <http://www.dataprotection.ro/images/PDF/Decizie_91.pdf>.
[4253] The abolishment was made by Government Emergency Ordinance no. 36/2007 – Official Monitor no. 335 from 17 May 2007. See <http://www.dataprotection.ro/index.php?option=com_content&task=view&id=97&Itemid=57> and <http://legi-internet.ro/blogs/index.php?title=doua_vesti_bune_de_la_anspdcp&more=1&c=1&tb=1&pb=1>.
[4254] See Decision no. 28/2007, available at <http://www.dataprotection.ro/images/PDF/decizie_282007_en.pdf>.

[4255] See <http://www.dataprotection.ro/index.php?option=com_content&task=view&id=103&Itemid=57>.

[4256] Available at <http://www.legi-internet.ro\en\e-commerce.htm>.
[4257] Art. 6 (1) provide that "commercial communications through electronic mail are forbidden, except where the recipient has expressly consented to receive such communications."
[4258] Romania Legal Market Newsletter, December 2004, available at<http://www.salans.com/publications/pdf/pub1450lang1.pdf>.

[4259] <http://www.cna.ro>.

[4260] Romania Legal Market Newsletter, December 2004, available at <http://www.salans.com/publications/pdf/pub1450lang1.pdf>.

[4261] Nicolae Volonciu, Penal Procedure Treatise, 509-514 (Ed. Padeia 1999).

[4262] Official Monitor No. 279, April 21, 2003, available at <http://www.legi-internet.ro/en/cybercrime.htm>.

[4263] Official Monitor No. 343, April 20, 2004, available at <http://www.legi-internet.ro/ratifcybercrime.htm> (in Romanian).
[4264] Official Monitor No. 279, April 21, 2003, available at <http://www.legi-internet.ro/en/cybercrime.htm>.
[4265] Law No. 46/2003, Chapter IV.
[4266] Law No. 678/2001, Article 26, Paragraph 2.

[4267] Dan Bucura, Gabriela Stefan, "There are paid and recruited journalists by foreign information services," Adevarul, January 27, 2005.
[4268] Hotnews.ro, "SRI Does Not Publicize the Bames of the Surveilled Journalists," February 1 2005, available at <http://www.hotnews.ro/articol_14162-SRI-nu-face-publice-numele-ziaristilor-urmariti.htm>.
[4269] Ion M. Ionita, "Virgil Ardelean Pretends That the Intention to Intercept Journalists Calls Started from a Provocation," Adevarul, January 27, 2005.
[4270] Adina Anghelescu, Razvan Savaliuc, "PNA has illegally intercepted the journalists phones," Ziua, February 3, 2005.

[4271] EDRi-gram, March 1, 2006, available at <http://www.edri.org/edrigram/number4.4/romania>. More info in Romanian at <http://legi-internet.ro/blogs/index.php?title=cine_si_cit_ne_asculta&more=1&c=1&tb=1&pb=1>.
[4272] See <http://www.adevarulonline.ro/arhiva/2006/Februarie/1343/174646.html>.

[4273] See <http://www.ziua.ro/display.php?id=194466&data=2006-02-24>.
[4274] See <http://www.ziua.ro/display.php?id=193913&data=2006-02-16>; see also <http://www.atac-online.ro/la-zi_/sri---in-boxa-acuzatilor_2514>.

[4275] “First Draft on Telecommunications Law in Romania,” EDRi-gram, May 9, 2007, available at <http://www.edri.org/edrigram/number5.9/data-retention-romania>.
[4276] EDRI - Member APTI - Romania - Opinion of the draft data retention law, May 9, 2007, available at
<http://www.apti.ro/opinie_APTI_Legedatetrafic_9052007.pdf> (in Romanian).

[4277] Official Monitor No. 1089, November 23, 2004.

[4278] Official Monitor No. 1161, December 8, 2004.
[4279] Emergency Ordinance No .141/2001 on Punishing Terrorist Acts, Official Monitor No. 691, October 31, 2001.

[4280] Emergency Government Ordinance 131/2006, Published in the Official Monitor No. 1046 of December 29, 2006, entered into force January 1, 2007.
[4281] See <http://www.cdep.ro/pls/proiecte/upl_pck.proiect?cam=2&idp=8037>. See also <http://www.edri.org/edrigram/number5.2/romania-diicot>.

[4282] Law no 371/2006 and Law no 380/2006.

[4283] Law No. 187/1999.
[4284] <http://www.cnsas.ro/indexeng.html>.

[4285] Law No. 182/2002, Official Monitor, April 12, 2002, available at <http://www.crji.go.ro/legeainfclas.htm> (in Romanian).
[4286] See The Association for the Defense of Human Rights in Romania – The Helsinki Committee (APADOR-CH). The Limits to Information in Romanian, available at <http://www.apador.org>.

[4287] Such as APADOR-CH and the Association for Promoting and Protecting the Freedom of Expression (APPLE).
[4288] Official Monitor No. 575, June 29, 2004.
[4289] "Practically, it may be considered a crime even if a journalist takes pictures of an official's villa without permission because the villa is inside the yard and taking pictures of whatever is inside the yard violates the official's right to privacy. Of course, not listing these deeds as crimes does not mean that privacy remains unprotected, only that it has to be protected by civil, not criminal laws. If there is no political will to eliminate this incrimination, the draft should at least be modified by introducing a provision to stipulate that the deed is not a crime if it refers to aspects of private life impeaching over a person's capacity to exercise a public function." APADOR–CH Report on 2003.

[4290] Official Monitor No. 343, April 20, 2004, available at <http://www.legi-internet.ro/ratifcybercrime.htm> (in Romanian).

[4291] E-mail from Virgil Cristian Cristea, supra.