Data protection law is not a tool to undermine freedom of the media

Privacy International, European Digital Rights, and the Association for Technology and Internet (ApTI) together with 15 other digital rights organisations sent a letter on Monday 21 November 2018, to the European Data Protection Board (EDPB), with copies to the Romanian Data Protection Authority (ANSPDCP), and the European Commission, asking for the General Data Protection Regulation (GDPR) not to be misused in order to threaten media freedom in Romania.

Shortly after a journalistic investigation was published by Romanian media outlet RISE Project, the ANSPDCP sent them a letter requesting “the source from where the personal data was obtained from” and "access" to that data. In case of non-compliance, the authority warns about the possibility to apply a fine of up to 20 million euros.

The signatories to the letter urge the EDPB to consider whether such a request is in compliance with the GDPR. The three main points of our letter are:

• GDPR must not be used as a tool to silence journalists

• The protection of personal data must be considered in relation to its function in society and be reconciled with other fundamental rights, such as the right to freedom of expression and information

• Data protection authorities have the obligation to apply the GDPR in a manner that is compliant with the European human rights framework in its entirety (taking into consideration the EU Charter of Fundamental Rights, the European Convention of Human Rights as well as relevant jurisprudence).

At national level, ApTI together with 11 other Romanian civil society organisations also sent a letter to the ANSPCP to carefully analyse GDPR cases that might endanger freedom of expression and to demand for an urgent and transparent mechanism to be put in place when assessing claims involving data processing operations for journalistic purposes.

On 5 November, the RISE Project published the first episode of an investigation related to a corruption scandal, revealing close links between a road construction company, currently under investigation for fraud involving European funds (based on a complaint sent by the European Anti-Fraud Office), and Liviu Dragnea, the president of the Social Democratic Party. To promote the investigation, the RISE Project published a teaser on their Facebook account. On 8 November, the ANSPDCP sent them a request to specify different aspects related to the publishing of personal data on Facebook, among which the source of information where the personal data was obtained from. This triggered strong concerns from national and international media investigation organisations as well as from the European Commission's Chief Spokesperson, Margaritis Schinas.

Article 85 of the GDPR obliges Member States to provide derogations and exemptions to reconcile the right to the protection of personal data with the right to freedom of expression, including journalistic purposes. Article 7, of the Romanian law no. 190/2018 implementing the GDPR, limits the exceptions of Article 85 to the following alternative scenarios in which data processing activities can be performed for journalistic purposes: 

• if it concerns personal data which was clearly made public by the data subject;

• if the personal data is tightly connected to the data subject’s quality as a public person; or

• if the personal data is tightly connected to the public character of the acts in which the data subject is involved

Given that personal data processing for journalistic activities can be much wider than these scenarios, the signatories urge EDPB to consider whether Romanian law no. 190/2018 and its implementation in this case reconcile the right to the protection of personal data with the right to freedom of expression and information, in accordance with Article 85 of GDPR.