I. Legal framework
Constitutional privacy and data protection framework
The Romanian Constitution1 adopted in 1991 recognises under Title II (Fundamental Rights, Freedoms, and Duties) the rights of privacy, inviolability of domicile, and freedom of conscience and expression. Article 26 of the Constitution states, "(1) Public authorities shall respect and protect the intimate, family and private life. (2) Any natural person has the right to freely dispose of himself unless by this he causes an infringement upon the rights and freedoms of others, on public order or morals." Article 27 states, "(1) The domicile and the residence are inviolable. No one may enter or remain in the domicile or residence of a person without consent. (2) Derogation from provisions under paragraph (1) is permissible by law, in the following circumstances: for carrying into execution a warrant for arrest or a court sentence; to remove any danger against the life, physical integrity, or assets of a person; to defend national security or public order; to prevent the spread of an epidemic. (3) Searches may be ordered only by a magistrate and carried out exclusively under observance of the legal procedure. (4) Searches at night time shall be prohibited, except in cases of flagrante delicto." Article 28 states, "Secrecy of the letters, telegrams, and other postal communications, of telephone conversations, and of any other legal means of communication is inviolable." According to Article 30, "(6) Freedom of expression shall not be prejudicial to the dignity, honour, privacy of person, and the right to one's own image."
The Romanian Constitutional Court had two important decisions taken in 2009 and 2010 regarding the interpretation of the right to privacy, as enshrined by the Constitution. The first is Decision No. 1258 of 8 October 20092 that considered unconstitutional the national implementation of the Data Retention Directive.3
The second decision is the Constitutional Court ruling 415 of 14 April 20104 regarding the unconstitutionality of the law establishing the National Agency of Integrity5 that obliged all the interest and income declarations of certain public servants to be published on the Internet. In this case, the Court considered that "the obligation stipulated by the law to publish the declarations of assets and interests on the Web pages of the entities where the persons, according to the legal provisions, have to submit them, as well as their transmission to the Agency to be published on its website, breach the right to respect and protection of private life ensured by Article 26 of the Fundamental Law as well as by article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, by the unjustified exposure, in an objective and sensible way, on the Internet page, of the data related to the assets and interests of people who, according to the law, have the obligation to submit declarations of assets and interests."
Privacy and data protection laws and regulations
In November 2001, the Parliament enacted Law No. 676/2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector6 and Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data.7 These laws follow very closely the European Union Telecommunications Privacy (1997/66/EC) and Data Protection (1995/46/EC) Directives respectively. Romania joined the European Union on 1 January 2007.8
Law No. 676/2001 provides for specific conditions under which privacy is protected with respect to the processing of personal data in the telecommunications sector. In 2004, Law No. 676/2001 was, practically speaking, replaced by Law No. 506/2004,9 which closely follows Directive 2002/58/EC of the European Parliament and the Council on personal data processing and privacy protection in the electronic communications sector. This directive repealed and replaced Directive 1997/66/EC.10
Law No. 506/2004 divides the task of enforcing the personal data protection laws between two institutions: the National Regulatory Authority for Communication (later renamed the National Authority for Management and Regulations in Communications â€“ Romania, or ANCOM11) for issues related to electronic communications and the People's Advocate Office (later renamed the Data Protection Authority, or ANSPDCP), which handles issues related to privacy. In this sense, ANCOM has competence in relation to: security measures for electronic communication; non-compliance with invoice issuing conditions; infringement of the obligations regarding the presentation and restriction of calling; and connected line identification.
Law No. 677/2001applies to the processing of personal data, that is carried out totally or partially through automatic means, as well as to the processing of personal data through other means that are part of, or destined for, an evidence system.
A new civil code was approved in July 2010 by the Romanian Parliament.12 The Code has not come into force, and it is unclear when this will happen â€“ the Parliament needs to issue a new law to establish it. The code's new text includes provisions relating to private life and a series of articles stating the respect to private life, the right to dignity, the interdiction against public use of images, voice recordings, manuscripts, correspondence, or other personal documents without the owner's consent (except in cases where the use is legally allowed by the law because the material is of justified public interest). The new text also defines that a breach of someone's private life (Article 74 â€“ "Breaches of private life") includes: capturing or using a person's image or voice in a private space without the person's consent; broadcasting images representing private space interiors without the consent of the legal occupant; placing private life under observation by any means, except for the express cases provided by the law; broadcasting news, debates, inquiries, or written and audio-visual coverage of a person's private, personal or family life, without the person's consent; broadcasting materials including images of a person under treatment in medical assistance units as well as personal data related to health, diagnosis, prognosis, treatment, or other circumstances and facts related to the disease including autopsy results, without the consent of the person involved or, in case of the person's death, of that of his family or authorised persons; using, with malice, the name, image, voice, or likeness of another person; broadcasting or using correspondence, manuscripts, or other personal documents including data relating to the domicile, residence, or phone numbers of a person or his (her) family members, without the person's consent.13
Some of these provisions were criticised by several mass-media organisations14 as limiting freedom of expression, especially where there is a public interest for a specific case. The government's reply was to present a proposal in 2009 to add another, rather vague article to the draft. This would make all the above-mentioned privacy provisions concerning inapplicable if interfering with the right were "allowed by the law or international conventions and agreements regarding human rights to which Romania is part". It also says: "Exercising the constitutional rights and freedoms in good faith and by observing the international conventions and agreements Romania is part of, is not an infringement of the rights provided for by this section."
The civil code has not yet come into force. It may enter into force on 1 October 2011 if the law establishing this date, as suggested by the Ministry of Justice, is adopted by Parliament.15
In 2002, the National Audiovisual Council16 issued regulations regarding privacy and television and radio programs in Decision No. 80 of 13 August 2002, Regarding the Protection of Human Dignity and the Right to Protect One's Own Image. These established a few privacy principles. Article 6 states, "(1) Any person has a right to privacy, privacy of his family, his residence and correspondence. (2) The broadcasting of news, debates, inquiries, or audio-visual reports on a person's private and family life is prohibited without that person's approval." According to Article 7, "It is forbidden to broadcast images of a person in his or her own home or any other private place without that person's approval; (2) It is forbidden to broadcast images of a private property, filmed from the inside, without its owner's approval."17
In 2009 the Parliament adopted a new Penal code18 that includes a new crime called "Breaching privacy". Article 226 states: "(1) The harm unlawfully brought to private life by photographing, capturing, or recording images, listening in by technical means or audio recording a person within a home, a room, or an out-building related to it, or a private conversation, is punished with imprisonment from six months to a year or a fine. (2) Revealing, broadcasting, presenting, or transmitting unlawfully the sounds, conversations, or images covered by paragraph (1), to another person or to the public, is punished with imprisonment from three months to two years or a fine. (3) The criminal case starts at the complaint of the harmed person."19
Data protection authority
The new authority for protecting personal data, the National Authority for the Supervision of Personal Data Processing (ANSPDCP), was created by Law No. 102/2005,20 which replaced the previous supervisory authority (called "The People's Advocate").21 The law regulates the transfer of the database from the People's Advocate Office to the ANSPDCP. Due to the delay in creating the ANSPDCP, the Romanian Government issued Emergency Ordinance No. 131/2005, which delayed the authority's creation date until 31 December 2005.22 The new authority's internal regulations were adopted on 2 November 2005.23 The ANSPDCP opened in February 2006, and the new institution began to provide advice and help with respect to infringements of the personal data legislation.24 Starting with 21 January 2008, the authority of ANSPDCP was extended25 to include monitoring the implementation of Law No. 298/2008 on data retention.
The budgetary cuts of 2009 have significantly affected the activity of the Authority. The budget allocated for the year 2009 was insufficient to provide payment for the 50 people the ANSPDCP was supposed to hire. In fact, by August 2009, only 35 positions had been filled.26 The budget for 2009 did not allow the Authority to do any investigations outside Bucharest.27
Since June 2006, four decisions have been issued by the ANSPDCP regarding the application of the personal data legislation. These decisions establish standard notification forms (modified in 2008),28 categories of sensitive personal data processing operations,29 notification exemptions,30 and situations in which the simplified notification form for personal data processing may be used.31 In 2007, the ANSPDCP issued several orders. One order, for example, implemented the online registry of controllers; another abolished the notification fee.32 In 2007 the ANSPDCP also issued a decision regulating the transfer of personal data to third countries.33 In 2008 and 2009 the ANSPDCP continued to regulate the personal data processing notification regime34 by issuing a decision concerning the standard notification form and the procedure for the authorisation of health-related data processing.35 The decision also mandates that, in the absence of the subject's express written consent, an operator must first obtain authorisation from ANSPDCP before processing such data.
In 2008, the ANSPDCP applied sanctions against a legal firm for unlawful processing of personal data (they didn't respect an individual's right to be informed that his/her data are being processed) and against a financial private company for not having observed a client's right of intervention.
In 2009, ANSPDCP36 fined two mobile phone companies for sending SMS to their subscribers despite the fact that the subscribers had not opted to receive them37 as well as a financial company that sent unsolicited SMS messages to a former client.38 A private company was fined for having used video cameras to monitor access to public/private areas without having previously notified the authority. Furthermore, the company was fined for having used the images for other purposes than just surveillance.39
The Authority has made it clear several times that the practice, common to several commercial companies, of asking for the client's CNP (Personal numerical code â€“ a unique identifier for each physical person) on invoices is not supported by any legislation. The legislation covering the content of invoices40 does not imagine the introduction of the CNP on the invoice. And, according to the ANSPDCP, there are no provisions requiring the CNP for any other tax.41
The ANSPDCP also fined a local company that provided Internet Street View services because it did not notify the Authority or blur the collected personal data (faces, car numbers, etc.).42
In 2010, another telecommunications company was fined for having disclosed its subscribers' personal data to an insurance company without first asking for their consent.43
The ANSPDCP issued a decision in 2009 that established a framework for the processing of health-related personal data.44 In 2010, the Authority sanctioned Health Insurance House in Brasov county for posting its list of debtors on its website, some 30,000 local individuals along with their personal data (name, address, the number of their contracts).45
The Authority may be asked for its opinion on normative acts. For example, in 2008 it was consulted for 17 normative acts. However, such requests are not obligatory for an institution/body, and such opinions are not published on the ANSPDCP's website or in any official newspaper, not even Monitorul Oficial.
Between 2006 and 2009, the Authority carried out a series of activities in to elevate personal data protection awareness, most of them directed at the local public authorities. These awareness activities also included a joint conference with the Romanian Banks' Association regarding personal data protection and processing within the financial and banking sectors.46 The ANSPDCP has also been involved in awareness activities, usually in partnership with the public sector (Prefects' offices in several counties, Police Inspectorates), the private sector (professional associations in real estate, notaries public, Chambers of Commerce), and the educational sector (universities in Sibiu and Tg. Jiu).47
The ANSPDCP has also organised the "Open Doors Event" and several other events on the occasion of the European Data Protection Day (28 January).
According to a 2008 EU report on the citizens' perception regarding the protection of their personal data, Romanian citizens were poorly informed and educated about data protection issues.48 Only 42 percent of Romanians were concerned about giving their personal data online, about 36 percent answered they did not know whether legislation in the domain was enough to solve online personal data issues, 47 percent had no idea they had the right of access to their personal data retained by others and 79 percent did not know of the existence of the Romanian data protection authority.
Major privacy and data protection case law
At the beginning of 2010, the Bucharest Tribunal confirmed the decision of a local Bucharest court imposing upon the town hall of one of the Bucharest districts damages of â‚¬10,000 damages to a an individual whose personal data had been posted on the town hall's website identifying him as someone who had the right to free local transport. The website showed not only individuals' names, but also addresses, identification numbers, details of certain social cases, and details of medical conditions such as HIV infection.49
In 2009, the Bucharest Tribunal ruled that two publications50 had to pay moral and material damages to an actress for having infringed her right to private life and image by posting incorrect, unverified information about her in their publications. The decision was not final, however, and the publications decided to appeal.
Also in 2009, a famous couple obtained an interim judicial restraining order against a local tabloid, requiring it to take down photos taken by paparazzi during their holiday in France and prohibiting it from publishing photos of the couple during their private moments.51
- 1. Available in English at http://www.cdep.ro/pls/dic/act_show?ida=1&idl=2&tit=2#t2c2s0a26.
- 2. Curtea Constitutionala a Romaniei, Decision No. 1258 of 8 October 2009 on the objection of unconstitutionality of the provisions of Law No. 298/2008 on the retention of data generated or processed by the providers of publicly available electronic communications services or public communications networks, which also amends Law No. 506/2004 on the processing of personal data and privacy protection in the electronic communications sector, Official Monitor No. 798, 23 November 2009, available in Romanian at http://www.ccr.ro/decisions/pdf/ro/2009/D1258_09.pdf., An unofficial English translation of the Decision is available at http://www.legi-internet.ro/fileadmin/editor_folder/pdf/decision-constit.... The content of Decision 1258 is discussed infra in the text.
- 3. Law No. 298/2008 regarding the Retention of the Data Generated or Processed by the Public Electronic Communications Service Providers or Public Network Providers, as well as the modification of Law No. 506/2004 regarding the Personal Data Processing and Protection of Private Life in the Field of Electronic Communication Area, published in the Official Monitor No. 780, 21 November 2008, available in Romanian at http://www.legi-internet.ro/legislatie-itc/date-cu-caracter-personal/leg....
- 4. Official Monitor No. 294, 5 May 2010, Decision available in Romanian at http://www.legestart.ro/Decizia-415-2010-referitoare-exceptia-neconstitu....
- 5. Law No. 144/2007 for setting-up, organizing, and functioning of National Agency for Integrity - Official Monitor No. 359, 25 May 2007, text available in Romanian at http://www.dreptonline.ro/legislatie/lege_agentie_nationala_integritate_....
- 6. Official Monitor No. 800, 14 December 2001, available at http://www.riti-internews.ro/lg676.htm.
- 7. Official Monitor No. 790, 12 December 2001, available at http://www.avp.ro/leg677en.html.
- 8. See http://europa.eu/abc/european_countries/eu_members/romania/index_en.htm.
- 9. Law No. 506/2004, Official Monitor No. 1101, 25 November 2004, Romanian text available at http://www.legi-internet.ro/legislatie-itc/date-cu-caracter-personal/leg.... An English summary is available at http://www.glin.gov/view.action?glinID=119653.
- 10. Directive 2002/58/EC, Official Journal of the European Community L. 201, 31 July 2002.
- 11. See http://ancom.org.ro/index.aspx.
- 12. Official Monitor No. 511, 24 July 2009, text available in Romanian at http://www.avocatnet.ro/content/articles/id_16209/Noul-Cod-civil-2009-pu....
- 13. See Bogdan Manolea, Privacy in the New Draft Civil Code, 18 March 2009, at http://legi-internet.ro/blogs/index.php/2009/03/18/viata-privata-in-noul....
- 14. See Activewatch, Libertatea Presei Ã®n RomÃ¢nia 2009 (2009 Freedom of Press in Romania) Annual report,, 3 May 2010 available at http://www.activewatch.ro/uploads/FreeEx%20Publicatii%20/Raport%20Freeex... Annual report Hotnews.ro, "UPDATE: CJI, AMP, COM, CRP, AJR si MediaSind protesteaza fata de prevederile noului Cod Civil referitoare la presa: Guvernul dovedeste "opacitate" si comite "abuzuri" ("UPDATE CJI, AMP, COM, CRP, AJR and MediaSind are protesting against the provisions of the new civil code: The Government proves to be 'opaque' and makes 'abuses'."),16 March 2009, avalilable at http://economie.hotnews.ro/stiri-media_publicitate-5496874-update-cji-am....
- 15. Draft laws from the Minitry of Justice available at Hotnews.ro's website, at http://www.hotnews.ro/stiri-esential-7543964-predoiu-noul-cod-civil-noul....
- 16. See http://www.cna.ro/-English-.html.
- 17. Mariana Stoican, "Measures to Protect Human Dignity and Personal Image Rights," Radio Romania International, 2002, available at http://merlin.obs.coe.int/iris/2002/10/article21.en.html.
- 18. Law No. 286/2009 regarding the Penal Code, Official Monitor No 510, 24 July 2009. Full text available in Romanian at http://www.avocatnet.ro/UserFiles/articleFiles/noul-cod-penal-2009-text-....
- 19. The term "unlawfully" used in the text corresponds to the Romanian word "fara drept" which literally translated is "without right". This latter expression means that there may be some cases when interferences with the right to privacy is done in accordance with the law â€“ for example in case of a penal investigation with a judge approval.
- 20. Official Monitor No. 391, 9 May 2005, available in Romanian at http://www.legi-internet.ro/index.php/Legea_privind_infiintarea_org/82/0/.
- 21. See http://www.avp.ro/indexen.html.
- 22. Official Monitor No. 883, 3 October 2005, available at http://legi-internet.ro/blogs/index.php?title=autoritatea_naa_355_ionala....
- 23. Published in the Official Monitor No. 1004 of November 11 2005, available at http://legi-internet.ro/blogs/index.php?p=348&more=1&c=1&tb=1&pb=1#more348.
- 24. See http://www.ceecprivacy.org/main.php?s=2&k=romania.
- 25. See http://www.dataprotection.ro/index.jsp?page=Comunicat_presa_extindere_at....
- 26. Bogdan Manolea, Romania National Report â€“ EDRi , December 2009, available at http://www.ldh-france.org/IMG/pdf/ETUDE-ROUMANIE-EN.pdf.
- 27. ANSPDCP 2009 Annual Rapport, available in Romanian at http://www.dataprotection.ro/servlet/ViewDocument?id=623.
- 28. Decision No. 95/2008, Official Monitor No. 876, 24 December 2008.
- 29. Decision No. 89/2006, full text in Romanian and English summary available at http://www.glin.gov/view.action?glinID=184027#.
- 30. Decision No. 90/2006, full text in Romanian and English summary available at http://www.glin.gov/view.action?glinID=184028.
- 31. Decision No. 91/2006, full text in Romanian and English summary available at http://www.glin.gov/view.action?glinID=184029.
- 32. The abolishment was made by Government Emergency Ordinance No. 36/2007 â€“ Official Monitor No. 335, 17 May 2007. See http://legi-internet.ro/blogs/index.php?title=doua_vesti_bune_de_la_ansp....
- 33. See Decision No. 28/2007, available at http://www.dataprotection.ro/images/PDF/decizie_282007_en.pdf.
- 34. See http://m.cdep.ro/pls/legis/legis_pck.htp_act?ida=84675.
- 35. Decision No. 101/2008, Official Monitor Part I, No. 4, 19 January 2009.
- 36. See ANSPDCP 2009 Annual report, supra.
- 37. See "Romanian Authority Fines Vodafone for Spamming," Trading Markets, 2 March 2009, available at http://www.tradingmarkets.com/.site/news/Stock%20News/2201164/ and http://www.dataprotection.ro/index.jsp?page=Comunicat_presa_investigatie....
- 38. See http://www.dataprotection.ro/index.jsp?page=Comunicat_presa_investigatie....
- 39. See http://www.dataprotection.ro/index.jsp?page=Comunicat_de_presa_referitor....
- 40. Art. 155(5) of Title VI of the Fiscal Code transposing Art. 226 of Directive 112/2006/EC.
- 41. See Bogdan Manolea, "CNP-ul nu trebuie cerut de magazinele online," ("E-commerce businesses may not ask for the CNP"), 4 September 2009, at http://legi-internet.ro/blogs/index.php/2009/09/04/cnp-nu-trebuie-cerut-..., See also the ANSPDCP 2008 Annual report at http://www.dataprotection.ro/?page=Rapoarte%20anuale&lang=roand 2009 Annual report, supra.
- 42. See ANSPDCP 2009 Annual report, supra at 27-28.
- 43. See http://www.dataprotection.ro/index.jsp?page=stire_10052010&lang=ro.
- 44. Decision No. 101/2008, which entered into force on 1 January 2009, is described in English in Tuca Zbarcea Asociatii, "Legal Bulletin January 2009," at 6-7, available at http://brcconline.eu/library/Legal-Bulletin-Tuca_Zbarcea_&_Asociatii-Jan....
- 45. ANSPDCP, press release of 7 July 2010, available in Romanian at http://www.dataprotection.ro/?page=stire_03072010&lang=ro.
- 46. See ANSPDCP, Buletin Informativ trim. II, at 2, at http://www.dataprotection.ro/servlet/ViewDocument?id=391.
- 47. See supra http://www.ceecprivacy.org/main.php?s=2&k=romania.
- 48. See http://ec.europa.eu/public_opinion/flash/fl_225_en.pdf.
- 49. See "Romania: Moral damages for publishing personal data online," EDRi-gram No. 8.4, 24 February 2010, at http://www.edri.org/edrigram/number8.4/romanian-case-moral-damages-perso....
- 50. "Daniela Nane ar putea primi 150.000 de euro de la Spy ÅŸi Gardianul" ("Daniela Nane Could Receive 150.000 Euros from Spy and Gardianul"), MediaFax.ro, at http://www.mediafax.ro/life-inedit/daniela-nane-ar-putea-primi-150-000-d....
- 51. Diana Popescu, "Andreea Marin ÅŸi Åžtefan BÄƒnicÄƒ i-au bÄƒtut pe paparazzii care i-au filmat pe plajÄƒ" ("Andreea Marin and Åžtefan BÄƒnicÄƒ Have Won against the Paparazzi that Filmed Them on the Beach"), Gandul.ro, 3 March 2009, at http://www.gandul.info/media-advertising/andreea-marin-si-stefan-banica-... Activewatch, Libertatea Presei Ã®n RomÃ¢nia 2009, supra at 26.