

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Intercepting telephone calls, opening correspondence, and other similar actions are regulated by the Criminal Procedure Code and Law No. 51/1991 on National Security in Romania.¹

The Criminal Procedure Code was modified several times. A new section (V¹) on the use of audio and video recordings for interception purposes was introduced. The section establishes the conditions under which video and audio recordings may be made, including the interception of telephone calls. Therefore, according to Article 91¹ of the Criminal Procedure Code, recordings on magnetic tape can be used as evidence if the following conditions are complied with: there are reasons to believe that a crime has been, or is about to be, committed; the criminal deed related to which the recording is made is a crime investigated ex-officio; the recording is useful in finding out the truth; and the authority that carries out the wiretap has been properly authorised to do so. The authority competent to issue such an authorisation is the President of the Court who would be competent to judge the case or another judge appointed by the President. The authorisation to wiretap is given for a period of up to 30 days and can only be extended for subsequent 30-day periods, and may not exceed a maximum period of 120 days. The law also compels law enforcement authorities to report specific information about their wiretapping: the authorisation given by the judge, the numbers of the telephones among which the calls take place, the names of the people carrying out the conversations, if known, the date and time at which each communication took place; and the item number of the roll or tape on which the recording is made.

The new Criminal Procedure Code adopted in 2010 will change these rules.² It is not clear yet when it will enter into force, but no sooner than one year after its adoption. Article 138 of the new code establishes the special techniques of surveillance which are detailed in Articles 139-153. These include: interception of conversations and communications; access to a computer system; video, audio, or photographic surveillance; locating and tracking through technical means; obtaining lists of telephone calls; retaining, submitting, or searching postal correspondence; requiring and obtaining, according to the law, data relating to financial transactions as well as a person's financial data; the identity of the subscriber, owner, or user of a telecommunication system or of an access point to a computer. Basically, these special techniques need to be approved by a judge (specifically a judge of rights and liberties) at the request of a prosecutor for a maximum period of 30 days if certain conditions are met. One of these conditions is to investigate a crime listed in the Criminal Procedure Code or one that may be punishable by imprisonment for a minimum of seven years. In emergencies, the prosecutor can also authorise these special techniques for a period of 48 hours, after which the measures need to be approved by a judge. If the judge does not approve the techniques, then all the recorded data must be destroyed.

Chapter V of the new Criminal Procedure Code, which includes Articles 154-155, will regulate the data conservation, partly replacing some provisions ("Procedural Provisions regarding Cybercrime") of the Law No. 161/2003 on Anti-Corruption. The same conditions as those above will apply; the one difference is that the period for using these special techniques is extended to a maximum of 90 days.

Law No. 51/1991 on National Security in Romania allows the interception of calls in cases of crimes against the state and terrorism acts, but only as a result of a mandate issued³ by the Romanian Supreme Court (High Court of Cassation and Justice).

At the beginning of 2005, several cases appeared in the press with regard to the Romanian secret service intercepting the phone calls of journalists and other public figures. On 27 January 2005, the Chief of the Romanian Secret Service (SRI), Ioan Timofte, explained⁴ that the phone calls of a number of Romanian and foreign journalists in Romania were intercepted for several months. The reason was that they were suspected of sabotage and crimes against Romanian national security. The Romanian Press Club and the Board of the Foreign Press in Romania Association protested⁵ and demanded that SRI publicly announce the names of the monitored journalists. SRI refused, claiming that it cannot reveal information that may affect national security. The Defence Commissions in the Romanian Parliament, after hearing the testimony of the people involved, have concluded that the interceptions were legal.⁶ Another case involved the Anticorruption Prosecutor (PNA) from the Mures County (Andreea Ciuca, ex-president of the Mures Tribunal), who monitored the phones of more than 70 local journalists, local and national press headquarters, and lawyers for more than 13 months from 24 April 2003 to 25 May 2004.⁷ No information or explanation was offered by PNA.

According to the former director of a Romanian Secret Service unit, the cost of wiretapping one telephone line is €150 to €200 per hour⁸ including all interception and transcription costs. According to President Traian Basescu, approximately 6,370 telephones were wiretapped in 2005. Figures provided by the human rights organisation Helsinki Committee (APADOR-CH) show that, in 2002, a telephone line was wiretapped for an average of 220 days. Journalists from the newspaper Adevarul estimated that every intercept generates about 30 minutes of recorded conversation per day.⁹ If the average per day were to climb to 60 minutes, total government spending on wiretaps would double, reaching an amount higher than the annual budget for any Ministry in Romania. For example, in 2005, the Romanian Ministry of Culture had a budget of €235 million.

During the period from 1991 to 2003, the conversations of more than 20,000 persons were intercepted under judicial orders. Another 14,000 interception mandates were issued between 1991 and 2002 at the request of national security bodies. Out of the 5,500 watched persons, only 620 were sent to court and just 238 were found guilty.

In February 2006 public concern about illegal interception led the Parliamentary Commission that supervises the Romanian Secret Service's (SRI) activities to open a supervisory procedure to inspect the SRI wiretapping centres.¹⁰

In another case, also begun in February 2006, a judge of the Bucharest Tribunal ordered the SRI to produce all of the authorisations obtained for intercepting the phone calls of Romanian businessman Dinu Patriciu and other employees of the Rompetrol company.¹¹ The judge eventually convicted SRI of breaching the right to privacy of correspondence and Article 8 of the European Convention of Human Rights. The court required SRI to pay moral damages of RON50,000 because of the very long period in which his phones were tapped -- a year and three months, with no real motives. Both the SRI and Patriciu appealed, and in May 2009, the Bucharest Court of Appeal upheld the Tribunal's decision.

The case has now reached the Supreme Court of Justice, which will have the final word. The trial started there in November 2009.¹²

National security legislation

In response to international terrorism events, Romania has adopted specific legislation that directly attempts to combat terrorism. Law No. 508/2004¹³ establishes the conditions in which the Investigating Division on Terrorism and Organised Crime, a new unit created within the Prosecutor's Office from the Supreme Court of Justice, will operate. The unit has the authority to investigate crimes related to terrorism.

A law on combating and preventing terrorism was passed in November 2004 (Law No. 535/2004¹⁴), changing the previous normative acts¹⁵ that were in force since 2001. The law allows the surveillance or interception of electronic communications, as well as investigation of computer systems, where there are activities that might be considered threats to national security. The surveillance activities need to be approved by the General Prosecutor within the Supreme Court of Justice and authorised by the Supreme Court's judges. The warrant for interception or investigation cannot exceed six months.

Data retention

Some provisions related to the recording of traffic data were introduced by the Law on Anti-Corruption No. 161/2003¹⁶ in order to prevent and combat cybercrime. Under this law, applicable only to emergencies and properly motivated cases, law enforcement can expeditiously obtain the preservation of computer or traffic data if they could be destroyed or altered, and if there are good reasons to believe that a criminal offence by means of computer systems is being, or is about to be, committed, and for the purpose of gathering evidence or identifying the wrongdoers. During the criminal investigation, the preservation is undertaken by the prosecutor pursuant to an appropriate order and at the request of the investigative body or ex-officio, and during trial, by a court settlement. This order is valid for no longer than 90 days, and can be extended only once for a period not longer than 30 days. Earlier versions of the law would have required ISPs to retain internet traffic data for six months, but this provision was not included in the final law.¹⁷

In 2008, Romania adopted Law No. 298/2008, which mandates that telephone and Internet providers must retain certain data about their customers for six months and make this information available to investigators who have received court permission to access it.¹⁸ For telephone operators, the relevant data include incoming and outgoing telephone numbers, subscriber's address, location of called number, and call time and duration.¹⁹ For email and e-call providers, the relevant data include where the email is sent from; the time and date of Internet access; and the subscriber's IP address, physical address, and name.²⁰ The retained information does not include content or websites visited.²¹ Several civil society groups called on the Ombudsman to "notify the Constitutional Court about the infringement of constitutional rights" posed by the law,²² but the Ombudsman did not consider that the law was unconstitutional and thus did not proceed with the notification.

The law was widely and strongly opposed and, as a result of a case introduced by a Romanian NGO, on 8 October 2009, the Constitutional Court decided that the law was unconstitutional²³ because "even if indirectly" it breached Article 28 of the Romanian Constitution stipulating the secrecy of correspondence and Articles 25, 26, and 30 relating to the freedom of movement, privacy, and freedom of expression respectively.²⁴

The Court stressed that under the new law "the physical and legal persons, mass users of the public electronic communication services or networks, are permanent subjects to…intrusion into their exercise of their private rights to correspondence and freedom of expression, without the possibility of a free, uncensored manifestation, except for direct communication, thus excluding the main communication means used nowadays." The Court also explained that the proportionality principle was not respected: "The Constitutional Court underlines that the justified use, under the conditions regulated by law 298/2008, is not the one that in itself harms in an unacceptable way the exercise of the right to privacy or the freedom of expression, but rather the legal obligation with a continuous character, generally applicable, of data retention. This operation equally addresses all the law's subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes."

The Constitutional Court also noted that the traffic data is personal data: "even though Law No. 298/2008 refers to data with a predominantly technical character, these are retained with the scope of providing information regarding a person and his private life".

National databases for law enforcement and security purposes

In 2008, Parliament approved legislation that permits DNA evidence related to 30 different crimes to be collected and stored in a database operated by the Forensic Institute -- General Police Inspectorate.²⁵ Stored data can only be deleted on the court's or prosecutor's decision, raising the spectre of indefinitely stored information in the event that the court or prosecutor simply forgets to delete it.²⁶ It is unclear, though, how the data was obtained before the law was in force. In practice, the Institute of Legal Medicine (IML) did conduct DNA tests and hold DNA samples. Secondary legislation still needs to be produced by the Ministry of Internal Affairs and the Ministry of Justice. According to the initial law, this needed to be ready by 14 November 2008. It is also not clear how access to the database will be made. This, too, should be explained in the (still unwritten) secondary legislation. The Romanian Data Protection Authority hasn't yet been consulted.

National and international data disclosure agreements

No specific information has been reported under this section.


Law No. 64/2004 was adopted to ratify the Cybercrime Convention, which was signed by Romania on 23 November 2001.²⁷ Many provisions of this Convention, especially the definitions of the crimes, were incorporated into Title III (on Preventing and Fighting Cybercrime) of the Anti-Corruption Law No. 161/2003.²⁸ Additional laws deal with privacy issues, such as the Patient's Rights Law²⁹ or the Law on Combating and Preventing the Traffic of Human Beings.³⁰

Critical infrastructure

No specific information has been reported under this section.

Territorial privacy

Video surveillance

In Romania, the implementation and use of CCTV in public places (especially in schools with unclear privacy settings or purposes³¹) is spreading fast due to the fact that Romanian legislation on the matter is quite unclear. According to Law No. 333/2003, CCTV may only be installed by authorised security companies.³² Draft secondary legislation that was published by the Romanian Data Protection Authority in order to regulate CCTV has been withdrawn from their website with no further explanation.

Location privacy (GPS, mobile phones, location based services, etc.)

The 2009 annual report of the Romanian DPA notes that during that year the Authority investigated a Romanian company offering Street View services (the report does not give the company's name). This company has been fined an unspecified amount for not blurring the personal data in the application (such as the faces of the persons) and for improper information on data protection. The website contested the fine in court, but lost.³³

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

In 2006, the Council Regulation (EC) No. 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, was transposed into Romanian law. The transposition law³⁴ was never adopted until the end of 2008, when an Emergency Governmental Ordinance³⁵ was adopted by the Government, repealing the law of 2006. Based on this ordinance, Romania started a pilot project in Ilfov county and began issuing passports with biometric data for all citizens over six years old on 1 January 2009 (the first ones were issued on 30 January).³⁶

As revealed by an Inspection Report of the Romanian Data Protection Authority, the present implementation in the pilot project is infringing the Law on Data Protection. Thus, there are no procedures that explain how the biometric data can be gathered. The Passport Authority did not provide the ANSPDCP with any information. What is clear is that there is no special consent required, even though the data collected is sensitive. The Ilfov authorities gathered ten fingerprints and could not prove which two fingerprints were stored in the passport's chip. The General Passport Division (GPD) could not explain why it needed to keep the data for 30 days and why it had kept all the applications since the beginning of the year. GPD didn't have enough security measures implemented (username, password, access card for each user). There were no access logs. All the major problems presented above were rectified by the Authorities after an inspection by the ANSPDCP.³⁷

Civil society and religious groups, organised as the "Coalition Against the Police State," organised a protest and an online petition that got more than 15,000 signatures.³⁸ The protesters were particularly concerned that the government made this decision in the absence of any public debate about its social, economic, and religious impact."³⁹ On February 18, the Romanian Appeal Court rejected a legal challenge brought by NGOs, and on March 3, the Legal Commission of the Senate issued a favourable opinion of the ordinance.⁴⁰ By the middle of 2009, the Parliament approved the Emergency ordinance without any modifications.⁴¹ By the end of 2009 the system was implemented in almost all the other counties in Romania.

In recent years, the Bucharest transport authority (Regia Autonoma de Transport Bucuresti or RATB) has implemented a series of smart cards for travellers that include an RFID chip.⁴² There is relatively little information about which data are collected and how they are processed (the website does not even have any kind of "Privacy Policy"). Initially, the cards were only nominal with the name and Personal Numerical Code (CNP) written on it. Now there are two types of cards; one nominal (with the name and first seven digits of the CNP on them) and the other without any name. It is unclear at this point if this is a purely anonymous system. RATB has announced that from the beginning of 2010 the old paper tickets would no longer be available, but so far they have not been withdrawn.

National ID and smart cards

No specific information has been reported under this section.

RFID tags

No specific information has been reported under this section.

Bodily privacy

Article 5 paragraph 3 of the Law No. 76/2008,⁴³ which concerns the judicial decision on the forced taking of biological data from a suspect who refuses to supply it voluntarily, has been challenged in the Constitutional Court. The Constitutional Court rejected the motion, considering that "the person in question, has the right to decide upon the necessity of drawing biological samples from a certain category of people, that is the suspects. [...] The current scope is entirely in agreement with the requirements imposed by Art. 8 paragraph 2 of the Convention for the protection of human rights and fundamental freedoms and by Art. 53 of the Constitution, the involvement of the authority in the intimate and private life being justified".⁴⁴