Romanian DPA leadership decided behind closed doors

The Romanian data protection authority (the ANSPDCP) has recently been the subject of worrying developments, and now the authority’s leadership is being decided in a hush-hush manner behind closed doors.

On 20 November 2018, the current President of the ANSPDCP, Mrs. Ancuţa Opre, was nominated for re-appointment by the Social Democratic Party (PSD, of which she used to be a member and which had nominated her also in 2013) and heard in the meeting of the Legal, Appointments, Labor, Immunities and Validations Committee of the Romanian Senate.[1] The hearing took place on Tuesday, at 10 am, with absolutely no prior information provided to the public.

Mrs. Opre was first appointed after being nominated by the Romanian Social Democratic Party on 26 June 2013 for a 5-year term of office[2], in spite of her not having any experience or qualifications related to personal data protection. It seems quite strange that after exceeding her mandate by almost 5 months she would be hurried up for re-appointment in the utmost secrecy, and also without any counter-candidates.

One of the members of the hearing Committee from an opposing party (USR) claims that the scheduling of the hearing was done on the previous Sunday evening, and that the names of the persons proposed for President and Vice-President of the ANSPDCP were not provided to the Committee members in advance.[3]

The GDPR requires the supervisory authorities to be independent, which also means that they must “remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody” (art. 51.2 GDPR). In my view the requirement for the ANSPDCP to be independent is not compatible with the lack of transparency concerning the appointment of the leader of the institution, with the fact that there is no competition whatsoever, not to mention the fact that the appointment is not made based on competencies.

Here is what the law regulating ANSPDCP (Law No. 102/2005, Article 6.2) requires:

The president and the vice-president are politically independent persons with a strong professional competence, including in the field of personal data protection, at least 10 years seniority in the field, a good reputation and high civic probity.

Mrs. Opre had no connection with the field of personal data protection prior to her appointment directly as the president of ANSPDCP in 2013. She ran for a parliamentary term in 2008, on behalf of PSD – the same party that later nominated her in management positions in public authorities, including president of ANSPDCP. Mrs. Opre seldom participates in any data protection conferences or events, and did not publish any articles or papers in the field. And if this wasn’t bad enough, she is undergoing criminal investigation for abuse in office related to her previous appointment as president of the Central Committee for Damages Appraisal within the National Authority for Property Restitution[4].

Take a minute and compare this to Helen Dixon from the Irish Data Protection Commision, Elizabeth Denham from the UK Information Commissioner’s Office, Isabelle Falque-Pierrotin from the French CNIL and many other examples of real leaders in the data protection world, whose voice is well established and sought after by professionals.

In addition to everything else, this scrambling for a highly opaque political decision comes in the midst of an incident which is now famous at the EU level[6] and was dubbed by the Council of Europe as a media freedom alert[7]. A few weeks ago the ANSPDCP led by Mrs. Opre has summoned a well-known journalists’ organization (RISE Project) to disclose their sources and prove (among others) that they provided data subjects with the information required by Art. 13-14 GDPR, in connection to documents published by RISE Project in an investigation which targeted PSD, the very same political party having close ties with Mrs. Opre[8]. The request for answers also mentioned the risk of high fines (20 M Eur), as well as a penalty fine of approx. 640 Eur per day for any delays in providing information. This has happened in spite of the fact that the Romanian GDPR Application Law (no. 190/2018) expressly regulates the journalistic exemption from the GDPR.

The ANSPDCP press releases which followed the RISE Project case[9] do not bring any clarity to how the supervisory authority will apply the journalistic exemption, since in this case the journalists were treated in the same way as any data controller. Moreover, the Authority takes the very simplistic approach that they had received a complaint from a data subject and thus need to investigate, prompting the natural question why they don’t perform any analysis of their own prior to acting upon dubious complaints received. For example, under article 10.3 of ANSPDCP’s procedure for handling complaints they need to verify ex oficio that they are materially competent to handle the complaint, whereas article 7 of the GDPR Implementation Law No. 190/2018 provides that the journalistic exemption applies with regard to the chapter providing the attributions of the DPA (see here the unofficial translation into English of the Romanian GDPR Implementation Law). The Authority also sends out rather standard requests for information to investigated entities, with very little (if any) tailoring to the situation at hand, which is unhelpful and confusing to the recipients of such requests – for example, asking how consent is obtained when the legal basis is different, or asking for proof of informing data subjects when the recipient is a press organisation.

These current events are eroding the trust in the Romanian data protection authority, in a country where that authority did not issue any guidance to help controllers understand and apply data protection rules, and where we see widespread skepticism against the GDPR.

In my view this is a very serious matter that needs to be looked into by the Commission, since it infringes the independence of the Romanian data protection authority and undermines the requirement of Article 55 GDPR that “each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State”.

 

I’m also very surprised how quiet everyone is on this matter – I did not find any critical piece written by someone in the field, even though the activity of the DPA should concern all of us.

Special thanks are due to Dana Ududec for massively helping out with the research behind this.

Leave a comment