The European Union’s General Data Protection Regulation (GDPR) was meant to protect and empower all EU citizens’ data privacy. It wasn’t meant to be used as a tool to abuse journalists.
However, this is exactly what seems to have happened in Romania. Rise Project, a Romanian team of investigative journalists working on anti-corruption stories that follow the money, were recently threatened with a fine of up to 20 million EUR by the Romanian data protection authority, if they do not cease the publication of a series of investigations, give access to all related data and expose their sources.
A Most Dubious Politician
A letter issued by the Romanian Data protection authority on November 8th makes specific reference to a Facebook post on the Rise Project page, written five days earlier. In the Facebook post, the Rise Project journalists announced:
“We inform you that #TeleormanLeaks is a reality. A suitcase with essential information from inside the Tel Drum corporation, to which the National Anticorruption Agency prosecutors did not have access when they searched the headquarters of the company as well as the company’s electronic devices last year, was found in the rural area of Teleorman county, by a local, on the local’s property.”
The post opens with a picture of Liviu Dragnea in Brazil. Mr Dragnea is the president of the ruling Romanian party, the Social Democrat Party (PSD) and a key figure in Romanian politics. Due to a criminal lawsuit for trying to fix the results of a referendum, Dragnea could not become Prime Minister in January 2017, when his party came to power. He managed to install (until now) three different persons in the position instead. In June 2018, Mr Dragnea was sentenced to three and a half years in prison in a second criminal trial for using public funds designated for child protection programs in Teleorman county to finance positions in his own party.
And the list goes on. In recent years, Romanian journalists have uncovered many other instances of possible corruption relating to Liviu Dragnea and his family. Still, when the above-mentioned briefcase was found, the story attracted more attention than usual. The reason: While there had been speculations that Tel Drum (a large Romanian construction company) and were somehow in cahoots with the family of Liviu Dragnea, definite evidence was lacking. Rise Projects investigation seemed to change that. The Facebook post is effectively a teaser for a future series of articles based on the electronic and paper documents found in the suitcase.
When Rise Project published the first article about the content of the #TeleormanLeaks suitcase on November 5, the response was overwhelming. Mihai Munteanu, one of the journalists who wrote the article, told EJO that Rise Project simply could not handle the high traffic generated by the story.
How GDPR Can Affect Investigative Work
Yet, the general public were not the only ones to take notice. The state saw Rise Projects reporting, too – and tried to wield the powers of the GDPR against the journalists.
The notification of the Romanian data protection authority makes explicit reference to the “EU Regulation 2016/679 of the European Parliament and Council from April 27th 2016 regarding the protection of natural people from the processing of personal data and the free circulation of this data” – more commonly known as GDPR.
More specifically, the referenced articles are Art. 14 of the GDPR regarding information on natural persons that were obtained from a third party, Art. 57, on the scope, and Art. 58, on the jurisdiction of the data protection authorities. Another reference is made to the law that established the Romanian data protection authority in 2005 “in order to defend the fundamental rights and liberties of natural persons, especially the right to intimate, private and family life, related to personal data processing”.
What does all this mean? In a nutshell, the Romanian data protection authority decided it is entitled to ask investigative journalists for the reason why they published personal data of natural persons on Facebook. The authorities further felt entitled to ask, among other things, about the source of the data, how and where the data is stored, and if the persons the data can be linked to were informed.
One can, however, also put this differently: In essence, a state-funded authority asked journalists to explain why they did a certain investigative piece.
And it asked the journalists to expose their protected sources, to give the state access to all data relating to the investigation and to stop publishing. The consequence if they chose to resist: a fine of up to 20 million EUR, as indicated by Art. 83 of the GDPR.
This interference by a national data protection authority in a journalistic investigation is, in fact, abusive, in line with the very same EU Regulation on personal data. On November 12, during the European Commission Media Briefing, Mr. Margaritis Schinas, the Deputy Director General of EC Communication, made this clear:
“The right to the protection of personal data is not an absolute right. In General Data Protection Regulation, art. 85 clearly states that data protection has to be balanced against freedom of expression and information [EJO emphasis]. Using the General Data Protection Regulation against these other fundamental rights would be a clear abuse of the regulation. Therefore, it is of utmost importance that Romanian authorities implement that obligation in national law, to provide exceptions and derogations to protect journalist sources in particular from the powers of the National Data Protection Authority where necessary and to respect the freedom of expression and information in relation to the media”.
While the developments in the Rise Project case are still ongoing, the story shines a light on the potential abuse of regulations and laws which are meant to protect and aid citizens. Back in March, OCCRP reported how freedom of information requests may have lead to the murder of Slovak investigative reporter Ján Kuciak and his partner Martina Kušnírová. Similarly, the so-called “right to be forgotten”, was initially used by some politicians and public officials to hide results of past journalistic investigations on their wrongdoings. The GDPR, it seems, is only the latest tool in this arsenal.
You may also be interested in Guns, Crime, Politics…and Media: Investigative Journalism in Eastern Europe.