With majority of votes, the Romanian Constitutional Court decided that the cybersecurity law is unconstitutional. This represents the 4th attempt to pass laws violating human rights under the pretext of fighting terrorism.
The Association for Technology and Internet (ApTI) together with 14 other NGOs filed an amicus curiae to support the unconstitutionality claims (in Romanian). In its press release (in Romanian), the Constitutional Court mentioned not only the articles which were brought into attention by the civil society groups, but also showed that putting the National Security Agency (SRI) in charge of cybersecurity is also unconstitutional.
Background information about the cybersecurity law is available here.
A new law on cybersecurity, previously reported in the EDRi-gram, was adopted by the Romanian Parliament at the end of 2014. The law gives the Romanian Intelligence Agency (SRI) access to any computer data owned by private companies, without a court order. The law was sent to the Constitutional Court for analysis and it will be judged on 21 January 2015.
Moreover, the situation regarding surveillance practices in Romania seems to have recently become even blurrier. Even as the events in France were unfolding, a special inter-institutional group formed by several ministries and SRI had already met a couple of times to decide about a revival of the surveillance laws declared unconstitutional in 2014 – the data retention law and the mandatory registration of telephony prepaid cards.
Today, 8 January 2015, the Ministry for Information Society called an inter-institutional working group to urgently analyze CJUE data retention decision’s impact on national law. Using the terrorist attacks in France as pretext, Romanian authorities are pushing for the urgent adoption of a package of mass surveillance measures which violate fundamental rights.
This comes in the context of the Parliament's unanimous vote on the Law on cybersecurity which states that 'owners of a cyber infrastructure' (basically every legal person with a computer) needs to allow access to data at the simple demand of 9 different Romanian security and intelligence agencies. The cybersecurity law was sent to the Constitutional Court on the 23rd of December 2014.
So far, the Romanian Constitutional Court declared the data retention law unconstitutional two times. The last decision was on the 8th of July 2015 (see some remarks in English here and in Romanian here). At the same time, the Court also declared unconstitutional the law for registering pre-pay SIM cards and Wi-Fi users by Decision no. 461 of 16 September 2014 (available here in Romanian). This was the 4th attempt to introduce this kind of law in the last 3 years.
Civil society and private parties are left out of any discussion.