Finding a suitcase full of documents is every journalist's dream. But for the investigative outlet Rise Project, it quickly turned into a legal nightmare after Romanian authorities filed a complaint under the EU General Data Protection Regulation (GDPR) ordering the outlet to reveal its sources or pay a fine of up to 20 million euros (US$23 million).
The GDPR is an EU regulation covering how companies protect personal data and giving control to individuals over their data. Analysts, however, said they think that the Romanian authority is abusing the law, which was set up to protect the data privacy of EU citizens, not to curtail the press.
The problems for Rise Project started in November, when it published a teaser on Facebook about its investigation into allegations of corruption involving Liviu Dragnea, the president of the ruling party. The Facebook post showed the contents of a suitcase that the Rise Project said it received from an anonymous source in the fall, containing documents, files, emails, photos from a memory stick, and a tablet that appeared to establish links between a local road construction company, Tel Drum SA, and Dragnea.
Romania's anti-corruption directorate a year earlier had charged Dragnea with setting up an organized crime group to defraud millions of euros of EU funds. Dragnea has denied the charges and denied having links with Tel Drum, according to reports.
A few days after the Facebook post, the Romanian Data Protection Authority-- the state body responsible for the protection of personal data privacy--sent a letter (English translation here) to Rise Project alleging that the outlet had breached data privacy rules. The authority cited the GDPR and ordered the journalists to explain how and when they obtained the information, who their source was, how they stored the documents, and what other personal information they had on Dragnea, Tel Drum executives, and their friends. The authority demanded that the reporters return the information within 10 days or face a fine of 644 euros for each day of delay. Failure to comply would result in a fine of up to 20 million euros, the letter said.
"There is a history of government authorities using legal means to intimidate and harass us," said Paul Radu, the co-founder of Rise Project, which is part of the international Organized Crime and Corruption Reporting Project (OCCRP). Radu told CPJ that the speed at which the authority reacted was surprising as many cases submitted by citizens linger for months without action. Radu said he believes political motives were behind the move, adding that the head of the data protection authority, Ancuța Gianina Opre, was appointed by the ruling party and is indicted by the anti-corruption directorate in an unrelated case for abuse of office in a previous job at a different state body.
In an email to CPJ, the data protection authority denied that the order was politically motivated and emphasized that the body was "an autonomous and independent public authority in the performance of its tasks and the exercise of its powers."
Dragnea has mocked the investigative outlet's report, arriving in parliament on November 5 with a suitcase that he said contained "donuts from Rise Project." He added that what the Rise Project journalists presented was a lie and had nothing to do with him.
It isn't the first time Rise Project has faced action over its reporting on Dragnea. On July 6, 2017--the day the outlet had announced it would publish an article on a separate investigation into Dragnea--the Romanian Anti-Fraud Authority raided its office on accusations of suspected fraud, according to rights groups. The anti-fraud investigation failed to find evidence of wrongdoing, according to reports. Dragnea had previously warned journalists covering that corruption case that that he was ready to fight back, even saying in a TV interview that "peace is over."
The ruling party spokesperson did not immediately respond to CPJ's request for comment.
Raluca Radu, (no relation to Paul Radu) a journalism professor at the University of Bucharest, said that the latest action against the Rise Project fits into a pattern in Romania. "The legislative framework is nice and European, but often these very same laws are misused by the authorities to pressure journalists," she said, adding that in the past three years, the attacks seemed to intensify. Raluca Radu said that what made the current case difficult was that the legal right to protect sources was still weak in Romania because it is enshrined only in the audiovisual code for radio and TV, and not for print or online outlets.
"The Romanian authority not only wrongly interprets EU regulation, but clearly contradicts the law and its objectives," said Estelle Massé, a senior policy analyst at the international advocacy organization Access Now.
Massé said that the GDPR established a fine balance between the protection of personal data and the fundamental right to freedom of the expression and information, and made a clear exception for data acquired for journalistic purposes. Article 85 of the GDPR says that EU states need to "provide for exemptions or derogations" when data is processed "for journalistic purposes."
In response to questions from CPJ, the Romanian data protection authority cited a paragraph of Romanian law--aimed to comply with the GDPR and approved in 2018--as a basis for its request to the Rise Project, and emphasized that the authority's "actions fall exclusively within the legal competences, without prejudice to the freedom of the press."
"The member state cannot interpret the law as it wants, this is clearly a case of abusing the law," said Massé, adding that a member state cannot ultimately contradict the jurisprudence and guidance given by the EU.
Massé said that a similar situation arose in Spain, where the government failed to implement the GDPR in line with EU jurisprudence by passing legislation allowing political parties to use personal data obtained from web pages and other publicly accessible sources. Advocacy groups have warned that the new law could pave the way for parties to create "ideological profiles."
"We expect the EU's Data Protection Board and the European Commission to push the Romanian authority to rectify the error they have done," Massé said. The role of the Commission is to make sure that the regulation is properly implemented. "If all those efforts fail, the last resort will be litigation at the EU courts," she said.
The EU's Data Protection Board refused to comment to CPJ on the Rise Project case as no decision was reached among the board members. However, during a general media briefing last year, European Commission spokesperson Margaritis Schinas said that "the GDPR clearly states that data protection has to be balanced against freedom of expression and information." In response to a question about the action against Rise Project, he said that using the EU regulation "would be a clear abuse of the regulation."
Paul Radu, from the Rise Project, said that the outlet's lawyers have responded to the Romanian authority's questions, without revealing sources, and said they were up to a legal battle if needed. "We will keep on working as before, these threats will not deter us," he said.
[Reporting from Berlin]