PROVISION OF REAL-TIME LAWFUL INTERCEPTION ASSISTANCE
COUNCIL OF EUROPE CONVENTION ON CYBERCRIME
By Law No. 64/2004, Romania has rati ed the Council of Europe Convention on Cybercrime (ETS No. 185, 23 November 2001). Since that rati cation, Romanian national laws have been amended so as to comply with the requirements of the convention regarding the collection, search, seizure, making available and interception of data.
LAW NO. 506/2004
According to Article 4 of Law No. 506/2004 on personal data processing and privacy protection in the electronic communications sector, the interception or surveillance of communications and related traf c data may be made only by the relevant public authorities as set out in the applicable statutory provisions or by the parties to the communications, unless the latter have consented in writing to the interception or surveillance being made by other parties.
LAW NO. 51/1991
Interceptions may be made on the request of intelligence and security agencies under Article 15 of Law 51/1991 where there are threats to the national security.
LAW NO. 14.1992
According to Article 8 of Law No. 14/1992 on the Romanian Intelligence Service organisation, the National Interceptions Centre is legally empowered to ensure the relevant enforcement authorities have the technical permits to execute the technical surveillance warrants.
CRIMINAL PROCEDURE CODE
The following rules under Article 139(1) of the Criminal Procedure Code (Law No. 135/2010) regarding technical surveillance apply in relation to prosecuting certain categories of crime:
a. there is a reasonable suspicion that a serious crime is planned or has been committed;
b. the measure taken is proportionate to the restriction of the rights and freedoms that it entails; and
c. the relevant evidence could not be obtained otherwise or there is a danger for the safety of persons or valuables.
Furthermore, interceptions may be made based on warrants issued by the relevant court of law for a period of 30 days, which can be subject to further 30-day extensions granted by the court up to a total overall period of six months.
In exceptional cases, the prosecutor’s office may directly authorise the interception by order for no more than 48 hours (Article 141(1) and (2) of the Criminal Procedure Code). The relevant prosecutor’s office is to apply for the court’s confirmation of the interception within no more than 24 hours of the expiry of an interception order (Article 141(3) and (4) of the Criminal Procedure Code).
According to Article 142(2) of the Criminal Procedure Code (Law 135/2010), the service provider is to cooperate with the prosecutor’s of ce and the relevant authorities in order to enforce the technical surveillance (interception) warrants issued by the court.
ANCOM DECISION NO. 987/2012
According to Article 3.8 of Annex No. 1 to Decision No. 987/2012 of the National Authority for Management and Regulation in Communications (ANCOM) on the general authorisation for the provision of electronic communications networks and services, the service provider is inter alia obliged to:
i. technically allow the relevant authorities to perform interceptions and to make available all technical data regarding interceptions, in the format established by the authorities;
ii. duly cooperate with the relevant authorities involved in interceptions and ensure the con dentiality of interception operations;
iii. cooperate with the relevant authorities to implement security and audit criteria regarding the national communications interception system developed by them;
iv. take all necessary technical measures to enable interceptions in general and immediately enable the enforcement of interception warrants in particular;
v. place at the disposal of the relevant authorities the interception management servers and the administration and operation consoles it holds, as required to ensure interceptions; and
vi. bear the costs of the interception interface.
As per Article 8(2)(k) of the Government Emergency Ordinance No. 111/2011 on electronic communications, the conditions under which service providers are to bear the costs related to the interception interface are established by the general authorisation issued by ANCOM to the service provider.
DISCLOSURE OF COMMUNICATIONS DATA
COUNCIL OF EUROPE CONVENTION ON CYBERCRIME
With Law No. 64/2004, Romania has ratified the Council of Europe Convention on Cybercrime (ETS No. 185, 23 November 2001). Since that ratification, Romanian national laws have been amended to comply with the requirements for the collection, search, seizure, making available and interception of data.
LAW NO. 82/2012
Decision No. 440 of 8 July 8 2014, issued by the Romanian Constitutional Court, has been published in the Official Gazette Part I No. 653 of 4 September 2014. On grounds of unconstitutionality, the decision repealed Law No. 82/2012 on the retention of data generated and processed by providers of electronic communications network or service.
LAW NO. 506/2004
Law No. 235/2015 amending and supplementing Law No. 506/2004 on personal data processing and the protection of privacy in electronic communications was published in the Official Gazette Part I No. 767 of 14 October 2015.
According to Article 5(1) of Law No. 506/2004 as amended, traf c data for customers should be deleted or turned into anonymous data when the customers do not serve any more to a communications delivery, but not later than three years after the communications.
According to the newly introduced Article 121(1) of Law No. 506/2004, communications providers may be obliged to provide data regarding traffic, equipment identification and localisation on request of the courts of law, criminal investigation bodies and national security agencies, subject to prior authorisation from the relevant court.
If the request is made by national security agencies, the procedures set out in Articles 14, 15 and 17–23 of Law No. 51/1991 regarding Romania’s national security are to be observed, as detailed in Section 3 below.
According to Article 121(1), data disclosed as a result of such a request may not be erased or made anonymous by communications services providers if that is specified by the authority that has made the request, until the reasons that grounded the disclosure request have ceased and not more than ve years after the date of the request or until the date of a final and binding court decision. The relevant authority must inform the communications services providers when the reasons that grounded the request have ceased.
CRIMINAL PROCEDURE CODE
Communications service providers have an obligation to disclose traf c and location data, according to Article 152(1) of the Criminal Procedure Code (Law No. 135/2010).
The latest wording of Article 152, amended 2 May 2016 by Law No. 75/2016 on the approval of the Government Emergency Ordinance No. 82/2014 on the amendment and supplementation of Law No. 135/2010 of the Criminal Procedure Code, states that a prosecutor may, based on previous court approval, order communications providers to disclose traffic and location data, when all the following conditions are fulfilled:
i. there are reasonable suspicions regarding the perpetration of one of the crimes that are expressly listed in letter paragraph (1) letter a) of Article 152;
ii. there are justified grounds to consider the data as evidence;
iii. the evidence cannot be obtained in any other way or its collection could prejudice the investigation or endanger persons or valuable goods; and
iv. the measure limits the subject’s fundamental rights, given the particularity of the case, in proportion to the importance of the information or of the evidence that is to be obtained, or the gravity of the crime
Under Article 138 of the Criminal Procedure Code (Law No. 135/2010), criminal prosecution bodies may access any computer system, either directly or by means of specialised software or networks, and may intercept any type of communication in order to identify evidence, where:
i. there is a reasonable suspicion about a serious offence/crime;
ii. the measure is in proportion to the restriction of the rights and freedoms that it entails; and
iii. the relevant evidence could not be obtained otherwise or there is a danger for the safety of persons or valuables.
According to Article 139(1) of the Criminal Procedure Code (Law No. 135/2010), access to computer systems requires a warrant to have been issued by the court.
In exceptional cases, the prosecutor’s office may directly authorise the access by order for no more than 48 hours (Article 141(1) and (2) of the Criminal Procedure Code).
According to letter b1) of Article 523 paragraph (1) of the Criminal Procedure Code (Law No. 135/2010), newly introduced by Law No. 75/2016 referred to above, communications providers may be requested to provide traf c and location data based on a court warrant throughout the procedures aiming to locate fugitives from justice. In accordance with Article 524, amended by the same Law No. 75/2016, the disclosure of such data may be made on the request of the relevant prosecutor if the relevant court finds that the identification, searches, localisation and nding of the fugitive cannot be made by other means or would otherwise be substantially delayed.
CIVIL PROCEDURE CODE
According to Article 297(1) of the Civil Procedure Code, in civil and commercial trials the court may issue orders for third parties holding relevant information to present it in court if it is necessary for the settlement of the case.
NATIONAL SECURITY AND EMERGENCY POWERS
Article 13 of Law No. 51/1991 regarding Romania’s national security states that national security agencies may request communications data generated or processed by communications providers (other than the content of these communications) and retained by them under the law. Instances where communications providers may retain communications data are scarce and strictly regulated.
According to the newly introduced Article 121 of Law No. 506/2004 on personal data processing and privacy protection in the electronic communications sector, traf c data, equipment identification data and location data are to be disclosed among other on request of national security agencies in accordance with the legal provisions on data privacy, and subject to the procedure set out in Articles 14, 15 and 17-23 of Law No. 51/1991.
This disclosure may not be requested unless:
i. the following conditions are fulfilled:
a. there is no alternative way to learn about, prevent and counteract risks or national security threats;
b. the measures are necessary and proportional given the circumstances of the case; and
c. the authorisation provided by the law has been obtained; and
ii. an express authorisation and a warrant issued by the High Court of Cassation and Justice (Romania’s supreme court), on request of the prosecutor’s of ce attached to said court, are obtained; in exceptional cases (ie when a delay would severely prejudice the purpose of the envisaged activities) the authorisation may be issued by the prosecutor for a maximum of 48 hours, after which a court authorisation must be obtained.
Data disclosed following such a request may not be erased or made anonymous by communications services providers if so specified by the national security agency that has made the request, until the reasons that grounded the disclosure request have ceased and not more than ve years since the date of the request or until the date of a final and binding court decision, as the case may be. The relevant agencies are to inform the communications services providers when the reasons that grounded the request have ceased.
Article 24 of Law No. 51/1991 also sets a general obligation for all public and private sector actors to provide support to national security agencies and allow them access to data held that may have an impact on national security. Nonetheless, insofar as communications services providers are concerned, such access should be deemed subject to the limitations and procedures described above.
Under Articles 1 and 3(c) of Law No. 132/1997 on requisitions, under exceptional circumstances (eg war, national emergency and disasters) public authorities and national defence forces can take temporary possession of any goods in order to gain access and use of the telecommunications systems.
According to Law No. 132/1997, the following instruments are required to requisition the assets of telecommunications networks:
i. a requisition plan drawn up by the local authorities before the relevant events occur (Article 5(2)); and
ii. a military order for hand-over to be issued at the date of the actual requisition (Article 13).
According to Article 18 of Government Emergency Ordinance No. 34/2008 on the National System for Emergency Calls, the providers of electronic communications are obliged to make available, free of charge, to the director of the National System for Emergency Calls an updated database with all telephone numbers, names and addresses of customers.
OVERSIGHT OF THE USE OF THESE POWERS
In addition to those set out above, the following rules relate to remedies that may be sought following the use of these powers:
a. cost conditions related to an interception interface are to be borne by the service provider and may be challenged in court via administrative litigation; and
b. requisition measures may be challenged in court only with respect to the amount of the compensation.
CENSORSHIP RELATED POWERS
SHUT-DOWN OF NETWORK AND SERVICES
GOVERNMENT EMERGENCY ORDINANCE NO. 111/2011
The Government Emergency Ordinance No. 111/2011 gives the telecom regulatory authority, ANCOM, the power to shut down Vodafone’s network or services (temporarily or permanently) in certain circumstances.
Article 9(2) of the same act provides that ANCOM may withdraw a general authorisation from a service provider where necessary in light of an international agreement entered into by Romania or required to protect the public interest. Under Article 135(1), withdrawal of the general authorisation may be made only after the decision is subjected to public debate; this consists of one or more public sessions where members of the industry, civil organisations and other relevant authorities are invited to submit their observations on the proposed measures; observations expressed during the public debate must then be observed by ANCOM.
Under Articles 147 and 148, ANCOM may revoke a service provider’s right to supply networks or certain communications services for between six months and three years and/ or remove the service provider’s right to use numbering resources, radio frequencies and other technical resources:
• where that service provider has failed to comply with any of the terms of its general authorisation, frequency or licence numbering; or
• if it has failed to comply with certain obligations regarding monitoring spectrum usage, numbering resources or providing financial documents.
Under Article 141(1) ANCOM must notify the service provider before revoking or suspending its right to supply networks or communications services, or revoking or suspending its right to use numbering resources, radio frequencies or other technical resources.
BLOCKING OF URLS & IP ADDRESSES
LAW NO. 196/2003
Article 11(2) of Law No. 196/2003 provides that ANCOM may require an internet service provider, such as Vodafone, to block the URL or IP address of websites containing illicit content. Illicit content is pornographic content which lacks an appropriate age restriction warning or which contains child sex abuse, bestiality or necrophilia.
GOVERNMENT EMERGENCY oRDINANCE NO. 77/2009
Article 10(7) of Government Emergency Ordinance No. 77/2009 on gambling provides that network and internet service providers are obliged to comply with the decisions of the Gambling Monitoring Authority with respect to blocking access to unauthorised gambling websites in Romania.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
LAW NO. 132/1997
Under Articles 1 and 3(c) of Law No. 132/1997, in exceptional circumstances public authorities and national defence forces can take temporary possession of any network assets in order to gain access to and use of a telecommunications network. Exceptional circumstances would be a national emergency such as a natural disaster or war. According to Article 5(1)(c), when making a requisition, a local authority must present its requisition plan (drawn up before the relevant events occur) and, where the requisition is made by national defence forces, the relevant force must present a military order for the possession of network assets issued at the date of the actual requisition.
Law No. 255/2010 enables public authorities to take possession of any type of land or building if this is required for public utility reasons. In order to expropriate the land or building, a decision of the government or local administration, setting out the details of the seizure and the amount of compensation to be awarded, must be presented.
OVERSIGHT OF THE USE OF POWERS
All decisions made by ANCOM or the Gambling Authorisation Commission can be challenged in court by administrative litigation proceedings.
Where a public authority or military force takes control of Vodafone’s network in accordance with Law No. 132/1997 or Law No. 255/2010, the party subject to requisition or expropriation may challenge in court the amount of compensation received for their losses arising from such expropriation, but not the decision itself to expropriate.
This information was originally published in the Legal Annexe to the Vodafone Group Law Enforcement Disclosure Report in June of 2014, which was updated in May of 2017.