In recent years, Romania has become a more prominent investment location for data centre providers on account of the country’s sustained economic growth, the proliferation of the IT&C infrastructure, Romania’s highly skilled workforce in the IT&C industry and the overall lower operating costs as compared to other countries.
Drawing upon our team’s extensive expertise in the applicable data protection regulations affecting various industries, a number of foreign data centre providers retained Țuca Zbârcea & Asociații for advice on the legal implications of moving data centres/servers to Romania. When prospecting the idea of locating data centres/servers in Romania, service providers should take into account that certain regulatory requirements may apply, especially those concerning data protection/security, including the rules on governmental access to data. We shall briefly outline below a few of the most common regulatory issues raised by our clients, together with a few recommendations in connection thereto.
How to Determine Whether Romanian Data Protection Law Applies
Law No. 677/2001 on the processing of personal data applies to data controllers not based in Romania to the extent they use equipment, automated or otherwise, located on Romanian territory, unless such equipment is only used for transiting the data through Romanian territory. These provisions seem to conflict with the provisions of the EU Data Protection Directive, under which national law becomes relevant when data controllers established in a non-EU Member State make use of equipment situated on the territory of EU Member States. This inconsistency between the national law and the EU directive may be explained by the fact that Law No. 677/2001 was enacted before Romania’s accession to the EU and before the harmonisation of data protection rules throughout EU countries, which justified the limitation of the cross-border scope of national laws for processing carried out by controllers established in EU Member States and by undertakings processing in other EU Member States.
Although the provisions of Law No. 677/2001 were not formally amended, one may construe that, starting with Romania’s accession to the EU, the aforementioned national provisions should be read by reference to the EU Data Protection Directive. Even though no official decision/act was issued, such an approach appears to be shared in practice by the Romanian data protection authority. Therefore, when considering using data centres located in Romania, foreign data controllers should take into account the following rules as regards the applicable law:
- Processing activities carried out by data controllers established in other EU countries will continue to be governed by the laws of the EU country where such entity is established; and
- Processing activities carried out by a non-EU data controller will be governed by the Romanian data protection legislation.
When a foreign data centre owner does not qualify as data controller, but as a data processor (e.g. will act merely as cloud provider), it will not be directly bound to comply with the Romanian data protection legislation. However, if the customer is a Romanian entity acting as a data controller (e.g. cloud customer), the service provider will have to indirectly comply with the Romanian legal framework. That is because the customers usually request the provider, under the contract, to comply with the Romanian data protection laws and standards (or, if the provider is an EU-based entity, with the EU data protection laws and standards).
Data Security and Cloud Computing
Data security is one of the most common issues raised in connection with the use of cloud computing. According to Article 21(3) of Law No. 677/2001, cloud customers should choose cloud providers implementing adequate technical and organisational security measures to protect personal data, and who are able to demonstrate accountability, which means ensuring availability (reliable access to personal data), integrity (data is authentic and has not been maliciously or accidentally altered), confidentiality (by appropriate means such as encryption, authorisation mechanisms and strong authentication), transparency, purpose limitation, intervenability (the cloud provider and the subcontractors are obliged to support the customer in facilitating the exercise of data subjects’ rights), portability and responsibility (reliable monitoring and comprehensive logging mechanisms).
Cloud customers (i.e. usually the data controllers) are aware of the importance and advantages of secured cloud services. Therefore, any risks related to data security breaches are usually covered under specific contractual safeguards, such as:
- Specifying the security measures that the cloud provider must comply with, depending on the risks arising out from the processing and on the nature of the data to be protected;
- Subject and time frame of the cloud service, extent, manner and purpose of the processing of personal data by the cloud provider, as well as the types of personal data processed;
- Conditions for returning the (personal) data or destroying it once the service is concluded;
- Confidentiality clauses, prohibiting the disclosure of data to third parties, except for subcontractors specifically allowed under the data processing agreement;
- Cloud provider’s responsibility to notify the cloud customer, in the event of any data breach which affects the cloud client’s data; etc.
Data security may be ensured not only by contractual safeguards, but also by way of factual safeguards. Therefore, the cloud customer will thoroughly verify the selected cloud vendor’s data security policy, as well as its track record of dealing with past security incidents (if any). Such verification may refer not only to potential security incidents, but also to how they were handled, how fast the security breaches were notified and remedied, and what measures have been implemented by the cloud provider in order to prevent their recurrence. Where sensitive data is involved (meaning any data subject to a special regime, be it commercial secret, banking secret or other), factual security measures may be a keystone of the cloud customer’s choice in favour of a certain cloud service provider.
Therefore, a solution which is highly recommended by the industry, and also more frequently sought by cloud customers, is the unidirectional encryption of data. Although encryption services are usually procured from a third party, encryption services provided by the cloud providers themselves are well appreciated by cloud customers (as they guarantee the reliability of the services rendered by the cloud provider).
Compliance With Law Enforcement Disclosure Requests
Nowadays, various governmental authorities throughout the world are aiming to gain more control over, and access to, data stored by or in the possession of various service providers (e.g. cloud providers, internet content providers). Therefore, service providers are increasingly concerned with clarifying the means of protecting individuals’ private life (including from the government’s illicit intrusion), while also ensuring compliance with the relevant legal framework. The most common issues raised by our clients in this respect may be summarised as follows:
- Competent bodies allowed to request access to data - under the Romanian Code of Criminal Procedure, any private individual or legal entity on Romanian territory is bound to disclose, at the request of the enforcement bodies (namely, prosecutors, criminal investigation bodies of the judicial police and special crime investigation units) and the courts of law, the communications data held in their possession or under their control, which are stored on computer systems or communications data storage media. Furthermore, the private individual or legal entity should allow the law enforcement bodies: (i) to access their premises, and (ii) to install the law enforcement bodies’ own equipment and/or (iii) to access their local servers;
- Disclosure of encryption keys - although there is no express reference to encryption keys (e.g. necessary for accessing certain data stored on the servers), in light of the broad obligation to make available any communications data, it can be reasonably construed that such data also entails the obligation to provide the required means to make the data readable and enable the law enforcement bodies to use the data;
- Means to challenge the data access request ordered by Romanian bodies - providers should be aware that an illegal/abusive request for information made by the law enforcement bodies may be challenged by means of a complaint settled by the chief prosecutor of the prosecutor’s office investigating the criminal case. Furthermore, we note that a request of information under a non-legal process is not allowed. The law enforcement bodies are entitled to request and obtain the disclosure of such information only by complying with a specific legal process which essentially requires the issuance of an order by a criminal prosecution body or an order/decision of a court of law;
- Preventing the access to data requested directly by foreign government bodies - providers should be aware that generally speaking, there are no “blocking statutes” in Romania (imposing criminal or civil penalties on in-country persons complying with orders/requests issued by foreign authorities), which may be used to prevent the disclosure of data following a request for production of data made directly by a foreign government authority, without first going through the Romanian government. However, in certain cases, the requirements under the data protection law may hinder the provision of such data to a foreign government body. For example, the transfer of personal data to unsafe countries is allowed only under certain conditions (e.g. data subject’s consent, or based on adequate contractual clauses and subject to approval by the Romanian data protection authority). Therefore, any direct request from foreign authorities for the production of data should be carefully assessed on a case-by-case basis, so as to avoid any potential sanctions under the data protection legislation.