Currently, the draft law transposing into national legislation the European Electronic Communications Code (Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018) is approaching the moment of the final vote in the Romanian Senate. The bill has already been voted in the Chamber of Deputies in December 2021. Details on the Senate website:
The bill is very important bill and needs to be passed as soon as possible, but the industry and civil society have found that – in addition to the provisions transposing the European directive – harmful or at least inappropriate provisions have been mingled into the draft. Below is the content of a letter sent by ANISP to Senate in an attempt to correct the harmful aspects:
Ladies and gentlemen, members of the Senate
The National Association of Internet Service Providers in Romania (abbreviated ANISP), having its registered office in Calea Floreasca no. 169, building X, ground floor, sector 1, Bucharest, tel./fax: 021-316.10.33, e-mail: office /at/ anisp.ro, registered […],
We respectfully ask you to take all the measures available to you as senators in the Romanian Parliament,
to remove and / or amend the following provisions of the draft law to improve and supplement regulations in the field of electronic communications and to establish measures facilitating the development of electronic communications networks, (we submit our comments on the form available today, the 11th of February, 2022, a form that received a number of amendments in the specialized committees – on top of the form adopted by the Chamber of Deputies):
”28. After Article 10, two new Articles, Articles 10^1 and 10^2, are inserted with the following wording:
In Article 10^2, paragraph 1 is amended to read as follows:
(1) Providers of electronic hosting services using IP resources have the obligation to support law enforcement bodies and bodies with responsibilities in the field of national security within the limits of their competences, for the implementation of technical supervision methods or authorization acts provided in accordance with the provisions of Law no. 135/2010 on the Code of Criminal Procedure, as subsequently amended and supplemented, and of Law no. 51/1991 on national security, republished, with subsequent amendments and completions, respectively:
a. to allow the legal interception of communications, including to bear the related costs;
– unchanged (n.n.: unchanged from the form adopted by the Chamber of Deputies. ANISP observation: Transferring any costs, arbitrarily, without limits – to service providers is an abuse. The phrase “including to bear the related costs” should be deleted.)
b. to grant, at the request of the authorized bodies, under the conditions of this law, the decrypted content of communications transited in their own networks (ANISP observation: This provision conflicts with the provisions of the Code of Criminal Procedure. According art. 38 CCP, para. (1), points (a) and (j), interception and obtaining of traffic data are “special methods of surveillance.” Then, according to Article 170 CCP:
(1) If there is a reasonable suspicion as to the preparation or commission of an offense and there are grounds for believing that an object or document may serve as evidence, the prosecuting authority or the court may disposes of the natural or legal person in whose possession it is to present and deliver them, under proof.
(2) Also, under the conditions of par. (1), the criminal investigation body or the court may order that:…
b) any provider of public electronic communications networks or providers of electronic communications services intended for the public to communicate certain data concerning subscribers, users and the services provided, under its control, other than the content of communications and those provided in art. 138 para. (1) lit. j). [contradiction!]
It is also generally technically impossible for providers to decrypt encrypted communications that pass through their network. The expression “decrypted content” implies that the content has been encrypted by an entity, and the provider should have decryption solutions that may not even be available to the most powerful intelligence agencies in the world.
Such a provision makes sense only if the provider of the communications service is also the one who provides encryption services, but even in this case there is no certainty of the technical possibility.
It should also be noted that “providers of electronic hosting services with IP resources” often do not have a network, but only physical or virtual server(s), so “communications transited in their own networks” might make no sense. );
c. to provide the information retained or stored regarding traffic data, identification data of subscribers or customers, payment methods and access history with the related time points;
– unchanged (n.n. unchanged from the form adopted by the Chamber of Deputies. ANISP observation: These activities must be carried out within the limits allowed by Law 506/2004, which requires the deletion and / or anonymisation of traffic data. See also Decision 440/2014 of the Constitutional Court of Of Romania, repealing Law 82/2012 for similar provisions (general and disproportionate – in contradiction with both the Romanian Constitution and the Judgment of the Court of Justice of the European Union of 8 April 2014, in related cases C-293/12 – Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others – and C-594/12 – Karntner Landesregierung and Others).
d. is deleted.
(2) The obligations provided in par. (1) lit. a) – c) shall apply accordingly to providers of electronic communications networks or services. (ANISP remark: this provision also conflicts with the provisions of the Code of Criminal Procedure – see note to paragraph (1), letter b) above)
(3) Providers of electronic hosting services with IP resources and providers of interpersonal communications services not based on numbers are required to provide information within 60 days of the start of the provision of services. ANCOM containing at least the following:
a) the identification data of the supplier;
b) the contact details of the supplier;
c) the type of electronic hosting service provided.
(4) ANCOM publishes on its website the types of electronic hosting services for which the providers of electronic hosting services with IP resources have the obligations provided by this article.
(5) Any modification of the data transmitted according to par. (3) shall be communicated to ANCOM within 10 days from the date of occurrence of the event.
(6) ANCOM’s decision may establish that the information provided in par. (3) has to be made in a certain format. ” (ANISP observation: points 3, 4, 5 and 6 infringe Article 4 of Directive 2000/31 / EC of the European Parliament and of the Council on aspects of information society services: Article 4 – Principle of exclusion of prior authorization – ( 1. Member States shall ensure that access to and operation of the information service provider’s activity cannot be subject to prior authorization or any other requirement having equivalent effect. )
In conclusion, we consider that provisions such as those proposed in art. 10^2 above should not be included in the law transposing the European Code of Electronic Communications. These provisions must be exposed to a real public debate, they must be correlated with the legislation on personal data protection, with the provisions of the Code of Criminal Procedure, with the provisions of the decisions of the Constitutional Court, with other applicable normative acts and only subsequently introduced in the Code of Criminal Procedure as an extension of the existing provisions (already applicable to service providers and electronic communications networks) to providers of electronic hosting services with IP resources.
Comments are closed.