Intro
Lawyer Raul Felix Hodoș, who specialises in GDPR, believes that personal data should not be processed by authorities indefinitely and without a legal basis. Since 25 May 2018, when the GDPR was implemented across the European Union, all public institutions should have decided which personal data should still be kept and which should be destroyed. Unfortunately, this did not happen, reveals lawyer Raul Felix Hodoș in an interview for Justnews. He also says that in many public institutions there are people appointed as data protection officers who have absolutely no competence in this field, from assistant managers to town hall secretaries.
Justnews:
Personal data protection versus people’s life and integrity. I recently wrote about the case of Toyota cars with faulty airbags and where the Licensing Directorate invoked GDPR to refuse to provide updated owner information to Toyota.
Attorney Dr. Raul Felix Hodoș:
In general, all public institutions invoke GDPR when they don’t want to respond. We should have a balance between public and private interest. And, indeed, when we have a public interest, we have to balance to see if there is a balance there or not. There is a law, 190/2018, which comes to supplement and implement certain provisions of the General Data Protection Regulation.
This law is not well known, although it is law and should apply like any other law. Article 6 lays down certain safeguards when data is processed in the public interest, and these safeguards tell us, EU citizens, that our data is only used for what is necessary and when necessary. And no more.
There was for example a case at the CJEU, Bara and others v CNAS and ANAF, where they won on the basis that yes, it is normal for the state to communicate tax data to CNAS, but that they should have been notified. And the reasoning was given precisely on this need for balance: yes, it’s ok, there is a public interest there, but we should tell people that we are doing this, i.e. notify them so that they know from the beginning that their respective data will be processed in that way as well.
This case is a textbook one that could have been applied in any other similar situation afterwards. Why? Because it basically shows us that, when in good faith, public institutions still act for the citizen by processing his or her data, even when they do so in the interest of the state. In conclusion, we must always balance the public interest and the private interest.
Justnews:
Okay, but in the Toyota case, it was a private personal data controller.
Attorney Dr. Raul Felix Hodoș:
Any large entity or personal data controller, whether private or public, will try to minimise its efforts to protect data subjects’ data. Because every such effort involves establishing certain procedures, it involves hiring people to teach them how to implement those procedures. I try to understand the reluctance of the authorities. On the other hand, the recall of hundreds of thousands, millions of cars in order to avoid further tragedies is an argument that finds its legal basis in the GDPR.
You can demand that the private controller provide you with guarantees, you can do checks, this is where the book knowledge of the public entity’s data protection officer and his power to take responsibility from the position he has been appointed to comes into play. True, the simplest solution is the no-can-do solution.
Justnews:
Aren’t there people specialized on GDPR in public institutions, for example?
Attorney Dr. Raul Felix Hodoș:
A study done by our colleague Marius Dumitrescu on public institutions showed that, in practice, GDPR compliance in public institutions was very low. And I’ll explain why: when I am mayor and I am thinking about who else to hire in the town hall and what position, obviously this position will be given to a person who is close to me. This is what mayors and heads of institutions in general rely on, the idea that, yes, it is easy to hire, and in addition, the penalties for public institutions for non-compliance with data protection legislation are very, very low, unlike private operators. I mean we are talking about fines up to 200.000 lei for public body operators, but up to 20.000.000 euro or 4% of the global turnover, per group, for private ones.
Justnews:
How do things stand for private data operators?
Attorney Dr. Raul Felix Hodoș:
The regulation does not set out how much money you have to invest to comply with data protection. The regulation says that this protection has to be effective and then it is up to you as the manager, as the administrator of that company, to determine how to protect it. The regulation requires that data protection officers be persons who have a sound knowledge of data protection theory and practice and does not set any pre-existing conditions. You don’t necessarily have to be a lawyer, psychologist or computer scientist, but in Romania, the COR standard states that a data protection officer can be anyone who has graduated from university, has at least one year’s experience in a position requiring higher education and has completed a specialist course with 60 hours of theory and 120 hours of practice.
Justnews:
And are those people truly competent?
Attorney Dr. Raul Felix Hodoș:
We can’t say that this diploma gives competence or not. It is assumed that if you have that diploma, you are also competent. Coming back to public institutions, there are all kinds of people who have been appointed as data protection officers, they have a diploma, but they lack competence in this field, from an assistant manager to the secretary of the town hall.
Justnews:
Is there a market for personal data protection services?
Attorney Dr. Raul Felix Hodoș:
We have a market for data protection consultants. Unfortunately, however, the actors operating in this market are guided more by immediate financial gains and not necessarily by getting data protection in order, as the European legislator had in mind when imposing GDPR. True, we have a National Supervisory Authority for Personal Data Processing (ANSPDCP) that has a control apparatus. Unfortunately, it is undersized compared to the problems that are in this area of data protection and obviously the answers that the Authority gives are also quite distant in time, precisely because there are few people, even if good, but being few they are overloaded with tasks.
Justnews:
But the ANSPDCP, when a citizen approaches it, can it do more than point to a paragraph of law or regulation?
Attorney Dr. Raul Felix Hodoș:
This is about the capacity of the functional apparatus: this is the text of the law and you can understand what you want from it, that’s exactly how the ANAF does it, for example, or most Romanian authorities. It is a Romanian problem of the civil servant assuming an opinion.
Justnews:
Does the Authority give out hefty fines?
Attorney Dr. Raul Felix Hodoș:
If you remember the list of shame made by ANAF, otherwise full of mistakes, at least half of the people exposed were either in court with ANAF, or had other amounts and not those mentioned in the list. Basically, it was a unilateral decision set by ANAF, not by a court, as it should have been. Incidentally, ANAF was fined then by the Authority, but for a relatively modest amount, whereas in Bulgaria, ANAF there, when it lost a database of its taxpayers, was fined 5.1 million leva, or about 2.6 million euro. This shows that if we are in Europe, our authority, the authority in Bulgaria or the authority in the Netherlands or Germany should coordinate at European level. And basically we should have what happens in other countries with fines. Indeed, Romania is in third place in terms of the number of fines, but we do not have the highest fines. For example, in France and Ireland, fines are very, very high. And public entities have not been fined much in our country.
Justnews:
“The right to be forgotten”. How and when does it apply?
Attorney Dr. Raul Felix Hodoș:
There was a famous case, Google Spain/Google Ireland versus Mario Costeja Gonzales and the Spanish Data Protection Authority, which was basically the basis of this “right to be forgotten”. In short, his real estate was in foreclosure by the IRS, and that information was taken from real estate agency websites. But the man paid his dues and then asked the IRS to delete the ad. The tax authorities withdrew the ad, but the information about the sale was practically picked up and passed on, and went viral on other real estate websites. And then the man asked Google to remove the information from the search engine.
Google said we can’t, we can’t, and so on. A case before the CJEU followed, and the CJEU ruled that Google should be forced to change its search engine so that the gentleman could no longer be identified. Basically, that’s where this idea came from, the right to be forgotten, because classically, when you delete data from Google, it disappears from the search engine. They no longer exist on Google, but on the internet they can sometimes be found, if you know where to look in the flood of information. What matters most is the purpose for which that data was posted and how those who use it may or may not be entitled to use it.
Justnews:
Status of final criminal convictions. We have come across cases where lawyers, for example, with final criminal convictions have invoked GDPR in the case of final court decisions.
Attorney Dr. Raul Felix Hodoș:
When you are convicted of a criminal offence, you assume that you have a criminal record, the criminal record is made precisely so that others know about the situation you are in. I can’t hire a security guard if I don’t ask for a criminal record to see that he is clean or at least that he has no convictions for property crimes. There should be no problem with those facts being made public when there is a justifiable interest. Including the person’s name. Obviously, we won’t give his home address or the name and address of the company where he is employed or of his wife or children, because it no longer meets the public interest criterion. The public interest here is that other people, society as a whole, has a right to know who has broken its mandatory rules. Therefore, in criminal cases we have judges who say this, and the sentences they set, when the decisions are final, are entered in the criminal record.
Justnews:
Another interesting phenomenon has emerged: some courts have started to anonymise the names of litigants in civil proceedings, invoking GDPR. Under what conditions can the court be requested to anonymise the names of parties in the case?
Attorney Dr. Raul Felix Hodoș:
There is a whole debate here. We have Article 6 of Law 190/2018. When you talk about public interest, you are also talking about the lawyer who is the defender of a party in a case, especially where we are talking about the interests of minors, for example. The lawyer has a duty of confidentiality under the law and his own statute. But what happens to the data that the lawyer finds in the file? Can he use it in other cases? For example, of the opposing party. I have access, when studying the file, to the opposing party’s data. Can I use it in another file? Again, the answer should be: usually not. Why? Because when I use that data, I am processing it for a purpose other than the one for which I was allowed.
The access to the file was allowed to settle or prepare the defence in that file and not in another file. And again, I repeat, I am not talking about my client’s data. I am talking about the data of those in the file, for example, the data of a witness who I know was also in another file. Another situation may arise in relation to what we were discussing before about Mr Gonzales and the right to be forgotten. Basically, there is a precaution in limiting publicity strictly to what the Code of Civil Procedure says: the hearing is public, but it is public for those who are in court, it does not have to be public for the whole Internet.
Justnews:
Privacy, dignitary, public interest. Can a dignitary, in a civil case, get the judge to anonymize his name, because he is a public person?
Attorney Dr. Raul Felix Hodoș:
When I accept to be a dignitary, I also assume that my private life is practically restricted.
Justnews:
I agree with you up to a point. I have had cases where a child’s notes are published just because the parents are public persons.
Attorney Dr. Raul Felix Hodoș:
Any kind of personal data of a dignitary can be processed, but there has to be a proven public interest. But what the child does is not in the public interest, all the more so as the processing here extends to another person who has not assumed such a role. Moreover, we are often talking about sensitive data, minors’ data, health data, etc., crossing red lines, with irreparable subsequent consequences.
Justnews:
How long can a person’s data be processed?
Attorney Dr. Raul Felix Hodoș:
Personal data should not be processed indefinitely, without being told when it can be deleted. And here I draw a parallel with another issue that is not exactly constitutional. You have heard about the sex offenders register. This register is not just about those who commit offences at a certain time and from then on they will remain on the register. Which would be fair. It also refers to those who have committed those offences in their lifetime, say 60 years ago. If the individual is now 80 years old and the sexual offence happened when he was 20 years old, he remains registered, even if he is rehabilitated. However, only the more favourable criminal and misdemeanour law is retroactive, not the other types of law. Here, however, we have a worsening of the situation of these people by creating additional obligations that they did not have at the time of their conviction.
Then there are the asset declarations. When I sign that declaration of assets, I think that I am doing so for a specific purpose, that is, to show the wealth that I have acquired during my time in public office. These aspects can and must be checked by the N.I.A. It is not necessary to check them by the entire population that has access to the Internet, given that, as I said earlier, there must be a balance between the public and private interest. We must leave to the judges what belongs to the judges, even if we are talking here about officials of specialised institutions. Yes, we like to know everything about everyone, but sometimes we also have to trust the state authorities, perhaps precisely in order to save our private lives.
Justnews:
GDPR applies from May 2018, right?
Attorney Dr. Raul Felix Hodoș:
Yes, from 25 May 2018, and from that moment on, all public institutions should have seen which personal data should still be kept, and for those for which they had no legal basis, deletion was required. Unfortunately, this did not happen. Why? Because just as we leave something in the attic throughout our lives that we may need again, so did public institutions with our personal data. They may need it one day. That is why I was saying that this data often gets into the wrong hands and is used without right. That is why we need rehabilitation. And if we need rehabilitation in the criminal area, then this rehabilitation, I am talking in the sense of forgetfulness, all the more so should we have it for personal data.