Romania orders investigative journalists to disclose sources under GDPR (occrp.org)
723 points by treewhistle 3 months ago | 190 comments

This is particularly concerning given that GDPR specifically requires member states, in enforcing GDPR, allow exceptions for journalism and documents/data "in the public interest." Considering the funds at the center of these Facebook posts went missing from EU coffers, it's clear the information falls squarely within both exemptions. At least it's a civil case. The fines for non-compliance with the request will surely add up quickly but I suspect this will make its way through the court system and reach a just conclusion.

> This is particularly concerning given that GDPR specifically requires member states, in enforcing GDPR, allow exceptions for journalism and documents/data "in the public interest."

That may not apply, because of the clever (evil too, but also clever) way they are doing this.

If they were asking as data subjects where the data came from (which data subjects have a right to under Article 15 1(g)), then journalism and public interest exceptions should apply.

But that's not what they are doing. They aren't coming in as data subjects asking about the data held on them. They are coming in as an Article 51 supervisory authority in charge of monitoring GDPR in their country. They are claiming to be doing the tasks Article 57 assigns to the supervisory authority, and exercising the powers Article 58 gives them for that.

Presumably, someone who the journalists wrote about alleged that the journalists were not complying with GDPR in how they obtained and used the data.

And so now the supervisory authority is investigating that. Article 58 gives them power "to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks". They can probably argue that in order to decide if a journalism or public interest exception applies, they have to know where the data came from and how it was obtained.

Assuming things are as corrupt as people have claimed, I'd expect they will go in, and if they obtain the information on the sources, they will rule that a journalism or public interest exception applies, and dismiss whatever sham GDPR complaint they had someone file to set this off.

> Presumably, someone who the journalists wrote about alleged that the journalists were not complying with GDPR in how they obtained and used the data.

That somebody is the chief of the ruling party, Liviu Dragnea, president of one of the houses of parliament, who almost got to be named prime minister if not for an earlier conviction for electoral fraud.

He was now found guilty in a second unrelated criminal probe, and is appealing the sentence while at the same time trying to steer the legislative process and pressure his own party to decriminalize a large swath of offenses pertaining to his case, namely abuse of public office.

The journalists have recovered a large trove of damaging documents that are related to yet another criminal case (3rd, if you're counting) in which he is being investigated.

The head of the data protection agency is a former colleague from the same party and is herself under criminal investigation for fraud. Yeah, so these are the watchers.

This is really interesting too, because of the decentralized implementation/enforcement.

Compare Romania's one sentence implementation of the journalism exception (translated by the EU website so perhaps not the best):

>In order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, processing for journalistic purposes or for the purpose of academic, artistic or literary expression, it may be carried out if it concerns personal data which have been made manifestly publicly disclosed by the data subject or closely related to the public personality of the person concerned or the public nature of the facts in which he is involved

With the U.K.'s implementation of that same exception [at Part 5]: http://www.legislation.gov.uk/ukpga/2018/12/schedule/2

The EU court will slap this down.

Your post makes it sound as if, no matter how corrupt this is, their demand is within the letter of the law.

If so, that is a pretty nasty unintended consequence.

That's exactly what he's saying.

Usual thing with these laws, within the letter of the law but not within the spirit of it.

They write laws with ink not ectoplasm.

Quis custodiet ipsos custodes?

When cheering on such laws, we should always ask ourselves whether we're cheering on the intent or the practical/potential effect. When viewed in the latter context, one might instead cheer on a much smaller, incremental approach towards such legislation (if at all).

No legislation (really, 'no additional legislation' - we're not starting from zero, nor is anarchy desirable) has as much consequence and is not qualitatively different than a little or a lot of legislation; there are downsides and unintended consequences to every option. There is still political and economic power to be had and which is exercised. The question is, do we want that power to be controlled democratically or to be arbitrarily exercised by the most powerful?

The latter is often appropriate; people should be free to do what they want unless others are affected significantly. But when it comes to privacy and freedom of speech, I don't think so.

> no additional legislation [...] has as much consequence and is not qualitatively different than a little or a lot of legislation

This cannot be generalized and is different depending upon the circumstance. In this case, I wholeheartedly disagree.

The difference is that the consequences of no new legislation are known (from experience), while the consequences of new legislation can be estimated, but with complex and far-reaching laws the practical effect is usually very different, with numerous unintended corner cases that can get very nasty. The problem is that politicians (and people in general) usually ignore that, and present it as a choice between how things work today, and how they think things will work once the law passes.

If we took into account the uncertainty properly, I think the balance would look very different, and many laws wouldn't pass simply because no-one would be able to vouch for the actual effects.

Laws should have some kind of escape clauses that kick in should unintended consequences start dominating the impact.

And what is "unintended"? Who gets to decide if a certain use of a law is unintended?

Laws are often intentionally pretty vague so that courts get to decide.

How about the polity?

>there are downsides and unintended consequences to every option

Even so, there are not the same "downsides and unintended consequences" to every option, nor do they have the same impact for every option chosen.

So, this is not some "6 of one, half a dozen of the other" case.

>The question is, do we want that power to be controlled democratically or to be arbitrarily exercised by the most powerful?

Whatever we want, in practice, and for pragmatic reasons, we usually get just a mix of both. So it makes sense to have laws that don't give so much possibility for arbitrary execution, or don't give too much power when arbitrarily executed.

I wonder which part of the GDPR they are using to demand sources. I have read the thing a couple of months ago and as I recall the thing is mostly about not sharing personal information without consent, does anyone else recall parts that grant governments new rights to demand the disclosure of personal information?

Journalism is the practice of collecting information about people and disseminating it without their consent. Otherwise you’re just redistributing press releases.

This brings up an interesting question: if I tell people about you, am I doing something illegal?

What if I remember something about you?

You are probably joking, but the GDPR (and also the 'right to be forgotten') is not and has never been about the actual memories of a natural person. Your diary (if you have one) is also not included in its scope.

You can remember whatever you want, about anyone or anything.

What part of the GDPR specifically addresses that?

No part of the GDPR specifically allows you to remember things, but Article 2 (which limits the scope of the law to data processed as part of a filing system) does except processing for purely personal activities in 2(2)(c).


Thanks! 2.2:

"This Regulation does not apply to the processing of personal data:

* "in the course of an activity which falls outside the scope of Union law;

* "by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

* "by a natural person in the course of a purely personal or household activity;

* "by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."

So if you're a natural person working in a store you don't fall under this exception.

I thought the GDPR sign at the butcher shop was a joke?

I'm not sure exactly what GDPR means for the people whose job involves processing data, but I would think that independent of whatever rules apply to the employer as a data controller/processor, 2(2)(c) would except the employee's memory of what they did.

The part that says you have to be an entity (data controller or data processors) that matches a specific definition, not merely a person living their life.

Is a "data controller or data processor" well defined in the law? What in any way could somebody ever twist the wording to include a person living their life?

What if this person had a hobby of simply collecting and cataloging information about people they come in contact with?

>What if this person had a hobby of simply collecting and cataloging information about people they come in contact with?

Then they are a data controller.

"A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.


In essence, you are a data controller if you can answer YES to the following question: Do you keep or process any information about living people?"


It depends what you tell them.

You can read an English translation of the demand letter here:


Thanks for that. Some of those points are actually reasonable, and a journalist should be comfortably within rights to respond that sources need to be kept secret, and comment why/how/why not subjects were alerted to the publication (perhaps given a chance to comment).

Hopefully this'll go to court and set a precedent that is more in line with the spirit of the GDPR.

I am not quite certain how much a precedent matters here.

Of the western world we have the US, UK, and Canada that employ common law where precedent really matters.

In most of the EU the system of civil law is used, where the judiciary is expected to be much more literal and to not perform much interpretation or reference to previous interpretations.

Civil law has a concept similar to the common law world's respect for prior judicial rulings, but weaker. It's called jurisprudence constante (a French phrase). The impact of a single ruling on future rulings is not huge, but a series of rulings all in accord will be treated as strongly persuasive.

It's still secondary to the statute and not 100% binding, but nevertheless it is a real part of the system.

Also, both the US and Canada have a civil law jurisdiction: Louisiana and Quebec, respectively.

Both do make some use of common law as well, but private law (governing relations between non-state parties) is even now predominantly civil law in both places.

If the original actors in this case were non-state parties, I expect that civil law would be applicable to a hypothetical Quebec version of this dispute. In Louisiana, same thing if the relevant law was at the state level rather than federal. (In Quebec, even federal laws are interpreted using civil law principles when covering private law topics.)

Aaaand then we have the Scandinavian systems which are somehow both.

This confuses me as well. When a company has information about a natural person and that person was not the source of the information that person has a right to request the source and the company must disclose it. As far as I know that request/disclosure does not extend to the member state enforcement agencies.

In this case, the person (a politician) did request it -- and the enforcement agencies (headed by pals of said politician) try to make sure they'll get it.

> it's clear the information falls squarely within both exemptions

This is the problem with GDPR. Each member state decides what's clear and what's not. It may be appealable. But that's expensive, time- and attention-consuming and risky.

We need strong privacy regulation. One downside to a fragmented complain-investigate-fine regulatory structure (as opposed to strict liability or complain-mediate-investigate structures) is that these things happen, and when they happen they do so decisively.

All the regulation in the world won't do any good against a highly corrupt government like the one Romania is sadly facing at the moment.

> All the regulation in the world won't do any good against a highly corrupt government

It doesn't help to add arrows to their quiver. GDPR is a good law when a government can be trusted. It throws petrol on the fire in over-reaching states.

From my perspective, living in one of those highly corrupt governments, it's better to be in the EU and subject to the occasional malicious application of an otherwise well-meant law, that does benefit actual legitimate governments, than to be out of the EU and under Russian control with completely unchecked corruption. The hope is that over time, the mafia will grow into a form that steals money in the usual manner of western societies, skimming a bit off the top (e.g. tax fraud, etc.) and otherwise leaving a normally functioning society, rather than just taking everything and telling us to eat shit.

The problem, of course, is that the country can have a trusted government today, and one that is very much not trusted tomorrow. Historical examples are many.

What government can be trusted?

One which is effectively regulated. Separate police, courts, lawmakers, executive, etc., where they are incentivised to prevent corruption.

Could you name such a government? I don't know about any single government in the world that isn't corrupt, only ones that are less corrupt than other ones, and that is not nearly enough.

A state that has something like the GDPR is, by that very fact, overreaching.

"It's OK though, government X will only use GDPR for good and they will go easy on small companies and individuals infringing it".

Literally the argument you would eventually see at the end of threads about GDPR. I don't know how many times I've said this, but it amazes me that people can feel so identified and represented by nation-state politics that they are so willing to trust their government.

I don't feel "identified and represented by nation-state politics", whatever that means. But I do trust my democratically elected government to some extent. At least, I trust it more than the companies GDPR is supposed to protect me from.

And you're building a strawman with GDPR supporters, I don't think anybody said that nobody would ever try to abuse it. The GDPR has explicit provisions protecting journalists. It remains to be seen how this particular case pans out and if they truly manage to get the journalists to expose their source (or get heavily fined). If the Romanian authorities really manage to get this through and the rest of the Eurogroup doesn't react then yeah, that's quite worrying.

Also note that it's not like without the GDPR those journalists would be able to work peacefully anyway:

>Dragnea invoked the European data protection legislation last year when he threatened RISE Project with a lawsuit after journalists published stories on his connections to Tel Drum SA executives and other Romanian business people indicted for corruption and fraud.

>The president of the PSD never sued but soon after these threats were made, the Romanian Anti-Fraud Authority (ANAF) raided RISE Project’s offices, saying they suspected the organization of fraud. The investigation carried out by ANAF never uncovered any such fraud.

>RISE Project discovered that the initial complaint ANAF used to target RISE was a forgery filed by a non-existent person, with a non-existent physical address who falsely claimed that she worked as an accountant at the media house.

Due process is not really the keyword here from what I understand from this article. Something tells me that if it wasn't about the GDPR it would be something else.

> At least, I trust it more than the companies GDPR is supposed to protect me from.

I can't imagine that's true for investigative journalists reporting on corrupt governments. Big corporations do plenty of harm, but mostly in large-scale aggregate effects (like manipulating prices, tracking online behavior to deliver ads, creating filter bubbles in social networks, etc.), but governments can and do throw people in jail or worse.

>And you're building a strawman with GDPR supporters, I don't think anybody said that nobody would ever try to abuse it.

I don't think the accusation is fair. All discussions I saw here about GDPR contained the line where opponents were raising the issues of trust in authorities, and supporters dismissing them.

> I trust it more than the companies GDPR is supposed to protect me from.

Agreed. Just.

>But I do trust my democratically elected government to some extent. At least, I trust it more than the companies GDPR is supposed to protect me from.

Stasi operated in Germany just a few decades ago. Romania had Ceaușescu. But no, it's the evil corporations that are dangerous. The governments would never abuse human rights or anything like that.

> At least, I trust it more than the companies GDPR is supposed to protect me from.

Not I when I step back and assess potential and actual harms done. This is especially true the larger-scoped the laws and power given.

> And you're building a strawman with GDPR supporters, I don't think anybody said that nobody would ever try to abuse it.

Right, and the commenter didn't assert they did. The commenter quoted a phrase I too would hear frequently and questioned the trust people place in their institutions. Is there a term for a straw man straw man?

> If the Romanian authorities really manage to get this through and the rest of the Eurogroup doesn't react then yeah

Can the use of it as a threatening tool not be enough to require reaction? Must it get through? Why so much toleration?

You do not elect the government. Not in most states anyway and certainly not in Romania or the EU. Most governments are majority governments and the EC commissioners are appointed, not elected.

I wouldn't trust them even if I elected them, because people and especially politicians holding public office can and will eventually turn rogue.

But I agree with you that if it wasn't the GDPR it would be something else: alleged tax fraud, money laundering, you name it. Stuff taken out of their own playbook. It's just blackmail and racketeering executed by state institutions. This is why we need strong checks and balances against state institutions and time limits for holding office against politicians.

I don't trust the companies that the GDPR is targeting either - who are more involved in my life on a day-to-day basis and can have as much or more effect on it, short of literally putting me in a cell. Information is power, and it's generally private companies wielding it. We exist in a society where companies and Government and the people all continually back each other up in oppressing people.

Fact of the matter is, that the GDPR is a pile of shit (it's basically an argument that only the Government should be allowed to amass and weaponise information, where I'd argue that nobody should be allowed to), but so is the mass centralisation of information in the hands of large, powerful entities that it's intended to target. And one would be entirely unnecessary and unwarranted without the other.

It's the fashion to twist laws to cover unconscionable behavior it seems. I'm only surprised Orban or Morawiecki didn't think of it first.

But it's no surprise when the press is called "the enemy of the people"

> This is the problem with GDPR. Each member state decides what's clear and what's not.

That's not so much a problem with GDPR as nation states.

The alternative is centralization of government which changes nothing except ensures that once corrupted its scale would affect what, at scale, could even be the entire world. It also gives bad actors a single target to focus all their energy (and influence) on. In my opinion the solution is to go in the opposite direction. I think the 'closer' to the people, both figuratively and literally, a government is, the more they tend to be held accountable. Romania's revolution against Ceausescu was a very clear, and quite literal, illustration of this.

As an aside, "nation state" is not a fancy way of saying country. It has a specific meaning denoting a mostly ethnically homogeneous nation. E.g. Belgium is most certainly not a nation state.

Not necessarily ethnically homogeneous; just one that explicitly endorses the ethnic nationalism of the dominant group. For example, Slovakia, Israel, and Lithuania all have substantial ethnic minorities (respectively Hungarian, Arab, and Russian) with varying degrees of protection for minority groups, yet are very much nation-states.

Nation states have problems. But I can't think of a better alternative:

- one world government? All the problems of nation states and then some. Plus nowhere to seek refuge. It's not like a government more powerful than all today's governments would magically become less corrupted.

- no government? Has its own problems as well.

What we have today is a mess but IMO it's the price we have to pay to avoid the worst dictatorship imaginable on this earth or going back to the dark ages.

> That's not so much a problem with GDPR as nation states.

Out of GDPR and nation states, only one can be abolished.

>This is the problem with GDPR. Each member state decides what's clear and what's not.

That was a big problem with the Data Protection Directive (which the GDPR replaced).

But now the European Data Protection Board[0] (basically, the supervisory authorities from the member states and EEA member states, plus the European Data Protection Supervisor) can make sure that each supervisory authority is - approximately - following the same standards.

Each case gets filed in a common system by the lead authority investigating it and cases get discussed between the Board members.

[0] https://edpb.europa.eu/

Well this was certainly an interesting link from the same page:


"But the victim of the brutal rape and murder was Bulgarian television journalist Viktoria Marinova — and her last broadcast was about the theft of hundreds of millions of euros from European Union-funded programs in her country.

Even those who had never heard of the so-called “GP scandal” certainly know about it now.

In the program, which aired just six days before she was killed, Marinova interviewed reporters from OCCRP’s Bulgarian partner, Bivol and its Romanian partner, the RISE Project."

This murder was most certainly not related to that report.


The 21 year old guy said he doesn't remember raping, robbing, or murdering her because he "blacked out" but he says he regrets it?

You believe that? That means he doesn't have to supply a single detail of how the rape and murder even happened. And the DNA evidence? Trivial to link to somebody in a corrupt system. If he's going to confess he needs to provide details, like if she was sodomized, where he hit her, etc. Plus what drugs was he on? Either he could still test positive or they can hair test him.

Sorry, my bad for not specifying that. Deaths of journalists are one of those things to always note.

Romania =/= Bulgaria

They are one of the best journalists in Romania, of course they want to shut it down. If this goes their way we are doomed not only because they shut down Rise Project but the entire media.

The entire non-affiliated and non-partisan media. Or what you'd otherwise call the free press. The rest is just propaganda machines in the hands of special interests.

Not sure if I understand. How is a data privacy law being used to get an organization to reveal its sources? The article mentions something about the government needing to know how data were stored, but that’s all I could see that addressed this question.

Edit: Comments filled me in. The regulation seems to relate in part to people having the right to know who is collecting what data on them.

The source presumably had the information lawfully and, under GDPR, owed a duty to the subject of the information to (i) protect it from disclosure, and (ii) notify the subject of the information in the event of a breach or unlawful disclosure. However, GDPR does not extend that duty to protect/disclose when the data in question is being used for journalistic purposes. I suspect the corrupt government is just as eager to find the source of their leak as they are to bully these journalists into silence.

This is what the demand letter requests[1]:

- The purpose and legal basis of publishing on the Internet (Facebook) of personal data, at the address https://www.facebook.com/notes/rise-project/teleormanleaks/1...

- The date/period of time when the said personal data was published on your Facebook account;

- The source from where the personal data published on Facebook was obtained;

- The support (electronic and/or physical) where you stored the documents/images published on Facebook;

- If the mobile storage devices (tablet, HDD, memory stick) were/are password protected or encrypted;

- If you have other information/documents containing personal data of the said people;

- If the personal data or documents that contain personal data of the said people were revealed in other circumstances - with the specification of these circumstances;

- The way in which you informed the said people, in conformity with Art. 13-14 of GDPR.

[1] https://www.occrp.org/en/16-other/other-articles/8876-englis...

edit: formatting

Still having trouble following. They're saying that:

"If you host someone's information for public view on a website, under the GDPR, you have to say where you got it. Therefore, if someone leaks our (the government's) information and you're hosting it, you must say who the leaker was."

Do I have that right?

Yes and no. GDPR only protects the data of natural persons, not the government. It's difficult to follow because the natural person in this case happens to be the leader of the ruling political party and the government's reason for using GDPR as an enforcement tool is tenuous at best.

GDPR does two important things: it gives natural persons rights over the data collected about them[1] and creates requirements for when/how/why a company can collect data about natural persons as well as what can be done with it (called "processing").

GDPR requires companies get affirmative consent from individuals in order to collect information about them and to inform them about how that information is processed. Importantly, the definition of processing under GDPR includes gathering, disclosing, and disseminating information.

From reading the demand letter and not knowing much else about the case it seemed to me that the government is taking the position that the data transaction between the source and the journalists was unlawful because the subject owner of the data (the politician) did not consent and that whoever provided the information (assuming they were permitted to possess the data) did not fulfill their obligation to protect it.

If you take the journalism/politician/embezzlement piece out of the equation the logic makes more sense. If you live in the EU and someone gets a copy of your tax return and posts it on Facebook the government would do well to figure out how that person got your tax return and make sure your accountant (who rightly has a copy of your tax return) is sufficiently protecting your personal information. Where the logic falls apart is that GDPR is expressly not intended to apply to information collected for "journalistic purposes," as is the case in Romania.

[1] https://advisera.com/eugdpracademy/knowledgebase/8-data-subj...

> GDPR requires companies get affirmative consent from individuals in order to collect information

No it doesn't.

You're right. That's an oversimplification. GDPR requires a "lawful justification" to collect the information. The six justifications all speak to consent or fulfilling legal obligations (government investigation, court order, contract performance, etc). Consent is a critical component of GDPR, though, as evidenced by the hundreds of GDPR consent emails that swarmed our inboxes in May.

The consent emails are evidence that people in charge were mindlessly following some rules given by some consultants.

Not all of them were necessary, and some of them might be harmful to those sending them down the road: if they had a valid reason before but asked, question is what happens if the person on which data was collected rescinds their permission? Answering "you refuse, but we have a legit reason according to GDPR" is a recipe for bad PR at least.

Although the DPA can fine them for the leak/disclosure, what is the basis for asking the rest of the stuff (purpose, source)? I don't think it's GDPR.

They are trying to intimidate Rise with this letter. Rise seems to be determined not to cave. This will be interesting, but I do not think it will get to courts, the SDP leader needs a solution NOW. And I do not think EU will be happy if the first fine paid in the name of GDPR will be a journalistic organization trying to uncover corrupt politicians.

The current government operates more like Erdogan or Putin than an EU country. The same government appeals to "human rights regulations of the EU" to justify passing laws that save several heads of government from ongoing corruption trials.

They're probably relying on "data access requests", which is their right under GDPR.

Muie PSD.

Crooked, corrupted political party trying to escape from a massive corruption scandal using GDPR. Shameful.

+1, now go ahead and donate here: https://www.riseproject.ro/donatii/

What is even more concerning is the fact that they still have so many supporters when they are so obviously up to their neck in corruption. Muie PSD.

Muie PSD!

Swearing and shaming isn't going to solve anything because these people have no shame. They're just going to use your swearing against you and call you hooligans on national TV, like they did with the people beaten up by the miners in ’91. If you are fed up with mainstream parties, support or join any of the resistance movements.

This is exactly what critics of GDPR feared will happen. Meanwhile, the pro-GDPR hysteria went on until the inevitable happened.

But hey, at least now every tiny blog will dump a huge pop up every time I visit telling me how important is my "privacy" to them.

Oh, which critics were worried about journalists?

I've read most if not all the GDPR topics on HN and all the GDPR critics I've read were basically worried about ad-funded businesses or an abstract concept of freedom from government control - as in let the market decide.

So it's far-fetched to now claim that everyone was worried about journalism.

Furthermore, this is clearly political power abuse. Apparently the same organisation was raided for a "fraud" investigation. The problem's the corrupt government, not the privacy law.

Well, I'd say investigative journalists saw this coming :)

Here's a panel in May: https://eijc18dataharvest.sched.com/event/ETCN/gdpr-the-new-...

That "abstract concept" - well this is how it gets implemented in the real world.

A corrupt government and an overreaching regulation (look ma, two oxymorons in a single phrase!) and this is the price you pay for... for what? What did you actually gain from gdpr?

I believe this same government was in the news for essentially making bribes legal, as long as they were under a specific amount... and yet you think it's the GDPR of all things that enables their abuse?

The GDPR which mandates exceptions for journalism, by the way.

No, GDPR also enables this abuse. Because GDPR was the criticized one, not that govt.

Criticized for enabling this, for chilling effects on European startups, for solidifying the monopoly of huge web behemoths like Facebook and Google, and for generally creating a shitty everyday browsing experience.

All for the absolutely ZERO benefits GDPR brought so far...

I wouldn't say it has brought zero benefits. Many websites now offer the possibility of rejecting tracking cookies, many companies have reconsidered and modified how they are treating user data, and we now have the right to request all our personal data from companies. Hopefully the situation will improve further when a few misbehaving companies are fined.

>This is exactly what critics of GDPR feared will happen.

Can you support this please?

Where are all the people who were saying GDPR is fine to be underspecified because European governments are benevolent and will choose to be good even when they don't have to?

I don't see how this is a problem of underspecification.

It is a problem with under-specification, because GDPR is supposed to be just a guiding framework and each government should implement its own compatible laws.

I also was afraid the Romanian government (and other autocratic governments) will do a poor job translating the GDPR into national law.

That's not true; the GDPR is not a Directive, but a Regulation, meaning the actual text applies directly, it's not transposed by the national legislators.


That's correct, however the GDPR contains some clauses allowing each state to pass national laws to supplement it, and I expect most states will.

No law can be beneficial if the individuals and institutions applying it are corrupt and abusive.

In theory the Soviet Union and other communist governments had lots of laws outlining a fair and equal treatment of citizens, in practice they were disappearing people.

"We can't make perfect laws so no need to make good ones"

You're being lazy. This law has been under work for years, was going against massive corporate interests and was heavily lobbied against.

It's a minor miracle we have it at all.

The enemies of privacy, advertising drones, the brainwashed and careless love to attack it because it's hitting their pockets or making them click away some inconvenient pop-up.

This law was crappy from the beginning and plenty of people said so.

It protects the massive corporate interests while encumbering startups and offering governments another way to abuse people.

All that while bringing ZERO benefits. Please tell me ONE way my life is better since GDPR. It's been a little while, after all.

I know of a few companies that decided to stop selling customer data to data brokers due to GDPR. Now it's impossible to know if you were specifically affected by exactly these companies' business practices. But if you're in the EU you would have to live a rather strange life not to be affected in some way.

One of these companies was an airline. They would share the price you paid (meal you chose, etc.) with among others, a company specializing in "individualized pricing". Meaning: if you flew business class, the telecom company might just not show you the cheaper options next time your contract is up for renewal.

Here's one benefit: you can request your personal data from every organization you have been interacting with.

It's strange to see the Romanian government try to use the GDPR to harass journalists. Governments have become increasingly shameless about going after the press so no cover is required.

The UK government [1] has done this to multiple journalists including the Guardian, BBC [2], Greenwald's partner famously among others under the 'terrorism act'.

The US govt [3] is liberally using subpoenas, court processes and threatening new laws [4] to force journalists to give up sources.

[1] https://www.theguardian.com/media/2016/mar/14/government-ter...

[2] https://www.independent.co.uk/news/uk/crime/police-use-terro...

[3] https://pressfreedomtracker.us/blog/increasing-number-journa...

[4] https://www.independent.co.uk/news/world/americas/us-politic...

[5] https://www.nytimes.com/2014/06/03/us/james-risen-faces-jail...

[6] https://archives.cjr.org/behind_the_news/press_subpoena_sour...

Is it really a revelation that governments cannot be trusted any more than corporations with our data? Their potential for abuse is even worse: you cannot opt-out of using government like you can a Facebook or a Google.

At least you can choose the government...

Fighting EU with their own tools such as GDPR. You should know also that these guys from the Romanian government have been involved so much with changing laws and finding ways to avoid it until they become experts. On one hand they give social benefits and the impression that people have salary growth in order for government members to stay in power. Then they make their deals and cover their traces thru laws and other ‘justice system’.

Also be aware of the multisystem universe called ‘parallel state’... that guy Dragnea doesn’t have any limits!

Because I have frequently seen conspiracy theories regarding George Soros even on HN, I want to take this opportunity to point out that the organisation reporting this is sponsored by him, via his Open Society Foundation.

It's also fairly representative of their projects. In the way that, having been marginally involved with some of the work they do in Eastern Europe, I went looking for information on their sponsors with the specific expectation of finding the OSF among them.

Your comment adds nothing to this discussion. Soros was NOT mentioned in this post or thread.

For some reason HN turned against WikiLeaks over the past few years, but this kind of thing is why Wikileaks is a good idea. Governments should not have the option of forcing journalists to do anything.

I’d describe it the opposite way. The lesson learned from Wikileaks was two-fold: use digital tools well, but be aware there’s always a physical pressure point. Wikileaks became more whacky after JA was tethered to an embassy. Similarly, in this case, the potential problem is fines for the reporters working with the material, not the chance that it could disappear.

Most journalistic outfits would have completely folded long before they reached the level of pressure that Assange has been dealing with for years now.

That's the point... when journalists upset governments, ugly things happen. The last person we should be blaming is Assange!

For some reason, reason being it turned into a Russian propaganda outlet.

And disseminating anti-semitic propaganda on their Twitter account.

It's not clear who posted that and it's a small blip in the overall stellar reputation of WL's journalism.

Still not seeing any evidence for this. WL would surely publish any high quality leaked info on Russia or on any US politicians regardless of party or stance on Russia.

Seriously, if you want to be a journalist reporting about your own government's corruption, storing the data inside the local country is the worst option.

Why did nobody think about that?

OCCRP tech here. The data exists in at least four different legal regimes. This is a legal issue, and whatever supporting technical work can be done has been done.

> OCCRP tech here.

Thanks for your hard work! It would be great if you could share more in this discussion.

> The data exists in at least four different legal regimes.

Doesn't redundancy have a negative effect in this scenario? I would think four legal regimes would very approximately quadruple exposure. If they can't get you in one regime, they'll get you in another.

I'm also a bit confused by the use of a Facebook post to disseminate this information.

Journalist heroes must be convicted, brave and honest, but they do not need to be OPSEC experts. People who spend all day reading about PGP, and people who decide to risk retaliation by publicizing documents that have come to them, are both minority groups that rarely overlap (because then you'd have to have two unlikely traits, which is a lot less likely than having one.)

Language sidebar:

You might want to alter your word choice a bit. As an American, “must be convicted” reads as “must be found guilty in court”, which I’m pretty sure isn’t what you meant. Even changing the order to “brave, convicted and honest” would help — putting the ambiguous item in the middle of the list helps to clarify which meaning you intended.

>but they do not need to be OPSEC experts

This is evidently wrong.

They might need to be OPSEC experts if they want to publish two articles, but to publish one they do not. I'm pointing out that civic motivation and technical knowledge aren't correlated.

Predictable outcome from an over-reaching law :/ Definitely some good parts to it, but it went way beyond what it needed to.

And I'm tired of clicking cookie popups. I literally do not care.

> I'm tired of clicking cookie popups. I literally do not care.

That was the whole goal. Many of those cookie popups were not necessary, at least before the time where every website had extensive surveillance into what you were doing. You don’t need to put a popup for login cookies, for example. But websites loved doing it anyways because it would make their visitors annoyed and think that the cookie law was clearly stupid.

I challenge you to find one commercial website that only uses cookies for login features.

The fact is that the cookie rules apply to more or less any website in the EU. In fact websites do not even comply with the regulation 100% since you cannot use tracking cookies until you have consent - but almost all websites just comply with the information part of the regulation.

AFAIK you do need to have the cookie popups, at least until the new ePrivacy directive comes into effect next year.

You need to notify users but it doesn't have to be a popup. A clear explanation on a privacy page that is clearly exposed in each page is fine.

s/law/government/. You do realize that corrupt governments abusing good laws is daily life in Romania?

I mean, you're in the US, so you should definitely know what that's like.

In USA, "good" laws are a tiny minority of the total. How could it be otherwise? We have thousands of scoundrels working all day long every day writing more of them.

> I mean, you're in the US, so you should definitely know what that's like.

Whataboutism aside, most definitely, hence the opposition to such "good" laws in the first place. The perspective of taking the good-with-the-bad status quo compared to the alternatives is rooted in rational precedence.

The way it looks, many laws are being torn apart in the US, including environmental protection, etc.

It's gonna be every man for himself, except that some of those "men" are corporations which will flatten the rest of you like cockroaches. Unless you're some CxO or something?

> many laws are being torn apart in the US

> It's gonna be every man for himself, except that some of those "men" are corporations which will flatten the rest of you like cockroaches.

Absurd hysteria, and then some.

The US economy is more regulated today than it was in the 1980s and 1990s, when it comes to both the environment and corporations in general. Even the banks are all under the direct control and supervision of the Federal Reserve now.

Somehow it must have been a miracle people survived the 1980s and 1990s. It was back in those mad max days, when anarchy ruled the day, and corporations just massacred people at will.

Back in reality, very little has changed in the last two years, other than the hysteria has increased dramatically. Even the vaunted regulatory cuts have been minuscule in scale, less than 0.1% of Federal regulations have been cut; mostly all that has occurred is a slowdown in regulatory accumulation. Trump has been flat-out lying about regulatory reductions.

Environmental regulations - and a narrow subset at that, almost entirely focused on energy - have been rolled back about four years so far, to Obama's second term.

I'm skeptical a President + party controlled House and Senate have ever done less than what Trump & Co. have done in the last two years. The sole major change under this administration has been the corporate tax cut.

> you're in the US, so you should definitely know what that's like.

Are you referring to immigration laws not being enforced in the US? I think it's much more complex than 'corrupt governments'.

Not sure where you got "immigration laws" from my post.

It was a guess.

If a government is doing this, it doesn't belong in the EU at all.

edit: the 'subjects' of the government however do need them in the EU, so hopefully the EU can protect those citizens against their own government?


I can assure this will not happen in Bulgaria and in Turkey (which is not an EU member but has a similar data protection law), because disclosed sources might reveal possible sources and uncover state corruption, to the point of invalidating a whole election.

Turkey is not in the EU.

Turkey is not in the EU, but it has a similar enough data protection law (KVKK), and unlike GDPR, this also covers the government operators (they cannot make 'we have different interests' excuse here); and unlike former EU DPD, we have strict data protection officer requirements (actually even stricter than GDPR by having a central track record of DPOs).

Sure, but the kicker here is that Romania's government is using the EU as an appeal to "higher power" to justify its actions, while Erdogan can't do that.

Hey Europe, that’s not how journalism works. Without the basic protections of journalists, you don’t have journalism, you have state-controlled propaganda.

Please don't equate Romania with the rest of Europe. If this story holds truth there will soon be talk in the remaining Europe to show Romania the door out of EU.

You should also know that many countries in Europe have less corruption than the USA. https://en.m.wikipedia.org/wiki/Corruption_Perceptions_Index

> If this story holds truth there will soon be talk in the remaining Europe to show Romania the door out of EU

Are you serious? That's the last thing the EU wants. Strictly speaking it's not even possible (legally) to force a state to leave the EU.

I did not say EU. I said Europe. The behaviour from Romanian politicians is grossly unacceptable and inconceivable in most European nations. National politicians throughout Europe will talk about an EU without "bad apples" as they have in many other cases.

> to show Romania the door out of EU

> I did not say EU


Also, you want to punish a whole country for some corrupt politicians?

Did someone forget to stake Ceaușescu's body and pin it down with a big rock?

Is all the old repression and corruption coming back, now that the latest leaders are too young to remember what had to be done to reduce it, just a little bit?

It isn't coming back, it was there all along, and they're not leaders, they are members of one or several organised crime syndicates disguised as political parties.

I work in email security and the WHOIS information we relied on to find out domains bulk-registered by spammers/phishers has essentially gone dark because of GDPR.

The url should probably have the embedded tracking link removed. "?fbclid=IwAR3oyyn-S4AchYYnsQlw_jZASnHclQxLPwS66IsgF19W73WjtFXYU-FhuYM"

Wouldn't this just incentivize people to stop sharing information?

Well that didn’t take long.

They are trying it on.

The journalists should not cave.

Rise officially said they will not cave. Rise Project has exceptional investigative journalism and are very serious about their job.

Good to hear.


Nice way to kill a conversation and any hope of building something better.

Romania's institutions are corrupt and dysfunctional, there isn't much more to say than that. It would be nice for the EU to lean in, but it's unlikely to do so, given the rise of anti-EU populism. Those journalists need help.

Right... it’s not that power corrupts; it’s that power is good and corruption is just something that coincidentally keeps popping up everywhere where there is power.

Also, what conversation? The one-sided echo-chamber where dissenting opinions are immediately met with hostility and censorship?

Power doesn't corrupt. It's generally just narcissists and egotists who want power the most.

Anyone who disagrees with you and supports GDPR is a lemming?

> Lemmings talk about it critically ...

The only people I see blaming GDPR are GDPR critics. And, curiously, they all are repeating each other's arguments sort of like a herd of ...

I meant lemmings talking about the situation critically, but I also meant the second definition of critical.

It's almost like there were a lot of people warning about legal ramifications of GDPR and nobody listened.

Same thing with the meme law

You can't pass regulations requiring governments to protect personal data then get mad when a government goes to protect personal data. Who that data is about, whether a high-profile politician or an average joe, doesn't matter.

Either everyone is protected from third parties gathering data on them, or nobody is. Can't have it both ways.

To be clear, this has nothing to do with personal data protection and everything to do with journalists publishing evidence tying senior Romanian politicians to fraud and the embezzlement of public funds.

This is an issue of free speech and free press. Perverting the privacy regulations is just a means to an end for a corrupt government. Do not mistake that corruption for any sort of privacy protection.

Yeah. I'm entirely convinced that if not in GDPR, they would have found a method to go after these journalists in another law. GDPR has the added benefit of being able to blame it on "we have to comply with EU laws" though.

This quick pick of GDPR to abuse certainly says something about the potential for abuse and its palatability for those that do abuse law.

> Can't have it both ways

Yes one can. One can simply exempt the law's application to certain people, e.g. the fourth estate. GDPR does that. The problem, here, is the government is judge, jury and executioner.

Well, technically, the state is always judge, jury and executioner. These functions may devolve to different parts of the state but they are always part of the state.

Which is to say that any law that grants journalists more freedom of expression than the average person is going to run up against the problem of state then aiming to define journalists as "the people we like".

It's like current employment, where it's illegal to fire someone on the grounds of race but legal to fire them "for no reason at all". That situation can protect people but it's clearly rather weak.

> technically, the state is always judge, jury and executioner

Pardon me, I meant to say "prosecutor, judge, jury and executioner." In jury trials, the jury is the jury. Not the government. And in American civil cases, the prosecutor is a private citizen's attorneys. Not the state.

GDPR's structure is highly state-reliant. It's analogous to securities regulation in the United States. Any complaint triggers an investigation by the state, with the state able to bring and decide on charges and fines.

If you trust your government, this isn't a big deal. If you don't trust your government, it is horrific.

> And in American civil cases, the prosecutor is a private citizen's attorneys. Not the state.

That's not entirely true, for example SEC enforcement is usually a civil action.

> That's not entirely true, for example SEC enforcement is usually a civil action

You are correct, I spoke too broadly.

Ironically, when discussing GDPR's regulatory structure, American securities law is my analogy. It's a high-cost structure. It deters new entrants and encourages bureaucracy. The cost is worth it, with securities, because the risks are so great.

GDPR is one way to do privacy regulation. From my American perspective, it's the wrong way because it implicitly trusts the government to act justly. But its results shouldn't detract from other fights to install reasonable privacy regulations.

And you should never trust your government.

" to certain people, e.g. the fourth estate"

And who exactly belongs to that category?

... is the issue.

It has to be defined based on activity, not a class of individuals wherein there's no real means to classify.

Who decides which organizations are part of the fourth estate? Is the NYT part of it? Bloggers? CNN? Breitbart? The Daily Stormer?

Art. 85 of the GDPR defines the exemptions in terms of how the data is used, not with respect to who uses it.

> For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations ... if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

You can of course shift the argument to "what is journalism?", which does indeed have some fuzzy boundaries, but to claim that investigating and exposing widespread government corruption is anywhere near those fuzzy boundaries is a stretch, to say the least.

> Who decides which organizations are part of the fourth estate?

In the United States, given our Constitution enumerates certain freedoms for the press, there is a rich corpus of case law drawing this delineation. I am not sure if such a corpus exists in the EU, and am fairly certain it does not exist in every one of the EU's twenty-eight member states.

What delineation? It doesn't exist. Anyone can say "fuck the President". There is no extra special secret first amendment for journalists.

> What delineation? It doesn't exist.

The First Amendment says "Congress shall make no law...abridging the freedom of speech, or of the press..." [1]. The comma is the delineation. In case law, the exploration of this delineation has produced definitions with precedent [2].

More practically, the linked-to article explores "whether the 'institutional press' is entitled to greater freedom from governmental regulations or restrictions than are non-press individuals, groups, or associations," concluding "the speech and press clauses may be analyzed under an umbrella 'expression' standard, with little, if any, hazard of missing significant doctrinal differences." (TL; DR There is a line, but it does not appear to matter much.)

[1] https://law.justia.com/constitution/us/amendment-01/06-diffe...

[2] https://en.wikipedia.org/wiki/Freedom_of_the_press_in_the_Un...

This is basically the reason I don't like the idea of any law that treats journalists as some separate class or entity. Journalism is not something you should need a certain background to do, and any laws or exemptions made for it run the very real risk of being used to stifle competition or prop up state propaganda outfits.

All of them. Anyone who publishes is part of the 4th estate. People who exploit your personal data privately do not.

> Anyone who publishes is part of the 4th estate.

"Anyone who publishes" would be a lousy exemption for privacy requirements. Facebook puts out blog posts. Does that count as publishing?

The history of the freedom of the press in the United States [1] is worth perusing, particularly the recent case law.

[1] https://en.wikipedia.org/wiki/Freedom_of_the_press_in_the_Un...

Facebook? Twitter users? We are all the press.

Well, yes, you actually can. Which is why exemptions exist to most regulations. Like, as the other commenter specified, exemptions to journalistic data for the GDPR.

Exceptions are left entirely to local governments. That went well.


Why not? You're claiming that this is a binary choice without explaining why.
