That may not apply, because of the clever (evil too, but also clever) way they are doing this.
If they were asking as data subjects where the data came from (which data subjects have a right to under Article 15 1(g)), then journalism and public interest exceptions should apply.
But that's not what they are doing. They aren't coming in as data subjects asking about the data held on them. They are coming in as an Article 51 supervisory authority in charge of monitoring GDPR in their country. They are claiming to be doing the tasks Article 57 assigns to the supervisory authority, and exercising the powers Article 58 gives them for that.
Presumably, someone who the journalists wrote about alleged that the journalists were not complying with GDPR in how they obtained and used the data.
And so now the supervisory authority is investigating that. Article 58 gives them power "to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks". They can probably argue that in order to decide if a journalism or public interest exception applies, they have to know where the data came from and how it was obtained.
Assuming things are as corrupt as people have claimed, I'd expect they will go in, and if they obtain the information on the sources, they will rule that a journalism or public interest exception applies, and dismiss whatever sham GDPR complaint they had someone file to set this off.
That somebody is the chief of the ruling party, Liviu Dragnea, president of one of the houses of parliament, who almost got to be named prime minister if not for an earlier conviction for electoral fraud.
He was now found guilty in a second unrelated criminal probe, and is appealing the sentence while at the same time trying to steer the legislative process and pressure his own party to decriminalize a large swath of offenses pertaining to his case, namely abuse of public office.
The journalists have recovered a large trove of damaging documents that are related to yet another criminal case (3rd, if you're counting) in which he is being investigated.
The head of the data protection agency is a former colleague from the same party and is herself under criminal investigation for fraud. Yeah, so these are the watchers.
Compare Romania's one sentence implementation of the journalism exception (translated by the EU website so perhaps not the best):
>In order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, processing for journalistic purposes or for the purpose of academic, artistic or literary expression, it may be carried out if it concerns personal data which have been made manifestly publicly disclosed by the data subject or closely related to the public personality of the person concerned or the public nature of the facts in which he is involved
With the U.K.'s implementation of that same exception [at Part 5]: http://www.legislation.gov.uk/ukpga/2018/12/schedule/2
If so, that is a pretty nasty unintended consequence.
When cheering on such laws, we should always ask ourselves whether we're cheering on the intent or the practical/potential effect. When viewed in the latter context, one might instead cheer on a much smaller, incremental approach towards such legislation (if at all).
The latter is often appropriate; people should be free to do what they want unless others are affected significantly. But when it comes to privacy and freedom of speech, I don't think so.
This cannot be generalized and is different depending upon the circumstance. In this case, I wholeheartedly disagree.
If we took into account the uncertainty properly, I think the balance would look very different, and many laws wouldn't pass simply because no-one would be able to vouch for the actual effects.
Even so, there are not the same "downsides and unintended consequence" to every option, nor do they have the same impact for every option chosen.
So, this is not some "6 of one, half a dozen of the other" case.
>The question is, do we want that power to be controlled democratically or to be arbitrarily exercised by the most powerful?
Whatever we want, in practice, and for pragmatic reasons, we usually get just a mix of both. So it makes sense to have laws that don't give so much possibility for arbitrary execution, or don't give too much power when arbitrarily executed.
You can remember whatever you want, about anyone or anything.
"This Regulation does not apply to the processing of personal data:
* "in the course of an activity which falls outside the scope of Union law;
* "by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
* "by a natural person in the course of a purely personal or household activity;
* "by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."
I thought the GDPR sign at the butcher shop was a joke?
What if this person had a hobby of simply collecting and cataloging information about people they come in contact with?
Then they are a data controller.
"A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.
In essence, you are a data controller if you can answer YES to the following question:
Do you keep or process any information about living people?"
Hopefully this'll go to court and set a precedent that is more in line with the spirit of the GDPR.
Of the western world we have the US, UK, and Canada that employ common law where precedent really matters.
In most of the EU the system of civil law is used, where the judiciary is expected to be much more literal and to not perform much interpretation or reference to previous interpretations.
It's still secondary to the statute and not 100% binding, but nevertheless it is a real part of the system.
Also, both the US and Canada have a civil law jurisdiction: Louisiana and Quebec, respectively.
Both do make some use of common law as well, but private law (governing relations between non-state parties) is even now predominantly civil law in both places.
If the original actors in this case were non-state parties, I expect that civil law would be applicable to a hypothetical Quebec version of this dispute. In Louisiana, same thing if the relevant law was at the state level rather than federal. (In Quebec, even federal laws are interpreted using civil law principles when covering private law topics.)
This is the problem with GDPR. Each member state decides what's clear and what's not. It may be appealable. But that's expensive, time- and attention-consuming and risky.
We need strong privacy regulation. One downside to a fragmented complain-investigate-fine regulatory structure (as opposed to strict liability or complain-mediate-investigate structures) is that these things happen, and when they happen they do so decisively.
It doesn't help to add arrows to their quiver. GDPR is a good law when a government can be trusted. It throws petrol on the fire in over-reaching states.
Literally the argument you would eventually see at the end of threads about GDPR. I don't know how many times I've said this, but it amazes me that people can feel so identified and represented by nation-state politics that they are so willing to trust their government.
And you're building a strawman with GDPR supporters, I don't think anybody said that nobody would ever try to abuse it. The GDPR has explicit provisions protecting journalists. It remains to be seen how this particular case pans out and if they truly manage to get the journalists to expose their source (or get heavily fined). If the Romanian authorities really manage to get this through and the rest of the Eurogroup doesn't react then yeah, that's quite worrying.
Also note that it's not like without the GDPR those journalists would be able to work peacefully anyway:
>Dragnea invoked the European data protection legislation last year when he threatened RISE Project with a lawsuit after journalists published stories on his connections to Tel Drum SA executives and other Romanian business people indicted for corruption and fraud.
>The president of the PSD never sued but soon after these threats were made, the Romanian Anti-Fraud Authority (ANAF) raided RISE Project’s offices, saying they suspected the organization of fraud. The investigation carried out by ANAF never uncovered any such fraud.
>RISE Project discovered that the initial complaint ANAF used to target RISE was a forgery filed by a non-existent person, with a non-existent physical address who falsely claimed that she worked as an accountant at the media house.
Due process is not really the keyword here from what I understand from this article. Something tells me that if it wasn't about the GDPR it would be something else.
I can't imagine that's true for investigative journalists reporting on corrupt governments. Big corporations do plenty of harm, but mostly in large-scale aggregate effects (like manipulating prices, tracking online behavior to deliver ads, creating filter bubbles in social networks, etc.), but governments can and do throw people in jail or worse.
I don't think the accusation is fair. All discussions I saw here about GDPR contained the line where opponents were raising the issues of trust to authorities, and supporters dismissing them.
Stasi operated in Germany just a few decades ago. Romania had Ceaușescu. But no, it's the evil corporations that are dangerous. The governments would never abuse human rights or anything like that.
Not I when I step back and assess potential and actual harms done. This is especially true the larger-scoped the laws and power given.
> And you're building a strawman with GDPR supporters, I don't think anybody said that nobody would ever try to abuse it.
Right, and the commenter didn't assert they did. The commenter quoted a phrase I too would hear frequently and questioned the trust people place in their institutions. Is there a term for a straw man straw man?
> If the Romanian authorities really manage to get this through and the rest of the Eurogroup doesn't react then yeah
Can the use of it as a threatening tool not be enough to require reaction? Must it get through? Why so much toleration?
I wouldn't trust them even if I elected them, because people and especially politicians holding public office can and will eventually turn rogue.
But I agree with you that if it wasn't the GDPR it would be something else: alleged tax fraud, money laundering, you name it. Stuff taken out of their own playbook. It's just blackmail and racketeering executed by state institutions. This is why we need strong checks and balances against state institutions and time limits for holding office against politicians.
Fact of the matter is, that the GDPR is a pile of shit (it's basically an argument that only the Government should be allowed to amass and weaponise information, where I'd argue that nobody should be allowed to), but so is the mass centralisation of information in the hands of large, powerful entities that it's intended to target. And one would be entirely unnecessary and unwarranted without the other.
But it's no surprise when the press is called "the enemy of the people"
That's not so much a problem with GDPR as nation states.
As an aside, "nation state" is not a fancy way of saying country. It has a specific meaning denoting a mostly ethnically homogeneous nation. E.g. Belgium is most certainly not a nation state.
- one world government? All the problems of nation states and then some. Plus nowhere to seek refuge. It's not like a government more powerful than all today's governments would magically become less corrupted.
- no government? Has its own problems as well.
What we have today is a mess but IMO it's the price we have to pay to avoid the worst dictatorship imaginable on this earth or going back to the dark ages.
Out of GDPR and nation states, only one can be abolished.
That was a big problem with the Data Protection Directive (which the GDPR replaced).
But now the European Data Protection Board (basically, the supervisory authorities from the member states and EEA member states, plus the European Data Protection Supervisor) can make sure that each supervisory authority is - approximately - following the same standards.
Each case gets filed in a common system by the lead authority investigating it and cases get discussed between the Board members.
"But the victim of the brutal rape and murder was Bulgarian television journalist Viktoria Marinova — and her last broadcast was about the theft of hundreds of millions of euros from European Union-funded programs in her country.
Even those who had never heard of the so-called “GP scandal” certainly know about it now.
In the program, which aired just six days before she was killed, Marinova interviewed reporters from OCCRP’s Bulgarian partner, Bivol and its Romanian partner, the RISE Project."
You believe that? That means he doesn't have to supply a single detail of how the rape and murder even happened. And the DNA evidence? Trivial to link to somebody in a corrupt system. If he's going to confess he needs to provide details, like if she was sodomized, where he hit her, etc. Plus what drugs was he on? Either he could still test positive or they can hair test him.
Romania =/= Bulgaria
Edit: Comments filled me in. The regulation seems to relate in part to people having the right to know who is collecting what data on them.
This is what the demand letter requests:
- The purpose and legal basis of publishing on the Internet (Facebook) of personal data, at the address https://www.facebook.com/notes/rise-project/teleormanleaks/1...
- The date/period of time when the said personal data was published on your Facebook account;
- The source from where the personal data published on Facebook was obtained;
- The support (electronic and/or physical) where you stored the documents/images published on Facebook;
- If the mobile storage devices (tablet, HDD, memory stick) were/are password protected or encrypted;
- If you have other information/documents containing personal data of the said people;
- If the personal data or documents that contain personal data of the said people were revealed in other circumstances - with the specification of these circumstances;
- The way in which you informed the said people, in conformity with Art. 13-14 of GDPR.
"If you host someone's information for public view on a website, under the GDPR, you have to say where you got it. Therefore, if someone leaks our (the government's) information and you're hosting it, you must say who the leaker was."
Do I have that right?
GDPR does two important things: it gives natural persons rights over the data collected about them and creates requirements for when/how/why a company can collect data about natural persons as well as what can be done with it (called "processing").
GDPR requires companies get affirmative consent from individuals in order to collect information about them and to inform them about how that information is processed. Importantly, the definition of processing under GDPR includes gathering, disclosing, and disseminating information.
From reading the demand letter and not knowing much else about the case it seemed to me that the government is taking the position that the data transaction between the source and the journalists was unlawful because the subject owner of the data (the politician) did not consent and that whoever provided the information (assuming they were permitted to possess the data) did not fulfill their obligation to protect it.
If you take the journalism/politician/embezzlement piece out of the equation the logic makes more sense. If you live in the EU and someone gets a copy of your tax return and posts it on Facebook the government would do well to figure out how that person got your tax return and make sure your accountant (who rightly has a copy of your tax return) is sufficiently protecting your personal information. Where the logic falls apart is that GDPR is expressly not intended to apply to information collected for "journalistic purposes," as is the case in Romania.
No it doesn't.
Not all of them were necessary, and some of them might be harmful to those sending them down the road: if they had a valid reason before but asked, question is what happens if the person on which data was collected rescinds their permission? Answering "you refuse, but we have a legit reason according to GDPR" is a recipe for bad PR at least.
Crooked, corrupted political party trying to escape from a massive corruption scandal using GDPR. Shameful.
But hey, at least now every tiny blog will dump a huge pop up every time I visit telling me how important is my "privacy" to them.
I've read most if not all the GDPR topics on HN and all the GDPR critics I've read were basically worried about ad-funded businesses or an abstract concept of freedom from government control - as in let the market decide.
So it's far fetched to now claim that everyone was worried about journalism.
Furthermore, this is clearly political power abuse. Apparently the same organisation was raided for a "fraud" investigation. The problem's the corrupt government, not the privacy law.
Here's a panel in May: https://eijc18dataharvest.sched.com/event/ETCN/gdpr-the-new-...
A corrupt government and an overreaching regulation (look ma, two oxymorons in a single phrase!) and this is the price you pay for... for what? What did you actually gain from gdpr?
The GDPR which mandates exceptions for journalism, by the way.
Criticized for enabling this, for chilling effects on European startups, for solidifying the monopoly of huge web behemoths like Facebook and Google, and for generally creating a shitty everyday browsing experience.
All for the absolutely ZERO benefits GDPR brought so far...
Can you support this please?
I also was afraid the Romanian government (and other autocratic governments) will do a poor job translating the GDPR into national law.
In theory the Soviet Union and other communist governments had lots of laws outlining a fair and equal treatment of citizens, in practice they were disappearing people.
It's a minor miracle we have it at all.
The enemies of privacy, advertising drones, the brainwashed and careless love to attack it because it's hitting their pockets or making them click away some inconvenient pop-up.
It protects the massive corporate interests while encumbering startups and offering governments another way to abuse people.
All that while bringing ZERO benefits. Please tell me ONE way my life is better since GDPR. It's been a little while, after all.
One of these companies was an airline. They would share the price you paid (meal you chose, etc.) with among others, a company specializing in "individualized pricing". Meaning: if you flew business class, the telecom company might just not show you the cheaper options next time your contract is up for renewal.
The UK government has done this to multiple journalists including the Guardian, BBC, Greenwald's partner famously among others under the 'terrorism act'.
The US govt is liberally using subpoenas, court processes and threatening new laws to force journalists to give up sources.
Also be aware also on the multisystem universe called ‘parallel state’.. that guy Dragnea, doesn’t have any limits!
It's also fairly representative of their projects. In the way that, having been marginally involved with some of the work they do in Eastern Europe, I went looking for information on their sponsors with the specific expectation of finding the OSF among them.
That's the point... when journalists upset governments, ugly things happen. The last person we should be blaming is Assange!
Why did nobody think about that?
Thanks for your hard work! It would be great if you could share more in this discussion.
> The data exists in at least four different legal regimes.
Doesn't redundancy have a negative effect in this scenario? I would think four legal regimes would very approximately quadruple exposure. If they can't get you in one regime, they'll get you in another.
You might want to alter your word choice a bit. As an American, “must be convicted” reads as “must be found guilty in court”, which I’m pretty sure isn’t what you meant. Even changing the order to “brave, convicted and honest” would help — putting the ambiguous item in the middle of the list helps to clarify which meaning you intended.
This is evidently wrong.
And I'm tired of clicking cookie popups. I literally do not care.
That was the whole goal. Many of those cookie popups were not necessary, at least before the time where every website had extensive surveillance into what you were doing. You don’t need to put a popup for login cookies, for example. But websites loved doing it anyways because it would make their visitors annoyed and think that the cookie law was clearly stupid.
The fact is that the cookie rules apply to more or less any website in the EU. In fact websites do not even comply with the regulation 100% since you cannot use tracking cookies until you have consent - but almost all websites just comply with the information part of the regulation.
I mean, you're in the US, so you should definitely know what that's like.
Whataboutism aside, most definitely, hence the opposition to such "good" laws in the first place. The perspective of taking the good-with-the-bad status quo compared to the alternatives is rooted in rational precedence.
It's gonna be every man for himself, except that some of those "men" are corporations which will flatten the rest of you like cockroaches. Unless you're some CxO or something?
> It's gonna be every man for himself, except that some of those "men" are corporations which will flatten the rest of you like cockroaches.
Absurd hysteria, and then some.
The US economy is more regulated today than it was in the 1980s and 1990s, when it comes to both the environment and corporations in general. Even the banks are all under the direct control and supervision of the Federal Reserve now.
Somehow it must have been a miracle people survived the 1980s and 1990s. It was back in those mad max days, when anarchy ruled the day, and corporations just massacred people at will.
Back in reality, very little has changed in the last two years, other than the hysteria has increased dramatically. Even the vaunted regulatory cuts have been minuscule in scale, less than 0.1% of Federal regulations have been cut; mostly all that has occurred is a slowdown in regulatory accumulation. Trump has been flat-out lying about regulatory reductions.
Environmental regulations - and a narrow subset at that, almost entirely focused on energy - have been rolled back about four years so far, to Obama's second term.
I'm skeptical a President + party controlled House and Senate have ever done less than what Trump & Co. have done in the last two years. The sole major change under this administration has been the corporate tax cut.
Are you referring to immigration laws not being enforced in US? I think it's much more complex than 'corrupt governments'.
edit: the 'subjects' of the government however do need them in the EU, so hopefully the EU can protect those citizens against their own government?
You should also know that many countries in Europe have less corruption than the USA. https://en.m.wikipedia.org/wiki/Corruption_Perceptions_Index
Are you serious? That's the last thing the EU wants. Strictly speaking it's not even possible (legally) to force a state to leave the EU.
> I did not say EU
Also, you want to punish a whole country for some corrupt politicians?
Is all the old repression and corruption coming back, now that the latest leaders are too young to remember what had to be done to reduce it, just a little bit?
The journalists should not cave.
Romania's institutions are corrupt and dysfunctional, there isn't much more to say than that. It would be nice for the EU to lean in, but it's unlikely to do so, given the rise of anti-EU populism. Those journalists need help.
Also, what conversation? The one-sided echo-chamber where dissenting opinions are immediately met with hostility and censorship?
> Lemmings talk about it critically ...
The only people I see blaming GDPR are GDPR critics. And, curiously, they all are repeating each other's arguments sort of like a herd of ...
Same thing with the meme law
Either everyone is protected from third parties gathering data on them, or nobody is. Can't have it both ways.
This is an issue of free speech and free press. Perverting the privacy regulations is just a means to an end for a corrupt government. Do not mistake that corruption for any sort of privacy protection.
Yes one can. One can simply exempt the law's application to certain people, e.g. the fourth estate. GDPR does that. The problem, here, is the government is judge, jury and executioner.
Which is to say that any law that grants journalists more freedom of expression than the average person is going to run up against the problem of the state then aiming to define journalists as "the people we like".
It's like current employment, where it's illegal to fire someone on the grounds of race but legal to fire them "for no reason at all". That situation can protect people but it's clearly rather weak.
Pardon me, I meant to say "prosecutor, judge, jury and executioner." In jury trials, the jury is the jury. Not the government. And in American civil cases, the prosecutor is a private citizen's attorneys. Not the state.
GDPR's structure is highly state-reliant. It's analogous to securities regulation in the United States. Any complaint triggers an investigation by the state, with the state able to bring and decide on charges and fines.
If you trust your government, this isn't a big deal. If you don't trust your government, it is horrific.
That's not entirely true, for example SEC enforcement is usually a civil action.
You are correct, I spoke too broadly.
Ironically, when discussing GDPR's regulatory structure, American securities law is my analogy. It's a high-cost structure. It deters new entrants and encourages bureaucracy. The cost is worth it, with securities, because the risks are so great.
GDPR is one way to do privacy regulation. From my American perspective, it's the wrong way because it implicitly trusts the government to act justly. But its results shouldn't detract from other fights to install reasonable privacy regulations.
And who exactly belongs to that category?
... is the issue.
It has to be defined based on activity, not a class of individuals wherein there's no real means to classify.
> For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations ... if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
You can of course shift the argument to "what is journalism?", which does indeed have some fuzzy boundaries, but to claim that investigating and exposing widespread government corruption is anywhere near those fuzzy boundaries is a stretch, to say the least.
In the United States, given our Constitution enumerates certain freedoms for the press, there is a rich corpus of case law drawing this delineation. I am not sure if such a corpus exists in the EU, and am fairly certain it does not exist in every one of the EU's twenty-eight member states.
The First Amendment says "Congress shall make no law...abridging the freedom of speech, or of the press...". The comma is the delineation. In case law, the exploration of this delineation has produced definitions with precedent.
More practically, the linked-to article explores "whether the 'institutional press' is entitled to greater freedom from governmental regulations or restrictions than are non-press individuals, groups, or associations," concluding "the speech and press clauses may be analyzed under an umbrella 'expression' standard, with little, if any, hazard of missing significant doctrinal differences." (TL; DR There is a line, but it does not appear to matter much.)
"Anyone who publishes" would be a lousy exemption for privacy requirements. Facebook puts out blog posts. Does that count as publishing?
The history of the freedom of the press in the United States is worth perusing, particularly the recent case law.