UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
COUNCIL OF EUROPE CONVENTION ON CYBERCRIME
By Law No. 64/2004, Romania has ratified the Council of Europe Convention on Cybercrime (ETS No. 185, 23 November 2001). Since that ratification, Romanian national laws have been amended so as to comply with the requirements of the convention regarding the collection, search, seizure, making available and interception of data.
LAW NO. 506/2004
According to Article 4 of Law No. 506/2004 on personal data processing and privacy protection in the electronic communications sector, the interception or surveillance of communications and related traffic data may be made only by the relevant public authorities as set out in the applicable statutory provisions or by the parties to the communications, unless the latter have consented in writing to the interception or surveillance being made by other parties.
LAW NO. 51/1991
Interceptions may be made on the request of intelligence and security agencies under Article 15 of Law 51/1991 where there are threats to the national security.
LAW NO. 14/1992
According to Article 8 of Law No. 14/1992 on the Romanian Intelligence Service organisation, the National Interceptions Centre is legally empowered to ensure the relevant enforcement authorities have the technical permits to execute the technical surveillance warrants.
CRIMINAL PROCEDURE CODE
The following rules under Article 139(1) of the Criminal Procedure Code (Law No. 135/2010) regarding technical surveillance apply in relation to prosecuting certain categories of crime:
a. there is a reasonable suspicion that a serious crime is planned or has been committed;
b. the measure taken is proportionate to the restriction of the rights and freedoms that it entails; and
c. the relevant evidence could not be obtained otherwise or there is a danger for the safety of persons or valuables.
Furthermore, interceptions may be made based on warrants issued by the relevant court of law for a period of 30 days, which can be subject to further 30-day extensions granted by the court up to a total overall period of six months.
In exceptional cases, the prosecutor’s office may directly authorise the interception by order for no more than 48 hours (Article 141(1) and (2) of the Criminal Procedure Code). The relevant prosecutor’s office is to apply for the court’s confirmation of the interception within no more than 24 hours of the expiry of an interception order (Article 141(3) and (4) of the Criminal Procedure Code).
According to Article 142(2) of the Criminal Procedure Code (Law 135/2010), the service provider is to cooperate with the prosecutor’s office and the relevant authorities in order to enforce the technical surveillance (interception) warrants issued by the court.
ANCOM DECISION NO. 987/2012
According to Article 3.8 of Annex No. 1 to Decision No. 987/2012 of the National Authority for Management and Regulation in Communications (ANCOM) on the general authorisation for the provision of electronic communications networks and services, the service provider is inter alia obliged to:
i. technically allow the relevant authorities to perform interceptions and to make available all technical data regarding interceptions, in the format established by the authorities;
ii. duly cooperate with the relevant authorities involved in interceptions and ensure the confidentiality of interception operations;
iii. cooperate with the relevant authorities to implement security and audit criteria regarding the national communications interception system developed by them;
iv. take all necessary technical measures to enable interceptions in general and immediately enable the enforcement of interception warrants in particular;
v. place at the disposal of the relevant authorities the interception management servers and the administration and operation consoles it holds, as required to ensure interceptions; and
vi. bear the costs of the interception interface.
As per Article 8(2)(k) of the Government Emergency Ordinance No. 111/2011 on electronic communications, the conditions under which service providers are to bear the costs related to the interception interface are established by the general authorisation issued by ANCOM to the service provider.
Disclosure of Communications Data
COUNCIL OF EUROPE CONVENTION ON CYBERCRIME
With Law No. 64/2004, Romania has ratified the Council of Europe Convention on Cybercrime (ETS No. 185, 23 November 2001). Since that ratification, Romanian national laws have been amended to comply with the requirements for the collection, search, seizure, making available and interception of data.
LAW NO. 82/2012
Decision No. 440 of 8 July 2014, issued by the Romanian Constitutional Court, has been published in the Official Gazette Part I No. 653 of 4 September 2014. On grounds of unconstitutionality, the decision repealed Law No. 82/2012 on the retention of data generated and processed by providers of electronic communications network or service.
LAW NO. 506/2004
Law No. 235/2015 amending and supplementing Law No. 506/2004 on personal data processing and the protection of privacy in electronic communications was published in the Official Gazette Part I No. 767 of 14 October 2015.
According to Article 5(1) of Law No. 506/2004 as amended, traffic data for customers should be deleted or turned into anonymous data when they no longer serve the delivery of a communication, but not later than three years after the communication.
According to the newly introduced Article 121(1) of Law No. 506/2004, communications providers may be obliged to provide data regarding traffic, equipment identification and localisation on request of the courts of law, criminal investigation bodies and national security agencies, subject to prior authorisation from the relevant court.
If the request is made by national security agencies, the procedures set out in Articles 14, 15 and 17–23 of Law No. 51/1991 regarding Romania’s national security are to be observed, as detailed in Section 3 below.
According to Article 121(1), data disclosed as a result of such a request may not be erased or made anonymous by communications services providers if that is specified by the authority that has made the request, until the reasons that grounded the disclosure request have ceased and not more than five years after the date of the request or until the date of a final and binding court decision. The relevant authority must inform the communications services providers when the reasons that grounded the request have ceased.
CRIMINAL PROCEDURE CODE
Communications service providers have an obligation to disclose traffic and location data, according to Article 152(1) of the Criminal Procedure Code (Law No. 135/2010).
The latest wording of Article 152, amended 2 May 2016 by Law No. 75/2016 on the approval of the Government Emergency Ordinance No. 82/2014 on the amendment and supplementation of Law No. 135/2010 of the Criminal Procedure Code, states that a prosecutor may, based on previous court approval, order communications providers to disclose traffic and location data, when all the following conditions are fulfilled:
i. there are reasonable suspicions regarding the perpetration of one of the crimes that are expressly listed in paragraph (1) letter a) of Article 152;
ii. there are justified grounds to consider the data as evidence;
iii. the evidence cannot be obtained in any other way or its collection could prejudice the investigation or endanger persons or valuable goods; and
iv. the measure limits the subject’s fundamental rights, given the particularity of the case, in proportion to the importance of the information or of the evidence that is to be obtained, or the gravity of the crime.
Under Article 138 of the Criminal Procedure Code (Law No. 135/2010), criminal prosecution bodies may access any computer system, either directly or by means of specialised software or networks, and may intercept any type of communication in order to identify evidence, where:
i. there is a reasonable suspicion about a serious offence/crime;
ii. the measure is in proportion to the restriction of the rights and freedoms that it entails; and
iii. the relevant evidence could not be obtained otherwise or there is a danger for the safety of persons or valuables.
According to Article 139(1) of the Criminal Procedure Code (Law No. 135/2010), access to computer systems requires a warrant to have been issued by the court.
In exceptional cases, the prosecutor’s office may directly authorise the access by order for no more than 48 hours (Article 141(1) and (2) of the Criminal Procedure Code).
According to letter b1) of Article 523 paragraph (1) of the Criminal Procedure Code (Law No. 135/2010), newly introduced by Law No. 75/2016 referred to above, communications providers may be requested to provide traffic and location data based on a court warrant throughout the procedures aiming to locate fugitives from justice. In accordance with Article 524, amended by the same Law No. 75/2016, the disclosure of such data may be made on the request of the relevant prosecutor if the relevant court finds that the identification, searches, localisation and finding of the fugitive cannot be made by other means or would otherwise be substantially delayed.
CIVIL PROCEDURE CODE
According to Article 297(1) of the Civil Procedure Code, in civil and commercial trials the court may issue orders for third parties holding relevant information to present it in court if it is necessary for the settlement of the case.
National Security and Emergency Powers
Article 13 of Law No. 51/1991 regarding Romania’s national security states that national security agencies may request communications data generated or processed by communications providers (other than the content of these communications) and retained by them under the law. Instances where communications providers may retain communications data are scarce and strictly regulated.
According to the newly introduced Article 121 of Law No. 506/2004 on personal data processing and privacy protection in the electronic communications sector, traffic data, equipment identification data and location data are to be disclosed, among others, on request of national security agencies in accordance with the legal provisions on data privacy, and subject to the procedure set out in Articles 14, 15 and 17–23 of Law No. 51/1991.
This disclosure may not be requested unless:
i. the following conditions are fulfilled:
a. there is no alternative way to learn about, prevent and counteract risks or national security threats;
b. the measures are necessary and proportional given the circumstances of the case; and
c. the authorisation provided by the law has been obtained; and
ii. an express authorisation and a warrant issued by the High Court of Cassation and Justice (Romania’s supreme court), on request of the prosecutor’s office attached to said court, are obtained; in exceptional cases (ie when a delay would severely prejudice the purpose of the envisaged activities) the authorisation may be issued by the prosecutor for a maximum of 48 hours, after which a court authorisation must be obtained.
Data disclosed following such a request may not be erased or made anonymous by communications services providers if so specified by the national security agency that has made the request, until the reasons that grounded the disclosure request have ceased and not more than five years since the date of the request or until the date of a final and binding court decision, as the case may be. The relevant agencies are to inform the communications services providers when the reasons that grounded the request have ceased.
Article 24 of Law No. 51/1991 also sets a general obligation for all public and private sector actors to provide support to national security agencies and allow them access to data held that may have an impact on national security. Nonetheless, insofar as communications services providers are concerned, such access should be deemed subject to the limitations and procedures described above.
Under Articles 1 and 3(c) of Law No. 132/1997 on requisitions, under exceptional circumstances (eg war, national emergency and disasters) public authorities and national defence forces can take temporary possession of any goods in order to gain access to and use of the telecommunications systems.
According to Law No. 132/1997, the following instruments are required to requisition the assets of telecommunications networks:
i. a requisition plan drawn up by the local authorities before the relevant events occur (Article 5(2)); and
ii. a military order for hand-over to be issued at the date of the actual requisition (Article 13).
According to Article 18 of Government Emergency Ordinance No. 34/2008 on the National System for Emergency Calls, the providers of electronic communications are obliged to make available, free of charge, to the director of the National System for Emergency Calls an updated database with all telephone numbers, names and addresses of customers.
Oversight of the Use of Powers
In addition to those set out above, the following rules relate to remedies that may be sought following the use of these powers:
a. cost conditions related to an interception interface are to be borne by the service provider and may be challenged in court via administrative litigation; and
b. requisition measures may be challenged in court only with respect to the amount of the compensation.
SHUT-DOWN OF NETWORK AND SERVICES
Government Emergency Ordinance No. 111/2011
The Government Emergency Ordinance No. 111/2011 gives the telecom regulatory authority, ANCOM, the power to shut down Vodafone’s network or services (temporarily or permanently) in certain circumstances.
Article 9(2) of the same act provides that ANCOM may withdraw a general authorisation from a service provider where necessary in light of an international agreement entered into by Romania or required to protect the public interest. Under Article 135(1), withdrawal of the general authorisation may be made only after the decision is subjected to public debate; this consists of one or more public sessions where members of the industry, civil organisations and other relevant authorities are invited to submit their observations on the proposed measures; observations expressed during the public debate must then be observed by ANCOM.
Under Articles 147 and 148, ANCOM may revoke a service provider’s right to supply networks or certain communications services for between six months and three years and/or remove the service provider’s right to use numbering resources, radio frequencies and other technical resources:
- where that service provider has failed to comply with any of the terms of its general authorisation, frequency or licence numbering; or
- if it has failed to comply with certain obligations regarding monitoring spectrum usage, numbering resources or providing financial documents.
Under Article 141(1) ANCOM must notify the service provider before revoking or suspending its right to supply networks or communications services, or revoking or suspending its right to use numbering resources, radio frequencies or other technical resources.
BLOCKING OF URLS & IP ADDRESSES
Law No. 196/2003
Article 11(2) of Law No. 196/2003 provides that ANCOM may require an internet service provider, such as Vodafone, to block the URL or IP address of websites containing illicit content. Illicit content is pornographic content which lacks an appropriate age restriction warning or which contains child sex abuse, bestiality or necrophilia.
Government Emergency Ordinance No. 77/2009
Article 10(7) of Government Emergency Ordinance No. 77/2009 on gambling provides that network and internet service providers are obliged to comply with the decisions of the Gambling Monitoring Authority with respect to blocking access to unauthorised gambling websites in Romania.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Law No. 132/1997
Under Articles 1 and 3(c) of Law No. 132/1997, in exceptional circumstances public authorities and national defence forces can take temporary possession of any network assets in order to gain access to and use of a telecommunications network. Exceptional circumstances would be a national emergency such as a natural disaster or war. According to Article 5(1)(c), when making a requisition, a local authority must present its requisition plan (drawn up before the relevant events occur) and, where the requisition is made by national defence forces, the relevant force must present a military order for the possession of network assets issued at the date of the actual requisition.
Law No. 255/2010 enables public authorities to take possession of any type of land or building if this is required for public utility reasons. In order to expropriate the land or building, a decision of the government or local administration, setting out the details of the seizure and the amount of compensation to be awarded, must be presented.
Oversight of the Use of Powers (Censorship-related)
All decisions made by ANCOM or the Gambling Authorisation Commission can be challenged in court by administrative litigation proceedings.
Where a public authority or military force takes control of Vodafone’s network in accordance with Law No. 132/1997 or Law No. 255/2010, the party subject to requisition or expropriation may challenge in court the amount of compensation received for their losses arising from such expropriation, but not the decision itself to expropriate.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
The current legislation does not contain provisions explicitly requiring communications service providers (CSPs) to decrypt communications data. Nonetheless, such an obligation could be inferred from the various legal provisions enshrining general law enforcement assistance obligations to allow interception of communications content or to provide various other data.
Regarding the interception of content (see ‘Provision of real-time lawful interception assistance’ earlier in this chapter), Article 142(2) of the Criminal Procedure Code provides an obligation for CSPs to cooperate with prosecutors and criminal investigation bodies, to the best of their capabilities, in order to execute technical surveillance warrants. Likewise, Article 3.8 of Decision No. 987/2012 of ANCOM sets out an obligation for CSPs to allow competent authorities to perform interceptions, as well as to make all technical data regarding interceptions available, to provide technical support in intercepting communications and, in general, to take all technical measures necessary to immediately execute interception warrants. It may, therefore, be inferred that interception should offer access to the decrypted version of the content, where the ability to decrypt is within the CSP’s technical competence (by holding the encryption key).
Regarding traffic and location data processed by CSPs (see ‘Disclosure of communications data’ earlier in this chapter) – in particular Article 152, Articles 523–524 and Article 170(2) of the Criminal Procedure Code – it may be argued that where a CSP holds the encryption key, the traffic and location data it is legally obliged to provide should be decrypted so that the disclosure is effective.
Finally, there are other legal provisions, such as those concerning powers of national security or competition authorities, regulating in an equally broad manner such authorities’ rights to access certain types of data. These legal powers may apply in this context as well, depending on the scenario.
In the absence of any meaningful court practice on the matter to date, opinions among criminal law practitioners on the subject are, however, divided, with some holding the view that there are no legal grounds at present to support a decryption requirement.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
As described in detail above, the statutory law on law enforcement (Law No. 135/2010 regarding the Criminal Procedure Code) as well as other laws enshrining various rights to access data in favour of national security agencies and other authorities, contains no explicit provision regarding the legal authority of the government to order CSPs to decrypt data, whether encrypted by the CSPs themselves or by third parties.
However, to the extent that decryption of the data is within a CSP’s competence or control, and based on existing general provisions, it may be argued that the CSP should proceed to decryption when requested to ensure access to certain data.
With a lack of any meaningful court practice on this subject to date, opinions among criminal law practitioners are, however, divided, some favouring the view that there are no legal grounds at present to support a decryption requirement.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
Under existing legislation, there is no explicit provision prohibiting a CSP from offering end-to-end encryption on its communications services.
Under the circumstances, this question should be considered from two angles, as follows.
Firstly, it should be considered whether, when facing a specific request for disclosure of encrypted data, the CSP would also be required to decrypt it. Arguably, as described in Questions 1 and 2 above, to the extent that decryption is within the CSP’s technical capabilities, a decryption request might be considered as grounded. However, to the extent that the decryption is not within the CSP’s technical reach and capabilities, the risk that a decryption request (that is filed based on the general obligations of access to the data concerned described at Question 1) might be considered as grounded should be considerably smaller.
Secondly, it should be considered whether the fact that a CSP is setting up an end-to-end encryption service would, as a direct consequence, make it impossible to effectively enable the relevant authorities to access the data that they are entitled to request. This itself could be deemed a breach of the laws mentioned at (A) and (B).
Regarding the provisions of the statutory law on law enforcement, the risk should be remote, as long as the decryption is not within the CSP’s competence and technical capability.
Moreover, even if one could deem that failure to decrypt the data or failure altogether to provide data in a readable form, might amount to a breach of the CSP’s law enforcement related obligations, as a matter of principle this should not be considered as a criminal offence.
Likewise, setting up a service of end-to-end encryption while being aware that it may be used by persons perpetrating criminal offences should not by itself trigger a CSP’s criminal liability.
This is because the criminal offences concerned (ie the obstruction of justice, regulated by Article 271 of Law No. 286/2009 of the Criminal Code and the support to a person committing criminal offences, regulated by Article 269 of the Criminal Code) require, in principle, a direct intention on behalf of the CSP. In other words, in order to commit such offences, the CSP would have to provide end-to-end encryption with the direct purpose of obstructing justice and of helping those who commit criminal offences.
Regarding the provisions of the communications legislation, these state, among other things, as mentioned in Questions 1 and 2, that a CSP is to provide support to relevant authorities and take all requisite technical measures to ensure that the interception of a communication takes place. Such a general obligation could eventually be construed as requiring the telecommunications operator to provide or ensure effective access, namely access to decrypted information. However, it may be argued that by setting up an end-to-end encryption service, the CSP has deliberately put itself in a position not to properly observe the said obligations, and thereby that it has breached them.
According to Articles 142 and 143 of Government Emergency Ordinance No. 111/2011 regarding electronic communications, such a breach could be sanctioned with a fine amounting to 2% of the company’s annual turnover (and 5% in case of repeated breaches), whenever a company’s annual turnover exceeds RON3,000,000 (the approximate equivalent of EUR660,000).
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
Based on publicly available information, there is no case where the government has used legislation predating the advent of commercial encryption to produce judgments that were consequently applied to its use.
Considering that all Romanian legislation previous to 1990 providing the government with powers similar to those granted to American authorities under the All Writs Act (ie national security legislation) has been abolished and replaced by new legislation during the 1990s, such a situation is unlikely to occur.