ROM-2014-3-006

461/2014

16/09/2014


DECISION No. 461

of 16 September 2014

on the objection of unconstitutionality of the provisions of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications

Published in the Official Gazette no. 775 of 24 October 2014

Augustin Zegrean — President

Valer Dorneanu — Judge

Toni Greblă — Judge

Petre Lăzăroiu — Judge

Mircea Ștefan Minea — Judge

Daniel Marius Morar — Judge

Mona-Maria Pivniceru — Judge

Puskás Valentin Zoltán — Judge

Tudorel Toader — Judge

Mihaela Senia Costinescu — Assistant-Magistrate-in-chief

1. The case at issue is the settlement of the objection of unconstitutionality of the provisions of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications, objection raised by the Advocate of the People, on the grounds of the provisions of Article 146 (a) of the Constitution and of Article (15) of Law no. 47/1992 on the organization and operation of the Constitutional Court.

2. The referral of unconstitutionality has been sent through Letter no. 6.835 of 9 July 2014, registered with the Constitutional Court under no. 3.093 of 9 July 2014 and constitutes the subject matter of the File no. 695A/2014.

3. As grounds for the objection of unconstitutionality, the author claims that the provisions of the impugned law are contrary to Article 147 (4) of the Constitution, as the legislative solution on the obligation to store personal data for a period of 6 months as from the time of their retention is a constitutional flaw in the light of the reasons held in the Constitutional Court’s Decision no. 1.258/2009. It is essentially indicated that, on the time-limit for storage of personal data, the Constitutional Court has indicated in the reasons of its Decision that the obligation to retain data, for a period of 6 months, covered by Law no. 298/2008, as an exception or derogation from the principle of protecting personal data and confidentiality thereof, by its nature, extent and scope, deprives this principle of content, susceptible to affect, even indirectly, the exercise of fundamental rights and freedoms, especially of the right to personal, private and family life, of the right to secrecy of correspondence and freedom of expression, in a way which does not comply with the requirements covered by Article 53 of the Constitution of Romania. Consequently, the author of the referral considers that Parliament shall observe those set out by the Constitutional Court in the reasons and the operative part of the decision delivered in that matter.

4. As for the infringement of the principle that personal, family and private life shall be ensured and protected by public authorities, and of the principle of proportionality expressly laid down by Article 53(2) of the Constitution, the Advocate of the People considers, in accordance with the case-law of the Constitutional Court, that the implementation of a rule on the processing of personal data is susceptible to deprive Article 26 of the Constitution of content, namely a rule regarding the continuous retention of personal data, for a period of 6 months as from the time of their interception. As a result, the regulation of a positive obligation regarding the continuous limitation on the exercise of the right to personal, family and private life infringes its substance. The individuals, mass users of electronic communications services or of public communications networks, are permanently subject to this interference in the exercise of their rights. However, in the matter of personal rights, the rule is to ensure and guarantee their observance, and respectively their confidentiality, the State having, in this respect, mostly negative obligations, of abstention, by which, insofar as possible, its interference in the exercise of such right or freedom should be avoided. But the legal obligation that requires the continuous retention of personal data turns the exception to the principle of effective protection of the right to personal, family and private life into an absolute rule. Consequently, the examination in this case of the principle of proportionality is also necessary, which represents another mandatory requirement that must be complied with in cases of limitation on the exercise of certain fundamental rights and freedoms, strictly provided for by Article 53(2) of the Constitution.

5. It is also claimed that the impugned law applies widely – practically on all individuals who use publicly available electronic communications services or public communications networks, so it cannot be considered as being in compliance with the provisions of the Constitution and of the Convention for the Protection of Human Rights and Fundamental Freedoms on the guarantee of rights to personal, family and private life. The individual rights cannot be exercised in absurdum, but can be subject to limitations that are justified by the aim pursued.

6. Relating to the infringement of Article 1(5) of the Constitution, the Advocate of the People indicates that the constitutional provisions are generally binding, imposed on all subjects of law, including the legislative power which, in its law-making process, must comply with the Basic Law of the country and ensure the quality of legislation. In order to be enforced within its meaning, it is obvious that a regulatory act shall be accurate, foreseeable and, at the same time, it shall ensure the legal certainty of its recipients. However, the Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications does not regulate the objective criteria on which the period of personal data storage shall be established, so as to ensure its limitation to the strict minimum required. Moreover, the impugned law does not provide sufficient guarantees in order to ensure an efficient protection for the data against abuse and against any access or illicit use of personal data.

7. In conclusion, the Advocate of the People asks the Constitutional Court to ascertain the unconstitutionality of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications, as a whole, in relation to Articles 1(5), 26, 53(2) and 147(4) of the Constitution of Romania.

8. In accordance with the provisions of Article 16(2) of Law no. 47/1992 on the organization and operation of the Constitutional Court, the referral has been notified to the presidents of the two Chambers of Parliament, as well as to the Government, in order to communicate their viewpoint.

9. The President of the Chamber of Deputies communicated its viewpoint through Letter no. 2/3.963/4 September 2014, registered with the Constitutional Court under no. 4.006 of 4 September 2014, which indicates that the referral of unconstitutionality is unfounded. As grounds, it is indicated that the impugned legal provisions meet the requirements of accuracy, clarity and unequivocal character of the regulation to which the Constitutional Court refers in Decision no. 1.258/2009, since the scope of the data necessary for the identification of users who are individuals or companies is precisely determined.

10. The President of the Chamber of Deputies indicates that, as the personal data processing has an identification function, the provisions of Law no. 677/2001 for the protection of persons concerning the processing of personal data and free movement of such data, as subsequently amended and supplemented, are expressly enforceable. Therefore, these data benefit from a proper regulatory protection, developed on the basis of the constitutional fundamentals, by law, as required by the Basic Law. Thus, the impugned law regulates the exercise of certain rights with a view to their proportional reconciliation, in a democratic and pluralistic society, with the exercise of other rights and freedoms of citizens referred to in Article 53(1) of the Constitution, as well as with the requirement of the protection of public order and national security, laid down by the same article.

11. It is further pointed out that the alleged infringement of Article 1(5) of the Constitution of Romania, on the ground that the adopted law violates the principle of legality, cannot be supported either. On the contrary, the law establishes a well-defined legal framework in a clear, accurate, foreseeable and predictable manner, which concerns the fight against organized crime, especially cross-border crime, as well as against terrorist acts. From this teleological point of view, it is obvious that the impugned rules fully comply with the principle of proportionality which shall be observed by any action of the State, including the standardisation one. Thus, the aim of the impugned provisions – their mediated result – complies with the necessary relation of adequacy with both the de facto and de jure reasons which have justified their adoption and with their object – their immediate result –, as long as it consists in the creation of a normal and civic security climate aiming at ensuring the protection of the people, of material goods and of structural values of the democratic society, including individual security, in the national specific context.

12. The President of the Senate and the Government have not sent their viewpoint on the objection of unconstitutionality.

THE COURT,

having examined the objection of unconstitutionality, the report drawn up by the Judge-Rapporteur, the viewpoint of the Chamber of Deputies, the provisions of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications, as well as the provisions of the Constitution, holds as follows:

13. The Court has been legally referred to and is competent, according to the provisions of Article 146(a) of the Constitution and of Articles 1, 10, 15, 16 and 18 of Law no. 47/1992, to adjudicate on the constitutionality of the impugned legal provisions.

14. The subject-matter of the constitutional review, as it results from the formulated referral, is represented by the provisions of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications, published in the Official Gazette of Romania, Part I, no. 925 of 27 December 2011. The legal provisions regulate the registration of persons who use prepaid cards, the collection and storage of data for the users of communications services, the conditions under which the specific technical operations are carried out and the appropriate responsibilities of the providers of electronic communications services, and the enforcement of certain sanctions for the infringement of certain obligations laid down by law. Also, through the impugned law, the companies providing Internet access points to the public are in charge of both the identification of the users connected to such access points and the storage of personal data for a period of 6 months as from the time of their retention, obtained through the retention of the user’s identification data or telephone number, through bank card payment or any other identification procedure which, directly or indirectly, ensures that the user’s identity is known.

15. The objection alleges the violation of the constitutional provisions of Article 1(5) on the observance of law and the supremacy of the Constitution, of Article 26 on the personal, family and private life, of Article 53(2) on the limitation of the exercise of certain rights or freedoms and of Article 147(4) on the effects of the Constitutional Court’s Decisions.

16. For the purpose of adjudicating on the objection of unconstitutionality, the Court deems necessary a short history of European and national legislation regarding the retention and storage of data generated or processed in relation to the supply of publicly available electronic communications services or of public communications networks.

17. Thus, for the purpose of ensuring free movement of personal data within the European Union, the European institutions have adopted several legal documents or advisory rules requiring that Member States should protect the individuals’ rights and freedoms on the processing of personal data, especially the right to private life.

18. Within the European Union, the storage and use of data for law enforcement have been addressed for the first time by Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 on the processing of personal data and protection for private life in telecommunications sector. This directive has provided for the first time the possibility that Member States should adopt, if necessary, such legislative measures for the protection of public security, defence or public order, including the economic welfare of the State when activities aim at the security of the State and the enforcement of criminal law.

19. An important document from this point of view is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of confidentiality in the electronic communications sector (Directive on confidentiality and electronic communications) pursuant to which the relevant provisions of Member States are harmonised, in order to ensure an equivalent level of protection of fundamental rights and freedoms, especially of the right to confidentiality of personal data in the sector of processing of personal data in electronic communications sector and free movement of such data and related services within the European Union. The principle of general application required by the Directive establishes that such traffic data generated by the use of electronic communications services must be erased or made anonymous when those data are no longer needed for the transmission of a communication, except where, and only for so long as, they are needed for billing purposes, or where the consent of the subscriber or user has been obtained.

20. The same Directive indicates that, in certain conditions, Member States may limit the scope of this principle by providing rules for certain restrictions that are necessary, appropriate and proportional within a democratic society, required by the guarantee of national security, defence, public security or the prevention, the investigation, the detection and the prosecution of offenders or of the non-authorised use of electronic communications systems. In this respect, in the Conclusions of the Council of Justice and Home Affairs in December 2002, it has been indicated that it is essential that Member States adopt a uniform and harmonised legal regime meeting the requirements imposed by the achievement of the balance between the personal and social interest, in conjunction with the general principles necessary for the operation of the rule of law.

21. Subsequently, Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the storage of data generated or processed in relation to the supply of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC was adopted. The legal framework regulated by this directive refers solely to those data generated or processed as a result of a communication or of a communications service and not to data comprising the content of this information.

22. In terms of Article 14 of Directive 2006/24/EC, the European Commission prepared a report to the Council and to the European Parliament – COM(2011) 225 final of 18 April 2011, where it analysed the way in which Member States enforced the directive and its impact on economic operators and consumers. It indicates that “The proportion of mobile telephony users using prepaid services varies across the EU. Some Member States have claimed that anonymous prepaid SIM cards, especially where purchased in another Member State, could also be used by those involved in criminal activity as a means of avoiding identification in criminal investigation. Six Member States (Denmark, Spain, Italy, Greece, Slovakia and Bulgaria) have adopted measures requiring the registration of prepaid SIM cards. These and other Member States (Poland, Cyprus, Lithuania) have argued in favour of an EU-wide measure for mandatory registration of the identity of users of prepaid services. No evidence has been provided as to the effectiveness of those national measures. Potential limitations have been highlighted, for example, in cases of identity theft or where a SIM card is purchased by a third party or a user roams with a card purchased in a third country. Overall the Commission is not convinced of the need for action in this area at an EU level at this stage.”

23. In 2008, Directive 2006/24/EC was transposed to the national legislation through Law no. 298/2008 on retention of data generated or processed by providers of publicly available electronic communications services or of public electronic communications networks, as well as for amending and supplementing Law no. 506/2004 on the processing of personal data and protection of private life in the sector of electronic communications, published in the Official Gazette of Romania, Part I, no. 780 of 21 November 2008. However, after having carried out a constitutional review started on the grounds of an exception of unconstitutionality, the law was ascertained as unfounded through the Constitutional Court’s Decision no. 1.258 of 8 October 2009, published in the Official Gazette of Romania, Part I, no. 798 of 23 November 2009.

24. The second transposition of Directive 2006/24/EC was achieved in 2012, through Law no. 82/2012 on retention of data generated or processed by providers of public electronic communications networks and of publicly available electronic communications services, as well as for amending and supplementing Law no. 506/2004 on the processing of personal data and protection of private life in the sector of electronic communications, republished in the Official Gazette of Romania, Part I, no. 211 of 25 March 2014. Law no. 82/2012 does not contain any provision on prepaid SIM cards or on the connection to publicly available Internet access points.

25. Directive 2006/24/EC was declared invalid by the Judgment of 8 April 2014 of the Court of Justice of the European Union, delivered in Joined Cases C-293/12 – Digital Rights Ireland Ltd against Minister for Communications, Marine and Natural Resources and Others and C-594/12 – Kärntner Landesregierung and Others. By the delivered Judgment, the European court found that the analysed directive violated the provisions of Articles 7, 8 and 52(2) of the Charter of Fundamental Rights of the European Union enshrining the right to respect for private life, the right to the protection of personal data and the principle of proportionality.

26. Recently, after having carried out the constitutional review of Law no. 82/2012, by Decision no. 440 of 8 July 2014, published in the Official Gazette of Romania, Part I, no. 653 of 4 September 2014, the Constitutional Court has ascertained the unconstitutionality of the national law.

27. The Court has found that the Government Emergency Ordinance no. 111/2011, published in the Official Gazette of Romania, Part I, no. 925 of 27 December 2011, approved as amended and supplemented by Law no. 140/2012, regulates the general matter of electronic communications. The Emergency Ordinance transposes a series of directives regulating the authorization of electronic communications networks and services (Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002), a common regulatory framework for electronic communications networks and services (Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002), the access to, and the interconnection of, electronic communications networks and associated infrastructure (Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002), the universal service and users’ rights relating to electronic communications networks and services (Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002), as well as other directives amending and supplementing the above-mentioned regulatory acts. The Emergency Ordinance mainly regulates the rights and obligations of providers of electronic communications networks and services, the regime of limited resources, the end-users’ rights, the universal service, and the obligations of providers of electronic communications networks and services with significant market power.

28. The Government of Romania, as the initiator of the bill amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications, law subject to this constitutional review, has considered the supplement of the legislative framework in the matter of electronic communications. The expected changes by the new regulation envisage the registration of persons who use prepaid cards, the identification of users connected to Internet access points made available by companies, the collection and storage of data for the users of communications services, the conditions under which the specific technical operations are carried out and the appropriate responsibilities of the providers of electronic communications services, the time-limit for storage of personal data, as well as the enforcement of certain sanctions for the infringement of certain obligations laid down by law. The legislative action has been grounded in the need for the adoption of certain measures meant to facilitate the activities of criminal investigations or those for the awareness, the prevention and the fight against risks or threats to national security.

29. Concerning the proposed measures, the Legislative Council has given a favorable opinion on the bill by Opinion no. 353 of 7 July 2014, but it has indicated several normative acts regulating this sector, mainly Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector, as well as Law no. 82/2012 on retention of data generated or processed by providers of public electronic communications networks and of publicly available electronic communications services, as well as for amending and supplementing Law no. 506/2004 on the processing of personal data and protection of private life in the sector of electronic communications. The Legislative Council has noted that certain rules of this bill are similar to those of Law no. 82/2012, therefore it results in a double regulation. Consequently, taking into account the regulatory object of this bill subject to be given an opinion, as well as the provisions of Law no. 82/2012, it has submitted to the initiator the possibility to reconsider the regulatory act as a bill amending and supplementing that law, considering that, on the contrary, the enforcement of its provisions would be susceptible to create technical and practical difficulties. However, the bill has been adopted by the Parliament of Romania, in the wording initiated by the Government.

30. Prerequisites of constitutional review. Although the regulatory object of the impugned law is the amendment of the general regulatory framework on electronic communications, after having examined the reasons set out by the initiator of the bill in “The Explanatory Memorandum” of the Legislative Council’s opinion, as well as the amendments made through the provisions of the law, it results that, in fact, the regulatory act supplements the legislative framework on retention of data generated or processed by providers of public electronic communications networks and of publicly available electronic communications services, regulated by Law no. 82/2012. In this respect, the Constitutional Court ascertains that the legislature has misunderstood how the rules of legislative technique for drafting regulatory acts, which are expressly provided for in Law no. 24/2000, should be applied.

31. Concerning the provisions of Law no. 82/2012, after having carried out the constitutional review, by Decision no. 440 of 8 July 2014, the Court has ascertained the unconstitutionality of this regulatory act, as a whole, solution which has been grounded on the following considerations, as a matter of principle: “the provisions of Articles 26, 28 and 30 of the Constitution regulate the right to personal, family and private life, to secrecy of correspondence, as well as to freedom of expression, conditions in which the purpose of the regulation of the impugned law falls within the scope of protection of these constitutional texts. The impugned law, creating problems relating to the protection of the constitutional rights invoked, represents a legislative intervention in their scope, reasoned even by the purpose of this law, which coincides, at national level, with that of Directive 2006/24/EC and consists in the prevention, discovery and research of serious crimes by criminal prosecution bodies, courts and State bodies empowered to protect national security, purpose completely achieved by the law subject to constitutional review.

Having analysed the provisions of Law no. 82/2012, as well as the considerations, as a matter of principle, contained in the Judgment of the Court of Justice of the European Union of 8 April 2014, by which Directive 2006/24/EC has been declared invalid, and in the Constitutional Court’s Decision no. 1.258 of 8 October 2009, the Court holds that they also apply, in principle, to Law no. 82/2012.

First of all, the interference with the fundamental rights regarding personal, family and private life, secrecy of correspondence and freedom of expression is wide-ranging and must be considered as being extremely serious, and the circumstance that the retention of data and their subsequent use are performed without the subscriber or the registered user being informed about this is susceptible to give the persons concerned the feeling that their private life makes the object of a constant supervision.

Secondly, the data subject to the purpose of the regulation, although they have a predominantly technical nature, are retained for the supply of information on the person and his/her private life. Even if, pursuant to Article 1 (3) of the law, it does not also apply to the content of the communication or information consulted during the use of an electronic communications network, the other data retained, aiming at the identification of the caller and the called party, respectively the user and the recipient of information communicated electronically, of the source, destination, date, hour and duration of a communication, type of communication, the communication equipment or devices used by the user, the location of mobile communication equipment, as well as of other “necessary data” — undefined in the law —, are susceptible to interfere with the free expression of the right to communication or to expression. Specifically, the considered data lead to very accurate conclusions on the private life of the persons whose data have been retained, conclusions that may relate to habits of daily life, to permanent or temporary residence, to daily or other travels, to performed activities, to the social relations of these persons and the social environments frequented by them. Or, such limitation on the exercise of the right to personal, family and private life and to secrecy of correspondence, as well as to freedom of expression must occur in a clear, predictable and unequivocal manner, so as to be removed, if possible, the occurrence of arbitrariness or abuse committed by authorities in this area.

Thirdly, the impugned law does not contain clear and accurate rules regarding the content and application of the retention and use measure, so that the persons whose data have been retained would benefit from sufficient guarantees to ensure efficient protection against abuses and any access or illicit use. Therefore, the law does not stipulate objective criteria to limit to the strict minimum required the number of persons who have access to and can subsequently use the retained data, that the access of national authorities to stored data is not always conditioned by the prior control carried out by a court or by an independent administrative entity, limiting this access and their use to the strict minimum required for the achievement of the pursued objective. The legal guarantees on the actual use of retained data are not sufficient and adequate as to remove the fear that personal rights, of private nature, are violated, so that their occurrence would take place in an acceptable manner.” (Paragraphs 53, 54, 55, 56 and 57)

32. Moreover, having analysed the mechanism of the retention of data generated or processed by providers of public electronic communications networks and of publicly available electronic communications services, the Court has distinguished two stages, the former being that of retention and storage of data, and the latter that of the access to such data and their use. Thus, “Retention and storage of data, which naturally is the first chronological operation, are the obligation of providers of electronic communications networks and of publicly available electronic communications services. This operation is a technical one, being automatically achieved based on software as long as law stipulates that suppliers appointed by law must retain those data. Since under Directive 2006/24/EC and Law no. 82/2012, the purpose of retention and storage is general, aiming at ensuring national security, defence, as well as at prevention, investigation, detection and criminal prosecution of serious crimes, retention and storage not being related to and determined by a real case, it appears to be evident the continuous nature of the obligation of providers of electronic communications networks and services to retain these data for the whole period expressly stipulated by the legislation in force, respectively for a period of 6 months, according to Law no. 82/2012. Likewise, at this stage, as it is only about retention and storage of a mass of information, the identification or location of the subjects of an electronic communication is not actually achieved, following to take place in the second stage, after being allowed the access to data and their use.

The Court claims that precisely due to the nature and specifics of the first stage, as the legislature considers necessary the retention and storage of data, solely this operation itself is not contrary to the right to personal, family and private life, or to secrecy of correspondence. Neither the Constitution nor the case-law of the Constitutional Court forbids the preventive storage, without a specific occasion, of traffic and location data, provided however that the access to these data and their use should be accompanied by guarantees and observe the principle of proportionality.” (Paragraphs 59 and 60).

33. Given the amendments proposed by the law subject to this constitutional review, the reasons held by the Court as the grounds for the solution of unconstitutionality of the provisions of Law no. 82/2012, as well as the fact that, regarding the mechanism of data retention, the impugned provisions aim at the first stage of retention and storage of data by providers of mobile telephony using prepaid cards, respectively by providers of Internet access points, the Court is to analyse to what extent the grounds of Decision no. 440 of 8 July 2014 are also applicable to this case.

34. The analysis of the impugned provisions. Article I (1) of the law envisages the supplement of the provisions of Article 4 of the Government Emergency Ordinance no. 111/2011 on the definition of certain terms, with three definitions, points 55, 56 and 57, as follows: “55. data needed to identify a subscriber or a user – the telephone number or the identifier of the communications service with advance and subsequent payment, together with the surname, forename and personal identification code, series and number of the identity document, namely the issuing country – for foreign persons –, the name and code of tax identification – for companies, as well as the surname, forename and the personal identification code of the legal representative of the company, where applicable;

56. identifier of the service – the sole identification code assigned for an Internet service access or a communications service, including via Internet;

57. identity document – identity card, electronic identity card, passport or driving licence.”

35. By Decision no. 1.258 of 8 October 2009, published in the Official Gazette of Romania, Part I, no. 798 of 23 November 2009, the Constitutional Court held that “the lack of an accurate legal regulation which could precisely determine the scope of the data needed to identify users, either individuals or companies, opens the possibility of certain abuses in the process of retention, processing and use of data stored by providers of publicly available electronic communications services or of public electronic communications networks. The limitation on the exercise of the right to personal life and to secrecy of correspondence and to freedom of expression must also occur in a clear, predictable and unequivocal manner, as to be removed, if possible, the occurrence of arbitrariness or abuse committed by authorities in this area”.

36. By the impugned rule, the legislature has expressly regulated the data needed to identify a subscriber or a user, requiring the issuing country for individuals, namely the tax identification code for companies, besides surname/forename and telephone number or identifier of communications service, personal identification code, series and number of identity document. It must be emphasized that Law no. 82/2012 did not provide the obligation on the retention of the personal identification code, the series and number of the identity document, respectively the tax identification code needed to identify a subscriber or a user, and the database set up according to the provisions of Article 4 of this law refers, both for fixed line and mobile telephone networks and for Internet access services, electronic mail and voice over Internet, only to telephone number, as well as to subscriber or registered user’s name and address. Therefore, in the light of the reasons held by the Court in Decision no. 1.258 of 8 October 2009, the challenges on the accuracy and predictability of the rule can no longer subsist as the new rule precisely determines the area of data necessary for the identification, but, taking into account the supplementing of data required from the subscriber or the user, as well as their strictly personal nature, the amended legal provisions should have been properly amended by provisions ensuring high standards on their protection and security throughout the entire process of retention, storage and use, precisely so as to minimise the risk of the infringement of the right to personal, family and private life, the secrecy of correspondence, as well as the citizens’ freedom of expression. However, the Court ascertains that Law amending and supplementing the Government Emergency Ordinance no. 111/2011 makes no amendment on the guarantee for the protection of such rights, so that the grounds for the solution of unconstitutionality of Law no. 82/2012 are particularly justified in this case.

37. Moreover, the law subject to constitutional review not only establishes no guarantees and technical security and operational measures, but also widens the area of subjects of law who are subject to the obligation to retain and store the data generated or processed by providers of public electronic communications networks and of publicly available electronic communications services.

38. Thus, Article I (3) of the impugned law, on the supplementing of Article 51 of the Government Emergency Ordinance no. 111/2011, with a new paragraph, paragraph (11), provides as follows: “(11) Purchase of electronic communications services with advance payment is conditional upon completion with the personal identification data of a standard form by a user, on paper or in a secure electronic format, made available by provider.” While the first 10 paragraphs of Article 51 regulate the general framework on the content of contracts entered into between providers and end-users in order to benefit from services of access and connection to public electronic communications networks or to publicly available electronic communications services, so certain legal acts relating to the two contracting parties’ consent (on the one hand, operators of publicly available electronic communications services or empowered persons to act as intermediaries in the specific commercial transactions – dealers – and, on the other hand, individuals or companies as recipients of services provided by them), acts establishing rights and mutual obligations, in case of electronic communications services with advance payment, the amended rule refers to completion of a standard form made available by provider for the user. However, the new regulation is liable to generate confusion from at least two points of view.
Firstly, the rule does not precisely determine the area of persons who make available the standard form and, thus, collect such data, respectively if it refers solely to providers of publicly available electronic communications services and to persons empowered by them as intermediaries (dealers) or also comprises other distributors selling electronic communications services with advance payment (as it happens nowadays on the markets of prepaid telephone and internet services), circumstance which creates the prerequisites for the commitment of certain abuses in the activity of retention, processing and use of stored data. Secondly, it is not clearly provided if the obligation which should be borne by user regarding the completion of the standard form (representing, at least in appearance, a unilateral legal act) corresponds or not to a corresponding obligation of the person who collects personal data in order to ensure confidentiality, security and use of such data according to the purpose laid down by law, as long as the depositories of standard forms just receive such documents, with no liability in this respect. The more so as in accordance with the provisions of Article 46(1) and (2) of the Government Emergency Ordinance no. 111/2011, the obligation to take all technical and organisational measures appropriate to manage risks which may affect the security of networks and services, measures intended to ensure a security level corresponding to the identified risk and prevent or minimise the impact of security incidents on users and interconnected networks, considering the latest technologies, is only the responsibility of providers of public electronic communications networks and of publicly available electronic communications services and not of other persons who arrange the purchase of electronic communications services with advance payment.

39. In the light of the non-compliance with the conditions of accuracy and predictability of the rule, a similar situation is laid down by Article I (4) of the impugned law relating to the supplementing of the Government Emergency Ordinance no. 111/2011 with a new article, namely Article 732, providing as follows: “(1) Companies which provide Internet access points to public must identify the users connected to such points.

(2) The identification provided for in paragraph (1) shall be made through the retention of user’s identification data or telephone number, by bank card payment or any other identification procedure which, directly or indirectly, ensures that user’s identity is known.

(3) Personal data retained in compliance with paragraph (2) shall be stored for a period of at least 6 months as from the time of their retention.

(4) The provisions of Law no. 677/2001 for the protection of individuals concerning the processing of personal data and free movement of such data, as subsequently amended and supplemented, shall enforce on the processing of personal data retained in compliance with paragraph (2).”

40. The amended rule widens the area of persons who must identify users of electronic communications services, expressly providing the obligation of companies which provide Internet access points to public, on retention of users’ identification data: the telephone number or the identifier of the communications service with advance and subsequent payment; surname, forename and personal identification code, series and number of the identity document, namely the issuing country – for foreign persons; identification data obtained through bank card payment; any other identification procedure which, directly or indirectly, ensures that the user’s identity is known. The obligation of retention is doubled by the obligation of data storage for a period of 6 months as from the time of their retention.

41. Currently, companies which provide Internet access points to public are private companies, especially in commercial and recreation areas, coffee shops, restaurants, hotels, airports etc., or public companies – public institutions which provide citizens with direct and rapid access to public information (including those distributed on own Internet pages), as well as town halls, education institutions, public libraries, health care facilities, theatres etc. The establishment of the obligation to retain and store personal data in such persons’ charge correlatively imposes the express regulation of certain adequate, well-established and unequivocal measures susceptible to guarantee citizens that clearly personal data made available are registered and stored under confidentiality conditions. In this respect, the law is limited to establishing the measures of retention and storage of data, without amending and supplementing the legal provisions on the guarantees which shall be ensured by the State throughout the exercise of citizens’ fundamental rights. However, the legal framework in such a sensitive area must occur in a clear, foreseeable and unequivocal manner as to be removed, if possible, the occurrence of arbitrariness or abuse committed by authorities in this area.

42. Likewise, the provision that the identification is achieved through “any other identification procedure” which ensures, directly or indirectly, that the user’s identity is known forms an imprecise regulation susceptible to create the prerequisites of certain abuses committed in the process of retention and storage of data by companies subject to the assumption of this rule.

43. Retention and storage of data clearly form a limitation on the right to the protection of personal data, respectively on the fundamental rights which are constitutionally protected regarding personal, family and private life, secrecy of correspondence, as well as freedom of expression. However, such a limitation can function in accordance with the provisions of Article 53 of the Constitution enshrining the possible limitation on the exercise of certain rights or freedoms solely by law and if required, as appropriate, in order to protect national security, public order, health and morals, citizens’ rights and freedoms, for the development of criminal investigation, the prevention of consequences of a natural calamity, of a disaster or of an extremely serious catastrophe. The limitation measure can be ordered only if necessary in a democratic society, must be proportional with the situation which determined it, enforceable in a non-discriminatory way and with no limitation on right or freedom.

44. However, to the extent that the measures adopted by the law subject to constitutional review are not accurate and foreseeable, the interference of the State in the exercise of the above-mentioned rights, although laid down by law, is not clearly, rigorously and exhaustively formulated as to offer confidence to citizens, the strict minimum required in a democratic society is not fully justified, and the proportionality of the measure is not ensured through the regulation of certain appropriate guarantees, the Court ascertains that the provisions of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications violate the provisions of Article 1(5), Articles 26, 28, 30 and 53 of the Constitution. Therefore, the limitation on the exercise of such personal rights in terms of certain collective rights and public interests aiming at national security, at public order or at criminal prevention, interrupts the right balance which should be between the individual interests and rights, on the one hand, and those of the society, on the other hand, the impugned law cannot regulate sufficient guarantees in order to ensure efficient protection of data against abuse and any access or illicit use of personal data.

45. Apart from those analysed above, the Court notes that, if, in the case of the amendments aiming at the purchase of electronic communications services with advance payment, the legislature has granted a period of 12 months during which users may choose to maintain the service and to fill in the standard form, under penalty of suspension of the provided service at the end of this period, for companies which provide Internet access points to public, the obligations of retention and storage of data laid down by law occur on the date of entry into force of the regulatory act. Thus, the legislature has provided no transitional rule by which these latter persons may have been allowed to comply with the new provisions, without affecting the users’ right to access the Internet within the period of grace made available.

46. In conclusion, the Court considers that, although neither the Constitution nor the case-law of the Constitutional Court forbid, with no occasion, the preventive storage of traffic and location data, the method to obtain and store the data needed to identify users of electronic communications services with advance payment, respectively the users connected to Internet access points does not comply with the conditions required by the principle of proportionality, does not provide guarantees ensuring the confidentiality of personal data, affecting the very substance of fundamental rights on personal, family and private life and on secrecy of correspondence, as well as freedom of expression.

47. Likewise, the Court holds, in this case, the applicability of the grounds of Decision no. 440 of 8 July 2014 as the regulatory act subject to constitutional review is, in fact, no more than a supplement of the provisions of Law no. 82/2012, partly taking over the legislative solution regulated therein, but which no longer have effects following the ascertainment of their unconstitutionality.

48. As it has been previously revealed, although the impugned law aims at amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communication, after having examined the reasons set out by the initiator of the bill in “The Explanatory Memorandum”, as well as the amendments made through the provisions of the law, it results that, in fact, the regulatory act supplements the legislative framework on retention of data generated or processed by providers of public electronic communications networks and of publicly available electronic communications services, regulated by Law no. 82/2012. This supplementing aims at widening the area set out by this law on users of electronic communications whose personal data are to be retained and stored, regulating the registration of prepaid cards users, as well as the collection and storage of Internet users’ data through access points made available for companies. However, the flawed manner in which the legislature has understood to amend the current legislative framework generates serious problems for the interpretation and enforcement of law – just supplementing the area of persons who use electronic communications services, as well as the database which is to be stored for a certain period and imposing obligations of retention and storage on companies which provide publicly available electronic communications services with advance payments or Internet access points – , operations which are comprised in the first stage delimited by the Constitutional Court through Decision no. 440 of 8 July 2014, that of retention and storage of data, the law omits to regulate the second stage, namely the method in which such data shall be accessed and used. Thus, the amended provisions neither provide any rule in relation to Law no. 82/2012 which constitutes the general framework of regulation on the procedure to access the retained data (the type of accessed data, the persons who may require access, the authorisation conditions, the purpose for which such data may be used, the control on performed operations etc.), nor regulates, distinctly, alone, such procedures. Consequently, the impugned challenge, as a whole, is incomplete, confusing and, therefore, susceptible to generate abuses in relation to the enforcement of its provisions. In this respect, the legal provisions not only put into perspective the safety guarantees of data retention and storage, without requiring appropriate standards to ensure the level of security and confidentiality which may effectively be verified, as the Court has held in the reasoning part of the solution delivered through Decision no. 440 of 8 July 2014, but, by the lack of any regulation on the method in which personal data are accessed and used, the law is irretrievably jeopardised.

49. Taking into account all these reasons, the Court claims that the objection of unconstitutionality, having as subject matter the provisions of Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications, is founded and ascertains the unconstitutionality of the regulatory act, as a whole.

50. For the above-mentioned reasons, on the grounds of Article 146 (a) and of Article 147 (4) of the Constitution, as well as of Articles 11(1) A.a), 15(1) and 18(2) of Law no. 47/1992, by unanimous vote,

THE CONSTITUTIONAL COURT

In the name of law

DECIDES:

Allows the objection of unconstitutionality and finds that Law amending and supplementing the Government Emergency Ordinance no. 111/2011 on electronic communications is unconstitutional, as a whole.

Final and generally binding.

This Decision shall be communicated to the President of Romania, to the presidents of the two Chambers of Parliament and to the Prime Minister and shall be published in the Official Gazette of Romania, Part I.

Delivered during the session of 16 September 2014.