This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Romania.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes. The main legal instrument governing communication networks and services is the Government Emergency Ordinance no. 111/2011 on electronic communications (“GEO 111/2011”), which transposes the main EU provisions in the field of electronic communications. This legal instrument covers all activities in the field of communications networks and services. The GEO 111/2011 establishes the general framework for regulation of electronic communications networks and services, the authorization of such activities and promotes competition on the market. In addition, there is special legislation encompassing laws and emergency ordinances on certain topics as well as secondary legislation (mainly government decisions and enactments of the telecom body).
The provision of electronic communications networks and services is subject to (i) general authorization and (ii) licenses for the use of limited resources for the provisions of electronic communications networks and services, such as radio frequencies, numbering resources and other associated technical resources. These licenses are subject to certain technical parameters and are granted for a limited period of time. The general authorizations as well as the licensees are issued by the National Authority for Management and Regulation in Communications ("ANCOM") in accordance with its decision no. 987/2012 on the general authorization regime for the provision of electronic communications networks and services.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
Yes. The regulatory authority in the sector of electronic communications is the National Authority for Management and Regulation in Communications ("ANCOM") (in Romanian Autoritatea Națională pentru Administrare și Reglementare în Comunicații). ANCOM was established pursuant to the Governemnet Emergency Ordinance no. 22/2009 as an autonomous public authority under the control of the Romanian Parliament and financed entirely from its own revenues.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
The Romanian legislation in the sector of electronic communications does not require an operator to be established on the territory of Romania.
Under the Romanian legislation there are no foreign ownership restrictions with regard to telecom operators.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
Yes. ANCOM takes all necessary measures to ensure and encourage adequate access and interconnection as well as the interoperability of services in a way that promotes efficiency, sustainable competition, investment and innovation for the benefit of end-users. To accomplish this, ANCOM may impose certain obligations on undertakings, as follows:
- in order to ensure end-to end connectivity, the authority may impose obligations on undertakings that control access to end-users to interconnect their networks;
- in justified cases and if it is necessary, the authority may also impose obligations on undertakings that control access to end-users to make their services interoperable;
- to the extent that this is necessary to ensure accessibility for end-users to digital radio and television broadcasting services to provide access to application programming interfaces or electronic program guides on fair, reasonable and non-discriminatory terms.
The obligations and conditions imposed as per the above must be transparent, objective, proportionate and non-discriminatory and must follow a certain procedure provided in the law. Also, such measures that may be imposed by the regulatory authority are without prejudice to the measures that may be taken regarding undertakings with significant market power.
One of the tasks of ANCOM is to promote competition on the market. To achieve this, the authority identifies the relevant market and the undertakings with significant market power. In the sector of electronic communications an undertaking is considered to have significant market power if, either individually or jointly with others, it enjoys a position equivalent to dominance, that is to say a position of economic strength affording it the power to behave to an appreciable extent independently of competitors, customers and ultimately consumers.
After conducting the market analysis and to the extent that it is necessary to promote competition on that market, ANCOM may impose, maintain, amend or withdraw, as the case may be, certain obligations on undertakings with significant market power. According to GEO 111/2011 and in line with the EU provisions (Access Directive) the authority may, in addition to the above impose, maintain, amend or withdraw the following in order to facilitate access to and interconnection of electronic communications networks and associated facilities:
- obligations of transparency in relation to interconnection and/or access, requiring operators to make public specified information, such as accounting information, technical specifications, network characteristics, terms and conditions for supply and use;
- obligations of non-discrimination in relation to interconnection and/or access that ensure in particular, that the operator applies equivalent conditions in equivalent circumstances to other undertakings providing equivalent services, and provides services and information to others under the same conditions and of the same quality as it provides for its own services, or those of it subsidiaries or partners;
- obligations of accounting separation in relation to specified activities related to interconnection and/or access;
- obligations of access to, and use of specific network facilities in situations where ANCOM considers that denial of access or unreasonable terms and conditions having a similar effect would hinder the emergence of a sustainable competitive market at the retail level, or would not be in the end-user's interest;
- obligations of price control and cost accounting obligations; and
- obligations of functional separations; this obligation may be imposed when the authority considers that the above listed obligations have failed to achieve effective competition and that there are important and persisting competition problems and/or market failures identified in relation to the wholesale provision of certain access product markets; this obligation requires vertically integrated undertakings to place activities related to the wholesale provision of relevant access products in an independently operating business entity.
What are the principal consumer protection regulations that apply specifically to telecoms services?
GEO 111/2011 lays down the consumer protection regulations applicable for the sector of electronic communications.
Contracts concluded by consumers for the provision of access and interconnection to public electronic communications networks and services may be made on an initial period of up to 24 months. The offers and contracts designed for consumers must be transparent and offer the consumer sufficient information. For this reason, contracts concluded with consumers must contain the following minimum information:
- the identification data of the provider;
- the services provided, including in particular, if access to emergency services and caller location is provided, information with regard to the procedures for measuring traffic, the service quality levels offered, as well as the term for the initial connection;
- the prices and tariffs for each product or service covered by the contract, the way in which they are applied, as well as the means by which updated information on the tariffs for the provision of the electronic communications services and of the maintenance and repair services may be obtained;
- the duration of the contract, the conditions for renewal and termination of the contract, as well as the conditions under which service suspension operates;
- the applicable compensations and procedures in case the contracted service quality levels or other contractual clauses are not fulfilled;
- the means of initiating procedures for the settlement of disputes;
- the type of action that may be taken in reaction to security or integrity incidents or threats and vulnerabilities.
In addition, GEO 111/2011 contains certain provisions with regard to the conclusion of distance contracts. These provisions offer the consumers a favourable position in the sector of electronic communications.
What legal protections are offered in relation to the creators of computer software?
Legislation on intellectual property is in line with international practice, Romania having adhered to most of the international conventions on intellectual property, as well as to EU legislation in the field. According to EU legislation, computer programs are considered literary works. In Romania, computer programs are protected under Law no. 8/1996 on copyright and related rights (the “Copyright Law”). Article 72 of the Copyright Law provides that the protection of computer programs includes any expression of a program, application programs and operating systems expressed in any kind of language, whether in source code or object code, the preparatory design material and the manuals.
In Romania, copyright is protected provided that the work is original, takes a concrete expressive form and is able to be made known to the public. A copyright holder has the exclusive patrimonial right to decide whether, how and when its work will be used. In addition, he has the right to authorize or prohibit the following:
- the reproduction of the work;
- the distribution of the work;
- the import for trading on the domestic market, of copies of the work;
- the rental of the work;
- the communication to the public, directly or indirectly, of the work, by any means, including by making the work available to the public, in such a way that members of the public may access it from a place and at a time individually chosen by them;
- the broadcasting of the work;
- the cable retransmission of the work; and
- the making of derivative works.
Apart from the above general rights, copyright holders of computer software enjoy certain rights that are applicable especially to them. Thus, copyright holders of computer software have the exclusive right to do and authorise the following:
- the permanent or temporary reproduction of a computer program by any means and in any form, in part or in whole, including where the reproduction is required for the installation, storage, running, execution, display or transmission in the network;
- the translation, adaptation, arrangement and any other alteration of a computer program and the reproduction of the results thereof, without prejudice to the rights of the person who alters the program;
- any form of distribution to the public, including the rental, of the original computer program or of copies thereof.
Are specific intellectual property rights in respect of data/databases recognised?
Yes. According to Law no. 8/1996 on copyright and related rights (the “Copyright Law”) a sui generis right for the protection of databases is provided for 15 years. The data base owner has the exclusive right to authorize or forbid the extraction or reuse of the whole or substantial part of the database. This sui generis right applies irrespective of the fact that the database or its content are protected under copyright or any other right.
What key protections exist for personal data?
At present, the main legal framework is the Data Protection Act, Law no. 677/2001, which transposes the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and sets the general framework for processing of personal data in Romania.
The Data Protection Act defines personal data and data processing, regulates consent rules, data transfers, the obligations of data controllers and the rights and remedies of data subjects.
As per the current form of the Data Protection Act, key protections for personal data may be found in several articles, as follows: data quality requirements (Article 4), conditions for legitimate processing of personal data (Article 5), rights of the data subject (Articles 12 – 18), security requirements (Article 20) and notification requirements of the Data Protection Agency (Article 22).
Obligations of the data controller
The protection of personal data is inherent in the following main obligations of the data controllers:
- personal data must be processed in good faith;
- personal data must be collected for explicit and legitimate purposes only;
- personal data must be adequate, relevant and not excessive with regard to the scope for which it is collected and processed;
- personal data must be accurate and updated when necessary;
- personal data must be stored only for a specific period of time, as necessary for the processing.
Legitimate processing of personal data
Protection of personal data is also ensured on the condition that the processing is based on legitimate grounds.
Personal data may be processed as a matter of principle only with the data subject`s prior, voluntary and informed consent. The data subject may give such consent either in writing or electronically. For the processing of sensitive personal data the written consent of the data subject is required. The data controller must be able to prove at all times that the consent of the data subject has been provided properly and lawfully.
Notwithstanding, there are several cases when the processing of personal data can be performed without the data subject's consent, e.g. if the processing is performed for statistical, historical or scientific purposes, provided that the data remains anonymous, or if the processing is related to data resulting from publicly available documents / information.
Rights of the data subject
If personal data is obtained directly from the data subject, the data controller must provide to the data subject at least the following information:
- the identity of the data controller or its representative;
- the scope of the processing of the personal data; and
- any other information, as required by the law.
In addition to the above obligations, if the personal data is not obtained directly from the data subject, the data controller is obliged to inform the data subject with regard to the collection and processing of personal data.
The data subject also has the following rights with respect to the collection/processing of personal data:
- the right to access the data which is being processed;
- the right to intervene over the data – rectify, remove or block the personal data;
- the right to object against the processing of its personal data.
Under Article 20 of the Data Protection Act, all necessary technical measures must be taken in order to protect personal data against unauthorized access, alteration, transfer or disclosure, accidental or unlawful destruction and loss. These measures must ensure a level of protection appropriate to the data that is being processed.
Notification of the Data Protection Agency
Data controllers must, in certain cases provided by law, notify the Data Protection Agency (in Romanian language – Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) before carrying out of processing operations.
Are there restrictions on the transfer of personal data overseas?
Yes. The transfer of personal data abroad by the data controller is subject to a prior notification to the Data Protection Agency. In such cases the Data Protection Agency will assess the adequate level of protection of personal data on a case by case basis, by taking into consideration the nature of the data to be transferred, the processing scope and the proposed duration of the processing.
According to the Data Protection Act, data may be transferred abroad only provided that the State towards which the transfer is made ensures an adequate level of protection.
The Data Protection Agency may approve the transfer of personal data to another State that does not provide the same level of protection as Romania only if satisfactory guarantees with regard to a person's fundamental rights are provided by the data controller.
The transfer of personal data can be made only in the following situations:
- based on the adequacy status of the third country conferred by the European Commission;
- where the data subject has given explicit consent;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary or legally required on important public interest grounds, public order or national security provided if the personal data is processed for this purpose and not longer than necessary;
- the transfer is necessary in order to protect the life, physical integrity or health of the data subject;
- the transfer is made based on requested access to official documents which are open to the public or by a request of information from public records.
What is the maximum fine that can be applied for breach of data protection laws?
Article 34 of the Data Protection Act provides that the maximum applicable fine is RON 500,000,000 (at this date the equivalent of EUR 109,492,212) for breach of confidentiality and security rules.
Are there any restrictions applicable to cloud-based services?
Cloud-based services are of significant importance in light of data protection law, since the data stored in the cloud moves freely between different jurisdictions. The data protection legislation does not provide per se restrictions applicable to cloud-based services. However such restrictions are implied from data protection rules and principles.
One of the data protection principles provides that data must be safeguarded and not transferred to third countries unless adequate safeguards are in place. For this reason, data controllers are legally required to conclude agreements when contracting with cloud service providers with a view to store data in the cloud. When storing personal data in the cloud the data controller must ascertain that the location of the data is known. This is of utmost importance, since the data may be stored on servers located in another country that may or may not provide an adequate level of protection as required under Romanian law.
In other words, the data controller must ensure that the agreement concluded with the cloud service provider is in line with data protection rules. Throughout this agreement the data controller must make sure that he will not be in breach of any rules with regard to processing and transfer of personal data.
Are there specific requirements for the validity of an electronic signature?
Article 4 of Law no. 455/2001 on electronic signature (implementing the eIDAS Regulation), defines the electronic signature (e-signature) and the extended e-signature. The latter is the equivalent of the advanced e-signature in eIDAS Regulation and it must fulfill four conditions in order to be valid:
- it is uniquely linked to the signatory;
- it ensures the identification of the signatory;
- it is created using electronic signature creation data that the signatory can use under his sole control;
- it is linked to the data signed therewith in such a way that any subsequent change in the data is identifiable.
Under Article 5 of the said law, an extended e-signature ensures the validity of an electronic document if it is based on a qualified certificate and generated by a secure signature creation device. Simultaneously, Article 6 recognizes the validity of an electronic document if e-signatures were used. Moreover, in the instance where one of the parties does not recognize the e-signature, the court must have it verified by an expert.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
When a company is outsourcing certain services that can be seen as a stand-alone function, and the outsourcing supplier also takes over the outsourced activity as such or certain assets/equipment pertaining thereto, there is a chance that we are dealing with a transfer of undertaking. In this case, the outsourcing supplier has the obligation to take over the employees attached to the relevant activity/assets/equipment.
The relevant provisions for the transfer of undertaking may be found in the Labour Code (Law no. 53/2003) and in Law no. 67/2006 on safeguarding of employees' rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses, which transposes EU Directive 2001/23 on the approximation of the laws of the Member States relating to the safeguarding of employees' rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses. Both enactments provide that all rights and obligations of the initial employer are automatically transferred in their entirety to the outsourcing supplier. A transfer of undertaking may not constitute ground for dismissal.
Moreover, the applicable legal framework provides that before any transfer of undertaking/outsource occurs, the employer and the outsourcing supplier must inform the employees on the following:
- the date of the transfer or a proposed date;
- the reasons why such transfer occurs;
- the legal, economic and social consequences of such transfer for the employees;
- any measures that may be taken with regard to the employees;
- the working conditions.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Currently the Romanian national legal framework does not contain any explicit provisions with regard to any form of A.I. Therefore, the general rules on civil contractual liability and tort law, as well as administrative and criminal liability would apply on a case-by-case basis, depending on the specific circumstances of the case.
What key laws exist in terms of obligations as to the maintenance of cybersecurity?
Government Decision no. 271/2013 regulates Cyber security strategy of Romania.
At the beginning of 2016, a draft law for the Cyber security of Romania was launched. The draft law was under public debate until September 2016, when it was withdrawn. At present, there are no further developments in this area.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The following cyber crime related laws are particularly relevant:
- Law no. 161/2003 on certain measures for transparency in the exercise of public functions and the business environment and for the prevention and sanctioning of corruption – Title III – Prevention of cyber crime;
- Law no. 64/2004 ratifying the Council of Europe Convention on Cybercrime (E.T.S. no. 185, November 23, 2001); since said ratification, Romanian national laws have been amended so as to comply with the requirements of the convention regarding the collection, search, seizure, making available and interception of data; and
- the Criminal Code (Law no. 286/2009).
What technology development will create the most legal change in the jurisdiction?
It is hard to name only one technology development that would have the biggest legal impact, since any such important development has the ability to produce equally important legal change.
In Romania, as well as worldwide, one of the closest technology developments that have an appreciably effect on society is the development of the Internet of Things (IoT). We now live in a world in which all of our devices are connected to the Internet and the cloud. IoT has developed beyond just laptops, smartphones and tablets and now, includes everything from fitness trackers to even "smart" toys ("smart" fashion toys, like "My friend Cayla" – that has been recently designated as a spy tool by authorities across Europe).
One of the biggest problems that the IoT has is security. When all of your devices constantly collect data and communicate between themselves and even interact with the environment around them, one must be sure that they are not easily "corrupted" and that one`s data is not "stolen". Moreover, there is a need to develop devices and networks with an intense focus on security and create a compatible platform for the IoT. Currently, there are apps and devices that are unable to communicate between themselves due to lack of standardization. Hence, security and standardization are two major aspects to be dealt with by coming legislation.
In addition, the use of IoT also means that all of our data is collected and further processed for commercial purposes, as companies rely more and more on Big Data Analytics (i.e. the process of collecting, organizing and analyzing large sets of data to discover patters and other useful information) to understand and predict human behavior, laws will need to cover not only more efficient data privacy mechanisms.
Although efforts are being made in enhancing security and protecting privacy, one still cannot keep up with the fast pace of technology.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
By and large, EU and Romanian legal framework are very favorable to commerce and development. Therefore, while there is always room for improvement in our view, there is at present no regulatory major impediment to economic development and commerce.
Do you believe the legal system specifically encourages or hinders digital services?
Our legal system is aligned with the EU legislation in the field of digital services. At the EU level, as well as in Romania the digital environment is regulated by laws that are currently outdated (see as an example the legislation for the electronic commerce sector, which was enacted in 2000), as well as encompassing many grey areas, since many aspects of the digital environment are largely unregulated. As a consequence, the current frameworks as well as case law fail to provide legal certainty for the development of digital services.
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
The Romanian legal system is neither less nor more prepared than other legal systems to deal with the risks and legal issues associated with artificial intelligence. Currently, there is no national or European legal framework in the sense of AI tailor-made legislation. Whilst for the moment existing legislation may seem as largely sufficient, one the AI will spread and become more sophisticated there will be a stringent need for dedicated legal framework.