H.E. MR. Peter MICHALKO
Ambassador of the European Union Delegation
Head of Council of Europe Office
UN/UNDP Resident Coordinator and Representative
World Bank Country Manager
H.E. MS. Lucy Joyce OBE
Ambassador of the United Kingdom of
Great Britain and Northern Ireland
Hereby, the Privacy Research Association (www.privacy.md), aiming at ensuring the proportionality of the right to privacy in relation to the processing of personal data and other competing human rights, welcomes the adoption of the Law on data exchange and interoperability, and draws attention to the following:
- On 19.07.18 the Law no. 142 on data exchange and interoperability was adopted – a legislative act to interconnect and centralize all databases, registers, information systems or filing systems of the public sector and, as the case may be, of the private sector, in order to enable public authorities and institutions to exchange information between them, facilitating the provision of public services.
As of 10.11.2018 – the date of entry into force of this law – all institutions and public authorities will be required to provide access to the registers, databases, information systems and filing systems they manage by connecting them to the interoperability platform, with the exception of public authorities and institutions with responsibility for the oversight of entities in the financial sector, national defense, state security, public order, crime prevention, prevention and fight against corruption, insofar as the relevant special legislation applies.
- The right to take part in the exchange of data, which involves the provision (disclosure) and consumption (access, view, use) of data, or the transmission of data from one information system to another through the interoperability platform, belongs in particular to public institutions and authorities, notaries, bailiffs, registrars, lawyers, authorized administrators, judicial experts, interpreters and translators and/or other private persons.
- Under the new legal provisions that will enter into force on 10.11.18, any participant from among those mentioned in pt. 2 will be required to ensure the availability (disclosure) of any data held by them, through the interoperability platform, to any other participant connected to it.
- The procedure of connecting a participant to the interoperability platform will be officially approved by a „competent Authority” (which has not yet been expressly established by law), and is subject to the authorisation issued by the National Center for Personal Data Protection. At the same time, it was mentioned that, where such authorisation is granted, access to and use of data by public and private sector representatives, such as first and last name, ID number, residence address, family members' data, vehicle data, real estate, crossing of the state border, information from the Health Register as well as other information, will be allowed without the consent of the natural person whose personal data are accessed, but only where an explicit purpose and legal basis have been declared to the National Center for Personal Data Protection before the authorisation for connection is issued.
- However, contrary to the provisions of Law no. 142/2011 set out in points 1-4 above, on 19.07.18, Law no. 143 for the amendment and completion of certain legislative acts, adopted in the framework of the applicability of the Law on data exchange and interoperability, supplemented Art. 5 of the Law on personal data protection with the letter g), stipulating that: „the consent of the subject of personal data is not required in cases where the processing is necessary for the data exchange according to the legislation in force regarding the exchange of data and interoperability”.
In addition, Art. 15 of the same law has also been amended so that, when personal data are accessed and processed through the interoperability platform, the following shall not be respected:
– the principles of personal data protection, which implies that data will no longer be required to be accessed only in a specific case that justifies such processing (such as the existence of a contravention, criminal, civil file, enforcement, notary procedure etc.) and not to be limited only to those necessary data that must be stored for a certain period of time;
– the rights of the data subject, which would mean that the person will not be informed that his or her data are being accessed and used for certain purposes, and will not be able to request the modification, completion or deletion of the data.
Both the national and the European personal data protection frameworks provide for these exceptions in order to protect supreme state interests such as security, public order and national defence, without the obligation to respect the rights of data subjects during investigations, but with the obligation to notify the Supervisory Authority of the filing systems administered by the authorities investigating major crimes. Even so, the wording of the amendment to Art. 15 of Law 133/2011 leaves the article open to vague, unclear and abusive interpretation in terms of breaches of human rights and fundamental freedoms. A reading of this amendment reveals the risk of misinterpretation and disproportionate application of the provisions of this article, because it creates the understanding that the highest state interests, such as defence, state security and public order, are placed on the same level as the regular exchange of data between public and private institutions through the interoperability platform. This is so even though, under the provisions of Law no. 142/2018, the public authorities and institutions with responsibilities in the field of oversight of entities in the financial sector, national defence, state security, maintenance of public order, crime prevention, prevention and combating of corruption, acts related to corruption and corruption offences are exempted from performing data exchange through the interoperability platform, to the extent that the specific legislation concerned applies.
If so, this amendment will flagrantly allow a degree of interference in the private life of the data subject by a public or private entity during the regular process of personal data exchange among them, with the total deprivation of data subjects of their rights with respect to their personal data and privacy – a serious breach of the provisions of the CoE Convention 108 and of the European Convention on Human Rights, to both of which the Republic of Moldova is a party.
In this context, it shall be emphasised that inserting these amendments into the personal data protection Law deprives the National Center for Personal Data Protection of the ability to properly authorise the connection to the interoperability platform, since the basic provisions applicable to the assessment of the safeguards of the right to privacy in connection with the processing of personal data have been excluded from the text of the law.
It is to be noted that the proposed amendments to the personal data protection Law have not been fully understood, or else the noble intention to establish an appropriate legal framework that would exclude certain impediments, or the possible unwillingness or opposition of data providers/controllers to connect to the interoperability platform, will lead to the establishment of a new legal basis for the processing of personal data.
This implies that any civil servant or private employee who has access to the interoperability platform will be able to access any information in the system with regard to any individual, without having a legal need (request, demarche, contravention, criminal, civil file, enforcement, etc.), which would mean that the provisions of the personal data protection Law will not apply to the processing carried out through this platform.
- In support of the fact that the above rules exceed the principles of personal data protection at the level of the European Union and the Council of Europe, the following legal arguments are put forward:
- In the text of the Council of Europe modernized Convention 108 on the protection of individuals with regard to the processing of personal data and European Union General Data Protection Regulation (EU GDPR 2016/679), repealing Directive 95/46/EC, we do not find such a legal ground provided for in the amendment of Art. 5 lit. g) of the personal data protection Law. By this amendment, the Republic of Moldova establishes a new legal basis for the processing of personal data in the absence of the consent of the data subject. This form of data processing established by the Republic of Moldova, under the conditions of the European legal instruments mentioned above, is considered non-transparent because:
a) such processing does not explicitly specify the safeguards ensuring that this processing does not harm the interests or fundamental rights and freedoms of the personal data subject, such as:
- the right to be informed on the identity and contact details of the controller and the legitimate interests pursued by the controller or third party;
- access to, rectification or erasure, or restriction of processing and the right to oppose the processing;
- the right to lodge a complaint with a supervisory Authority;
- the source of the personal data and, if appropriate, whether it comes from publicly available sources, relevant information on the logic used and the significance and expected consequences of such processing for the data subject.
b) from the point of view of the lawfulness of the personal data processing, such processing does not specify the list of purposes, the legal basis of the processing or the storage period, and is excessive from the point of view of the data categories which are subject to processing;
c) both legal instruments emphasise that the fundamental principles of data protection must be taken into account at all stages of data exchange and processing, through the obligation to comply with data protection principles from the time of conception/design and of data protection by default (privacy by design and privacy by default), in order to manage data security risks in accordance with the principle of keeping data collection to a minimum.
In the context of the above, it is recommended that the legislator unconditionally amend the provisions of Art. 5 para (5) lit. g) and Art. 15 para (1) of the Law on the protection of personal data in order to avoid total collusion against the right to privacy and personal data protection. In this respect, the Association is willing to provide all necessary capacity in terms of legal expertise to bring the provisions of the national legal framework of personal data protection into line with those mentioned above.