Image: iStock

Amid intense global debates about surveillance and online privacy, Romania has decided to give its state authorities access to personal data, such as phone-call metadata, equipment IDs, and localization.

Under a controversial new law, dubbed 'Big Brother' by the local media, state authorities in Romania will soon have a right to access citizens' data stored by telecoms and internet providers.

The act was signed by Romanian president Klaus Iohannis last week, after being successively passed by the two chambers of the country's parliament in September. Now, it just needs to be published in the Official Journal of Romania to come into effect three days later.

"The act is an extension of the E-privacy Directive of the European Parliament, detailing how Romanian authorities may access data already stored by the electronic communication providers," Bogdan Manolea, IT legal expert and executive director of the Romanian Association for Technology and Internet, said.

"Although it is not a data-retention law, the quality of the legal text raises more questions than answers."

Read this The mix of poverty and piracy that turned Romania into Europe's software development powerhouse Nearly two-thirds of Romania's computers run at least one piece of illegal software – a sign of a technological heritage that means it now has the most technology workers per capita in Europe. Read More

The law first came up for debate in 2014, before being ruled unlawful by Romania's Constitutional Court.

At the centre of the controversy is a paragraph of the legal text specifying that telecoms companies and internet providers have to hand authorities their clients' data upon request within 48 hours, if a judge issues an authorization.

This information includes information about calls, equipment, and locations. Inquiries may come from prosecutors, from the secret services or from defense structures, such as the Ministry of National Defence.

The act says telecoms companies and internet providers have to keep their customers' traffic data only as long as necessary for interconnection and marketing purposes. This period cannot exceed a maximum of three years.

However, using a special request, the authorities might ask providers to retain certain clients' traffic data for an extended period. In this case, a maximum timeframe of five years is stipulated, starting on the day the paper was filed.

The act also states that when the technology companies send information to state entities, they have to use an extended electronic signature, to guarantee the integrity of the data.

Opponents of the new law argue that this section of the legislation should have been fined-tuned to avoid abuses and misinterpretations. For instance, the legal text should have stipulated that access to people's data would only apply in relation to serious crimes, Manolea said.

His association has also demanded greater transparency, so that people can discover how much data the authorities are requesting.

Major Romanian politicians decided to support this bill during a meeting held in May, when President Iohannis and party leaders discussed the matter. At that time, several organizations also signed an open letter asking for clarifications and a public debate.

"This never happened and the law was rushed through parliamentary procedures, with no changes to the text," Manolea said. "Not even the grammar mistakes were corrected."

The secret services are among the organizations that lobbied for the bill, arguing that the country is vulnerable against terrorist attacks and organized crime. They emphasized the need for even stronger regulations following January's Charlie Hebdo shootings in Paris.

The new law comes at a time of controversy about surveillance legislation and online privacy. NGOs such as Amnesty International and the United Nations Human Rights Committee are taking a stand against several bills proposed in France, Switzerland, UK, and the Netherlands, arguing that they damage human rights.

Read more on central Europe