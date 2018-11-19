Yet Another GDPR Disaster: Journalists Ordered To Hand Over Secret Sources Under 'Data Protection' Law
When the GDPR was being debated, we warned that it would be a disaster for free speech. Now that it's been in effect for about six months, we're seeing that play out in all sorts of ways. We've talked about how it was used to disappear public court documents for an ongoing case, and then used to disappear a discussion about that disappearing court document. And we wrote about how it's been used against us to hide a still newsworthy story (and that leaves out one other GDPR demand we've received in an attempt to disappear a story that I can't even talk about yet).
When I wrote about all of this both here on Techdirt and on Twitter, I had a bunch of "data protection experts" in Europe completely freak out at me that I had no idea what I was talking about, and how any negative impact was simply the result of everyone misreading the GDPR. I kept trying to point out to them that even if that's true in theory, out here in the real world, the law was being used to disappear news stories and was creating massive chilling effects and burdens on journalists. And the response was the same: nah, you're reading the law wrong.
And now we have an even more horrifying story of the damage the GDPR is doing to journalism. There's a Romanian investigatory journalism publication called RISE Project that has reported on corruption in Romanian politics. Not surprisingly, not everyone is happy about that. OCCRP -- the Organized Crime and Corruption Reporting Project -- a partner to RISE Project has the worrisome details about how the very Romanian government that RISE Project has been breaking corruption stories on has magically found the need to use the GDPR to demand the journalists turn over their sources.
The full story is a bit complex, but in reporting on Liviu Dragnea, the president of the ruling party in Romania, RISE Project made some connections between Dragnea and a local Romanian company, Tel Drum SA, "currently involved in a massive scandal in Romania."
RISE Project journalists found proof that Dragnea and his family benefited from Tel Drum SA money and had close relationships with the corporation’s executives. They spent holidays abroad together, went hunting together and Tel Drum SA paid for various construction, maintenance and beautification works at properties belonging to Dragnea’s family. Some of these were posted on RISE Project's Facebook page.
And, magically, soon after that, the Romanian Data Protection Authority (ANSPDCP), whose boss was appointed by Dragnea's party (and who is facing some corruption accusations as well), started demanding all sorts of info from RISE Project under the auspices of the GDPR.
Among the demands?
- The purpose and legal basis of publishing on the Internet (Facebook) of personal data, at the adress https://www.facebook.com/notes/rise-project/teleormanleaks/1937024593056150;
- The date/period of time when the said personal data was published on your Facebook account;
- The source from where the personal data published on Facebook was obtained;
- The support (electronic and/or physical) where you stored the documents/images published on Facebook;
- If the mobile storage devices (tablet, HDD, memory stick) were/are password protected or encrypted;
- If you have other information/documents containing personal data of the said people;
- If the personal data or documents that contain personal data of the said people were revealed in other circumstances - with the specification of these circumstances;
- The way in which you informed the said people, in conformity with Art. 13-14 of GDPR.
This, of course, puts the organization is quite a tight spot. Giving up its sources is a massive journalistic sin, especially when the real reasons for the demands are so transparent. But the risk of being embroiled in deathly litigation can't be much fun either.
And I know (I know) those very same "data protection" geeks who were screaming at me a few weeks ago are already screaming about just how terrible this article is because clearly the GDPR has built in protections for media organizations, so obviously this is the Romanian Data Protection Authority abusing its powers. To paraphrase these GDPRbros, "the problem is clearly with the Romanian Data Protection Authority, not the law."
Once again, of course, this ignores the reality of what is actually happening today. Sure, it would be great if governments and the politically powerful didn't abuse the laws to their own advantage and against the public interest, but when has that happened recently? The backers of the GDPR brought us this mess, and created a law that can plausibly be used in a manner where the threats alone are chilling to journalism.
And if you think it's bad now, just wait until more and more powerful individuals and entities realize this. This (again) shouldn't surprise anyone. We've seen it for decades with the DMCA. Once it clicked in people's brains that "oh, hey, this is a tool for censorship," it got used widely as the tool to take down anything you didn't like. And it was pretty successful at that. The GDPR is an even more powerful tool, because the potential fines are orders of magnitude larger than a copyright infringement award. Anyone still insisting that the GDPR isn't a problem for journalists because they've written in exceptions -- after all this -- is not to be taken seriously. They are putting their heads in the sand and ignoring the reality around them to pretend that what they want to be true actually is.
Reader Comments
Some Advantages to Off-Shore Operations
For an entity like the Romanian investigatory journalism group, being off shore (or at least having the public face off shore) could be an advantage. It is less likely that a foreign court would be sensitive to the pain felt by the presidential cronies.
On the other hand, for a US entity, it can be good to be somewhere not too closely allied to the US govt. Being off shore offers some real protections. It is certainly not impenetrable, if the host govt decides to turn you over you can still be cooked. But it is better than being within the easy reach of the feds.
I can offer little specific guidance as to good places for relocation. (That's not my job. My job is to try to prise the information out of the govt in the first place.)
Re: Some Advantages to Off-Shore Operations
Re: Some Advantages to Off-Shore Operations
Considering that the US government considers it's authority to be worldwide, I don't see much "real protection" there.
Re: Re: Some Advantages to Off-Shore Operations
Not everyone.
Yes, it clearly is. However in a country where corruption is more a way of life than an exception (you even need to fork over some cash to get a doctor's appointment) it would've been nice if somebody built in some safeguards to prevent this from happening. I'm fairly sure the RDPA could find a "friendly" judge somewhere.
Or we could not try to fix something that's not broken but who am I to stand in the way of the bureaucrats.
OCRAP
Sorry, but this is BS
Re: Sorry, but this is BS
You really called it, Mike. They're already out spewing their nonsense. :)
Re: Sorry, but this is BS
In this case, they've picked GDPR. Reasons for doing so are likely that it affords them the easiest and most punishing method to attack RISE.
Now. Since GDPR is awesome, please advise what meaningful protections it has against being abused in this fashion. Is there a way to throw it back in the Romanian government's face? Some penalty for bad actors? What is RISE supposed to do when faced with the actions against under the GDPR?
Re: Sorry, but this is BS
In that case, let me know when the order is cancelled and Interpol arrest warrants are issued for the government officials involved. Should be sometime later today, right?
That is not all
This week I lost two more non European sites. One due to adds and one that wants to spread some virus.
Re: That is not all
"No Problem Here"
John Smith would love a dictator, it seems.
That is an unfair assumption. He might be aromantic and only want to be platonic friends with a dictator.
Re:
Re:
So Shiva is a necrophiliac rapist in your opinion?
[ reply to this | link to this | view in chronology ]
Re:
Greatest, fastest library in history still very much a library
Re: Greatest, fastest library in history still very much a library
That's funny coming from someone posting anonymously.
Re: tl;dr
...no, he's posting pseudonymously. You're posting anonymously.
Re: Re: tl;dr
And you're posting pedantonymously.
Re:
Amirite?
On a separate note ...
And yes, while it is a pretty far-reaching interpretation, the GDPR does appear to provide a legal basis for requesting this information. Although it is not clear if a government office can blanket-request copies of these data without breaching data protection laws themselves. After all, the GDPR is about the relationship between individuals and businesses, with government agencies acting as referees or enforcers, but not data collection authorities.
Re: On a separate note ...
Re: Re: On a separate note ...
If it's anything like the DMCA penalties for abuse are entirely theoretical, requiring a near impossibly high bar to be met to kick in, and as such in practice don't exist.
Re: Re: Re: On a separate note ...
GDPR proponents, come at me and clear this up. Are there strong protections, methods of redress, and penalties for abuse of the GDPR? Are they easily accessible and understood?
Re: Re: Re: Re: On a separate note ...
Are there strong protections, methods of redress, and penalties for abuse of the GDPR?
Not just 'Are their penalties for abuse?', but 'Are the penalties(assuming they exist) even remotely similar in scale?'
If one side faces potentially tens of millions in fines, and the other side only has to deal with penalties a fraction of that size(that they can simply offload to the taxpayers), then even if there are penalties for abuse they're worthless as a deterrent.
Watch What You Ask For
You really have to watch what you ask for. When someone from the government offers to help, Be Very Afraid.
Re: Watch What You Ask For
'What do you mean they exploited the loopholes?!'
The parallels with the DMCA grow ever larger, with the people insisting that the law's not to blame, it's those dastardly people exploiting it, ever so conveniently ignoring how easy to abuse it is and the people who were saying that before it was passed.
If you pass a law with entirely one-sided penalties, where those on the receiving end either fold or go under due to ruinous fines/legal action and there's no similar penalty for abuse of the law, you don't get to be surprised when it's used/'abused' to go after people/organizations/companies that someone doesn't like.
You might as well be shocked that a rock thrown in the air comes down on someone's head thanks to gravity. Everyone knew it would happen, they've seen it happen before, and if you somehow thought it wouldn't this time despite not putting in place anything to stop it from happening then you've nothing to blame but your own ignorance, willful or otherwise.
Story you can't talk about?
why, per chance, would you be bound by the GDPR?
This is a purely european shitshow, that has no bearing on you.
This is from a german, that really hates (with a capital H) the GDPR.
GDPR delenda est!!!
Cheers, oliver
Giving them enough rope to hang themselves
Clearly it's a ploy to give the one making the demands time to come out with even more details TD can then use to mock them in a public post pointing out that, nah, they're not going to do any of that, because would you look at that, they aren't in the EU.
Is this "I can't talk about the GDPR demand" or "there is a GDPR demand about a story, but I cannot talk about the story itself"?
who had this as one of the horrible outcomes they EU kept saying would NEEEEEEEEEEVER happen.
