Not sure if I understand. How is a data privacy law being used to get an organization to reveal its sources? The article mentions something about the government needing to know how data were stored, but that’s all I could see that addressed this question.
Edit: Comments filled me in. The regulation seems to relate in part to people having the right to know who is collecting what data on them.
The source presumably had the information lawfully and, under GDPR, owed a duty to the subject of the information to (i) protect it from disclosure, and (ii) notify the subject of the information in the event of a breach or unlawful disclosure. However, GDPR does not extend that duty to protect/disclose when the data in question is being used for journalistic purposes. I suspect the corrupt government is just as eager to find the source of their leak as they are to bully these journalists into silence.
- The date/period of time when the said personal data was published on your Facebook account;
- The source from where the personal data published on Facebook was obtained;
- The support (electronic and/or physical) where you stored the documents/images published on Facebook;
- If the mobile storage devices (tablet, HDD, memory stick) were/are password protected or encrypted;
- If you have other information/documents containing personal data of the said people;
- If the personal data or documents that contain personal data of the said people were revealed in other circumstances - with the specification of these circumstances;
- The way in which you informed the said people, in conformity with Art. 13-14 of GDPR.
Still having trouble following. They're saying that:
"If you host someone's information for public view on a website, under the GDPR, you have to say where you got it. Therefore, if someone leaks our (the government's) information and you're hosting it, you must say who the leaker was."
Yes and no. GDPR only protects the data of natural persons, not the government. It's difficult to follow because the natural person in this case happens to be the leader of the ruling political party and the government's reason for using GDPR as an enforcement tool is tenuous at best.
GDPR does two important things: it gives natural persons rights over the data collected about them[1] and creates requirements for when/how/why a company can collect data about natural persons as well as what can be done with it (called "processing").
GDPR requires companies get affirmative consent from individuals in order to collect information about them and to inform them about how that information is processed. Importantly, the definition of processing under GDPR includes gathering, disclosing, and disseminating information.
From reading the demand letter and not knowing much else about the case it seemed to me that the government is taking the position that the data transaction between the source and the journalists was unlawful because the subject owner of the data (the politician) did not consent and that whoever provided the information (assuming they were permitted to possess the data) did not fulfill their obligation to protect it.
If you take the journalism/politician/embezzlement piece out of the equation the logic makes more sense. If you live in the EU and someone gets a copy of your tax return and posts it on Facebook the government would do well to figure out how that person got your tax return and make sure your accountant (who rightly has a copy of your tax return) is sufficiently protecting your personal information. Where the logic falls apart is that GDPR is expressly not intended to apply to information collected for "journalistic purposes," as is the case in Romania.
You're right. That's an oversimplification. GDPR requires a "lawful justification" to collect the information. The six justifications all speak to consent or fulfilling legal obligations (government investigation, court order, contract performance, etc.). Consent is a critical component of GDPR, though, as evidenced by the hundreds of GDPR consent emails that swarmed our inboxes in May.
The consent emails are evidence that people in charge were mindlessly following some rules given by some consultants.
Not all of them were necessary, and some of them might be harmful to those sending them down the road: if they had a valid reason before but asked, the question is what happens if the person on whom data was collected rescinds their permission? Answering "you refuse, but we have a legit reason according to GDPR" is a recipe for bad PR at least.
They are trying to intimidate Rise with this letter. Rise seems to be determined not to cave. This will be interesting, but I do not think it will get to the courts; the SDP leader needs a solution NOW. And I do not think the EU will be happy if the first fine paid in the name of GDPR will be a journalistic organization trying to uncover corrupt politicians.
The current government operates more like Erdogan or Putin than an EU country. The same government appeals to "human rights regulations of the EU" to justify passing laws that save several heads of government from ongoing corruption trials.