The Romanian Secret Services’ press release does little to clarify the disguised mass surveillance project and indirectly confirms all our suspicions. SRI’s reply gives rise to more fundamental questions which need to be clarified. Below is our translation of several excerpts of the press release.
“The SII Analytics project – an information system for the integration and operational and analytical exploitation of big volumes of data is designed to assure a superior analytical capacity of databases from major public institutions in Romania. The platform’s objective is to considerably increase the search speed of relevant information in existing databases.
In practical terms, instead of interrogating different, informational and procedurally inhomogeneous systems, public institutions will be able to access the information rapidly and efficiently and in an integrated manner. The system does not collect new information, but rather it analyses the existing data based on algorithms.”
These affirmations are correct and do not contradict our previous conclusions. The key issue still stands: Is SRI duplicating the databases of the public institutions in question?”
The analysis of the technical specifications and of SRI’s public comment leads us to conclude a positive answer. In this context, this “super-database” will be a goldmine for SRI and other institutions which will be able to search at any time any type of information, without a court order or other procedural limitations.
“The need for rapidity in accessing the databases is imposed by threats specific to intelligence institutions – terrorism, illegal migration, organized crime – the combating of which requires a first rapid reaction.”
Without denying the correctness of this affirmation, we cannot stop questioning its relevance in the context of an eGovernment project and not one related to terrorism, illegal migration, organized crime etc. This leads to conclude that SRI’s project will have a different purpose from what was initially declared – which is illegal from a personal data processing legislation point of view.
“The project’s purpose is to modernize and make more efficient the internal activities of public institutions with attributions in preventing and combating terrorism, organized crime, corruption and tax evasion, and its beneficiaries (Ministry of Interior Affairs, Public Ministry, Ministry of Public Finance, Fiscal Anti-fraud Department, Romanian Secret Service).”
This information is also correct, but incomplete. It needs to be reminded that the Ministry of Public Finance cannot directly access the Ministry of Interior Affairs’ database since the European Court of Justice declared this processing illegal in Bara vs. CNAS (C201-14) based on the interpretation of Directive 95/46/EC and Law 677/2001 on personal data protection.
Basically, the SII Analytics system will be just a way to circumvent the law.
“The project includes a complex auditing system assuring compliance with enforced regulation and security norms for accessing stored data, all queries being automatically logged and analysed for preventing any type of abuse.”
This information can easily provide misguidance. SRI does not refer to Law 677/2001 on data protection as “enforced regulation” because it believes it is not subject to such legislation. Therefore, the citizen’s data are not protected since there is not competent authority to verify compliance.
If the data protection law would have been mentioned in SRI’s statement, the first obvious questions would have been: “If the data have been collected for one purpose, why are they used for a different scope? Was there a personal data impact analysis performed?”. Other important questions are: Who is the external auditor of the system (provided that there is indeed one external auditor for this project)? Who is responsible for the technical analysis of the system? What are the mechanisms to ensure the accuracy of the logs?
In conclusion, the fundamental questions still stand:
- are citizen’s data going to be merged in a single massive database without the real possibility of control. How is this in line with Romanian and European Union legislation?
- what is the role of hardware and interception software in an eGovernment project?
- what does facial recognition has to do with eGovernment?
- what is the role of SRI in eGovernment in general, but also in this project specifically? Was SRI indeed an eligible institution for receiving the funding?
Therefore, we are still urging for the public procurement process to be annulled and for the project which grossly violates fundamental rights to be invalidated.
We are also signalling the necessity to introduce as a necessary requirement for accessing European funds the interdiction to use such funding for violating or limiting human rights. At the same time, we also highlight the need for a public debate on the role of the SRI in the Romanian society and regarding the guarantees for avoiding this type of abuses and increasing institutional transparency.