Another GDPR disaster: Journalists ordered to hand over their secret sources under 'data protection' law

When the GDPR [EU's General Data Protection Regulation] was being debated, we warned that it would be a disaster for free speech. Now that it's been in effect for about six months, we're seeing that play out in all sorts of ways. We've talked about how it was used to disappear public court documents for an ongoing case, and then used to disappear a discussion about that disappearing court document. And we wrote about how it's been used against us to hide a still newsworthy story (and that leaves out one other GDPR demand we've received in an attempt to disappear a story that I can't even talk about yet).

When I wrote about all of this both here on Techdirt and on Twitter, I had a bunch of "data protection experts" in Europe completely freak out at me that I had no idea what I was talking about, and how any negative impact was simply the result of everyone misreading the GDPR. I kept trying to point out to them that even if that's true in theory, out here in the real world, the law was being used to disappear news stories and was creating massive chilling effects and burdens on journalists. And the response was the same: nah, you're reading the law wrong.

And now we have an even more horrifying story of the damage the GDPR is doing to journalism. There's a Romanian investigatory journalism publication called RISE Project that has reported on corruption in Romanian politics. Not surprisingly, not everyone is happy about that. OCCRP -- the Organized Crime and Corruption Reporting Project -- a partner to RISE Project has the worrisome details about how the very Romanian government that RISE Project has been breaking corruption stories on has magically found the need to use the GDPR to demand the journalists turn over their sources.

The full story is a bit complex, but in reporting on Liviu Dragnea, the president of the ruling party in Romania, RISE Project made some connections between Dragnea and a local Romanian company, Tel Drum SA, "currently involved in a massive scandal in Romania."

RISE Project journalists found proof that Dragnea and his family benefited from Tel Drum SA money and had close relationships with the corporation's executives. They spent holidays abroad together, went hunting together and Tel Drum SA paid for various construction, maintenance and beautification works at properties belonging to Dragnea's family. Some of these were posted on RISE Project's Facebook page.

And, magically, soon after that, the Romanian Data Protection Authority (ANSPDCP), whose boss was appointed by Dragnea's party (and who is facing some corruption accusations as well), started demanding all sorts of info from RISE Project under the auspices of the GDPR.

Among the demands?

• The purpose and legal basis of publishing on the Internet (Facebook) of personal data, at the address;
• The date/period of time when the said personal data was published on your Facebook account;
• The source from where the personal data published on Facebook was obtained;
• The support (electronic and/or physical) where you stored the documents/images published on Facebook;
• If the mobile storage devices (tablet, HDD, memory stick) were/are password protected or encrypted;
• If you have other information/documents containing personal data of the said people;
• If the personal data or documents that contain personal data of the said people were revealed in other circumstances - with the specification of these circumstances;
• The way in which you informed the said people, in conformity with Art. 13-14 of GDPR.

Now, I don't know about you, but given all of the circumstances, the idea that these demands have anything to do with "data protection," and not the government implicated by this reporting trying to find out who snitched on them, seems perhaps far fetched. But, the Data Protection Authority is warning RISE Project that if it fails to hand over all of the above information, it faces fines of up to €20,000,000. I am guessing that an independent investigative journalism operation doesn't have that much cash to spare.

This, of course, puts the organization is quite a tight spot. Giving up its sources is a massive journalistic sin, especially when the real reasons for the demands are so transparent. But the risk of being embroiled in deathly litigation can't be much fun either.

And I know (I know) those very same "data protection" geeks who were screaming at me a few weeks ago are already screaming about just how terrible this article is because clearly the GDPR has built in protections for media organizations, so obviously this is the Romanian Data Protection Authority abusing its powers. To paraphrase these GDPR bros, "the problem is clearly with the Romanian Data Protection Authority, not the law."

Once again, of course, this ignores the reality of what is actually happening today. Sure, it would be great if governments and the politically powerful didn't abuse the laws to their own advantage and against the public interest, but when has that happened recently? The backers of the GDPR brought us this mess, and created a law that can plausibly be used in a manner where the threats alone are chilling to journalism.

And if you think it's bad now, just wait until more and more powerful individuals and entities realize this. This (again) shouldn't surprise anyone. We've seen it for decades with the DMCA. Once it clicked in people's brains that "oh, hey, this is a tool for censorship," it got used widely as the tool to take down anything you didn't like. And it was pretty successful at that. The GDPR is an even more powerful tool, because the potential fines are orders of magnitude larger than a copyright infringement award. Anyone still insisting that the GDPR isn't a problem for journalists because they've written in exceptions -- after all this -- is not to be taken seriously. They are putting their heads in the sand and ignoring the reality around them to pretend that what they want to be true actually is.