Facial recognition & Privacy regulation in Romania

Romania's technology sector has grown in recent years, as multiple tech companies have opened subsidiaries and developed a whole new system by which society works, and Romanian public and private authorities have started using facial recognition technology. It is therefore urgent for the Romanian government to adopt additional measures to ensure data privacy and human rights within its national jurisdiction.

This is because, although using facial recognition to monitor the population and catch the “bad people”, or to ease people’s day-to-day lives, could be beneficial, its use could lead to breaches of European human rights and national laws. This should, needless to say, be addressed within the Romanian legal system through measures additional to those already granted through EU law, such as the General Data Protection Regulation (GDPR) and the European Convention on Human Rights (ECHR). In a world where technology is a constant in most lives, we must analyze the evolution of technology-related law and the possible improvements that could be enforced by the Romanian Government.

About Romania’s legal system

Romania is a civil law jurisdiction, based on the standing Constitution of 1991, which states in Article 1(3) that it “is a democratic and social state, governed by the rule of law, in which human dignity, the citizens’ rights and freedoms, the free development of human personality, justice and political pluralism represent supreme values.”

Moreover, it has been part of the EU since 2007 and has long been adapting to and following the legal provisions of the EU, especially in regard to the regulation of technology. It is now a signatory party of the GDPR and ECHR, which together create an urgent need for the Romanian authorities to take the necessary steps to ensure “citizens’ rights and freedoms” and the applicability of the EU provisions that advocate for human rights and data privacy, which are put at risk by the use of facial recognition within Romania’s territory.

Bearing that in mind, we will now analyze the legislative history of technology in Romania and relate it to the social and legal issues that might be present in its legal system.

Romanian law in regard to technology

The link between law and technology first appears in Law no. 455/2001, in which “data” was defined by Article 4 as “an electronic form if it is attached to or logically associated with other electronic data which serve as a means of identification.” The Government also implemented the Strategy for Computerization in the same year, which proposes three ideas: firstly, that the information has the aim of increasing operational efficiency in the central and local government authorities, thus the government shall provide a suitable framework for this; secondly, that the computerization of services for both citizens and firms involves the integration of services that are granted by local or central government, so the legal system shall be adopted accordingly; lastly, that the public authorities shall provide access to information for users through IT services.

However, regulation of facial recognition still seems to be lacking under Romanian law, a gap the Government should urgently tackle in order to ensure personal data privacy. This is supported by the 2019 report of the Romanian National Supervisory Authority for the Processing of Personal Data (ANSPDCP), in which the agency argued that, in the absence of national law providing adequate means for the protection of data and the rights of data subjects with respect to the biometric data processing of visitors and employees for access to office buildings, the purpose that was followed does not account for the level of violation of law.

The W’s of regulation

It is clear that privacy under the Romanian legal system is an important aspect of the regulatory framework. The authorities have discussed the issue of privacy and personal data in numerous legislative acts, which gives something of an opening for a possible implementation of facial recognition regulation. This is especially significant because law enforcement agencies are now looking to acquire such technological devices, while PayByFace has been introduced in places like cafes (Tucano Cafe).

Such initiatives raise the question of the legality of facial recognition and whether its use could be linked to breaches of human rights, such as the right of privacy enshrined in Articles 8 ECHR and 32 GDPR. The PayByFace app allows customers to pay by using their face: the system converts their facial features into an encrypted template and then searches for a match to a registered user in a local database. Additionally, the initiative of the Romanian police has been criticized by multiple NGOs, which have questioned the legality of such a measure.

Accordingly, after the implementation of the GDPR back in 2016, the tasks and goals enshrined in EU law were to be pursued by ANSPDCP, which struggled from the very beginning with the lack of a regulatory framework in regard to facial recognition. Considering that there is still a lack of regulation and monitoring instruments for facial recognition, which has started to be used within the Romanian territory, it is now evident that there is an urgent need for public authorities to tackle the issue at hand in such a way that they ensure the protection of data privacy (as enshrined in the GDPR) and human rights (granted by both the Constitution and EU law, more specifically the ECHR).

While implementing additional law can surely be done by the Government itself, monitoring facial recognition shall be the responsibility of ANSPDCP. It would also be beneficial if the latter state authority allowed NGOs to bring initiatives on behalf of the population, since the Romanian public authorities should also take into account the belief and desire of the nation. The NGOs could therefore implement soft law, which would later be transformed into a regulatory framework by the Government. Ensuring that the law is applied and respected by businesses, but also by the people, would be achieved by ANSPDCP.


While Romania has shown an incredible improvement since the early 2000s in regard to the regulation of technology, there is still a need for more regulation, especially when it comes to data privacy and facial recognition. As already mentioned, this could be done by allowing the ANSPDCP to work closely with both the NGOs and the Government in ensuring the nation’s welfare and respect for human rights and privacy. While the Romanian system has been partially influenced by EU law, more could be done at the national level as well.

If you would like to address more questions or if you need a legal consultation, you can contact us at office@rrpb.ro or by accessing our site www.rrpb.ro for more information.
