Moldova’s New Data Protection Law Is a Step Forward, But Ambiguity Could Undermine It
Moldova’s proposed law on the processing of personal data by competent authorities is, on paper, a well-structured legal framework. Its weakness lies not primarily in what it says, but in how often it leaves room not to say things clearly. The law is a step forward. But in Moldova, a step forward taken through fog is still not enough progress.
Imagine a border officer at a crossing point.
She understands the law in theory. But the guidance she has been given is written in paragraphs that circle around themselves, refer back to earlier provisions that point forward to later ones, and rely on phrases such as “to the extent possible.”
She is left uncertain.
And uncertainty in law enforcement is never neutral. It is usually resolved in favour of the authority exercising power.
That is the central problem with Moldova’s draft law on the protection of personal data processed for the prevention and investigation of criminal offences.
At its core, the draft is genuinely aligned with European standards. It follows the EU Law Enforcement Directive and includes important provisions on accountability, logging, data protection impact assessments, record-keeping and breach notification.
But the drafting reflects an older and more discouraging legislative habit: using ambiguity where precision is needed most.
Ambiguity as Legal Architecture
The draft defines a “competent authority” by listing categories and examples, before adding the phrase “any other entity empowered by law.”
A more precise formulation would be “empowered through legislation,” but the broader problem remains.
This wording could allow almost any institution to become a competent authority with law enforcement functions, provided it receives a sufficiently broad mandate through sufficiently vague secondary legislation.
That creates room for dispute exactly when legal certainty matters most: during criminal investigations, when individuals are already at their most vulnerable.
Articles 12 to 16, which deal with the rights of data subjects, provide the clearest example.
They combine three distinct legal actions:
- the temporary delay of information;
- the partial restriction of data protection rights; and
- the complete refusal of those rights.
These are not the same.
Each should require different grounds, different procedural safeguards and different routes of appeal.
Combining them under similar wording does not simplify the law. It weakens judicial scrutiny.
A court cannot easily overturn a refusal that was never clearly classified as a refusal in the first place.
This is not simply a drafting oversight. It reflects a wider pattern in Moldovan legislation, where officials are often given discretion not through clearly defined exceptions, but through the grammar of ambiguity.
Silence When Citizens Are Denied Their Rights
When individuals are denied access to their personal data, they should be informed.
Not eventually.
Not merely “to the extent possible.”
They should be told promptly, in writing, and given a reason capable of being reviewed.
Article 29 addresses notification following a personal data breach where the breach is likely to result in a high risk to individuals.
However, it leaves several critical questions unresolved.
Who makes the decision?
What evidence must support it?
Must the decision be justified in writing?
In Moldova, where trust in public institutions is still being rebuilt, this gap risks weakening accountability through inaction dressed in legal language.
The draft should introduce three concrete safeguards.
First, a written justification should be mandatory whenever a data protection right is restricted. That justification should not remain only in an internal file. It should be communicated to the data subject or their representative.
Second, Articles 12 to 16 should clearly distinguish between delay, restriction and refusal. Each should have its own legal threshold, procedural requirements and review timeline.
Third, every restriction should be subject to a sunset clause. If a delay is not converted into a formal restriction within a defined period, the original right should be restored automatically.
Verbosity Is Not Precision
Some may argue that detailed legislation is strong legislation.
The governance provisions demonstrate why that is not always true.
Articles 17 to 24 contain some of the strongest elements in the draft, including obligations relating to accountability, data protection officers, records of processing activities and impact assessments.
But these provisions are so heavily burdened with cross-references that a compliance officer attempting to map the obligations may need to read the same requirement in several different places before understanding what it actually demands.
That is not rigour.
It is obscurity disguised as rigour.
A law that only specialists can navigate is, in practice, a law that only specialists can meaningfully enforce.
In Moldova, those specialists are more likely to work for the institutions being regulated than for the citizens the law is intended to protect.
The entire text needs a consistency review.
Recurring terms such as “operator,” “competent authority,” “necessary and proportionate,” and “to the extent possible” should be used consistently and carry the same meaning throughout the law.
Long and densely structured paragraphs should also be broken down.
Not because the law must be simplistic, but because it must be usable.
The Counterargument: Flexibility Has Value
The officials who drafted the law may argue that open-ended language gives authorities the flexibility to respond to changing circumstances.
That includes new investigative technologies, emerging threats and cross-border data flows.
This is a legitimate concern.
The EU Law Enforcement Directive itself allows member states a degree of discretion.
But flexibility and ambiguity are not the same thing.
Flexibility means clear rules accompanied by defined exceptions.
Ambiguity means that the rule itself is uncertain.
Article 35 illustrates the difference.
It allows operators to assess whether “appropriate safeguards” exist for transfers of personal data to third countries, based largely on their own judgment.
There is no mandatory assessment methodology and no clear requirement for prior approval by the supervisory authority.
That is not meaningful flexibility.
It is discretion without sufficient control.
Adopt It. Then Fix It
The Parliament of the Republic of Moldova should adopt this law.
It represents an important step towards EU alignment in an area that has remained under-regulated for too long.
But adopting it without a clear and committed revision process would create a different kind of risk.
The new framework could become a new legal cover for old institutional practices.
The supervisory authority, the National Centre for Personal Data Protection, needs a clear mandate to issue binding guidance on every provision that uses phrases such as “to the extent possible,” “appropriate measures,” or similarly elastic wording.
Parliament’s legal committee should also require the publication of a plain-language compliance guide within six months of the law entering into force.
A data protection law that can only be understood by the institutions it is supposed to restrain does not provide meaningful protection.
It creates paperwork.
Moldova can do better.
The strongest parts of this draft already prove that.
The real question is whether the same standard of clarity will be demanded across the rest of the law.
Textele de pe pagina web a Centrului de Investigații Jurnalistice www.anticoruptie.md sunt realizate de jurnaliști, cu respectarea normelor deontologice și sunt protejate de dreptul de autor. Preluarea textelor știrilor și a investigațiilor jurnalistice se realizează în limita maximă de 500 de semne. În mod obligatoriu, în cazul paginilor web (portaluri, agenții, instituţii media sau bloguri) trebuie indicat şi linkul direct la articolul preluat de pe www.anticoruptie.md în primul alineat, iar în cazul posturilor de radio și TV – se citează obligatoriu sursa. Preluarea integrală a textelor se poate realiza doar în condiţiile unui acord prealabil semnat cu Centrul de Investigații Jurnalistice.
Subscribe
