Romania: Trends in competition and data protection investigations l Consumer welfare. Industry focus

Competition or data protection authorities tend to be interested in industries prone to consumer risks, such as telecom, financial services, energy, pharma or tourism, and we expect these will continue to be in the spotlight.
Back in 2017, on its 20^th anniversary, the Romanian Competition Authority (the "RCA") commissioned a study to assess the impact of its interventions in 10 key industries, including consumer benefits. This study, prepared by the Bucharest Academy for Economics, estimated savings of EUR 1bln by Romanian citizens over the 20 years of the RCA.

Competition and data protection investigations: synergies and trends
It will come as no surprise to many of our readers that over the past 10 years the RCA has developed a steady practice of investigating high-profile companies and applying severe turnover-based fines. On average, the RCA opens more than 10 new large-scale investigations each year and finalises about the same number of cases.
On the other hand, the reported number of investigations opened by the Romanian Data Protection Authority (the "DPA") in the first 12 months of application of the GDPR may come as a shock: 485 investigations ex officio and 496 investigations following 5,260 complaints received by the authority.
But mere numbers are irrelevant when seeking to benchmark the efficiency of one authority versus another in terms of investigations. This is because the DPA's procedural rules are much looser and its investigations less intrusive than the RCA's (at least for now).
For example, statistics released by the DPA show that most of the investigations were conducted in writing. On-site investigations took place only in very few cases. The RCA in turn always kicks off its large-scale investigations with dawn raids authorised in advance by the Bucharest Court of Appeal. We expect the DPA will likely also become subject to stricter rules in the short to medium term, similar to the RCA, as subjects will need an adequate level of protection against potential abuses.

Sanctioning trends
The RCA and DPA also take different approaches when applying sanctions.
While the DPA currently appears to be more focused on remedies and corrective measures, the RCC traditionally applies heavy fines (a no-fine scenario is truly exceptional, for example, when a case would be closed via commitments).
To date the DPA has only applied very few fines, with their largest fine of EUR 150,000 in October 2019. Over its first 20 years, the RCA applied fines totalling EUR 574m, with the largest fine of EUR 205m applied in 2011.
The RCA follows clear-cut and detailed rules for calculating the level of a potential fine, based on the gravity and duration of the alleged infringement and factoring in mitigating and aggravating circumstances. The rules for fines applied by the DPA are nowhere near as transparent, though. We expect the DPA rules to become clearer by also relying on the established know-how of the RCA and on those of other European data protection authorities.
Finally, fines applied by the DPA have faced limited scrutiny. Public records show that only two fines were challenged in court, which may imply either that companies have not found compelling grounds for a counterclaim or remain reluctant to pursue challenges in court, especially given the low fines. Conversely, fines applied by the RCA are usually challenged in court, particularly in a no-settlement scenario.

Readiness is everything
We anticipate the RCA will continue to be a powerful and active authority. It is only a matter of time until the DPA becomes more aware of its sanctioning powers and therefore more active.
Continued compliance is essential to mitigate potential risk. Detailed procedures (including on how to behave during raids), employee trainings and awareness raising programmes (including periodical checks or audits of ongoing day-to-day practices) should be part of every company's compliance toolkit.

Co-Author: Costin Sandu