After a process that took more than five years, the National Assembly of Serbia finally adopted a new Law on Personal Data Protection in November 2018. The law closely follows EU’s General Data Protection Regulation (GDPR), almost to the point of literal translation into Serbian of some parts of the text. That was expected, due to Serbia’s EU membership candidacy. However, it seems it will be very difficult to implement the new legislation in practice – and thereby actually make a difference, as there are numerous flaws that were overlooked when the law was drafted and enacted.
There is not a high level of privacy culture in Serbia and therefore the majority of people are not aware of how the state and the private sector are collecting and handling their personal data. The recent affair with new high-tech surveillance cameras in Serbia’s capital city Belgrade, which were supplied by Huawei and have facial and vehicle license plate recognition capabilities, shows that little thought is invested in how intrusive technologies might impact citizens’ privacy and everyday lives. The highest-ranking state officials for internal affairs, the Minister of Interior and the Director of Police, have announced in the media that these cameras are yet to be installed in Belgrade, while a use case study on Huawei’s official website claimed that the cameras were already operational. Soon after EDRi member SHARE Foundation, a Serbian non-profit organisation dedicated to protecting and improving human rights in the digital environment, published an article with information found in Huawei’s “Safeguard Serbia” use case, the study miraculously disappeared from the company website. However, an archived version of the page is still available.
Considering that the adaptation period provided in the law is only nine months after its coming into force – compared to two years under the GDPR, the general feeling is that both the public and the private sector will have many difficulties in adjusting their practices to the provisions of the new law.
In the past years, we have witnessed many cases of personal data breaches and abuse, the largest one undoubtedly being the case of the now defunct Privatization Agency, when more than five million people, almost the entire adult population of Serbia, had their personal data – such as names and unique master citizen numbers, exposed on the internet. The agency was ultimately shut down by the government, and no-one was held accountable as the legal proceeding was not completed in time (see PDF of Commissioner’s report, 2017, p. 59).
Although the Serbian law contains key elements of the GDPR, such as principles relating to processing of personal data and data subjects’ rights, its text is very complicated to understand and interpret, even for lawyers. One of the main reasons for this is the fact that the law contains provisions related to matters in the scope of EU Directive 2016/680, the so-called “Police Directive”, which deals with processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data. The law also fails to cover video surveillance, particularly important aspect of personal data processing. The Commissioner for Information of Public Importance and Personal Data Protection, Serbia’s Data Protection Authority, and civil society organisations have pointed out these and other flaws on several occasions (see, among other, Serbia’s former Commissioner’s comments), but the Ministry of Justice ignored these comments.
In addition to filing a complaint to the Commissioner, citizens are also allowed under the law to seek court protection of their rights, creating a “parallel system” of protection which can lead to legal uncertainty and uneven practice in the protection of citizens’ rights. Regarding data subjects’ rights, the final text of the law includes an article with limitations to these rights, which omitted that they can only be restricted by law. In practice, this would mean that state institutions or private companies processing citizens’ personal data may arbitrarily restrict their rights as data subjects.
To make matters even more complicated, the Serbian National Assembly still hasn’t appointed the new Commissioner, the head of the key institution for personal data protection reform. The term of the previous Commissioner ended in December 2018, and the public is still in the dark as to whom will be appointed and when. There are also fears, including on behalf of civil society and experts on the topic, that the new Commissioner might not be up to the task in terms of expertise and political independence.
New and improved data protection legislation, adapted for the world of mass data collection and processing via artificial intelligence technologies, is a key component of a successful digital transformation of society. In Serbia it is, however, usually considered as a procedural stepto join the EU. A personal data protection framework which meets high standards set in the GDPR in practice is of great importance for the digital economy, particularly for Serbia’s growing IT sector. If all entities processing personal data can demonstrate that they are indeed GDPR-compliant in their everyday practices, and not just “on paper”, there will be more opportunities for investments in Serbia’s digital economy and for Serbian companies to compete in the European digital market.
It will take a lot of effort to improve the standards of data protection in Serbia, especially with a data protection law which will be difficult to implement in practice. Therefore, it is of utmost importance that the National Assembly appoints a person with enough expertise and professional integrity as the new Commissioner, so that the process of preparing both the private and public sector for the new regulations can be expedited. As the application of the new Law on Personal Data Protection starts in August 2019, it should be regarded as just the beginning of a new relationship towards citizens’ data, which requires a lot of hard work to accomplish. Otherwise, the law will remain just a piece of paper with no practical effect.
This article was originally published at https://policyreview.info/articles/news/will-serbia-adjust-its-data-protection-framework-gdpr-practice/1391
Law on Personal Data Protection (only in Serbian, 13.11.2018)
Outgoing Serbia’s Commissioner warns of data protection law (23.10.2018)
Serbian Data Protection Commissioner: NGOs call for transparency (04.12.2018)
(Contribution by Bojan Perkov, EDRi member SHARE Foundation, Serbia)