Serbia: Very different proposals of the new Law on Personal Data Protection

Data Protection

Uroš Popović

Publisher: Bojović & Partners

The area of personal data protection in Serbia started to develop only with the enactment of the Law on Personal Data Protection at the end of 2008. Even though the law governing this area existed even before, it had never actually been applied in practice. The reason for this was a very low level of willingness of the state to effectively protect these rights of data subjects, and the consequential lack of awareness of citizens about their rights and the degree of their vulnerability. Namely, in that period, it was not yet determined which body of the Republic of Serbia would be competent to supervise the application of that law. 

This situation changed for the better to a certain extent with the enactment of the “new” law, even though the European Commission assessed it, after its adoption, as only “partially harmonized” (primarily) with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as: the “Directive”), and also with other directives, regulations, and opinions which comprise the acquis communautaire in the area of personal data protection.

The Law on Personal Data Protection, in force for more than five years (hereinafter referred to as: the “Law”), despite its initial inconsistency, was amended only on two occasions and not significantly. The Commissioner for Information of Public Importance and Personal Data Protection (hereinafter referred to as: the “Commissioner”) has pointed out on every possible occasion the normative deficiencies of the Law as well as the deficiencies in its application. Namely, not only was the secondary legislation which was supposed to regulate the matter in a detailed manner, and which was necessary for the implementation of the Law, never adopted (this primarily refers to the protection of particularly sensitive data), but the constant increase in the use of modern technology, electronic communications, devices for video surveillance, processing of biometric data and the like was also not accompanied by appropriate modern legal solutions, which inevitably resulted in a rapid and substantial increase in the risks of unlawful processing of data.

The Commissioner’s concern over the low level of compliance with European standards, inappropriate provisions and incomplete legislation resulted in the drafting of a proposal of a new law on personal data protection (hereinafter referred to as: the “Model”) and its presentation by the Commissioner to the Ministry of Justice in 2014. The Ministry of Justice kept the matter of inadequate protection of personal data “under the rug” for a long period of time, thus disregarding one of the fundamental rights protected and guaranteed by the Constitution - the right to privacy.

However, the Commissioner’s initiative and plea for the amendment of the regulations were finally recognized by the Ministry of Justice in November this year through the drafting and publication of the draft law on personal data protection (hereinafter referred to as: the “Draft”) and scheduling of public discussion in that regard, whereas one of the major incentives for such conduct was certainly the fulfilment of the obligations set forth in the Action plan for Chapter 23 within the negotiations on Serbia's accession to the European Union. 

The Commissioner expressed his discontent immediately upon the publication of the Draft. Namely, according to his statement, the Commissioner has evaluated the Draft as “significantly below the needed and expected level”, emphasizing that it “practically ignores the majority of problems which are identified in current practice, and which are the source of numerous violations of citizens' rights”. In any case, the general impression is that the Commissioner’s Model regulates the issues which caused problems in practice so far in a more detailed manner, as evidenced by the fact that its text contains 30 articles more than the Draft. 

Comparing the Model and the Draft, vast discrepancies between the legal solutions proposed in the two texts are clearly visible. While the Commissioner’s approach corresponds to reality, because it is primarily based on problems that he and his associates encountered in practice due to the lack of adequate (or any) legal solutions, the approach of the Draft, prepared by the Working group formed within the Ministry of Justice, seems more focused on the preservation of national interest.

One of the fundamental remarks of the Commissioner which the Working group did not accept in its Draft refers to the area of management of particularly sensitive data and specific forms of data processing. The difference in that regard is already obvious in the definition of "sensitive data". Namely, the Draft erroneously kept “gender”, from the definition in the currently applicable Law, as an element based on which the “sensitivity” of the data is determined, thus carrying forward the problems of its different interpretation. Unlike the Draft, the Model brings a somewhat clearer determination - change of gender - providing a higher degree of legal certainty.

In addition, unlike the Law, which did not regulate biometric data as a special category of sensitive data at all, the Draft includes this data in the definition of particularly sensitive data, but governs its processing in a unified manner, without taking into consideration the special features of the processing and the increasing prevalence of its use. The Draft authorizes the Government to regulate the manner of storage and protection measures with a secondary act of legislation, keeping the same solution as the currently applicable Law, which proved to be very poor considering that the adoption of the relevant acts never took place.

On the other hand, the Model thoroughly regulates the processing of particularly sensitive data, specifically focusing on the processing of biometric data and data obtained through video surveillance, processing for purposes of direct advertising by various means of communication, records of entering and exiting the business premises, processing of personal identification number on the Internet and use of personal identification documents, as well as special forms of processing, the use of which the Commissioner identified in practice as the most widespread, therefore choosing to regulate it in a special manner. The Commissioner, in his explanation of the Model, states that the main reason for separating the mentioned forms of processing and their special regulation is the fact that these issues were absolutely unregulated in the legislation so far, which caused significant problems in practice.

When it comes to the territorial application of regulations, both the Model and the Draft, each in its own way, tie the implementation of regulations to the territory of the Republic of Serbia, which was not the practice so far. Namely, the Model ties its application to the resident data controllers, as well as to non-resident data controllers if they use the equipment in the territory of the Republic of Serbia (in which case such data controllers are obliged to appoint their representative with the seat, i.e. permanent or temporary residence in the territory), unless such equipment is used only for the transfer of personal data through Serbian territory. The Model especially singles out and underlines its application to the diplomatic-consular and other representations of the Republic of Serbia abroad, eliminating any dilemma in that regard. Unlike the Model, the Working group explicitly excludes tying of application to the registered seat or permanent or temporary residence, giving priority to the very act of processing of personal data. In that regard, the Draft prescribes that it will apply to each processing which is performed in the territory of the Republic of Serbia, as well as to processing outside its territory, if such application is prescribed by the international law, the Draft or treaty, unless such data is only transferred through Serbian territory. It remains unclear why the Working group deviated not only from the solution provided by the Directive, but also from the legal solutions in the region, all of which take the residency of the data controller or the use of equipment in the territory as the tying element of their application.

Another significant difference between the two proposals of the new law can be seen in the fact that the Model foresees the possibility of expressing the consent of data subjects not only in writing or orally for the record, but also by a concludent act, defining it as one or more acts, i.e. conduct which is clear and unambiguous and on the basis of which it can be concluded with certainty that the consent of the data subject exists. This significant novelty is actually a reaction to the increasing development of technology and the increasing presence of the Internet in everyday life and communication. On the other hand, it seems that the Working group placed greater weight on mitigation of the risk of possible misuse of personal data which would arise from introducing consent on the basis of a concludent act than on the fact that the introduction of this novelty would facilitate the traffic.

The Draft broadens the list of exceptions from the mandatory obtaining of consent for the processing of personal data compared to the Law, anticipating, in the form of broad formulations in favour of public interest, that the processing without consent is allowed, inter alia, for the purpose of fulfilling obligations of the data controller determined by the law, as well as in situations when processing is necessary in order to perform tasks for the realization of public interest or for the purpose of carrying out legal authorizations of the data controller or third party to whom the data is made available. The Model, on the other hand, provides exceptions only in two situations and in a different manner depending on the type of the data controller, introducing the legitimate interest concept for the first (meaningful) time: while the data controller which is a public authority may process data without consent of the data subject only in the event that it is in a contractual relationship with such person, or is negotiating the conclusion of a contract with such person, the data controller which is not a public authority may process data without consent if processing of data is in the legitimate interest of such data controller. In each case, these exceptions are allowed only to the extent to which the data processing is necessary and appropriate, and in case of realization of the required legitimate interest of the data controller - under condition that the rights, freedoms and legitimate interests of data subjects do not prevail over the interests of the data controller.

An important novelty compared to the Law, stipulated by both the Draft and the Model, is the introduction of the obligation of engaging a person for protection of personal data and the obligation to adopt a general act on the protection of personal data. However, while the Model prescribes these obligations only for data controllers which are public authorities, data controllers which process particularly sensitive personal data, and data controllers with more than 500 employees, the Draft does not link these obligations to the number of employees, but stipulates that this obligation exists, besides for public authorities and processors of particularly sensitive data, for all data controllers whose business activity consists of processing of data. Also, the Model prescribes and regulates in detail the obligatory taking of an appropriate professional exam before the Commissioner, as a necessary condition for performance of activities related to the protection of personal data, and in case these activities are performed by legal entities or entrepreneurs – the obligatory obtaining of a license. The Draft does not stipulate this requirement, but only generally prescribes that such persons must have adequate professional knowledge necessary to perform duties related to data protection.

The procedure for protection of rights is regulated in a different manner in the Model as compared to the Draft. Namely, while the Model considers the act for initiation of the protection procedure before the Commissioner as a request for protection of rights regardless of the type of data controller, the Draft foresees two procedures - the appeal procedure, if the data subject did not realize his/her right in the procedure before the data controller which is a public authority, and the complaints procedure, if the data controller is not a public authority, whereby it stipulates that a complaint may be filed for all reasons for which the appeal may be filed, unless the request for exercising of rights before such data controller is rejected or dismissed. 

The Draft, unlike the currently applicable Law which prescribes the obligation of registering data collections for all data, prescribes this obligation only for those data controllers/processors which process special categories of data and data involving a certain type of risk. The Model, on the other hand, prescribes that all data controllers/processors which process data for which some other law prescribes mandatory registration of data collection should be exempt from this obligation. In this way, data controllers which process data on e.g. employees, health security plans and similar would be excluded from the obligation to register the same data collections more than once.

Unlike the Law, both the Model and the Draft pay special attention to the security of personal data, which was so far governed by a secondary act of legislation and within the procedure of previous examination of data processing operations carried out by the Commissioner. Also, both proposals of the new law introduce in this part another novelty - the obligation of data controllers to inform the Commissioner about a violation / breach of safety, whereby greater urgency is noticeable in the Draft, which is reflected in a shorter deadline for reporting violations compared to the deadline prescribed in the Model (the Draft – 72 hours, the Model – 15 days). On the other hand, the Model extends the data controllers' obligation to report violations to data processors which process particularly sensitive personal data on behalf and for the account of the data controller, or entities which process personal data of more than 500 persons. The Model also particularly regulates the situations in which the Commissioner is the data controller. Namely, in these cases, the Model foresees the establishment of the Commission of independent experts, in order to remove any partiality of persons deciding on the violation, since the control would otherwise be carried out by government officials employed with the Commissioner, or by another authority (especially by the bodies of executive power, which would bring into question the independence of the Commissioner).

Another important area where texts of the Model and the Draft differ is the area of data transfer from the Republic of Serbia. The Model regulates the procedure of transferring of data from the country in a very detailed manner, considering that, as stated in the explanatory notes of the Model, the lack of regulation in this regard was a main obstacle to the application of these provisions and made it difficult to obtain permits for transfer. Unlike the Model, the Draft does not regulate the procedure of data transfer but prescribes a significantly greater list of exceptions when the permit of the Commissioner is not required as compared to only 3 exceptions stipulated by the Model. 

Other discrepancies, such as distinction of fines prescribed for misdemeanours in a range (the Draft) from fines prescribed for misdemeanours in the fixed amount (the Model), or provisions on the legal successors of the data controller in the event the data controller ceases to exist, prescribed by the Draft and not by the Model, are not as significant as those described above.

Public discussion on the Draft is taking place until the end of November, during which time the authorized persons, among whom is certainly the Commissioner, will deliver their comments and suggestions on the text of the Draft. The Commissioner has already expressed his discontent with the Draft in his public statement, so the end result and the final text of the law which will enter the parliamentary procedure for adoption are yet to be seen.