Before the new Law on Personal Data Protection starts with implementation Jelena Pejić from the Belgrade Centre for Security Policy points out the deficiencies of the provisions related to data processing for the purpose of satisfying criminal justice and protecting national security - exceptions are mixed with the basic rules in a confusing manner, unconstitutional restriction on the rights of persons are envisaged, and more precise definitions, time-limits and penalties are missing.
In November 2018, the National Assembly of the Republic of Serbia adopted the new Law on Personal Data Protection (Law), which will be implemented from August 21, 2019. The drafting process was excessively long, insufficiently transparent, and circumvented the expertise and experience of a key authority in this area - the Commissioner for Information of Public Importance and Personal Data Protection (Commissioner), as well as domestic civil society organizations (CSOs) which deal with this topic.
As a result of the flawed process, the new law did not meet the expectations of the professional community. Both the Commissioner and network of CSOs, including members of the prEUgovor coalition, persistently criticized the draft published at the end of 2017. The European Commission pointed to similar omissions of the Draft, and the study it commissioned from Slovenian experts analyzed in detail the problematic provisions.
The text deals only with the provisions of the Law relating to the processing of personal data for "special purposes" - in short, the purposes of satisfying criminal justice and protecting public and national security. There are two types of provisions we are referring to:
- general provisions relating, inter alia, to this field, and
- specific provisions which, in the form of exceptions to the general rule, govern exclusively this field.
While the general provisions are more or less transcribed from the General Data Protection Regulation (GDPR) of the European Union, the specific provisions transpose solutions from the second part of the 2016 EU legislative package on personal data protection - the so-called Law Enforcement Directive (LED). The mere fact that the text of the Law integrates the provisions of both these European acts of different legal nature gives rise to the first problems, because this was done in a flawed manner.
The Law inappropriately separates the general from the specific provisions, thus creating confusion for the citizens whose rights they regulate, but also for the lawyers who should interpret and apply them. The impression is that more effort has been made in translating European provisions into Serbian than into the Serbian legal system. The writer of the Law has not added appropriate national content where, precisely for this purpose, the Law Enforcement Directive leaves room for the discretion of the national legislator, especially regarding precise definitions, time-limits and encompassing penal provisions.
The basic shortcomings of the Law are grouped in three sections, with elaboration on how they can be overcome. The suggestions were then summarized and listed, and a table of alternative general and special provisions of the Law is enclosed.
Since there is a proposal to postpone the implementation of the Law for a year, and that the already expressed serious objections to the (un)constitutionality of certain provisions require the Law to be revised, with this text the prEUgovor coalition aims to contribute to the best possible and timely amendments of the Law.
Overview of suggestions
- Separate provisions on personal data processing for specific purposes, and transposing the provisions of the EU Law Enforcement Directive, into a special law or a special chapter in a single Law on Personal Data Protection.
- Specify the definition of competent bodies that process personal data for specific purposes, in particular when it comes to legal entities other than public authorities. It is desirable to draw up a list of these bodies and/or an authentic interpretation of Article 4, para. 1, item 26.
- Explicitly state in Article 3 that the general rules of the Law apply to the processing of personal data by competent bodies for other than specific purposes.
- Align with the Constitution and amend Article 40, as well as Articles 28 and 34, so that the limitation of guaranteed rights is based solely on law.
- Specify time-limits for data storage and periodical reviews of the necessity to store data in Articles 8, 10 and 48.
- Add to the list of Commissioner’s powers in Article 79 the exercise of indirect access to data at the request of the data subject.
- Remove the reference to the Law on Inspection regarding exercise of Commissioner’s powers in order to protect the independence of this institution.
- Specify the definition of the association that may represent the data subject in the exercise of his/her rights before the competent institutions, with reference to the Law on Associations.
- Amend the penal provisions to cover violations of the provisions of Articles 8, 22 and 48.
This publication is part of the action is supported by the European Union through the program “Civil Society Facility” under the Instrument for Pre-Accession Assistance (IPA). The contents of the publication are the sole responsibility of the publisher and views expressed in this document are not necessarily those of the European Union.