This article is an integral part of the Coalition prEUgovor report on progress of Serbia in Chapters 23 and 24 for the period from November 2015 to April 2016.
No progress was achieved in the area of personal data protection. The Law on Personal Data Protection is said to be hardly implementable, and the new draft Law was submitted by the Commissioner for Information of Public Importance and Personal Data Protection to the Ministry of Justice, with no feedback on this issue during the last several months. Several provisions of the current Law are practically impossible to enforce, such as the one that requires written consent by individuals in order for the processing of personal data to be legal. Enforcement is virtually impossible because the broad definition of personal data also includes video footage of individuals, including footage obtained through video surveillance. Another problem is that the Guidebook on Access to Retained Data[1] has not been adopted yet. This situation creates an inauspicious environment for protecting personal data pertaining to electronic communication of citizens.
In addition, the new Draft Law on Records and Data Processing in the Area of Internal Affairs,[2] particularly Articles 28 and 29 pertaining to the records of importance for community policing, raises additional concerns. These articles stipulate that the MoI has the right to keep extensive databases of sensitive personal data on a wide group of natural persons, including responsible persons from civil society organisations, with the aim of preventing criminal activities and conducting security vetting.
Moreover, the protection of personal data remains largely unaddressed in both Draft Action Plans for Chapters 23 and 24. The measures proposed in the Draft Action Plans should reflect the new legislative momentum at the European level, namely the initiative launched by the European Commission in 2012 to reform personal data protection at the EU level and replace the Personal Data Protection Directive (95/46/EC). Under EU law, personal data can only be gathered legally under strict conditions and for a legitimate purpose, and those collecting and managing personal information must protect it from misuse and must respect certain rights of data owners which are guaranteed by EU law. This is especially true in regard to the protection of personal data within the framework of exchange of information between law enforcement agencies, where the Directive does not apply and where the exchange is regulated through a number of Council Decisions.
Recommendations:
- There is an urgent need for the Government of Serbia to adopt the following legislation: the Draft Law on Personal Data Protection, as drafted by the Commissioner and submitted to the Ministry of Justice, the Draft Law on Video Surveillance, and the Law on Security Vetting.
- Make the necessary legal adjustments in line with the EU acquis, particularly in relation to the new initiative of the European Commission aiming to replace the outdated Data Protection Directive.
- Invest further effort in the protection of personal data within the framework of exchange of information between law enforcement agencies at the EU level.
[1] The full name of this document is the Guidebook on technical requirements for regulation and programmatic support to lawful interception of electronic communications and access to retained data.
[2] The full text is available in Serbian at: http://www.mup.gov.rs/cms/resursi.nsf/nacrt-ZOE-cir.pdf.