Contact: Tijana Žunić Marić
Although the data privacy protection of Serbian citizens has been a hot topic for years, it is now clear that not even the new law will provide a level of protection on a par with that of EU citizens. In August 2018, the EU took a clear stance on the latest Draft Law on Personal Data Protection (hereinafter: Law): if the proposed draft gets adopted, Serbia will have to change the entire legal framework for personal data protection on the first day it enters the EU. It turns out that the preparation of the new law for the past five years was in vain.
Hence, the question arises – did the Ministry of Justice get lost in translation again? This looks like another “misunderstanding” in the series brought about by “language differences”. The previous one came about when the Ministry of Justice stated that it was satisfied with the report of the Venice Commission on draft amendments to the constitutional provisions. However, after the general and professional public criticized it, it turned out that the Venice Commission had very serious and substantial objections, which had nothing to do with language nuances, although the Ministry tried to justify this, among other things, with “differences in translation”.
As a reminder, the current Law on Personal Data Protection was adopted in 2008. It was clear back in 2013 that the legal framework needed to change, with the forming of a working group for drafting the new law. “Harmonization with the EU acquis” was the main motivator behind the decision to change the law. The working group was due to finish its work in May 2013.
Nevertheless, the first draft of the Law was published almost four years later, at the end of 2017. Since the announcement, the draft has been seriously criticized in Serbia. Brussels also pointed to a number of shortcomings to the Ministry. Unfortunately, the impact on the Ministry was limited. The third draft included only cosmetic changes that did not essentially harmonize the area of privacy and protection of personal data with the EU legal framework.
At the beginning of August, Serbian media published a statement from the Ministry of Justice that the third (and for now, the last) Draft Law on Personal Data Protection was positively assessed by the European Commission (EC) and Eurojust. When asked by members of the civil sector to enable the public to read the positive review on their own, the Ministry of Justice replied that this was not an option, as the opinion “does not exist as a single text”.
Nevertheless, certain civil society organizations addressed the Ministry of European Integration, by using the mechanism provided by the Law on Free Access to Information of Public Importance. Through that, the public finally received the two documents:
By analyzing the unequivocal statements of the EC, we summarized several reasons why Serbia won’t meet legal standards of personal data protection on a par with those of the other EU members. Despite the statements of the Ministry of Justice about the EC’s positive review, it is clear that no reading can allow interpretation leading to an optimistic conclusion. In our opinion, the EU’s verdict is clear: the Draft Law fails to satisfy the EU standards.
In general comments, the EU “lectures” the Ministry of Justice on the basic rules of EU law, which should be well known to the candidate country. The EU regulations (such as the General Regulation on Personal Data Protection (hereinafter: GDPR)) have a binding legal force and are directly applicable in all EU member states. As supranational (European) laws, they are applied directly and do not require the adoption of additional national regulations or administrative measures. Their purpose is to achieve unification of rights at the EU level.
On the other hand, we clarify that the EU Directive is a legislative act that is supposed to establish a goal that all EU Member States need to achieve. However, each state decides independently on the manner in which this goal is to be achieved. The purpose of a directive is to achieve harmonization, not unification.
The most significant change in the field of personal data protection within the EU is the replacement of the 1995 Personal Data Protection Directive with the General Data Protection Regulation, in order to achieve complete unification.
Therefore, as an EU member candidate, Serbia does not need to “transfer” or “interpret” GDPR into its legislation (unless specifically indicated in the regulation, or when such instance is necessary for its implementation), and in particular not in an incorrect manner or in a manner directly contrary to the provisions of this General Regulation. The consequence of such actions will be that at the moment Serbia becomes an EU member, any provisions that are contrary to the General Regulation shall automatically become invalid. Nevertheless, it seems that Serbia, as a candidate country, does not respect such rules, but introduces its own version of GDPR in some parts of the Draft Law, or completely ignores the provisions of the General Regulation. Therefore, the criticism of the EU is, in our opinion, completely justified.
It is very strange that the Working Group has decided to put into one law the matter which is regulated within the GDPR at the level of the EU, on the one hand, and the Police Directive, on the other. Anyone who has just tried to skim the GDPR (even without trying to understand the complexity and breadth of the entire regulation) could see it as an extremely extensive legal act. On the other hand, the Police Directive, as a lex specialis, regulates solely the issue of the authority of state authorities in the collection and processing of personal data in the process of detecting criminal offenses.
In the EU, these are two regimes that have always been separated. While before GDPR entered into force, the first regime was within the scope of Directive 95/46 EC, the powers of the police and other authorities were previously prescribed by General Decision 2008/977/JHA. There is also a logical rationale behind this: the need to recognize the specific needs of state authorities in the prevention, investigation, and prosecution of crime perpetrators.
The set of changes that came into force in May 2018 within the EU has maintained a dual regime. While GDPR relates to the protection of personal data in general, the Police Directive refers to the collection of data for the purpose of prevention, investigation, detection, and prosecution of criminal offense perpetrators. Generally speaking, general data processing (the subject of GDPR) implies higher limitations on controllers but envisages more legal bases for such processing. The controller can choose one of the six legal bases for lawful data processing.
The Police Directive provides broader powers for certain state authorities, but only on one legal ground – when there is a need to “carry out a task by a competent authority when such a task is based on national or EU law”. Broader police powers sometimes interfere with the basic rights of the persons whose data are collected, which are otherwise provided under GDPR. For example, when collecting data to investigate a criminal offense, authorities are not obliged to notify the persons whose data they collect, which is otherwise one of the fundamental GDPR rules.
Bearing in mind this explanation, it remains completely unclear why the working group decided to regulate in one law the areas which the EU could not unify in a single legal instrument.
The EC criticizes the Draft Law for this structure, as it finds it inconsistent. The EC states that so many exceptions provided in the Draft (which should have been the subject of a completely different lex specialis law) represent a potential problem for legal certainty and leave a wide space for potential abuse. As an example, it is stated that the Draft foresees over 40 exceptions to the rule.
The conclusion stemming from such criticism is that the EU agrees with the Commissioner’s remarks to some extent, remarks which he has so far pointed out in a fierce debate with the Ministry of Justice, ongoing since the publication of the first Draft.
The Commissioner rightfully, in our opinion, emphasized:
“this inevitably leaves the impression that the Draft Law is written more in the interest of “security structures” than in the interests of citizens’ rights”.
This is truly alarming because the main goal of GDPR is to put the individual and his rights at the core.
In the general comments on the Draft, Brussels reminds the Ministry that the right to the protection of personal data is a fundamental right of the EU, which is why special attention must be paid to the clarity of the Law. The EC concludes: “this is something that cannot be said for the current Draft”.
We clarify that the concept of personal data protection came from the Right to privacy as a Human Right, and it has not yet gained full autonomy internationally. Nevertheless, the importance which the EU attaches to the field of data protection is best illustrated by the fact that it is recognized as an independent right in Article 8 of the EU Charter of Fundamental Rights. The EU Charter provided for this right irrespective of the Right to Respect for Private and Family Life (Article 7 of the Charter), unlike, for example, the European Convention on Human Rights and Fundamental Freedoms.
In addition, regardless of the EU standards and the accession process, legibility and clarity of the law should be of paramount importance for the benefit of the citizens of Serbia. If this is not the case, both state authorities and other entities will be able to abuse the vague letter of the law in the light of our right to privacy.
The European Commission criticizes the Draft as being the result of mere copying of certain provisions of the GDPR (where certain adjustments are necessary), as well as because certain provisions are contrary to the provisions of the General Regulation.
Paradoxically, what stems from the EC’s opinion is that where the regulation itself leaves room for further concretization and adaptation to national legislation, such an opportunity is neglected. On the other hand, some of the basic legal concepts of the General Regulation are defined in a way non-compliant with the GDPR. Such an approach poses a potential problem since there is room for interpretation and misapplication of provisions within Serbia in relation to the EU members.
One of the examples of non-compliance with GDPR is the definition of “consent” of the person whose data are being processed.
In order for any subject to collect or process personal information, they must have a certain legal ground for such action. Article 6 of the GDPR provides for a total of six possible legal bases for data processing.
In Recital 32, GDPR elaborates on the notion of consent, stating that it must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data, such as by a written statement or an oral statement.
However, as the EU clearly states in its comments to Article 4 of the Draft Law, the Draft Law provides a definition that does not exactly match the definition of GDPR. This is very dangerous given that consent is the key legal concept in GDPR and data protection law in general.
Apart from being different, the definition of consent provided in the Draft Law was vague and imprecise, and in one of the drafts it was supposed to include very problematic situations. For example, the previously proposed provision stipulated that a person would be deemed to have consented to the collection and processing of personal data through video surveillance by entering the video surveillance area, provided that there is video surveillance in that area.
The EU has made it clear that this case of giving consent is problematic from the aspect of GDPR. In the latest version of the Draft, this example seems to be omitted, but in practice, it may enter through a wider interpretation of the term “affirmative act” provided in Article 4, paragraph 1, item 12 of the Draft.
The reason behind this lies in the fact, as the EC explicitly states in its opinion, that the working group did not take into account the GDPR Recitals, which help interpret and clarify the language contained in the norms.
On the other hand, collecting personal data via video surveillance was one of the most controversial issues in the previous debate on the Draft Law. The Commissioner particularly emphasized that this issue is very problematic in practice, as it is not clearly regulated within the existing legal framework.
It is clear from the comments of the European Commission that non-compliance with GDPR is evident in many other aspects. For example, it has been repeatedly emphasized that “legitimate interest” is not the same as “legal obligation”, that data transfer provisions are not adequate, and that there is a problem of lack of opportunity to claim compensation through court.
Therefore, it seems that GDPR is not yet coming to Serbia after all (at least not properly).
When it comes to the legal concept of the Commissioner, the Draft refers to the Law on Access to Information of Public Importance in some provisions. However, the current law under this name is from 2004 and its amendment is in progress, so it is not clear what the epilogue for this controversial topic will be.
In these circumstances, it is clear that the third draft should not be the last one. In the end, the EU based the opinion on this. The opinion ends with a proposal to organize a joint meeting between the Ministry, Commissioner and EU representatives in order to prepare a new Draft Law. In such circumstances, we believe it would be unacceptable to neglect the EU’s stance, not only due to the process of EU accession, but also due to the protection of basic rights of citizens of the Republic of Serbia.
Nevertheless, how the data protection saga in Serbia will end (and possibly also begin) remains to be seen.