On 14 June 2022, IT system of the Serbian State Cadastre, the public platform containing data on real estate (land, parcels, houses, apartments..) and its owners, was subject to a hacker attack. According to the Cadastre officials, in order to prevent the damage to infrastructure and preserve the data, the system was locked, both for external but also for the majority of internal users, i.e. the institution’s employees. It took almost a month for the system to become operational again, which means that for weeks the real estate trade, but also construction-related legal transactions and investments in Serbia were blocked. The citizens were not informed about the details of the incident, its nature and scope, but most of all whether their personal data in the system was compromised. After the Commissioner performed its oversight control, this independent institution concluded that the incident did not cause a personal data breach and that the citizens’ data were not compromised. This finding surprised many data protection and IT experts, since it seems to ignore the fact that a data breach happens not only when the personal data in a data base are damaged or deleted, but also if they are not accessible to its users and data subjects. Inadequate communication with the public and the lack of transparency and accountability throughout this crisis has further undermined citizens’ trust in the system and has made them question the safety of their data in all public data bases.
Because the Cadastre incident is not the first, and probably not the last case of data privacy violation in Serbia, which does not have a commendable history of information management – data from investigations have been “leaking” from institutions in the tabloid media for decades, health records of political opponents and photos of celebrities from hospital beds are published, and in pre-election campaigns, there is no party that did not violate the privacy of voters by forming bases of secure or capillary votes, by unauthorized possession of a copy of the voter list, etc.
The digitization process, which the authorities in Serbia insist on as a unique chance for faster economic growth and improving the competitiveness of our economy, has made things more complicated. The creation of centralized digital databases, however useful it may seem, has made citizens’ data more vulnerable to breach. They may not be more frequent now, but the number of citizens affected by them is increasing, and the consequences are increasingly difficult to remedy.
The case of the most massive data breach in Serbia was recorded back in 2014, when the data of over 5 million citizens contained in the database of the Privatization Agency were available on the Agency’s website, and then on social networks. No one was responsible for this omission, because the Agency ceased to exist. At the beginning of March 2020, as a result of a hacker attack, the server of the Public company Informatika from Novi Sad was disabled, and thus, for several days the work of city services was almost blocked (from communal services to preschool institutions).
With the corona virus pandemic, our lives have been almost completely moved into the online sphere, and thus the space for data breaches has been expanded. In April 2020, the username and password for accessing the Covid-19 information system, which contained particularly sensitive health data of those tested, cured, deceased, as well as persons who were imposed a self-isolation measure, were publicly available on the website of a health institution. The introduction of Covid passes brought new problems – at the end of 2021, it turned out that the so-called Covid monitors (usually waiters in catering establishments) had insight into citizens’ personal health data. In May 2020, there was also a case of unauthorized access to student data contained in the electronic diary (which potentially has over 1.3 million users), and the State Audit Institution found in its latest report that the companies Telekom Srbija and Tesla from Zagreb, which made this system, do not process students personal data in accordance with the Law on Personal Data Protection.
The fact that the insufficient security of information systems can lead to concrete consequences for the economy, but also for the lives of Serbian citizens, is shown in the current cases of bomb threats, which the competent authorities cannot solve for more than a month and a half. It would be useful for someone to calculate how much all this costs the budget of the Republic of Serbia, not to mention the lost time, knowledge and emotional consequences for the children and society in general. Considering this chronology of violations, hardly anyone rational could believe that the system of mass video surveillance with automatic facial recognition (which the Ministry of Interior planned to introduce last year with the new Law on Internal Affairs, but it did not happen due to the quick reaction of the civil sector and the general public) would be used proportionately and limitedly, with minimal risks for omissions and abuses.
This is not a complete list of incidents and violations of data and systems so the question arises as to why they occur, especially as investments in infrastructure are increasing (albeit still mainly from international projects), and that Serbia has a solidly developed legal framework in this area. There are many reasons – from the introduction of new platforms and applications without adequate preparation of the adequate infrastructure, through insufficient training of employees who work on these systems, to the lack of application of other data protection measures. However, it seems that the core of the problem still lies in the lack of awareness of decision-makers about the consequences of poor information management, inadequate supervision and the ubiquitous policy of not punishing those who commit privacy violations, or whose omissions lead to violations.
The information management system includes information security, personal data protection, access to information of public importance and data confidentiality. However, supervision over the implementation of regulations in these areas is divided between four institutions – the Ministry of Trade, Tourism and Telecommunications, the Commissioner for Information of Public Importance and Protection of Personal Data, the Ministry of State Administration and Local Self-Government and the Ministry of Justice. In addition to the fact that the cooperation between these authorities is not at a satisfactory level, some of them do not do their work at all. Thus, during 2021, the Administrative Inspectorate did not submit a single request to initiate a misdemeanor procedure in the area of access to information, and according to the available data, the Ministry of Justice did not conduct a single supervision procedure in the area of data secrecy in the last 4 years (at least).This means that no one is conducting control over whether documents and information are justifiably marked as secret, and thus withheld from the public, but also that the Ministry does not file criminal charges for, for example, unauthorized disclosure of state secrets. Because of that, today in Serbia, citizens cannot find out, for example, how the tax payers money is spent, but a case of disclosure of a state secret that could threaten national security or defense can go completely unnoticed (and without sanction).
In this state of things, bragging about the achievements of digitization, but also insisting on further development of state centralized databases, automation and application of artificial intelligence in public services, without adequate protection of data and citizens’ rights, seems reckless. It is undeniable that technological development contributes positively to economic and social transformation, but the fascination with technology should not overshadow the risks it brings. Cooperation and coordination of all those dealing with information management issues, improvement of employees’ knowledge, application of adequate data protection measures, education of citizens, but above all the establishment of a system of accountability for privacy violations and omissions, should be among the tasks of the future government, if there is still an intention to continue with the digital transformation of our society. Otherwise, insisting on technological development alone, without applying the principles of the rule of law, good governance and a human rights-based approach, may cause the digital revolution to do more harm than good.