Even though Serbia already has the Law on Personal Data Protection, based largely on the GDPR and Police Directive, this legal document unfortunately cannot fully regulate the entire area of data protection, and some aspects need to be prescribed by different strategies and bylaws. Because of that, the adoption of the Strategy on Personal Data Protection represents an important milestone in the protection of privacy of Serbian citizens, especially having in mind the announcement of the Commissioner that the work on changing the Law on Personal Data Protection is planned to be initiated by the end of 2023.
When it comes to some of the main deficiencies noticed in practice, Serbia did not comply with the obligation from the Law itself, as well as from the Action Plan for chapter 23, in terms of harmonizing sectoral regulations with the Law on Personal Data Protection, for which the deadline was the end of 2020. Also, data controllers and processors from public, private and civil sector do not sufficiently comply with their obligations, due to lack of knowledge and capacity, but also the lack of responsibility for privacy violations. Also, the general public is insufficiently informed on their privacy rights, and do not use available legal mechanisms at their disposal for their protection.
Since December 2021, several meetings of the Working Group in order to prepare the draft of the Strategy on Personal Data Protection were held. Partners Serbia have been participating as members in the Working Group and provided 24 proposals to the Action Plan. This is especially important as it allows civil society organizations which possess the necessary expertise in this area to directly influence the legislative processes, in order to provide citizens with better protection of privacy and to better answer to the deficiencies in the Law itself. Among other things, Partners Serbia proposed the following activities: amendments to the Criminal Code (specifically harsher punishments in cases of unauthorized collection of personal data), harmonization of other sectoral laws with the PDP Law, amendments to the Law on Public Information and the Media (to prevent further leaking of data to the tabloid media), better legal protection of the privacy of victims of human trafficking, drafting of guidelines for employees in the social protection system for the protection of beneficiaries’ data, establishing disciplinary responsibility in institutions for violations of the right to privacy etc.
Given that the situation in the field of personal data protection in Serbia has been at an unsatisfactory level for years and that privacy violations are more and more frequent, the adoption of the Strategy on Personal Data Protection represents a significant step towards solving certain problems.
The working group for the development of the Strategy was formed in a somewhat non-transparent process, without the participation of the civil and private sector, even though the private sector gathers the largest number of personal data processors. The civil sector got involved only after the initiative of organizations that have been dealing with issues of personal data protection for years – SHARE Foundation and Partners Serbia, which also received the support of the Commissioner for Access to Information of Public Importance and Personal Data Protection for participating in the process.
During the work of the Working Group, as well as during the public discussion during which two roundtables were organized for the interested public, comments and suggestions were discussed in detail.
However, even though the Ministry of Justice is responsible for drafting the Strategy, the drafting of the document was coordinated by the cabinet of the Prime Minister. The Ministry of Justice was passive in this process, and all information about the meetings of the Working group, as well as draft documents came from the Cabinet.
On August 25, 2023, the Government of the Republic of Serbia officially adopted the Personal Data Protection Strategy for the period 2023-2030. However, the Action Plan has not been adopted yet.
Whether the adoption of such a document will improve citizens’ rights remains to be seen. In addition to the adoption of the Strategy, it is necessary to initiate changes to the Law on Personal Data Protection as soon as possible, in order to resolve the deficiencies noticed in practice. Priority in this area must be a detailed analysis of sectoral laws, their amendments and alignment with the Law on Personal Data Protection and establishment of harsher penalties for privacy violations. Unfortunately, if these issues are not resolved in the future, there is danger that the privacy violations might only increase.
Partners Serbia will continue to follow the implementation of this Strategy and adoption of the Action plan, advocate for better protection of privacy and also participate in the planned process of adopting the new Law on Personal Data Protection, when it starts. Because of that, it is especially important that these processes are organized in a transparent manner, with involvement of state bodies, independent institutions, civil society organizations and the private sector.