The state’s attitude towards the issue of personal data protection is chronically inadequate and irresponsible. Hence, it comes as no surprise that Serbia will begin the implementation of the GDPR unprepared.
The absence of a strategic approach is a key problem for our country in many aspects, including those concerning personal dana protection. The draft regulation, that regulates this field, is of poor quality, and the institution of the Commissioner,which is nominally a partner institution, is very often circumvented and ignored. At a time when we need to think about the new candidate for the Commissioner position, such attitude of the state also jeopardizes the further integrity of this independent institution. These are the worries that Commissioner Rodoljub Šabić has voiced, and who, at the end of his term in the office, has been coming up against more and more obstacles in the cooperation with the state authorities.
The General Data Protection Regulation (GDPR), which comes into force on 25th May this year, will have its repercussions on Serbia too. How much is our state and our companies prepared to act in line with the GDPR?
— In general, Serbia is unprepared for the implementation of the GDPR, and we are below the level at which we could have and should have been. The state’s attitude towards the issue of personal data protection is chronically inadequate and irresponsible. For example, our Government, following my initiative, adopted the Personal Data Protection Strategy in the summer of 2010, but to this day, despite the many warnings, it has not adopted an action plan required for its implementation. The similar thing is with the adoption of a new law on personal data protection. Five years ago, a working group was formed by the Ministry of Justice with the task of drafting a law in line with European regulation in mid-2013, and has not done that to this day. Since I wanted to help out, I submitted to the Government a format of a personal data protection law which complied with the GDPR. This format has been subjected to a big public debate and has received the support of the most prominent civil society organizations dealing with privacy and dana protection, but also from the economic sector, professional associations, and the citizens themselves. Unfortunately, the government ignored it, and instead offered a text that is practically a translation of the GDPR, without harmonizing it with the specifics of our legal system which, consequently, rendered it unusable. It is now certain that a new law on personal data protection will not be adopted by 25th May, and it is quite uncertain if it is going to be adopted at all. Unlike the state authorities, the attitude of companies towards this issue is fortunately somewhat better. Large multinational corporations and organizations have been harmonizing their business with the GDPR, which includes each of their affiliates in any country, even Serbia. In Serbia, they have also contacted the Commissioner, asking for an opinion and a consultation, as they seek and find a way to align their business with the GDPR. But what about small and medium enterprises, which do not operate under large global companies, and which do business with the EU? Will the EU-based entities continue to do business with them if they do not abide by the GDPR, thus risking very high fines? This question should be taken seriously, but, so far, the state has not shown serious interest in dealing with it in an adequate manner. In April, the Commissioner organized a really big, top notch two-day conference devoted to the GDPR, and in conjunction with the civil sector, has organized several more conferences. Still, that is not enough. Our main problem is definitely the absence of a strategic approach globally.
Serbia is committed to digitalization, and still, according to you little or nothing has been done in the segment of personal data protection. What are your key objections and how does the diplomatic community, which expects Serbia to adopt European standards in this respect, look at the different viewpoints that the Government and institutions have regarding the two laws – the new Law on Personal Data Protection and the Law on Amendments to the Law on Free Access to Information of Public Importance?
— Concerning the drafting of the laws that you are referring to, in both cases, the government has adopted an Action Plan and the Commissioner has been designated as a “partner institution”. Unfortunately, the facts show that this “partnership” relation exists only on paper, and that only one party behaves as a responsible and serious partner. Recently, I had to respond publicly the statement made by Prime Minister, Ana Brnabić, about alleged “Commissioner’s unwillingness to cooperate” which she gave in the context of the justified and strong public reactions to certain bad solutions stipulated by the laws you mentioned. I pointed out that, in 2017 alone, the Commissioner gave 60 official opinions on drafts and proposals of the law, and that there was not a single case where a ministry or government requested the Commissioner to hold a meeting, attend consultations, or give an opinion that the Commissioner ignored. The two laws that you are referring to perhaps best illustrate how this “partnership” looks in practice. Amendments to the Law on Free Access to Information are based, inter alia, on the “analysis” of the implementation of the law, carried out by the Ministry of Justice, which is brimming with examples of incompetence, ignorance, and inaccuracy. The Commissioner was not consulted at all, as he did not even know about the analysis. The EU partners were told that the Commissioner was a “partner institution” in this analysis. Despite this blatantly false claim, the Commissioner took an active part in the public debate on the draft law and submitted its opinion to the Ministry of State Administration and Local Self-Government. In terms of the Draft Law on Personal Data Protection, prepared by the Ministry of Justice, I have already said that it was below the required minimum. The Ministry of Justice has never requested a meeting or consultation with me, despite the fact that, according to the Government’s Rules of Procedure, the Commissioner’s opinion was required. The Commissioner, however, after having seen the content of the Draft Law on the Internet, gave his opinion. International organizations and foreign embassies have recognized the work of the Commissioner in the right and better way. In the past couple of months, the Commissioner met with many ambassadors. The EU, OSCE and SE delegations have demonstrated that they are very interested in the status of the rights that the Commissioner protects and are interested in his opinion. Personally, I consider that the amendments to these regulations are necessary, but not because of the foreign factor or fulfilling obligations just to please the EU in the accession process at any cost, but primarily because of the protection of the rights of the Serbian citizens and all those who are under the country’s jurisdiction.
Considering that we are living in the time of flourishing digitalization, how much does Serbia view security threats only as a technical issue and how much as an issue that affects basic human freedoms?
— Digitalization creates the opportunity to accelerate certain procedures, reduce administration and save time and money. As good as it may be, the digitalization process can and must be done without unnecessary violations and limitations of basic human rights. Implementation of technical measures for data protection, appropriate procedures, antivirus programmes and similar is undoubtedly necessary, but should also include the human rights aspects. Unfortunately, lawmakers often do not understand this. In several previous opinions, I pointed to the risks of the frequent intention to integrate a large number of existing databases and exchanging this data, although, in most cases, there was no need for that, or the same goal could have been achieved in a manner that was less invasive to the basic rights of citizens. The Government of Serbia will definitely have to seriously take into account the fact that, from the aspect of generally accepted standards in the field of personal data protection, the consolidation of a large number of smaller databases into huge centralized databases implies serious risk andshould be avoided, except when necessary and absolutely justified.
Do you believe that citizens, the civil sector and the media are ready to defend their freedom of access to information of public importance, which they had the opportunity to discover and exercise in the previous period?
— Both the citizens and the civil sector have already demonstrated their readiness to defend this freedom. A number of them is already involved in a public debate, sharply criticizing the bad and rigid solutions that are proposed. The same goes for journalists. As for the media…Considering our peculiar situation with “media freedom”, we cannot expect them to be willing to be critical of the solutions proposed by the government. However, nearly all journalist associations and all teams investigative of journalists, including the recipients of the largest international awards for investigative journalism, have voiced their opinion against bad solutions stipulated in the law. So, they are ready to defend it, but it remains to be seen whether they are ready to go all the way. Unfortunately, in a series of “public hearings”, our Government has demonstrated that it treats them as formal and superficial and that it is very unwilling to accept their results. I hope that this time around the situation will be different and that the Government will abandon some of the worst solutions. If it turns out that I am wrong, it will be at the expense of all of us, as it will mean a big step back from the democratic, and especially from the anti-corruption standpoint.
Summing up your work and the work of the institution that you helm, you said that today “the Commissioner is an institution that the citizens respect and trust”. Do you believe that this success will surpass you, or that your successor will succeed in preserving and improving the standards that you have set?
— If there is indeed a desire to preserve and improve what has already been done, the main criteria for selection should be high level of expertise in both legal areas that the institution protects and understand, and independence in relation to political parties, both ruling and in general. If we consider all of that, you will be able to find a fitting successor in the Commissioner’s office. And regardless of whether this person would be one of the veterans, someone who has been with me from the very beginning, or someone younger, who has, in the meantime, grown into an expert and proven themselves beyond the borders of Serbia, everything that we have achieved so far will be preserved and improved. Unfortunately, we must also take into consideration a completely different option, which many think is more realistic. This is a practice that has been particularly pronounced in recent years, where in the process of selecting people to work for independent institutions, you select a person who has obvious connections to the ruling party or a powerful individual from the political establishment. Such a solution, of course, leads to the transformation of a functional institution into a decorative one, and it constitutes a big step backwards.
Although, the government has been working on a format of data protection law in line with EU regulation, it has not yet managed to produce a valid text, and has chosen to ignore the text proposed by the Commissioner which complies with the requirements of the GDPR.