Even if competent state authorities disclose private data of a perpetrator or a victim, media must not transmit that information. An error on the part of state authorities does not imply a “permission” for the violation of ethical principles of the profession. This is what the Serbian Journalists’ Code of Ethics says, but media practice is frequently completely different. Why is this so?

Every day we see headlines and stories in the media in which traffic accidents, crimes and similar tragic events are described in horrible ways, in which visits are paid to the homes of the victims and their families, in which social media accounts are searched, speculations are made about what kind of person someone is (or was), with whom she is (or was), etc. Information is obtained from neighbors, reliable sources close to the family, anonymous sources from the police, etc. Media publish photos of family members and their gardens, but sometimes photographs are even taken from people’s ID cards.

Cases such as this – where information possessed by an institution somehow finds its way to the media – represent a special problem, illustrative of the situation in our media sphere and level of protection of citizens’ rights. The problem here is a well-established partnership between public institutions and individual media in breaking the law, which is profitable for both sides.

Probably the best-known example of cooperation between media and institutions in the breach of citizens’ privacy is the case of Igor Vukotić. His photo appeared on the front page of the Belgrade daily Blic within a chart depicting the members of the Škaljari organized crime group (OCG). Vukotić, however, was an “ordinary” man from Zemun, who was completely unrelated to any OCGs. Although mistakes are possible, what happened was disturbing because it was not just any photo of Igor that had appeared on the front page, e.g., a holiday photo that he might have posted on Facebook, but the one used in his ID card. In other words, this was the photograph that the institutions had to use responsibly and lawfully. And yet, it ended up in a newspaper. Asked during court proceedings how this had happened, the then Blic editor responded:

“The information source belongs to the highest security service circles, and the newspaper has frequently used this source of information without ever having any problems.”

During the Privacy Week 2023, Igor spoke about the consequences he suffered due to this breach of privacy. Igor has still not managed to dispel claims that he is an OCG member; his life is no longer the same and the fear that he may be in danger never ceases. A special problem lies in the newspaper’s persistent refusal to admit the mistake and the failure of institutions to provide him with adequate protection:

“I expected some empathy, that the newspaper would publish a correction, saying this was not me. However, this did not happen. Institutions did not react, I was left on my own, to find a way to deal with the situation,” Igor said.

Somebody at the Security Information Agency (BIA) gave Igor’s photo to the media. The Commissioner for Information of Public Importance and Personal Data Protection carried out inspection supervision and, based on the findings, filed a criminal report against an unidentified person for unauthorized transfer of personal data in the discharge of official duty. This report, like many other similar ones, had no judicial outcome. The case is still at the prosecutor’s office.

Although we can assume that this was just a coincidence and that nobody had an intention to put Igor in danger, the damage had been done. And it was done by an unidentified BIA official, obviously trying to achieve something by giving the photo to the newspaper. At this point, we do not know whether he had a financial or any other interest. But we can guess what motivated the newspaper to resort to this method of obtaining information – having something exclusive on the front page increases the number of readers, and an increased number of readers increases the profit.

We can draw three important lessons from Igor’s case. First of all, one can sometimes hear that privacy is not so important, that we do not have to worry about our privacy if we have not done anything wrong, or that no major damage or nothing significant can happen to us if someone accesses our data. Observing Igor’s case, we can see that this could not be farther from reality. Although Igor did nothing wrong, he is faced with the realistic fear that his fate would be the same as that of the actual members of the two OCGs which have been in a several-year bloody conflict. In his own words:

“Your entire system gets messed up. You look back, you watch… The battery [of my car] failed and my best man jumped out of the car, we thought that God knows what was going on. Simply speaking, your whole life changes. The way you move, socialize and think, you get mentally and physically ill […] Frankly, I will not sleep peacefully before that person [BIA employee who gave the data to the newspaper] or those who have given orders for this are prosecuted.”

This story demonstrates the importance of privacy protection even when we have nothing to hide. This is why privacy acts like a shield protecting us against attacks on our autonomy, integrity and security.

Secondly, public figures, celebrities or athletes are not the only ones haunted by the media, and data is not leaked from institutions only if someone rebels and is to be discredited. It is not even necessary for a tragedy to occur for the media vultures to start circling the victims. Your name and family name only need to form an interesting match with the name and family name of a person of interest to the media in order for the trading of biometric data, which would have to be protected by an institution whose work we finance, to start. The infrastructure of privacy breaches is well developed; the only question is whose intimacy will be violated by the media at the relevant moment in the pursuit of clicks and higher sales and earnings. Therefore, privacy breaches can happen to any of us.

The absence of a judicial outcome to Igor’s case teaches us something even more dangerous. Institutions in charge of preventing or sanctioning those who disclose citizens’ data to the media have not yet given much reason to “reliable sources” and media to give up this practice. The prosecution has not identified the person who misused the biometric photograph kept within the Security Information Agency’s records, which means that there is no indictment, as a necessary prerequisite for a judicial outcome in the case. Analyses of the case law for the criminal offense of unlawful use of citizens’ personal data conducted so far show that Serbian courts have not received a single case pertaining to the violation of someone’s privacy or compromise of data belonging to a large number of citizens. The few sanctioned cases of unlawful use of data involve violations with less drastic consequences than those suffered by Igor. They all ended with suspended sentences or admonitions.


On the recent cases of personal data misuse in the Western Balkan region


During the recent Montenegrin presidential elections, the State Electoral Commission (SEC) made it possible for citizens to use an app to check whether their signatures of support were in the candidate support database. In social media posts and letters to SEC, multiple citizens complained of misuse of their data, having discovered that they had “supported” one of the presidential candidates. This case has not yet had a judicial outcome.


In Kosovo, the most significant data compromise in 2022 was registered on the Regional Development Agency website, where a list of subsidy beneficiaries included personal data of more than 20,000 citizens. The Information and Privacy Agency issued a decision fining this institution 30,000 euros and ordering it to remove the data from its official website.


In North Macedonia, in early March this year, the Ministry of Labor and Social Policy, acting pursuant to the Law on Financial Support to Vulnerable Categories of Citizens for the purpose of dealing with the energy crisis, published lists of beneficiaries of financial support in accordance with this law. The list posted on the Ministry’s website included their names, family names and addresses. The Ministry announced that the post would remain there for a short amount of time with the aim of informing the beneficiaries, i.e., that the list of financial support beneficiaries would be removed after three days. Albeit based on the law, this move of the Ministry violated the privacy of a vulnerable category of citizens. This was not the first such act of the Ministry – last year it published a similar list of beneficiaries of financial support. These cases raise the issue of justification when it comes to legal solutions that require the publication of sensitive data.


The absence of effective punishments for the misuse of personal data can only lead to even greater ethical violations in the media and, therefore, also to new cases similar to Igor’s. So, we should not be surprised if something similar happens again.

Under different circumstances, we would probably conclude the text on privacy by saying that we should do our best to protect our data. We should watch who we give our data to, we should not share it with everybody, and we should not agree to different consumer perks that are achieved through transactions that violate our privacy. Although we should all heed such advice, when it comes to Igor’s case this suggestion is simply inappropriate and insufficient. Victims of such privacy violations can do little to prevent detrimental events.

Instead, the answer lies in the institutions. Primarily in the institutions that leak data because they have the duty to prevent this from happening. Amid the growing enthusiasm for digitalization of public administration which aims to enable efficient provision of public e-services, privacy protection has become more important than ever before and needs to be embedded into public administration reform processes. Efforts of the civil society, such as the ICEDA initiative implemented in North Macedonia, Serbia, Kosovo, Albania and Montenegro, aim to support public institutions to align public policy reforms with human rights requirements, including personal data protection rights.

Then, the answer lies in the improvement of operation of institutions that have the job and duty to conduct thorough criminal investigations once data leaks occur. And last but not least, the professional integrity of journalists and editors must prevail over what currently drives and motivates daily breaches of privacy rights of citizens on whom media report.


This educational text was prepared with the financial support of the European Union. The contents of this text are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Union.

The project “Increasing Civic Engagement in the Digital Agenda – ICEDA” is implemented by the Metamorphosis Foundation (North Macedonia), e-Government Academy (Estonia), Levizja Mjaft! (Albania), Partners for Democratic Change (Serbia), NGO 35mm (Montenegro) and ODK – Open Data Kosovo (Kosovo). The project is implemented with financial support from the European Union.