The purpose of protecting personal data is to ensure protection of privacy and other human rights and fundamental freedoms when collecting, processing and using personal data. This human right has been regulated by the legal framework in the Western Balkan countries, but it has recently gained a new perspective when the laws have started to adapt to the European Union’s General Data Protection Regulation (GDPR). This process of adaptation is not yet finalized, and while some countries are in the process of adapting their laws to the GDPR, others are already in the process of implementation. Naturally, the implementation is not without its challenges, mainly because of the many oversights regarding the capacities of the institutions, the local context, etc.

Source: Image by pch.vector on Freepik

Privacy-related legal framework in the Western Balkan region

The protection of personal data in Serbia is regulated by the Constitution of the Republic of Serbia as well as the main law on this subject – Law on Personal Data Protection (LPDP), whose implementation began in August 2019. This law, modeled on the GDPR and the Law Enforcement Directive, regulates general rules for processing and protection of personal data. It also applies to the processing of personal data in specific sectors (for example, in the security sector, during conduction of criminal investigations, in the areas of education, social protection, telecommunications, labor relations, consumer relations, etc.).

Nevertheless, the standards established by the LPDP in Serbia need to be specified by sectoral regulations, because LPDP, as the general regulation, cannot prescribe the types of data and data retention deadlines that are processed in, for example, working relations, nor to prescribe which data is collected and in which way it is later used during security checks within the Ministry of Defense.

Reforming the legal framework governing the substance of personal data processing in Serbia is a thorough work that is unfortunately not carried out in accordance with established deadlines and obligations. For example, the obligation established by the LPDP “to harmonize the other laws relating to the processing of personal data with provisions of LPDP”, has not been fulfilled yet.

Violation of this deadline is not surprising, given that analysis of sectoral regulations and drafting a plan for harmonizing them with the new LPDP have not yet been made, even though they are envisioned by the Action Plan for Chapter 23. In the absence of the analysis that determines which regulations need to be enacted and which need to be changed (and how), the institutions responsible for drafting these regulations do not have clear guidelines on how to begin harmonizing sectoral regulations with the LPDP in the field of their jurisdiction. Until this analysis is made by the Ministry of Justice and the Commissioner for Information of Public Importance and Personal Data Protection, entrusted with this task, institutions may rely on some alternative sources, such as the Analysis of Regulations Governing the Security Sector from the Personal Data Protection Aspect, drafted by experts supported by the OSCE, and two consecutive analysis of selected sectoral regulations in the area of personal data protection and their implementation (2021 and 2022) drafted by Partners Serbia and a group of civil society organizations.

Regulatory reforms are lagging behind in the region, too. For example, in Montenegro, the intention to enact a law mirroring the GDPR was announced in 2019, but has not been done yet. Sectorial laws would need to be aligned subsequently. Further, the protection of personal data in Kosovo is guaranteed by the Constitution, and the Law on Protection of Personal Data, which has been amended and aligned with the GDPR. Since this law came into force, its provisions remain to be tested in practice, primarily with regards to personal data breaches.

In North Macedonia, the new Law on Personal Data Protection which is an adaptation to the jurisdiction to the European GDPR, was adopted in February 2020 and controllers and processors were obliged to align and ensure compliance of their businesses with the Law until 24 August 2021. In February 2022, the Personal Data Protection Agency (PDPA) adopted the Methodology for compliance of the line legislation with the Personal Data Protection Law which contains guidelines that regulate the actions of the ministries in the processes of harmonization of the line legislation covering the process of reviewing existing laws, as well as the process of performing impact assessment for the laws in terms of personal data protection. The Methodology is prepared in accordance with the good practices and the legislation of the European Union and its member states and it also features information on the processes of prior consultation with the national data protection authority during the preparation of draft-laws or respective bylaws related to processing of personal data. Finally, Albania have adopted respective PDP laws, however, further alignment with the GDPR is needed.

Source: Image by jcomp on Freepik


Civil Society in the region provides support to privacy-related regulatory reforms

Personal data protection is also an important element of the Digital Agenda for the Western Balkans. This ambitious venture, reliant on the Digital Agenda for Europe, aims to ensure that people of the region can use public services more easily, relying on the benefits of new digital technologies. At the same time, the Digital Agenda aims to improve the space for online business and availability of online content. However, for these goals to be achieved, it is necessary to incorporate personal data protection principles into the system of providing e-services. Otherwise, there is a risk of repeated breaches into large databases managed by institutions or cases of data leaks from public institutions to the media. One of the many roles of the initiative “Increasing Civic Engagement in the Field of Digital Agenda” (ICEDA), co-funded by the European Union is to support the institutions in the targeted Western Balkan countries in implementing the objectives of the Digital Agenda, implementing the obligations of providing quality public services, respecting the principles of accountability in the work of institutions and standards of protection of citizens’ privacy.

Members of the ICEDA initiative also contribute to the reform of privacy-related framework. For example, Metamorphosis (North Macedonia) raises the public awareness on personal data protection issues by multi-channel educational campaign and supports various entities from the public, civic and business sector in the process of complying with the LPDP by providing trainings and mentor support for different target groups. Metamorphosis has created a network of more than 200 representatives of CSOs, media, institutions, businesses etc. which offers a platform for deliberate discussion about privacy and joint advocacy efforts for improved implementation of respective legislation. They also regularly assesses the compliance of the provision of public e-services with the Law, and provide learning opportunities for the wider audience on the topic.

While in Montenegro NGO 35mm has also been active in producing educational materials and organizing public webinars on privacy and personal data protection, Open Data Kosovo (ODK) shares a positive collaboration with the Information and Privacy Agency, which is responsible for monitoring the legitimacy of data processing and access to public documents. ODK is also open to assist in the implementation of practices regarding data protection when it comes to the promotion of open data practices among the public institutions, and the rest of the stakeholders regarding open data.

Partners for Democratic Change Serbia have also been one of the key driving forces when it comes to supporting institutions in Serbia in implementing the right to personal data protection. In that sense, they have created a Guide with the purpose to support the institutions responsible for drafting regulations in the domain of personal data protection area to carry out the work in a quality way, thus improving the protection of personal data of persons whose data is processed on the basis of sectoral regulations, as well as increasing legal predictability in Serbia by horizontally harmonizing regulations. Also, the Guide is intended for civil society organizations that advocate for changes of certain sectoral regulations and their compliance with the Law on Personal Data Protection.

The project “Increasing Civic Engagement in the Digital Agenda – ICEDA” is implemented by the Metamorphosis Foundation (North Macedonia), e-Government Academy (Estonia), Levizja Mjaft! (Albania), Partners for Democratic Change (Serbia), NGO 35mm (Montenegro) and ODK – Open Data Kosovo (Kosovo). The project is implemented with financial support from the European Union.