Privacy concerns amid digitalization in the Western Balkans


In Focus

The digitalization of public services has been among the priorities of Western Balkan countries. In the COVID-19 aftermath, it is even more evident that there is a need for digitalization in order to make the citizens, businesses, and societies as a whole more resilient and able to withstand external shocks and changes. Albania is the leading country in the region when it comes to the digitalization of public services. At the moment there are 1.225 e- services offered at the national platform e-Albania that are provided by 200 public administration institutions. In July 2022, there were 2.679.806 registered users, which is more than 90% of total population of Albania. Other countries of the region have a lot of work to reach these figures.

One of the challenges related to the development and use of e-services represents data privacy and data security. In the last year, the region experienced threats to the data privacy of citizens by different hacker attacks. In August 2022, hackers attacked the information network of the Government of Montenegro. The attacks in that country began on August 22nd, when access to the Government websites and emails, as well as other institutions such as the prosecutor’s office, courts, Cadaster, Customs Administration, and e-portals for citizens, was disabled. A series of cyberattacks happened to the Albanian institutions last summer, also. The first attack, which targeted the government server “Administrata”, took place in May. The second attack targeted the government portal e-Albania mentioned above, where citizens can log in using their ID or passport number and apply for official documents, schedule appointments, etc. The state institutions of Serbia have been the target of hacker attacks most recently on January 4th, 2023.

Parallel to these external threats, in previous years, the region experienced data leakages caused by institutions due to insufficient measures for the protection of personal data in process of digitalization services. For example, the username and password for accessing the Information System Covid-19 in Serbia were publicly available for eight days on the website of a health institution, which made it possible to access and download the personal data of citizens of Serbia.

Image by vishnu vijayan from Pixabay

Countries in our region, to the greatest extent, adopted the legal framework related to data privacy protection, but the implementation of laws is still not satisfactory. Problems are also related to other laws and bylaws that are not aligned with privacy data protection laws. Additionally, examples of data breaches show that public institutions do not follow procedures for the implementation of privacy protection standards when developing new digital services for citizens. The lack of necessary cybersecurity protection also causes a big concern.

A good example of moving forward with the implementation of privacy standards is the case of the North Macedonia’s Personal Data Protection Agency (PDPA) which adopted the Methodology for compliance of the line legislation with the Personal Data Protection Law. This document contains guidelines that regulate the actions of the ministries in the processes of harmonization of the line legislation covering the process of reviewing existing laws, as well as the process of performing impact assessment for the laws in terms of Personal data protection. The Methodology is prepared in accordance with the good practices and the legislation of the European Union and its member states and it also features information on the processes of prior consultation with the PDPA during the preparation of draft laws or respective bylaws related to the processing of personal data.

This document can be used by institutions in the region that are in charge of data protection to develop a similar methodology as a guide for public institutions in the processes of harmonization of laws, and preparation of new laws. In the absence of guidelines in this field from the Serbian institution for the protection of personal data, Partners Serbia created a similar document last year that can also be helpful- Guide for drafting and amending sectoral regulations governing the processing and protection of personal data.

A good example of how we can secure a better protection of personal data in e-services is a very helpful tool for the assessment of privacy standards of e-services, created by Metamorphosis Foundation for Internet and Society from North Macedonia. Namely, Metamorphosis developed a Methodology for assessing the compliance of the existing public e-services and the services that are being digitalized with the Personal Data Protection Law. In order to track the progress in the area, Metamorphosis assessed the compliance of 51 e-services provided by the central government institutions twice in 2022. The first assessment was completed in March 2022 and the second in August 2022. The second assessment showed that the institutions made limited progress in the process of aligning with the Personal Data Protection Law when delivering e-services. Having in mind that the application of the methodology started recently, the progress of the compliance of the public e-services delivery should not discourage other countries in the region from starting with similar activities.

We welcome the efforts of the countries in the region to digitize services and make them more accessible to citizens, but these activities should not jeopardize human rights. We request that our governments make e-government services safe and secure and that the privacy of the e-citizen become more protected.

More about how digitalization impacts data privacy and what can we learn from countries in the region will be presented at international conference “Privacy Week” by data protection authorities and representatives of the civic sector from the region. A detailed agenda and registration form are available on the following LINK.


This text was prepared with the financial support of the European Union. The contents of this text are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Union.

The project “Increasing Civic Engagement in the Digital Agenda – ICEDA” is implemented by the Metamorphosis Foundation (North Macedonia), e-Government Academy (Estonia), Levizja Mjaft! (Albania), Partners for Democratic Change (Serbia), NGO 35mm (Montenegro) and ODK – Open Data Kosovo (Kosovo). The project is implemented with financial support from the European Union.