Following the adoption of the e-commerce laws we have dealt with in previous blogs, the new Personal Data Protection Act, or the Serbian version of the European GDPR, has come to the fore. Like any Serbian version of a foreign venture, it developed a knee-jerk reaction, following expert intervention and the traditional formalism of our legislators.
The next Commissioner’s Office, together with expert organizations in this field, has been warning for months about the ambiguities in the implementation of the Law, as well as the fact that the Law is incompatible with the legal system of Serbia. Merely translating a regulation from foreign legislation doesn’t suffice and can lead to multiple problems. This includes a number of institutions and companies that ultimately will not have the capacity to meet the obligations imposed by law.
What does that really mean? All governmental bodies, i.e. public authorities, must have persons in charge of protecting personal data. There is an enormous number of them, over 12,000 different bodies, and this translates into just as many people who must be found ASAP from somewhere and employed as personal data protection officers. The question is how we stand with people, budget and time, but the outlook is not great.
What about the others?
In addition to the aforementioned public authorities, meaning thousands of them, the question is – what should others do? According to the law, data processing conditions are tightened, and additional investment is needed in staff, tools, and software that would help businesses and other entities to properly implement the law. So, is there enough space for companies, entrepreneurs, marketers, and also citizens to prepare? Obviously not, because now everyone is on legal “unknown territory”. Citizens have rights that even the state bodies themselves are not ready to guarantee, and the economy has not sought or been prepared to accept obligations.
The step forward for citizens is explained a little later in the text, but what does this mean for the economy, businesses and marketers?
With the new provisions, they must unequivocally obtain citizens’ consent to data processing. Thus, there must be a written (digital) record of their positive response to a clear and unambiguous query.
Furthermore, according to the Law, all business entities are obliged to explain in detail how they process and secure personal data, and to enable citizens to revoke consent. It is up to them how these provisions will be implemented and what digital and other solutions are available. So, the companies got a set of obligations that were not prescribed by the previous law. As far as criminal policy is concerned, penalties for misuse of personal data previously ranged from 50 thousand to one million; now the range is up to two million dinars.
Citizens benefited somewhat, because this area is regulated in much more detail than before, and the Law significantly extends the rights of citizens in the protection of personal data. In addition to the usual rights of access, copy, and correction of data, they were also granted the right to information and to delete data. New rights have also been introduced, such as the right to data portability, which allows us to transfer information once transferred to another company at our request.
Disadvantages of “our” GDPR
The first drawback pointed out by many did not necessarily have to be a drawback. This law is literally a translation of the EU regulation on the protection of personal data. If our country had followed the steps of harmonizing rules and laws with the EU, and had it managed to harmonize all the provisions and introduce new institutes and rules at a slightly higher level of development, then this translation would not be “so bad”. Now, everything is questionable – the structure of the law is incomprehensible and too complicated, with many solutions that are incompatible with our legal system.
According to the Law, citizens should react if someone misuses their data and now they have the necessary mechanism to do so. They can do this by sending a “complaint” to the Commissioner for Personal Data Protection. All this would be fine if that institute was not foreign to our legal system. It actually exists, as a mechanism that regulates a completely different legal field, like in an organization.
The procedure
According to the creator of the law, “The Commissioner can initiate the protection procedure himself, go to an inspection, or do so on the complaint of a person”, pursuant to a misdemeanor warrant, in accordance with the Law on Misdemeanors. If there is any doubt or further determination is required, the Commissioner will file a motion for misdemeanor proceedings before the court.
Easy, right? The easier part was done, the law came into force. But – what about the implementation? We have a situation where the laws are not enforced or selectively enforced. What about the actions the Commissioner has already instituted? The epilogue is not even near, and even more troublesome is the fact that individuals in state institutions have been suspected of repeatedly violating the citizens’ right to privacy for many years. The rule of law needs to be strengthened, but a clear system of accountability for all must be enforced – this is the only path to a successful implementation of the law.



