"Data Protection matters have kept us extremely busy this year," Gjorgji Georgievski, ODI Law Partner in North Macedonia and Regional Head of TMT Group, reports, primarily as a result of the looming end of the transition period of the new data protection law in the country.
Georgievski explains that while a new GDPR-based data protection law was adopted in February 2020 in North Macedonia, it allowed for a transition period until the end of August 2021. "In the period following the adoption, we did try our best to launch a small public awareness campaign – basically telling the market what needs to be done in broad terms and announcing that we're here to help – but the pandemic hit shortly after and no one was thinking about data protection anymore." According to the ODI Partner, "in 2020, no one did anything, or very little, to ensure compliance. As the deadline was approaching, though, we saw increased interest in the issue at the beginning of the year across the board – both existing and new clients were reaching out as they were scrambling to ensure compliance." And it makes sense that they did, according to Georgievski, since, in contrast to the old legislation that only included nominal fines, the new one stands to slap companies with penalties in the realm of 2-4% of their turnover.
"And the reality is that, once you make the jump into the area of data protection, things can get complex quickly," Georgievski says, pointing to a car manufacturer they are working with for whom the ramifications are immense – from their head-up stores to the GPS user-profiles and other applications they are implementing as part of their offering.
And the deadline is unlikely to be moved. "While I personally believe an extension should be made when taking into account the pandemic, we have not seen any announcements from the Government in this regard as of yet," Georgievski reports.
Looking into the future, the ODI Partner points to two elements that will likely influence the workload for the practice. First, he explains that "an interesting instance is that large tech companies that process personal data of Macedonian citizens on a large scale are not present in the country". Based on the new law, they should be appointing a local Data Protection Officer to ensure compliance with the local data protection law. "Still, we have not heard of any such appointments just yet." That, he said is quite "strange when you compare it to the situation of Serbia, where these companies have been busy appointing local representatives. Hence, we hope to be able to assist and be appointed for some of these companies as well for North Macedonia." Second, "and this is the big question mark," according to Georgievski, there isn't a strong enforcement arm on the ground just yet, "which is a significant problem." In his view, "if there are a few examples of the agency going to companies, if we start seeing some fines, we expect many who have been relaxed until now will realize they really need to address this."
Ultimately, according to Georgievski, "data protection is here to stay, and we're likely going to see it branch out into more and more aspects of our work." The same way that, "all of a sudden, force majeure clauses were the thing to look out for in contracts," he explains that "data protection will matter beyond just simple compliance. We'll see it starting to play a role in M&A transactions as well, so I suspect our work in the practice will keep increasing – it only depends on enforcement for now as to how soon that will happen."