At the moment, data protection in Serbia is primarily regulated by the provisions of the Law on Personal Data Protection, enacted in 2008, with the last amendments from 2012 (the “Law”). Naturally, a number of other laws also regulate certain aspects of data protection, and these other laws are to be interpreted together with the basic principles and general rules of the Law.
Although it indeed constituted a breakthrough at the moment of its enactment, practically introducing the modern concept of data protection in Serbia for the first time (there was one law preceding this one, but with no real application in practice) and establishing the Serbian Data Protection Authority (DPA), the Law’s effects throughout the past eight years have revealed serious deficiencies and room for improvement. Important improvements that need to be made primarily concern the overly restrictive regime for the provision of an individual’s consent for data processing (which must be in written form and hand-signed – no implicit, oral, or online consent is recognized), data transfer to non-European countries (which requires the DPA’s prior approval, often too hard and time-consuming to obtain), as well as the failure to regulate certain specific and sensitive areas (e.g., video surveillance, biometric data, etc.).
Moreover, or perhaps as a result, the Law failed to gain sufficient respect in the business sector and in most cases is simply ignored by companies and even by state authorities, despite the significant efforts of the DPA to educate the public on key data protection principles and individuals’ rights. As an illustration, the percentage of companies who have registered at least one personal database with the DPA (one of the most basic obligations introduced by the Law) is below 1%, probably placing the Law among the pieces of legislation least likely to be complied with in Serbia. This obviously needs to change.
With this in mind, the DPA prepared a draft of the new data protection law back in 2014 and provided it to the Serbian Government as a starting point, and the Serbian Ministry of Justice also prepared its own draft in 2015, apparently without taking the DPA’s draft into real consideration. Therefore there are currently two conflicting draft laws in Serbia as potential replacements for the Law, which probably speaks more about the immaturity of Serbian institutions than of their eagerness to upgrade the outdated piece of legislation. Although both drafts contain improvements to the existing Law, the DPA’s version undoubtedly seems more comprehensive (as it introduces alternative consent forms, regulates currently missing areas, etc.), as well as being both legally and technically superior.
In any case, both drafts contain provisions relaxing the currently problematic data transfer restrictions, prescribing viable alternatives to the rule requiring the obtaining of the DPA’s approval for transfers to non-European countries, such as obtaining the data subject’s consent for the transfer. The DPA’s draft also allows such transfers to be made if the country of data destination is included on the EU’s list of countries that have an adequate level of data protection (such as Canada, Argentina, and Israel, as well as the USA, with respect to companies included in the Privacy Shield List). On the other hand, the draft prepared by the Ministry of Justice includes several additional alternatives, including for transfers necessary for the performance of certain agreements (such as those concluded between the data subject and data controller, or between the Serbian data controller and foreign data controller or processor in which the applicability of the Law and competence of the DPA are stipulated, etc.).
Nevertheless, neither of the two drafts has yet entered the formal legislative procedure in the Serbian Parliament, and there are no recent indications of when this may happen. The fact that Serbia is required to harmonize its laws with EU legislation will hopefully accelerate this process, since the Law is only partially compliant with the EU Data Protection Directive 95/46/EC, let alone with the recently introduced EU General Data Protection Regulation 2016/679.
Until then, companies in Serbia will have to continue operating under the currently applicable Law. This requires careful navigation through the existing Law’s deficiencies and related risks, which, although undesirable and problematic, is something companies in Serbia are relatively used to by now. Hopefully this will not be the case for much longer, for a bit of legal certainty would go a long way for data protection standards in Serbia.
By Marjan Poljak, Senior Partner, and Goran Radosevic, Attorney at Law in cooperation with Karanovic & Nikolic
This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine.