A misguided call to put Serbian data protection law on hold

Serbian

In the past two days, the recently appointed head of Serbian data protection supervisory authority announced one radical move and sharply criticized some provisions in Serbia’s new data protection law. The commitment and audacity of Milan Marinović should be encouraging to those who feared that the new data protection tsar would be the exact opposite of his very vocal predecessor, Rodoljub Šabić. However, when examined on the merits, Marinović’s statements give reason for concern.

The main point Marinović made in his appearance on the state-run television and in a statement to a news portal is that, in his opinion, implementation of the Data Protection Act 2018 should be postponed. The law, adopted in November last year, provided for a nine-month grace period. Therefore, implementation of the law should commence on 21 August 2019. Marinović is now calling for an additional one-year deferral.  To strengthen his case, Marinović made a few policy and legal arguments which are of dubious validity.

Who is “not ready” for the new DP law?

The new head of the supervisory authority said that “the society-at-large”, governmental agencies, data controllers, and data processors, are “not ready” for the DP Act 2018. That was a very general claim devoid of detail.

Marinović became much more specific and convincing when he turned to the problem perturbing the agency he now heads: simply, it suffers from a shortage of (qualified) staff. It is clear, from watching Marinović’s TV appearances, that that is where the real problem resides.

It is a well-known fact that Serbian supervisory authority has not seen any increase in personnel in spite of the enactment of the new, GDPR-modelled, law. That is a real issue: the law, like the GDPR, requires a proactive and properly staffed supervisory authority, much more so than the previous law (from 2008). But that is an issue that should be resolved in parallel with the application of the new law.

One or two weeks before the DP Act 2018 is about to be implemented, to postpone its implementation would be damaging to the many companies which have braced themselves for the law. The companies have carefully and systematically adjusted their modes of operation to the requirements under the new law. Now, if the parliament were to defer the law’s implementation, these companies would have to reshape the plans and turn the clock back to the outdated data protection law from 2008.

The old law does not even recognize “legitimate interests” as a legal basis for data processing. Also, that law strictly requires the written form of consent. It forces data controllers to notify the supervisory authority of each set of processing operations and to register those operations with the authority. Data transfers to non-European countries are allowed only if the supervisory authority in each instance issues an authorization. All that, in the GDPR era, looks like the stone age of the data protection law.

There are, without a doubt, companies which have not prepared for the DP Act 2018. But the way to address their self-inflicted tribulation is to educate and motivate them as the new law is being implemented – rather than to postpone implementation of the new law at the expense of those who did their best to prepare.

General DP rules take care of video surveillance

In one of his two TV appearances, Marinović moved from the policy arguments to legal ones. He made two such arguments for an intimation that the new law (the DP Act 2018) may have to be corrected before it can be implemented. On these legal issues Marinović was, if anything, even less persuasive than on the policy ones.

His first argument was that the new law does not specifically regulate the processing of personal data which occurs through video surveillance. It is true that the law does not address that matter in any detail. But, GDPR does not address it either.

Moreover, among the post-GDPR data protection laws adopted by the E.U. member states, those not dealing with video surveillance are at least as numerous (France, the UK, Denmark, Belgium, Italy) as those which do deal with that matter (Austria, Germany, Croatia). That is a fairly strong indication that regulation of the video surveillance by means of detailed statutory provisions is not as essential as the Serbian supervisory authority has come to believe.

Instead, data controllers may devise appropriate video surveillance measures by adhering to the general data protection principles enshrined in Article 5 of GDPR (also Article 5 of the Serbian DP Act 2018) and other GDPR/DP Act rules. Data protection authorities and courts may also decide on the basis of such general principles and rules. A French case recently presented here is an example of a supervisory authority (CNIL, in that instance) reaching foreseeable decision by applying general principles and rules from the GDPR.

Accreditation under DP Act 2018: clear and consistent with the GDPR

The second legal argument Marinović made also failed to impress. The argument goes like this (Marinović refers to the Serbian supervisory authority as “the Commissioner”):

We have an absurd situation, the Commissioner is now competent to prescribe the criteria for certification and accreditation, which should be followed by those who are accredited, who should be accredited and who issue certificates. However, the Commissioner has also been given the authority to conduct accreditation and certification. We come in an absurd situation, that the Commissioner should do this in addition to the already existing Accreditation Bureau, and in addition he should prescribe the criterion to be applied to itself!

The critique misreads the relevant provision in the Serbian DP Act 2018 (and in the GDPR). Serbian supervisory authority has conflated the concepts of accreditation, on the one hand, and assessment of whether a certification body has independence and expertise, and has no conflict of interest, on the other.

Article 62(2), of the DP Act says the following:

The certification body referred to in paragraph 1 of this Article may be accredited only if it: 1) proves to the Commissioner its independence and expertise in relation to the subject of certification; … 5) demonstrates to the Commissioner that their tasks and duties cannot result in a conflict of interest.

In an earlier letter to the Ministry of Justice, sent on 7 August 2018, the authority erroneously concluded that “it follows from paragraph 2 that, since the certification body can be accredited only if it demonstrates to the Commissioner that it satisfies the conditions required under that provision, the Commissioner is the one who conducts [accreditation]”.

That is a non sequitur. In actuality, confirming that a certification body has independence/expertise and has no conflict of interest is conceptually different from accrediting the certification body. One body (the supervisory authority) may do the former, and another body (in Serbia: Accreditation Bureau of Serbia) may do the latter. When the Accreditation Bureau decides on whether to accredit or not, it takes into consideration the supervisory authority’s finding of independence etc., as a precondition – among other preconditions – for accreditation.

GDPR shows that such division of labour is perfectly possible. Article 43(1) of the GDPR leaves it to the member states to decide who may accredit the certification bodies: (a) the national supervisory authority; (b) the national accreditation body; or (c) both. Consequently, in the provisions about the tasks and powers of the national supervisory authority, the GDPR authorizes the national supervisory authority – if the member state so chooses – to conduct accreditation of certification bodies (Articles 57(1)(q) and 58(3)(e)).

In any event, i.e. whichever accreditation option the member state chooses, the supervisory authority is the only body with the power to formally ascertain whether the certification body meets the specific requirements of independence, expertise, and absence of a conflict of interest. Article 43(2) of the GDPR, the equivalent of Article 62(2) of the DP Act 2018, explicitly says so.

Serbian DP Act 2018 is, if anything, clearer than the GDPR on the division of labour between the national supervisory authority and the national accreditation body. Unlike the GDPR, the DP Act 2018 does not even contemplate the possibility of the supervisory authority accrediting a certification body.

The power to conduct accreditation is with the Accreditation Bureau of Serbia. That power arises from the Accreditation Act (2010), which stipulates that the Accreditation Bureau of Serbia is “the only authority in the Republic of Serbia on which this law confers the power of granting accreditation”. The DP Act 2018 explicitly refers to the Accreditation Act as the relevant source (Article 62(1) of the DP Act 2018: “Certification body which has an appropriate level of expertise in relation to data protection and which has been accredited in accordance with the law regulating accreditation, shall ….”). In line with that, the DP Act 2018 does not include conduct of accreditation in the exhaustive lists of Commissioner’s tasks (Article 78) and powers (Article 79).

As Marinović said in one of his two public appearances described in this blog post, it may be difficult to have the parliament convene in the middle of the summer in order to amend the data protection law, i.e. defer its implementation. That is probably the best news concerning the most recent initiative coming from the supervisory authority.