EC’s qualified support to Serbia’s draft data protection law

Earlier this week Serbian public got an opportunity to acquaint itself with the general comments and detailed comments by the European Commission (EC) of the Serbian government’s draft data protection law. The purpose of the EC’s comments, written in April 2018, was to assist the government to create a decent bill. At the same time, the comments represent a kind of a verdict on the government’s law-making effort.

Serbian data protection authority (DPA), the longtime and fierce critic of the government’s drafting exercise, readily interpreted the EC’s comments as confirming the DPA’s strongly negative take on the draft law. On a closer inspection, however, such assessment of the EC comments strikes the observer as exaggerated.

The EC rightly points to the overcomplexity of the text of the draft law. This feature of the draft law arises from the inclusion of provisions from Regulation 2016/679 (General Data Protection Regulation (GDPR)) and Directive 2016/680 (“Police and Criminal Justice Directive”) in one and the same document. The way in which provisions from the two EU instruments are intertwined makes the draft law difficult to read. A better solution would be to have in the law a separate section on data processing in the context of law enforcement. This is where the EC, Serbian DPA, and indeed most commentators in Serbia agree.

EC’s substantive criticism and requests for further clarification

When it comes to the substance of articles in the draft law, however, the specific critical comments by the EC are relatively few. The comments concern the issues described below. The critical comments made by the DPA at two points in time – first in January 2018 and then again in August – have been far more numerous and mainly concern issues which the EC did not identify as problematic.

The Ministry of Justice has most recently modified most of the provisions to which the EC objected, in an effort to bring those provisions in line with what the EC recommendations. The DPA, however, subsequently issued a new set of comments critical of the amended draft. The DPA considers the draft a “very bad text” which is “virtually unimplementable”.

With one or two possible exceptions, the EC did not object to the specific provisions in the draft which the DPA presently considers flawed. The EC’s points of substantive criticism of the draft’s provisions concerned other issues: the absence of the concept of “legitimate interests”; definition of “consent”; a narrow issue concerning cross-border transfers in specific situations; and, a couple of minor issues concerning certification and codes of conduct.

Of these issues, the one concerning “legitimate interest” was by far the most critical. The intervention by the EC will have a far-reaching positive effect. The initial draft law, from November 2017, contained the concept of “justified interest” which arguably had the same or very similar meaning as GDPR’s “legitimate interest”. The government muddied the waters in March 2018, at the end of the process of public consultations concerning the initial draft. The March draft altered “justified interest” with the notion of “interest based on law”. The meanings of an “interest based on law” and a “legitimate interest” are not the same: the former is significantly narrower in scope than the latter. Retention of the concept of “interest based on law” in the data protection law would make it very difficult for data controllers to carry out their activities without breaching the law. (BDK Advokati strongly advocated in a public forum and through the professional associations in Serbia for the removal of the concept of “interest based on law”).

The EC also noted that the government has not transposed any GDPR recitals into the draft law’s operative provisions. While that does not necessarily make the provisions deficient, the EC recommended that the government “should [c]heck [w]hether there are important clarifications which should be included directly in the text of the draft law”.

In a similar vein – i.e. by stopping short of making outright criticism – the EC sought clarification concerning the following three issues: availability of judicial remedy against decisions of the future supervisory authority; propriety of the law on access to public information serving as the instrument to govern election and termination of functions of the supervisory authority; and the scope of the data subjects’ right to lodge with the supervisory authority a complaint against data controllers and processors.

EC’s feedback and the big picture

It is not clear whether the government will restructure the law, i.e. separate from the rest of the text the provisions originating from the Police and Criminal Justice Directive. Additional months in the already long law-making saga would probably be spent on a redrafting exercise. The result, however, might be worth the effort.

Moving to the substantive provisions, the draft overall provides a solid basis for the future law. That said, the law will by no means be perfect, chiefly because it will not address in detail special processing situations. EU member states are completing their legal frameworks by enacting national data protection laws with detailed provisions on the processing in the scope of employment relationships, processing in health-related matters, and processing for purposes of scientific or historical research and for archiving purposes in the public interest. Serbian government does not seem to have appetite – or capacity – for going beyond the transposition of the GDPR text into the domestic legal system.

One fundamental point has been lost in the often noisy and impassioned debates in Serbia concerning the future law. What has been on the table in Serbia since the adoption of GDPR at the EU-level were the government’s draft law and the DPA’s so-called model law. Both were the efforts to comprehensively regulate the field, but only the former was worth pursuing.

The DPA’s model was a non-starter because it focused overwhelmingly on the right to the protection of personal data and paid scarce attention to the imperative of not restricting the free movement of personal data. Thus, the model provided for a continued obligation of the data controllers to notify the DPA of the intended processing and to seek the DPA’s authorization for cross-border transfer. Data subject’s consent was to be the rule, while the other grounds for lawful processing, including legitimate interest, were to be exceptions.

It is small wonder that the model got no support from Serbian business community. The businesses and the lawyers representing them were aware of the absence of the notification and authorization requirements from the GDPR, and of the painfully slow pace at which the DPA has been processing (especially) the requests for data transfer authorizations. On some of the fundamentals, the model and the GDPR headed in opposite directions.

That is not the case with the government’s draft. How the law will look in the end, and what its implementation will entail, remains to be seen. When it comes to the implementation, Serbia is not in an entirely unique position. Uncertainty reigns throughout Europe in relation to its new law – the GDPR itself.