Final text of the EU Regulation compared with draft Serbian law

On 15 December 2015, the European Parliament and Council of the European Union agreed on the final text of the EU General Data Protection Regulation (“Regulation“). We now know what the legal regime concerning protection of the personal data will be in the EU for a considerable time after 2018, the year the Regulation will come fully into force.

Two months ago, at the beginning of November, the Serbian Ministry of Justice released a draft Personal Data Protection Act (“Draft“). When we analyzed the proposed Draft in the series of four blog posts, there were still two versions of the draft EU Regulation on offer – Parliament’s and Council’s. Now, we are in position to compare the Draft with the final version of the Regulation. The Serbian lawmaker should do its best in the coming weeks and months to ensure that the future Serbian law is consistent with the future Regulation. Serbia opened the first two chapters in its EU membership negotiations on 14 December and is obliged to fully harmonize its law with the EU legislation. If the text of the Draft is not fixed, the law might end up falling behind important EU standards.

The Draft stipulates that data subjects may give their consent to data processing only “in writing or orally on official record”. The limitation concerning the mode of expressing consent in the Draft gives no consideration to the realities of commercial life. In contrast, the Regulation prescribes that consent may also be given by a clear affirmative action (article 4, point 8). As recital 25 of the Regulation helpfully explains, ticking a box when visiting an Internet website is also a valid form of consent.

The Draft states that the provisions of the new Serbian law would apply to, inter alia, “any processing carried out in the territory of the Republic of Serbia”. This provision does not offer specific criteria – such as the use of equipment situated on the territory of Serbia – for determining whether the processing takes place in the territory of Serbia. The Regulation, in contrast, offers the specific criteria. The Regulation applies if the controller (not established in the Union) offers goods or services to EU residents, or processes personal data of data subjects residing in the Union in the context of “monitoring their behavior” (article 3(2)). The former occurs when a company engages in direct marketing targeting EU residents, and the latter encompasses the use of cookies.

Provision in the Draft on legitimate interest as a basis for permissible non-consensual data processing unduly expands the range of persons whose interests justify not seeking data subject’s consent, to encompass data processors. The Regulation does not include data processors among those whose legitimate interests provide basis for obviating data controller’s duty to obtain the consent to the processing (article 6(1)(f)).

The Draft under its definition of “special data” encompasses the data which should not be included among special data (gender and Unique Personal Identification Number of a Citizen (JMBG – jedinstveni matični broj građanina)). The privileged treatment of JMBG is justified in the explanatory memorandum accompanying the Draft by the possibility of inferring from a person’s JMBG his or her gender. However, treating gender as a special category of personal data is out of sync with the dominant position in the EU and its Member States. In the final text of the Regulation, gender does not figure as a special type of personal data (article 9).

The Draft would obligate every data controller who processes special categories of data to (i) enact a general act detailing permissible grounds for processing, the data subject’s rights, and the security measures to be applied by the controller, and (ii) appoint a data protection officer. Here is where the issue of JMBG and gender becomes highly relevant, because many data controllers in Serbia process the JMBG numbers, and if the Draft ends up treating JMBG as a special category of data, hardly any data controller could avoid the obligation to enact a general act and appoint a data protection officer. In contrast, the Regulation does not require from any data controller to enact a “general act”.

As to the appointment of data protection officers, the final version of the Regulation provides in article 35(1) for such obligation only if the core activities of the controller or the processor consist of (i) processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (mobile operators come to mind), or (ii) processing on a large scale of special categories of data (such as healthcare institutions when processing health-related data) or data relating to criminal convictions and offences. Therefore, the future data protection act should not automatically require from everydata controller who processes sensitive data to appoint a data protection officer.

Under the Regulation, basic rule is that the transfer of personal data abroad may take place if the country of import ensures an adequate level of protection (article 41). The section in the Draft dealing with transfer of personal data abroad omits any reference to adequacy of the protection of personal data in the country of intended import as a criterion for assessing permissibility of the intended data transfer. Instead, the basic precondition for permissible transfer is a formalistic one: a transfer may take place if a statute (unclear what kind of statute), a bilateral treaty, or a multilateral data protection agreement (presumably the Council of Europe Convention no. 108) provide a basis for such transfer. True, the Draft also includes additional grounds for permissible transfer – such as data subject’s consent, implementation of a contract between the controller and the data subject, or interests of national security and defense. However, the failure to consider adequate protection of personal data as a stand-alone basis could result in inability of a data controller to export personal data to a country in which the protection is exemplary but the country happens to not be a party to any agreement to which Serbia is a party and no substitute ground for transfer exists.

A provision in the Draft ostensibly makes room for use of binding corporate rules or standard contractual clauses as grounds for lawful transfer of personal data abroad even if in the absence of a relevant bilateral or multilateral agreement involving the country of import, and even without the data subjects’ consent. However, the scope of application of the provision is heavily restricted by two requirements: (i) that Serbian law govern the rules/contract, and (ii) Serbian bodies have jurisdiction if a dispute concerning the protection of the exported data arises. No analogous requirement exists in the relevant provisions of the Regulation (articles 42 and 43).

The Draft puts a much heavier burden on data controllers in terms of required paperwork than the Regulation. The Regulation does not require enactment of a general act, nor does it provide for a sweeping obligation to notify the data protection authority of intended data processing of special categories of data and to register an established filing system containing such data. Instead, the data controller must conduct a data protection impact assessment if the nature, scope, and purposes of the intended processing are likely to create a genuine risk for the rights and freedom of individuals (article 33(1)). The assessment has to be expressed in a document describing the envisaged processing operations, an evaluation of the risk for the rights and freedoms of individuals, and the measures to address the risk and to demonstrate compliance with the Regulation (article 33(3)). If the assessment indicates the likelihood of a high risk, the data controller must consult the national data protection authority (“DPA“) and the DPA may prohibit the intended processing (article 34 and 53(1b)).

The Draft also requires a data protection impact assessment, on grounds similar to those under article 33 of the final text of the Regulation. However, the Draft parts way with the Regulation by requiring the following from every controller in charge of processing special categories of data: (i) enactment of a general act detailing permissible grounds for processing, the data subject’s rights, and the security measures to be applied by the controller; (ii) notification of data protection authority of intended data processing; and (iii) registration of an established filing system. We discussed in detail the data protection impact assessment, the notification of data protection authority of intended data processing, and the registration of an established filing system in our blog post of 17 November 2015.

The Draft introduces an explicit reference to joint control and co-processing. A downside is that, unlike the Regulation (article 24), the Draft makes no mention of an obligation for joint controllers to determine their respective responsibilities for compliance with the law, and in particular their responsibilities vis-à-vis the data subjects.