Getting to know the Draft Serbian Data Protection Act – Part 1 (Spotting issues)

The Ministry of Justice released a draft Personal Data Protection Act (“Draft”) on 4 November 2015. In this blog post and a few subsequent ones, we shall highlight the key features of the Draft. The Ministry invited all those interested to take part in a public debate that will last until 30 November.

The Data Protection Act now in force (“DP Act”) was enacted back in 2008 and amendments were subsequently passed in 2009 and 2012. During its life, the DP Act has proved to contain impractical, out-of-date provisions (such as the very restrictive provisions on the mode of expressing the data subject’s consent – in writing or orally on the official record) and important gaps (no provisions on video surveillance, for example). Although it reflects some of the basic principles of the EU Data Protection Directive (95/46/EC) (“Directive”), the DP Act too often departs from how the Directive treats certain specific issues.

In early June 2014, the Serbian DPA drafted a Model personal data protection act (“Model”) and made it available for public debate as the first step in a process that should have led to enactment of a new data protection law. The Model took into account the current trends within the EU in the regulation of data processing, by resorting both to solutions from the Directive and to the text of the new EU data protection regulation as proposed by the Commission in January 2012 (“Draft Regulation”).

The Model was a step in the right direction towards further harmonization of Serbian data protection law with EU standards. (BDK Advokati thoroughly analyzed the Model’s initial version in a document released on 30 June 2014 (English version here). The final version of the Model contained significant improvements compared to the initial draft.)

There seemed to be even more reasons for optimism in May 2015, when the Serbian Government issued a final version of its Action Plan for Chapter 23 (on Judiciary and Fundamental Rights) of the EU acquis communautaire (“Action Plan”). The Action Plan expressly stated that a new Personal Data Protection Act should be enacted in the third quarter of 2015 and that it should be based on the DPA’s Model.

However, the third quarter has passed, without a new law having been presented in the parliament. More importantly, the Draft proposed by the Ministry of Justice at the beginning of November has little to do with the DPA’s Model.

On this blog, BDK will analyse the most important provisions in the Draft and compare them – where such comparisons are helpful – with the corresponding provisions in the Model, DP Act, Directive and Draft Regulation. Where, in our opinion, the Draft erects hurdles to the normal operation of businesses for no good reason, or sacrifices data subjects’ rights and legitimate interests to vague State interests, we shall point to alternative approaches which the Model or other sources have already included.

In this blog post we briefly indicate the most important issues to be discussed, among others, in more detail in the posts to come:

  • Absence of clear affirmative action as a mode of expressing consent;
  • Explicit references to joint data controllers and sub-processors (a novelty in the Serbian legal framework);
  • Omission of provisions concerning video surveillance and biometric data processing (although the Draft defines those terms);
  • Territorial application of the future Act (lack of criteria for the assessment of whether the processing is carried out in the territory of Serbia);
  • Legitimate interest as an exception to the general requirement that processing requires the data subject’s consent (the Draft arguably goes too far by endorsing legitimate interests of processors, recipients, and third parties as grounds for exception);
  • Processing of personal data about minors (confusing provision);
  • Article 28 of the Draft – State Secret, Strictly Confidential, Confidential (out-of-place in a data protection statute);
  • Data subjects’ rights protection (appeal and petition [pritužba] – are both really necessary?);
  • Security measures (improved from the current law, adopts the approach from the Model);
  • Notification on data security breach (another useful novelty);
  • Preliminary risk analysis (in line with the Regulation’s data protection impact assessment);
  • Two-step record of filing systems still remains (anachronistic feature);
  • Transfer of data outside the Republic of Serbia (ostensibly room made for use of binding corporate rules and standard contractual clauses as grounds for transfer, but the scope of application heavily restricted by the requirement that Serbian law govern the rules/contract);
  • Monetary fines (significantly increased – arguably the right approach).