Getting to know the Draft Serbian Data Protection Act – Part 2 (Major shortcomings)

Following our first blog post of 10 November, we now turn to some of the key provisions in the Draft Serbian Data Protection Act (“Draft“) which, in our opinion, compare poorly with the corresponding provisions in the Serbian DPA’s Model personal data protection act (“Model“), the EU Data Protection Directive (95/46/EC) (“Directive“), the draft EU data protection regulation (“Draft EU Regulation“), and the national laws within the EU and in the territory of the former Yugoslavia. In a subsequent post we will look into other contentious provisions in the Draft, and then we will conclude this series of blog posts with one on the positive features of the Draft.

1)  Absence of clear affirmative action as a mode of expressing consent

Potentially the most damaging provision in the Draft is the one stipulating that data subjects may give their consent to data processing “in writing or orally on official record”. This rule comes very early into the Draft, in Article 3, and it sets the tone of the document as one giving no consideration to the realities of commercial life. The limitation of the mode of expressing consent stands at odds with the treatment of consent in virtually every contemporary data protection law, including in the Draft EU Regulation. Both the European Parliament and the Council of the European Union accept that consent may also be given by a clear affirmative action. That form of consent encompasses clicking the button or ticking the box online.

The Data Protection Act now in force in Serbia, adopted in 2008 (“DP Act 2008“), was already obsolete when it required consent to be given in writing or orally on official record. The Data Protection Authority (DPA) was well aware of this, and in the Model from June 2014 it proposed that consent may also be given by a clear affirmative action. It is amazing that the government would transport the excessively restrictive and ultimately unworkable provision from the old law into the new one. Elsewhere in the Draft it is stipulated that valid consent also means consent given with a qualified electronic signature, which only adds to the perception of the Draft as a document intended to be restrictive and to make things difficult for businesses.

2)  The Draft lacks criteria for determining whether the processing is carried out in the territory of Serbia

The Draft states that the provisions of the law would apply to “any processing carried out in the territory of the Republic of Serbia, as well as outside the territory of the Republic of Serbia, where regulations of the Republic of Serbia apply in accordance with the international law, the present Act or a contract, regardless of the registered or domicile address of the controller or the processor, except where data are only in transit through the territory of the Republic of Serbia” (Article 4(3)).

This provision does not offer specific criteria for determining whether the processing takes place in the territory of the Republic of Serbia. In contrast, the DPA’s Model employed as the criterion the use of equipment situated on the territory of the Republic of Serbia. The DPA apparently proposed that provision because the Directive also states that the Member State’s national provisions apply to a controller (not established on Community territory) who, for purposes of processing personal data, makes use of equipment situated on the territory of the Member State (unless such equipment is used only for purposes of transit through the territory of the Community). As we explained in a blog post in August this year, data protection authorities in Spain, France, and Belgium, as well as the Berlin Court of Appeals, have in the past two years used the criterion of “equipment” (also referred to as “means of processing”) to reach the conclusion that the national data protection law applies to the use of cookies by Facebook and Google. Their reasoning is that the foreign-based data controller uses “equipment” in the respective EU Member State when it sets cookies on the user’s personal computer or other device situated in the country.

The Draft EU Regulation preserves the same idea, but expresses it differently. The Regulation would apply if the controller (not established on Community territory) processes personal data of data subjects residing in the Union in the context of “monitoring their behaviour” (which is what cookies do). Unlike the Directive, the Draft EU Regulation also lays down a rule whereby an entity established outside the EU will be subject to the Regulation if it offers goods or services to EU residents. This would typically be the case when such entity engages in direct marketing targeting EU residents.

3)  Legitimate interests of the data processor should not be a ground for not having to seek data subject’s consent to processing

Article 10, point 6, of the Draft prescribes that the processing without consent shall be permitted if carried out “in order to achieve the legitimate interest pursued by the controller, processor, recipient or third party, if the need for the protection of such interests overrides the need for the protection of the fundamental rights and freedoms of the data subjects.”

Among the EU Member States, “legitimate interests” of entities other than the data subject are a long-standing exception to the general rule that lawful processing requires the data subject’s consent. Absence of a provision to that effect in the DP Act 2008 was an unfortunate omission.

However, the legal instruments employing the concept of legitimate interests make sure not to include data processors among those whose interests might outweigh the interests or fundamental rights and freedoms of the data subjects. Neither the Directive (Article 7, point (f)) nor the Draft EU Regulation (Article 6(1)(f)) includes data processors among those whose legitimate interests provide a basis for obviating the data controller’s duty to obtain the data subject’s consent to the processing. The national laws of France, Italy, the Netherlands, Germany, Croatia, Bosnia and Herzegovina, Montenegro, and a number of other countries also exclude the data processor’s “legitimate interests”.

4)  Lack of clarity and minimum standards concerning provision of personal data to “recipients”

The Draft proposed by the Serbian government gives significant power to “recipients” of personal data. The general rule under the Draft is that, if a recipient wishes to have access to personal data concerning a data subject, it must submit a written request to the data controller. However, this rule has two exceptions that are formulated so broadly that it is difficult to avoid the conclusion that they are meant to give broad discretion to law enforcement and intelligence agencies, i.e. to free them of any genuine limitation when addressing data controllers with requests for access to personal data.

The relevant provision in the Draft (Article 22) states that a request to a data controller for access to personal data does not have to be in writing if special legislation so allows, provided that the underlying purpose is the protection of national security, the defence interests of the country, or the prevention, detection and prosecution of perpetrators of criminal offences. Another exception from the obligation to submit a written request applies where considerations of expeditiousness so require.

The government’s Explanation accompanying the Draft DP Act does not shed any light on the reasons for introducing this provision or on its precise contours. The Explanation briefly asserts that “practical exigencies” require the approach under which data controllers should in urgent matters provide the personal data to unspecified recipients even in the absence of written requests by the latter. One should note here that, unlike some other countries which have confronted real threats of terrorism in the past decade, Serbia has been fortunate enough to almost completely escape the interest of contemporary terrorists. In other words, there does not seem to be a policy justification for ill-defined provisions likely to give broad power to the police and the intelligence agencies.

5)  Gender and Personal Identification Number (JMBG) should not be included among “special data”

The Draft includes Unique Personal Identification Number of a Citizen – known by its acronym JMBG (jedinstveni matični broj građanina) – among the special categories of personal data (earlier referred to as “sensitive data”). If adopted, such provision is likely to cause more harm than good.

The accompanying Explanation of the Draft DP Act justifies such privileged treatment of the JMBG by the possibility of inferring a person’s gender from his or her JMBG. The Draft considers gender a special category of personal data, so the JMBG by extension enters into that category as well. But treating gender as a special category of personal data is out of sync with the dominant position in the EU and its Member States. Gender does not figure as a special type of personal data in either the Directive or the Council’s version of the Draft EU Regulation. The data protection laws of – to name a few examples – France, Germany, the Netherlands, and the UK do not consider gender a special category of data either. Likewise, Croatia, Slovenia, Bosnia and Herzegovina, and Montenegro, all of them once parts of the Yugoslav federation together with Serbia, do not accord gender the status of a special category of personal data.

The drafters of the new Serbian DP Act may have concluded – wrongly – that the DPA’s frequent criticism of the widespread practice in Serbia to unnecessarily photocopy or retain the data subject’s ID documents with JMBGs meant that JMBG is a special category of personal data. But that is not the case, and the Model proposed by the DPA in June 2014 did not include JMBG among the special categories of data.

6)  Excessive bureaucratisation: obligation to enact a general act and a data protection officer

The Draft DP Act would obligate every data controller which processes special categories of data to (i) enact a general act detailing permissible grounds for processing, the data subject’s rights, and the security measures to be applied by the controller, and (ii) appoint a data protection officer. Many data controllers process the JMBG numbers, and if the DP Act ends up treating JMBG as a special category of data, the obligation to enact a general act and appoint a data protection officer would be pervasive.

The proposed rule may simply be an expression of a resilient legal culture in Serbia which treats over-regulation as a value in itself. (In truth, the Draft DP Act does not in this respect depart significantly from the Model, which would also compel every data controller who processes sensitive data to enact a general act and appoint a data protection officer).

In contrast, the Draft EU Regulation does not require any data controller to enact a “general act”. Even the data protection laws in the countries neighbouring Serbia – Croatia, Montenegro, and Bosnia and Herzegovina – do not contain such a requirement.

As to the appointment of data protection officers, there does not seem to be a good argument for why every data controller in charge of processing sensitive data should be obliged to appoint a data protection officer. In the Council’s version of the Draft EU Regulation, there is no obligation on the part of a controller who processes special categories of data to enact a general act or appoint a data protection officer. The European Parliament does provide for such obligation, but only if the processing of special categories of data belongs to core activities of the controller or the processor. (Processing of health-related data by health institutions comes to mind).

Therefore, even if the government – or the parliament – drops the JMBG from the list of special categories of personal data, the future DP Act should not automatically require a data controller processing genuinely sensitive data to appoint a data protection officer. Instead, the Act should introduce a numerical criterion, whereby a data protection officer must be appointed if the controller processes the personal data of a specified minimum number of data subjects. That approach is standard in comparative law, and the Draft EU Regulation also follows that model.

7)  Transfer of data outside the Republic of Serbia

The section in the Draft DP Act dealing with transfer of personal data abroad is problematic for more than one reason.

The Draft peculiarly omits any reference to the adequacy of the protection of personal data in the country of intended import as a criterion for assessing the permissibility of the intended data transfer. Under almost every other national law, the Directive, and the Draft EU Regulation, the two basic rules are that (i) the transfer of personal data to a third country may take place if the country of import ensures an adequate level of protection, which may be the case even if the country is not a party to a specific bilateral or multilateral data protection agreement, and (ii) the data protection authority in the country of export, or the European Commission, has the authority to assess the adequacy of protection. The Model proposed by the Serbian DPA had a provision similar to that in the Montenegrin DP Act, whereby the adequacy decisions of the European Commission would be presumed to be accurate.

The Draft DP Act, however, does away completely with adequacy decisions by the Serbian DPA or the European Commission. Instead, the basic precondition for permissible transfer is a formalistic one: a transfer may take place if a law (unclear what kind of law), a bilateral treaty, or a multilateral data protection agreement (presumably the Council of Europe Convention no. 108) provides for such transfer. In addition to this general rule, the Draft DP Act includes some additional grounds for permissible transfer (such as data subject’s consent, implementation of a contract between the controller and the data subject, or interests of national security and defence), but the law seems to be indifferent vis-à-vis the level of protection of personal data in the country of intended import.

A provision in the Draft DP Act ostensibly makes room for the use of binding corporate rules or standard contractual clauses as grounds for the lawful transfer of personal data abroad, even in the absence of a relevant bilateral or multilateral agreement involving the country of import, and even without the data subjects’ consent. However, the scope of application of the provision is heavily restricted by the requirement that Serbian law govern the rules/contract.

The provision allows for a data transfer if a controller established or residing in Serbia has entered into an agreement with another controller, or a processor or recipient, established or residing abroad. The provision would cover an equivalent to what at the EU level is known as “standard contractual clauses” (clauses in the transfer agreements between a data controller located in the EU and a data processor, or another data controller, typically from a country which does not ensure an adequate level of protection of personal data). The provision might also be flexible enough to encompass the so-called binding corporate rules (codes of practice adopted internally by multinational corporations, the purpose of which is to allow the transfer of personal data to affiliates located outside the European Economic Area (the EU Member States, Iceland, Liechtenstein, and Norway)).

However, for such an agreement to provide a basis for the lawful transfer of personal data from Serbia under the Draft DP Act, it must designate the Serbian DP Act as the governing law and must provide for the jurisdiction of Serbian bodies if a dispute concerning the protection of the exported data arises. No analogous requirement exists in the relevant provisions of the Draft EU Regulation (Articles 42, 43, and 53).