Ana Toskić Cvetinović
Executive director of the organization Partners Serbia
Marija – her name is changed to protect her identity and safety – is an activist from Belgrade. On several occasions, due to her work, Marija has been directly confronted by the Serbian police. In spring of 2022, she got indications that her communications had been surveilled by the Serbian authorities. In order to find out whether she has been under any special evidentiary measures, she submitted a request to the High Court in Belgrade in line with the Law on Personal Data Protection – the PDP Law.
Marija wanted to know whether her personal data had been processed through secret surveillance of communications and undercover tracking and recording by the authorities. She received the response that the court cannot provide her with the requested data, as they are considered confidential.
For Marija, this was a sign that she has been subject to surveillance either by police or by other authorized bodies, such as the prosecutor’s office or intelligence agency, meaning that a criminal proceeding has been initiated against her.
But when she submitted another request to the same court, asking whether there are any ongoing criminal proceedings against her, she received a formal response: there were no such proceedings. Marija then turned to the Commissioner for Access to Information of Public Importance and Personal Data, complaining that her right to access her data, guaranteed by the PDP Law, was not being granted.
But the Commissioner declared himself incompetent, stating that this was a case where the court was acting in its judicial capacity. Marija challenged this decision before the Administrative Court. Her case is still pending.
Marija is one of the few citizens of Serbia to have used the available PDP mechanisms prescribed by the law; very few, compared to the number of registered data breaches in last several years.
According to the National CERT, Computer Emergency Response Team, in 2022 the operators of ICT systems of special importance reported more than 7.5 million incidents of unauthorised collection of data. Not all included personal data breaches, but the numbers indicate the level of information security in the country. On the other hand, in 2022 the Commissioner received only 181 citizens’ complaints, 23 less than in 2021, and performed 354 inspection oversights in the PDP field.
In general, Serbia does not have a commendable history of information management, especially when the data is handled by public authorities
In general, Serbia does not have a commendable history of information management, especially when the data is handled by public authorities. Data from investigations has been leaking to the tabloids for decades, as in the case of Igor Vukotic, whose photo was mistakenly disclosed to Blic daily from the Serbian Intelligence Agency, which publicly marked him a member of an organized criminal group. Health records of political opponents and photos from hospitals are published, as in the case of the late actor Dragan Nikolic, while the political parties illegally process the personal data of voters almost on a regular basis.
The most massive data breach in Serbia was recorded back in 2014, when the data of over 5 million citizens in the database of the Privatization Agency became available on the agency’s website, and then on social networks. No one was found responsible for this omission because the agency ceased to exist.
Last June, Serbia’s cadastre information system was infected by a malware,, endangering personal data of the register’s user and its employees. However, the authorized bodies concluded that there was no personal data breach in this case, so no further investigation was conducted in this regard.
In April 2020, the username and password for accessing the Covid-19 information system, with particularly sensitive health data of those tested, cured, deceased, as well as persons who were imposed a self-isolation measure, were publicly available on the website of a health institution.
In May 2020, there was unauthorized access to student data contained in the electronic diary (which potentially has over 1.3 million users), and the State Audit Institution found that the companies Telekom Srbija and Tesla from Zagreb, which made this system, do not process student data in accordance with the PDP Law.
The list could be expanded, but the culminating event happened this May, after the mass shooting in the Belgrade school Vladislav Ribnikar. Just hours after the massacre, Veselin Milic, chief of the Belgrade police, disclosed the shooter’s “kill-list” with the names of his peers to the media.
What is common to all these incidents is that no one was held accountable for violations of citizens’ rights.
Having that in mind, the question is whether the existing protection mechanisms are effective.
Serbia’s legal framework does provide various opportunities for protection of privacy rights – from submitting a complaint to the Commissioner, filing a lawsuit to a civil court, including for compensation for damages, to initiating a misdemeanour case. Moreover, unlawful collection of personal data is a criminal offense, but the caselaw is still limited.
According to data collected by Partners Serbia, in 2022 Serbian courts issued only four convictions for this offence. The year before, the number was five, while in the period of 2015 to 2020, only two convicting verdicts were issued. None of these cases referred to systemic and mass personal data breaches.
It is clear that this practice does not correlate to the actual number of data breaches, so there are several ongoing regulatory initiatives aimed at improving the PDP legal framework. Specifically, Serbia is about to adopt the PDP Strategy for the period of 2023 to 2030, while the PDP Law will be amended and some specific areas of data processing, such as processing of genetic data, will be regulated.
However, no regulatory intervention can address the core of the problem – that a culture of impunity has prevailed and that the citizens are left to fend for themselves when it comes to their constitutional rights.
Source: Balkan Insight >>