Protection without guarantee
Can we reliably know what is happening, on a daily basis, with citizens' personal information stored in numerous databases available to diverse subjects from the government and non-government sectors?
When, several months ago, during business negotiations between two companies in the USA, a laptop went missing, i.e. was stolen, it did not at first appear to be interesting news. Today, in the electronic era, such things happen every day in countless numbers, not only in the USA but worldwide. In this case, however, the event became important news, so important that both participants in the negotiations, two famous and powerful companies, one in the field of electronics, Hewlett-Packard, the other in the field of finance, Fidelity Investments, not only jointly addressed the public but also undertook a range of activities unusual in their scope and specific (financial) weight.
Surely the reason for such a reaction was not the computer but the information stored in its memory, obviously very valuable. Although it would be logical, given our circumstances, to presume that information assigned such great value a priori comes from the field of hi-tech, defense and security, espionage and so on, that was not the case. On the contrary, the computer's memory contained personal information on 196,000 active and former employees of Hewlett-Packard (names and surnames, addresses, birth dates, social security numbers, disbursed severance amounts, etc.).
Hewlett-Packard and Fidelity Investments informed the US public of this event through the media and, in addition, directly and personally warned each of the 196,000 persons about the possible hazard. Moreover, in cooperation with three elite credit card processing companies, they specially organized (free of charge for the account owners, of course) supervision of access to potentially vulnerable financial accounts, and provided a double verification system for financial transactions on those accounts. Finally, aware that the possible damage need not be solely financial but also includes other consequences such as identity theft, and notwithstanding all the measures already mentioned, Hewlett-Packard and Fidelity Investments committed to compensating any damage incurred due to the theft of this information.
It is unlikely that anything more could be done; nevertheless, the event started a debate, not only in public but also in the US Congress, on whether sufficient measures are being taken to protect personal data.
This event deserves our attention as well. Not because it is somehow related to our reality; it has no connection with it whatsoever, which underlines the huge contrast between the significance given to protecting personal data in the world and here.
What would our reaction to a similar situation be? Would we ever find out about it? Do we know for certain what is happening every day with citizens' personal information stored in multiple databases available to diverse subjects, whether from the government or non-government sector? Who can be sure that this information is used solely for the purpose for which it was collected, and that it is available solely to the persons entitled to it under the law? Who can offer guarantees to this end, and what guarantees?
It is unlikely that the answers to these questions can be optimistic; on the contrary. It is no coincidence that the latest, recently published EU report states not only that our existing Personal Information Protection Law from 1998 is not in line with European standards but also, which is much more important, that we do not have any independent functional entity that could actually ensure the realization of personal information protection rights. It was not, of course, necessary for the EU Commission to point this out, because our expert public has been doing so for years, however without effect.
The enactment of the new Constitution, and in particular of the Constitutional Law for its implementation, was certainly a good opportunity for something to be done in this regard. Regrettably, this opportunity was missed as well. There are dilemmas already at the constitutional level. The constitutional guarantee of the right to privacy was omitted, although it was an old practice originating from the early socialist constitutions. It is still unclear whether this was an omission due to haste or was intentional. And, at least for some people, there is a dilemma as to whether the constitutional guarantee of the protection of personal information completely compensates for the absence of the right to privacy. The abstract guarantee of the protection of personal information at the constitutional level has not been made operational in the Constitutional Law for implementing the Constitution. Not only did the authors of the Constitutional Law not opt to entrust the protection of this right to an independent functional entity (a commissioner, ombudsman, etc.), which is the current trend; they did not go into creating provisions for the concrete protection of personal information at all. It is really hard to understand that the Constitutional Law deals with rights and entities for which it is difficult to find an equivalent in comparative practice, and yet does not address the problem of protecting personal information.
In such conditions, it is not a coincidence that the aforementioned report of the European Commission concludes that the existence of the right to protection of personal information in Serbia is purely theoretical, because implementation of the regulations has not been ensured, which is something to worry about. Accepting this remark, of course, is not a problem. Ignorance on the part of the responsible persons with regard to the issue of protecting personal information is not only a current problem; it will become a growing problem.
Information Commissioner
Rodoljub Sabic