In connection with the sixth anniversary of adoption of the Personal Data Protection Strategy (which the Serbian Government adopted in August 2010), the Commissioner for Information of Public Importance and Personal Data Protection notes that the way in which implementation of this Strategy is treated by the authorities provides the best – and rather worrying – illustration of the irresponsible handling of this important area of human rights by the state.
The state's activities in this area mostly come down to those undertaken by the Commissioner, which, although increasing in number (with the number of cases handled by the Commissioner in the field of personal data protection increasing from 83 in 2009 to 2430 in 2015), cannot compensate for what the line Ministries, the Government and the National Assembly are supposed to do.
Noting there was a need for a fundamental shift in the attitude of authorities at all levels of government, including in particular the Government of the Republic of Serbia and the line Ministries, commissioner Rodoljub Šabić said:
"When it adopted the Strategy, the Serbian Government stated that 'an Action Plan to implement the Strategy setting out defined activities, expected outcomes, implementing bodies in charge of specific duties and timeframes for implementation shall be passed within 90 days of publication.'
At the time, the Government also stated it would 'form a special working body in charge of overseeing the provision of necessary requirements and implementation of the Strategy and the Action Plan, coordinating government authorities to ensure efficient functioning of the personal data protection system, reporting to competent authorities on implementation of the Strategy and any issues identified in its execution and initiating amendments to the Strategy as appropriate to reflect new needs or identified shortcomings.'
Even after six years, we still have no Action Plan, let alone a 'special working body', and a 'natural' consequence of such state of affairs is the lack of a number of necessary legislative instruments and activities.
Probably the most absurd illustration of this is the fact that the Government has been postponing the passing of a Regulation on the Protection of Particularly Sensitive Data for more than seven years after the date specified in the Law on Personal Data Protection. Even more importantly, a new Bill on Personal Data Protection is currently four years behind schedule. Not even the fact that the Commissioner prepared and made available to the Government a complete new Model Law on Personal Data Protection almost two years ago was enough to move things along in this regard.
The absurd delay in the passing of the Action Plan has not passed unnoticed by the European Commission, which issued a warning to Serbia. In its action plans to implement EC's recommendations, the Government anticipated that an Action Plan to implement the Personal Data Protection Strategy would be passed by mid-2013, but has failed to do so. After repeated objections from the EC, the deadline was postponed to mid-2014 and then beyond, but an Action Plan to implement the Personal Data Protection Strategy has not been passed to date. The situation is more or less identical with regard to the enactment of a new Law on Personal Data Protection.
These facts will certainly be a hindrance to the forthcoming negotiations of Chapter 23 with the EU. However, even more importantly, they will be a constant source of problems from the aspect of protection of the rights the state owes to its citizens.
The Commissioner will continue protecting those rights through his activities. However, the situation being as it is, all the Commissioner can do comes down to 'damage limitation.' What Serbia actually needs is systemic addressing of the source of problems and establishment of a new, modern system of personal data protection."
