In Montenegro, the Law on protection of personal data is still in power, and was last amended on April 3, 2017 („LPPI“).
In the meantime, on May 25, 2018, the European Union's General Data Protection Regulation („GDPR“) entered into power, a new legal frame that determines the manner of using personal data of European Union's citizens, such as the name, surname, Personal ID no, email address, phone number as well as access to different websites, i.e. data not only related to the person itself but also how to identify it.
GDPR should be obligatory for Montenegro, considering our practice of aligning our legal frame with the European Union's, and considering GDPR itself prescribes that legal and natural entities outside of the European Union are subject to the rules of GDPR if they offer goods and services to the residents of European Union and/or monitor the behavior of EU residents within EU territory.
One of the goals of GDPR is that the level of private data protection should be the same within all EU territory.
Until this date – the LPPI has not been aligned with the GDPR.
An interesting occurrence in the days leading up to the local elections in Montenegro held on October 23, 2022, is sending SMS messages to numerous citizens by different political parties. A number of questions arise in this situation: (i) where have the political parties received the citizen's numbers from, (ii) is the right to citizen's privacy at stake here, (iii) is a phone number a private data, as well as others.
Today's advanced technology allows us to save an NN's phone number with the help of apps used daily and with one „click“ have the name / surname / photo of exactly that person. Citizens received SMS messages with content and link on which it's necessary to click to review content, i.e. which leads to a certain page. Here we can speak of the common responsibility of operators and political parties which manage the page on social networks (fan page) – so-called „joint controllers“. In this case, the citizens have a right to demand from both the political parties and operators, information on which data they collect through links sent in the SMS messages, the manner of collecting data, and authorization to even collect personal data and share it with others.
Illegal actions of one and the other could result in responsibility for immaterial damages to the citizens. Let us remember the case of the illegal publication of private data of citizens which did not respect COVID-19 isolation rules – in this case, the court awarded citizens a righteous remuneration.
Article 26 of GRPR's Preamble states that, to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
Therefore, is a phone number / prepaid number a part of our identity and only ours, or, can it be used by all of those to whom we have never voluntarily provided our number with nor signed consent for use in purposes other than processing, and especially not in the purpose of leading political campaigns?
Of course, operators can process our data for the purpose of providing service, i.e. conclusion and execution of subscription agreement, and if used for any other purpose i.e. sharing of information, they must receive our consent to it. This is also determined by the Law on electronic communications and LLPI. The same is for political parties – our phone numbers in operator's data bases can be used by those operators to provide service, and, collecting data by political parties, with the purpose of leading election campaigns, without our consent is simply – illegal.
Citizens can simply determine whether political parties are able to determine their identity, based on the data they have collected about them, – by filling a request and enquiring whether the controller is managing their private data. If the data controller does not act in accordance with the request, the citizens may submit a request to the supervisory body i.e. Agency for protection of private data („Agency“). Agency has a wide scope of authorization to act in accordance with the LLPI, among others, to also access private data collections and means of electronic data processing.
Having in mind all previously stated, citizens should not so easily tolerate breaches of their privacy. On the contrary, if they have not consented to processing of their private data, they should request information from both operators and political parties with whom their data is shared: (i) why is private data shared, (ii) which private data is shared / exchanged, (iii) how and based on what are they collecting data, i.e. to use all legally available means to stop illegal processing, alongside a request for righteous remuneration for breach of their privacy.
If commercial entities claim to be socially responsible, they should have aligned their business operations with GDPR, not awaiting alignment of local regulation, thereby justifying the trust, given by the citizens, to process data fairly and in accordance with the law. Research coming from reputable sources, claims that consumer trust is the most important factor in achieving success in business and politics, and that investing in data protection leads to increased profits.
Breach of LLPI leads to scandals and distortion of reputation with the public, which directly impacts the loss of trust and professional ruin.
By Ivan Milosevic, JPM Jankovic Popovic Mitic, and Alma Karadjuzovic Djindjinović, Senior Associate at JPM Partner in Montenegro
