In a critical move to face the rapidly evolving technological novelties and their immanent implications on the protection of personal data and the business environment in general, the Serbian Government adopted the Personal Data Protection Strategy 2023 – 2030 (the “Strategy”) late this August.
It seems that the Strategy arrived at a crucial time, considering the remarkable technological progress and resulting booms in data processing practices since the Strategy’s 2010 predecessor. The Serbian Data Protection Authority recognized this long ago and has been urging other stakeholders ever since to adopt a new and improved strategy to guide the data protection framework in the times to come.
All the aspirations and promises contained in the Strategy can be summarized in one main goal – securing Serbia with an adequacy decision from the European Commission, which would mean formal recognition of Serbia as a country offering a level of protection of personal data essentially equivalent to that in the EU. Ultimately, ensuring the adequacy decision should mean a great deal for facilitating the data flow between Serbia and the EU, thus leaving room for greater business cooperation and wider inclusion of Serbia in the markets fueled by the big economies.
According to the Strategy, the main obstacle in seeing this ambition through lies in the numerous shortcomings of the existing Personal Data Protection Law (the “DP Law”) and other pieces of legislation tackling personal data matters. Despite its near-verbatim adoption of the EU’s GDPR articles, the DP Law failed to include GDPR’s recitals and also to account for numerous local specifics, making it rather difficult for companies to interpret and comply with, as well as for the regulators to manage expectations and ensure smooth supervision.
To combat this, the Strategy kicked off by outlining the key deficiencies in the overall legal and socio-political framework in Serbia and, mirroring the potential solutions for these, proposed a set of quite a few goals to reach before 2030 ticks off.
Most importantly, the Strategy sets upgrading the DP Law to fully match the GDPR standards as a key step in this process, including the adjustment of other laws with the provisions of the DP Law. Interestingly, the Strategy focused the first year of the Strategy’s implementation on adopting legislation in areas where appropriate guidance lacked the most, suggesting that we should have a new set of video and audio surveillance, as well as biometrics and genetic personal data regulations adopted by the end of 2024. A bold statement for an otherwise complex and demanding area, especially to be performed within a rather tight deadline.
The Strategy also promised to bring tangible results when it comes to the actual enforcement of the DP Law, recognizing this has been one of its weakest spots in the preceding 15 years. Unlike the GDPR, which prescribes fines up to EUR 20 million or 4% of a company’s global annual turnover, the DP Law limits the fines’ amount to approx. EUR 17,000, which hardly motivates companies to invest more strongly in compliance. An explicit Strategy’s reference to the mechanism introduced by Serbian Competition Law, which entitles the Competition Commission to impose fines calculated as a certain percentage of the company’s turnover, implies that the Government means business and that this may turn out to be a crucial change to be introduced to the DP Law in the forthcoming period.
The Strategy also vouches to bring a significant increase in the number of appointed data protection officers (for local companies), as well as in the number of foreign companies to appoint their local representatives in Serbia, which is something the Data Protection Authority has been focusing on in recent years. The Strategy further commits to ensure that the entities subject to the DP Law adopt and maintain the required internal documentation, and to bring certain improvements to the legal remedy apparatus, thus suggesting that the Data Protection Authority and other competent bodies plan to noticeably strengthen their enforcement policy to accommodate the expected goals.
Finally, the Strategy outlines the importance of strengthening the capacities of the Data Protection Authority, primarily in terms of the number of employees dealing with information technology and digitalization. Raising public awareness about the importance of data protection is also one of the Strategy’s cornerstones, which should be achieved through updated school curriculums, training for employees in courts, public prosecutor’s office, and administrative bodies, as well as by organizing roundtables and similar events and increasing the number of visits to the Data Protection Authority’s website.
One thing is clear – the data protection milieu is curious to see the Strategy kick off and welcome the rise in the awareness of privacy rights and the redefining of the resulting practices in Serbia. Meanwhile, the bold announcements of the Strategy should serve the companies in – or doing business with – Serbia, as a good wake-up call to revisit their data protection ways and prepare ahead for the coup.
The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.
By Goran Radosevic, Partner, and Anja Mihajlovic and Anja Gataric, Junior Associates, Karanovic & Partners