In the course of 2014, the personal ID numbers of 5,190,396 Serbian citizens of age were publicly available on the website of the Privatization Agency for ten months. The link was distributed on the social network Twitter, and the data was downloaded on several occasions.
This was the database of all citizens who applied for free shares in 2008, which was reported to the Commissioner for Information of Public Importance and Personal Data Protection as protected and accessible only to authorized persons. In reality, anyone worldwide could access it and obtain the names and family names of individuals, their personal ID numbers, and information about the shares they owned.
The personal ID number is one of the most important pieces of personal data, on the basis of which each citizen is issued documents. In the wrong hands, it can lead to serious violation of privacy and abuse, such as identity theft.
The case of the Privatization Agency is but one among numerous examples of omissions which occur when state institutions, public companies, private companies, and individuals process personal citizen data.
Share Foundation, which has been dealing with the issue of personal data protection for many years, has analyzed six public sector institutions which handle personal data on a daily basis: the Tax Administration, republic healthcare, old-age pension and disability funds, Belgrade Centre for Social Work, Central Register of Compulsory Social Insurance, and Agency for Business Register. According to the analysis published in March 2016, these institutions had 101 registered personal data collections.
[Photo: Rodoljub Šabić, Commissioner for Information of Public Importance and Personal Data Protection. Credit: Medija centar]
The Law on personal data protection, aimed, among other things, at preventing and sanctioning abuses, was passed in 2008, but has numerous shortcomings. They are regularly pointed out by Rodoljub Šabić, Commissioner for Information of Public Importance and Personal Data Protection, who assesses the current situation as alarming. Drafting of the new law has lasted for years.
Due to leakage of data from the Privatization Agency, in January 2015 the Commissioner filed misdemeanor charges against the Agency and responsible individuals in this institution – directors Vida Uzelac and Marijana Radovanović.
The Minor Offence Court decided to launch proceedings at once and held the first hearing in March 2015. On the following three occasions, the court intended to continue the proceedings, but the responsible persons from the Agency did not appear. The court also issued injunctions regarding the presence of both directors.
Uzelac showed up in October 2016, but by then it was too late, as her case had already become barred by the statute of limitations in June that year. The trial of Marijana Radovanović was continued, but the police did not manage to bring her in before December 2016, by which time her case had also become barred by the statute of limitations.
The Privatization Agency ceased to exist in February 2016, which is why the court passed the decision to stop the proceedings. In relation to this case, the Agency filed criminal charges against John Doe, suspecting a hacker attack, but the Prosecutor’s office did not initiate any proceedings.
“The most drastic confirmation of the incomprehensibly irresponsible attitude of the state to citizens' right to personal data protection”, as Šabić described the case, thus passed without any consequences.
Officials accessible to citizens, but not to justice
From January 2009 to 15 June 2017, the office of the Commissioner for Personal Data Protection filed 159 misdemeanor charges with courts all over Serbia for irresponsible handling of citizens' personal data.
The accused were mostly state bodies and their representatives: as many as 16 current and former ministers and 34 former heads of municipal and town administrations, while in 50 cases proceedings were requested against institutions, public companies, or their employees.
The Commissioner’s records indicate that 132 cases were concluded, mostly with guilty verdicts, as many as 81. However, these mostly come down to fines ranging from 20,000 to 950,000 dinars for legal entities, and from 5,000 to 60,000 dinars for natural persons. The highest fine pronounced for legal entities amounted to 950,000 dinars, followed by a 400,000 and another 200,000 dinar fine, while the others were lower, not exceeding 100,000 dinars.
One fourth of the Commissioner’s charges – 40 in total – were not processed to the end because the cases became subject to statute of limitation.
In his reply to the Center for Investigative Journalism of Serbia (CINS), Rodoljub Šabić stated that current court practice deserves severe criticism, as it is wholly inadequate: “It is evident that not only is the number of processed misdemeanors smaller than the number of misdemeanors committed, but that a large number of processed charges are not sanctioned due to the statute of limitations.”
Most cases, as many as 86 of them, were processed before the Minor offence court in Belgrade, including the cases against 16 ministers.
Zlatibor Lončar, Minister of Healthcare, has been subject to the Commissioner’s control twice, and received two misdemeanor charges. In the case dating from 2013, when he was the Emergency Centre director, he was cleared of charges for publicizing information on the health status of Jovanka Broz, while the case from 2015, when Lončar had already become minister, was barred by the statute of limitations.
Lončar was then charged because an e-mail had been sent from his office to the Psychiatric clinic “Dr Laza Lazarević” requesting information on the diagnosis of Aleksandar Kornic, former manager of the Kurir daily. Several days later, this data was published in the TV programme entitled “Rušenje Vučića – poslednji čin” (Toppling of Vučić – The last act) on TV Pink, when Dragan J. Vučićević, editor of the Informer, showed medical documents and read the findings.
Slavica Đukić Dejanović, Minister without portfolio in charge of demographics and population policy, was also involved in this case; charges were filed against her because, at the time the information on Kornic was published, she was the manager of the Clinic “Dr Laza Lazarević”.
The proceedings against Đukić Dejanović are still underway, which is why she did not want to comment on the case for CINS.
Milan Marinović, President of the Minor Offence Court in Belgrade, says that a major issue is that the period prescribed for conducting proceedings is only two years: “This is two years as of the day on which the infringement took place, not two years as of the day on which the judge receives the case for action”.
The cases against ministers Rasim Ljajić and Saša Dragin before the Minor Offence Court in Belgrade were barred by statute of limitation because the accused were “not available for the court”, that is, “temporarily unavailable”.
Marinović explains that the system for summoning defendants and witnesses to scheduled hearings is inefficient, which is why citizens see in public persons who are not available to the courts.
“As indicated by the practice in the last two years, out of the total number of court deliveries 20% is handed in, while 80% is returned”, says Marinović.
The short deadline for completion of misdemeanor proceedings meant that even some cases which ended in guilty verdicts in the first instance were barred by the statute of limitations.
Five first-instance guilty verdicts against ministers, in the cases against Božidar Đelić, Petar Škundrić, Oliver Dulić, Slobodan Milosavljević, and Snežana Samardžić-Marković, became legally binding. Three of them pronounced fines amounting to 10,000 or 15,000 dinars each, while in two cases only reprimands were pronounced.
Five cases were barred by statute of limitation upon appeal, so there is no court decision on accountability of Dragan Šutanovac, Milutin Mrkonjić, Žarko Obradović, Nebojša Bradić, and Diana Dragutinović.
Ivan Ninić, lawyer and executive manager of Centre for the Rule of Law, says that for the state it is better that misdemeanor cases become barred by statute of limitation, because every guilty verdict means that citizens could request damage compensation from the state, that is, from the institutions which infringed their privacy.
Graphic: Andrija Ćeranić
Almost no criminal accountability
Unlike misdemeanor charges for violation of the Law on personal data protection, which are processed to an extent, there is practically no criminal accountability, explains Rodoljub Šabić, the Commissioner.
Unauthorized collection of personal data is a criminal offence for which the maximum prescribed sentence is up to three years of imprisonment, if the criminal act is perpetrated by a public official in the course of exercising his duties.
Over the last seven years the Commissioner’s office filed 32 criminal charges. According to its records, one acquittal and one guilty verdict have been passed. A public official from the Belgrade-based Faculty for Special Education and Rehabilitation was convicted in 2010 for unauthorized distribution of data on more than 6,600 students, first by mail to Australia, followed by a print version and also an electronic version on a USB memory stick.
The Higher Public Prosecutor’s Office in Belgrade, which has been processing nine criminal proceedings on the aforementioned grounds, stated in its official letter to CINS that such cases are handled by the Department for High-tech Crime, and that they are in the stage of pre-trial investigation. The sources could not provide any more information on these cases, stating that it has still not been established whether these criminal offences were actually committed and who the possible perpetrators are.
The criminal charges which are being investigated include the case of the leak of a photo of Saša Ivanić, deputy public prosecutor for organized crime, which is suspected to originate from the Ministry of Interior's database of electronic photos intended for personal documents.
The Commissioner ordered surveillance so as to establish whether someone gained unauthorized access to Ivanić’s data and supplied media with his photo. The results indicated that five persons accessed the database from the Ministry of Interior, while one person accessed it from the Security Information Agency.
In May 2015, the Commissioner filed criminal charges against John Doe, while the Department for High-tech Crime of the Higher Prosecutor’s Office could not provide more information on this case, except for the fact that it is in the pre-investigation stage.
Ivanić’s photo is still available on several portals, which presents a potential threat to his security, as he is the prosecutor in charge of the case of Darko Šarić, charged with money laundering and cocaine smuggling.
The road to not passing the law, 2013-2017
Numerous violations of the right to privacy, some of which were on a grand scale, are the reason why the Commissioner has for years requested adoption of a new Law on protection of personal data. The state, headed by the Ministry of Justice, which is in charge of passing it, is running late, and the planned deadlines have been missed several times.
Danilo Krivokapić from Share Foundation, one of 17 NGOs including CINS which in May 2017 filed an initiative with the Serbian Government for urgent passing of the Law, says that on a declarative level there is willingness to pass the new Law, but that nobody works on this seriously.
According to him, the current Law is poor as “it does not take into account the current reality, the extent to which the world has changed, and the plentitude of data collected. It was simply created for some other times”.
New EU regulations
While Serbia is waiting for the new law to be passed, in April 2016 the EU passed a General ordinance on protection of personal data, which was introduced as the “most important change in regulations relating to protection of personal data in the last twenty years”. The Ordinance will enter into force on the territory of the EU on 25 May 2018, and Serbia will have to harmonize its regulations with new standards.
One of the novelties is that the rules relate to all companies which process private data of EU citizens, regardless of the country in which the company is based. This means that Serbian companies handling personal data on the territory of the EU will also have to abide by these regulations. The sanctions are also made more severe, so that a legal entity in violation of the Ordinance may be fined up to 4% of its annual turnover, or 20 million EUR if, for instance, it fails to obtain the approval of the person for utilization of his/her personal data.
The current law in Serbia envisages relatively low fines: from 50,000 to 1,000,000 dinars for legal entities and from 5,000 to 50,000 dinars for natural persons.
“As a company, it will cost you less to pay the fine than to hire a lawyer who will harmonize your operations with the law. This is why the law needs to stipulate more severe punishment, because it is the only manner to make companies, businesses, and institutions observe regulations,” says Danilo Krivokapić from Share Foundation.
Among other things, video surveillance performed by entities other than the Ministry of Interior is not regulated, so there is no control over hundreds of cameras in cafes, restaurants, shops, and banks, and nobody knows where this footage ends up and who has access to it.
State institutions, which are among the major holders of citizens' personal data, do not always have clear procedures as to who may have access to data; accounts and access codes are frequently shared by several employees, which is why it is difficult to track abuse, while technical standards for keeping data and protecting it from hacker attacks differ from institution to institution.
The procedure of controlling data leaving the country is not efficient, while validity of our law in relation to citizen data used by companies based outside Serbia, such as Facebook, is not defined in terms of territory.
The Ministry of Justice has been attempting to draft a new Law since 2013, when a working group was established. Nikola Selaković, Minister of Justice and State Administration at the time, defined 1 May 2013 as the deadline for preparation of the working version of amendments to the existing Law. As this did not happen, in 2014 the Commissioner’s office drafted a new model law on its own initiative and presented it to the Serbian Government.
Passing of the Law is one of the conditions in negotiations with the European Union (EU), while in the Action plan for Chapter 23, which relates to justice and human rights, the Government determined that the current law will be promoted in the third quarter of 2015. The deadline was later rescheduled to the fourth quarter, when it was planned to adopt the new law in accordance with the Commissioner’s model, but it was only then that the Ministry presented the Draft law.
Saša Gajin from the Union University School of Law, member of the working group since its establishment, says for CINS that in the beginning the working group worked on harmonizing the law with EU regulations, but, as there would be too many modifications, they decided to draft a new law instead.
The Draft was ready in October 2015; however, in the course of the public debate, which lasted for a month, it was criticized by the Commissioner, as it was not in line with his model law.
According to Gajin, this was followed by the Parliamentary elections in April 2016, and the work on this draft ceased.
In the same month, the final version of the Action plan for Chapter 23 was published; as the last deadline for passing the new law, it envisaged the fourth quarter of 2016. This deadline was missed too.
In the meantime, the EU adopted a set of entirely new regulations in this area, so the Draft needs to be harmonized with the new rules. In accordance with this, the Commissioner drafted a new model law and presented it to the public in mid-June this year.
Gajin explains that the working group will take this draft into consideration too, and that the plan is now for the text of the law to be drafted by the end of July 2017, followed by consultations with experts from Brussels and a public debate, and, finally, by adoption of the law at the end of the year.
The story has been produced under an EU funded grant, awarded in the Media Programme 2014. The contents of this publication are the sole responsibility of the Center for Investigative Journalism of Serbia and can in no way be taken to reflect the views of the EU.