Although more than 70 civil society organizations, media and representatives of the business, professional and scientific communities had made an initiative for holding a transparent process of election of the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter referred to as: Commissioner) as early as in November 2018, it was only in late July this year that Milan Marinovic, the former acting president of the Belgrade Misdemeanor Court, was elected the new Commissioner by the Serbian National Assembly. Since Rodoljub Sabic’s term of office had expired in December 2018, this independent institution did not have anybody at its helm for nearly seven months.

The postponement of (or, more precisely, carelessness about) the process of election of a new Commissioner was no surprise for many, and it was viewed as yet another confirmation of the careless attitude of the legislative (and executive) authorities towards the country’s independent institutions.[1] However, the key issue is whether and to what extent this interregnum has undermined the functioning of the institution charged with the protection of two rights which largely represent the basis of a free and democratic society:

• the right to a free access to information, which enables citizens to control the work of public officials, and places a strong anti-corruption mechanism at the disposal of each individual; and
• right to privacy, which lies in the foundations of human dignity and represents a barrier to the infringement of individuals’ private lives by the authorities (and today also large corporations), and therefore also an unavoidable requirement for human freedom.

Photograph: Allstar/Paramount

The Partners Serbia organization analyzed the work of the Commissioner’s Office in the period between December 22, 2018 and August 6, 2019, in order to determine whether the termination of office of the previous commissioner had affected the achieved level of independence in the operation of this institution. The complete analysis is available HERE (in Serbian). We came to the conclusion that the work of the institution and standards achieved in its operation had not been threatened during the period that preceded the election of the new Commissioner.

Namely, the 2018 report on the work of this institution, drafted after the expiry of the term of office of Rodoljub Šabić and signed by Deputy Commissioner Stanojla Mandić, assesses the negative trends in the field of access to information of public importance and dissatisfactory attitude of entities subjected to the law on personal data protection regarding the privacy of citizens in the same way as the previous reports.  This shows that the Commissioner’s Office has not changed its attitude towards key issues in both areas. Although, on the one hand, a drop has been observed in the number of solved cases, on the other, one can observe that the number of received cases on the monthly basis has also been reduced.

Moreover, as regards to Partners Serbia researchers’ requests to the Commissioner’s Office, no difference has been observed regarding the time needed for getting an answer to a request for access to information or a complaint against the inactivity of an institution. The Commissioner’s Office was expected by the same number of citizens to exercise its competences and protect their rights. As regards to an increase in the number of cases pertaining to the access to information compared to those pertaining to the protection of personal data, citizens are obviously becoming more and more aware of what they can do, primarily in terms of controlling the operation of public authorities, as well as in terms of mechanisms they use for accessing information in the possession of these authorities.

Finally, an especially encouraging fact was that the Commissioner had reacted in politically sensitive cases and cases involving influential entities subjected to the law, even in this period. Thus, the Commissioner acted in the case of the traffic accident at the Doljevac tollgate, contracts in connection with the Belgrade Waterfront project, and introduction of invasive surveillance measures within the Belgrade City Administration and Ministry of the Interior.

Rodoljub Šabić spent the last year of his term of office in a turbulent atmosphere surrounding debates on amendments to the legal framework regulating the two fields within the Commissioner’s competence.

In February 2018, Ministry of State Administration and Local Self-Government started with the process of public consultations on amending the Law on Free Access to Information of Public Importance (LFAI), and published the Draft Law on Amendments to the LFAI in March. Although the Draft contained some good solutions, one threatened to seriously undermine the public’s right to know, and this was the proposal that corporations operating on the market, in accordance with the regulations on companies, regardless of who their member or shareholder is, will no longer be the entities subjected to the Law. In simple terms – corporations which have the state (or state companies) as their shareholder(s) will no longer have the obligation to work in a transparent manner.

This solution was strongly criticized both by the domestic and the international professional public, and the Commissioner also provided his opinion.[2] Experts of the SIGMA(Support for Improvement in Governance and Management) organization, a joint OECD-EU initiative, have noted that comparative law does not recognize such a solution and that it undermines the existing level of the right to access information in the Republic of Serbia, paves the way to abuse and potential concealment of illegalities in the work of these companies and is contrary to the principle of openness and transparency of the European Administrative Space, which Serbia is trying to achieve on the path towards a full-fledged membership in the European Union.”[3]

Despite of the passage of a year and a half after the beginning of the process, amendments to the LFAI have still not been adopted. The draft has been submitted to competent authorities for review, and the final text of this document is yet to be seen. The question also remains whether this process would have been more efficient or would have had a different outcome if the institution with the mandate to protect the public right to know had been complete.

With the aim of harmonizing the domestic legal framework with the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), Serbia adopted a new Law on Personal Data Protection (LPDP) on November 9.

The LPDP was drafted in a non-transparent process, in which the proposals of the Commissioner and the civil sector had not been taken into consideration, while the interested public had difficulty establishing the identities of members of the working group who drafted the Law, and learning the opinion of EU institutions on this document. Finally, some answers were obtained through the application of the mechanism of free access to information of public importance. Among other things, the European Commission’s comments criticizing the Draft LPDP became available to the public in August 2018.

Contrary to the European Commission’s advice to separate provisions referring to the GDPR from those referring to the Law Enforcement Directive, our legislator has adopted a text which represented a clumsy combination of the two documents, with a number of vague provisions that are not adapted to our legal system.[4] The LPDP, also, takes the provisions from the GDPR and LED (although these are legal documents with different levels of generality and application) that have been left to the EU Member-States to specify in accordance with their legal systems.

The implementation  of (such) LPDP started on August 22, 2019, and, apparently, most entities had not been ready for it – starting from the data controllers who were insufficiently informed about their obligations, through citizens who were not informed about their rights, to the Commissioner to whom the new LPDP entrusted wide competences. The last claim was adressed by new Commissioner, Milan Marinović right after he took the office, when he addressed the speaker of the National Assembly and requested the postponement of the implementation of the Law. His request was not answered.

In the period of preparation for the implementation of the new LPDP, the Commissioner adopted the necessary by-laws in this field. However, neither the Commissioner, nor the Serbian Government had a proactive approach in preparing for the implementation of a number of legal solutions – e.g. it remained unclear what the procedure of protection of persons’ rights would look like, which group of bodies of authority was subjected to a special regime of data processing (under the Law Enforcement Directive), which sectoral laws had to be amended by our country in order to be harmonized with the LPDP, etc.

In view of all this, it is clear that two big tasks lie before the new Commissioner and his team – to defend the achieved level of the public right to know and to promote the protection of the so far marginalized and frequently threatened citizens’ right to personal data protection. The civil society and citizens have the task to continue to monitor, support and constructively criticize, while providing arguments, the work of maybe the last institution in the country which has not compromised its integrity.