Data Protection and the Internet - New Challenges - The experience of the Serbian Commissioner - Marinko Radic, Secretary General - 20-21 June, Zagreb - Republic of Serbia, The Commissioner for Information of Public Importance and Personal Data Protection


Data Protection and the Internet - New Challenges

- The experience of the Serbian Commissioner -

Marinko Radic, Secretary General

20-21 June, Zagreb

Republic of Serbia

The Commissioner for Information of Public Importance and Personal Data Protection

The legal framework for personal data protection

• Constitution of the Republic of Serbia (Article 42);
• Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ratified 2005);
• European Convention on Human Rights;
• Law on Personal Data Protection (2008).

Commissioner for Information of Public Importance and Personal Data Protection

The Commissioner for Information of Public Importance and Personal Data Protection is an independent and autonomous public authority.

In 2004 the Law on Free Access to Information of Public Importance established the institution of the Commissioner.

Four years later, the Commissioner was also entrusted with enforcing personal data protection pursuant to the Law on Personal Data Protection (LPDP).

Commissioner’s Powers in the protection of personal data

• monitors the implementation of data safeguards and proposes improvements to those measures;
• gives proposals and recommendations for improving data protection;
• gives a prior opinion on whether a certain processing method constitutes a specific risk for a citizen’s rights and freedoms;
• keeps up to date with the data protection arrangements in other countries;
• files motions for review of constitutionality and legality of laws and other general enactments;
• supervises and enforces LPDP;
• decides on complaints in cases set out in LPDP;
• supervises and allows transborder transfer of data out of the Republic of Serbia;
• points out identified cases of abuse in data collection;
• produces a list of countries and international organisations with adequate provisions on data protection;
• gives his/her opinion on the formation of new data files or introduction of new information technologies in data processing;
• gives his/her opinion in case of doubt whether a data set constitutes a data file within the meaning of this Law.

Supervision of Personal Data Protection in 2012

In 2012 the Commissioner carried out 365 inspections:

• in 162 (44.38%) cases the Commissioner initiated the inspection on his own initiative,
• in 203 (55.62%) cases inspections were carried out pursuant to reports filed by citizens.

In 2012, the Commissioner carried out 184 preliminary checks of personal data processing:

• in 66 cases (35.87%) no irregularities were found,
• in 118 cases (64.13%) the Commissioner found irregularities and pointed them out to data controllers.

Structure of all personal data controllers inspected by the Commissioner for compliance with and implementation of LPDP

Reasons for initiation of inspection procedures following citizens’ reports

Identified violations of LPDP

Measures taken by the Commissioner

Personal data protection in the use of Information and Communication Technology

1. Publication of Unique Personal Identification Number and other personal data on the Internet

2. Inspection of implementation of LPDP by data controllers – mobile and landline telephony operators in the Republic of Serbia, regarding access to the so-called retained data on communications

3. Data privacy on social networks

CONSTITUTION OF THE REPUBLIC OF SERBIA

- Confidentiality of letters and other means of communication (Article 41) -

Confidentiality of letters and other means of communication shall be inviolable.

Derogation shall be allowed only for a specified period of time and based on decision of the court if necessary to conduct criminal proceedings or protect the safety of the Republic of Serbia, in a manner stipulated by the law.


- Protection of personal data (Article 42) -

Protection of personal data shall be guaranteed.

Collecting, keeping, processing and using of personal data shall be regulated by the law.

Use of personal data for any purpose other than the one they were collected for shall be prohibited and punishable in accordance with the law, unless this is necessary to conduct criminal proceedings or protect safety of the Republic of Serbia, in a manner stipulated by the law.

Everyone shall have the right to be informed about personal data collected about him, in accordance with the law, and the right to court protection in case of their abuse.


1. Publication of Unique Personal Identification Number and other personal data on the Internet

JMBG – The Unique Personal Identification Number consists of 13 digits in 6 groups:

• The first group: day of birth (2 digits),
• The second group: month of birth (2 digits),
• The third group: year of birth (3 digits),
• The fourth group: the number of the register (region allocation, 2 digits),
• The fifth group: the combination of sex and the number of persons born on the same date (3 digits),
• The sixth group: control number (1 digit).

Given its structure and importance, the JMBG has the status of delicate and protected data, because it contains a lot of information about a particular person.

Publication of the JMBGs of thousands of citizens on the Internet, even if permitted by law, raises the question of the proportionality of the processing in relation to the purposes for which it was established (e.g. disclosure of the JMBG for registration in the Serbian Business Registers Agency).

Operators who collect and process this data should take a very restrictive approach and should observe LPDP’s basic principles.

This primarily refers to the requirements for processing, especially regarding the suitability, appropriateness and excessiveness of processing this information.
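The group structure above can be checked mechanically before a document is published. The following is an added example, not part of the original presentation: it finds 13-digit runs in a text, confirms each is a JMBG, reports what that number would have disclosed, and masks it. The control-digit weights, the split of the fifth group into 000-499 (male) and 500-999 (female), and the century rule for the three-digit year are not stated on the slides and are assumptions taken from the commonly documented JMBG scheme; the sample record is constructed.

```python
import re
from datetime import date

# Weights applied to the first 12 digits when computing the control digit.
WEIGHTS = (7, 6, 5, 4, 3, 2) * 2
CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")  # a standalone run of 13 digits


def check_digit(first12: str) -> int:
    """Control digit (sixth group) for the first 12 digits."""
    m = 11 - sum(w * int(d) for w, d in zip(WEIGHTS, first12)) % 11
    return m if m <= 9 else 0


def parse_jmbg(value: str):
    """Return the fields a JMBG discloses, or None if it is not a valid JMBG."""
    if not re.fullmatch(r"\d{13}", value):
        return None
    dd, mm, yyy = int(value[0:2]), int(value[2:4]), int(value[4:7])
    # Assumption: a three-digit year of 800-999 means 1800-1999, otherwise 2000+.
    year = (1000 if yyy >= 800 else 2000) + yyy
    try:
        born = date(year, mm, dd)
    except ValueError:          # not a calendar date, so not a JMBG
        return None
    if check_digit(value[:12]) != int(value[12]):
        return None
    return {"born": born.isoformat(), "register": value[7:9],
            "sex": "M" if int(value[9:12]) < 500 else "F"}


def redact(text: str):
    """Mask every valid JMBG; return (masked text, fields each one disclosed)."""
    disclosed = []

    def mask(match):
        fields = parse_jmbg(match.group())
        if fields is None:      # 13 digits that fail validation are left alone
            return match.group()
        disclosed.append(fields)
        return "[JMBG redacted]"

    return CANDIDATE.sub(mask, text), disclosed


# Constructed record, not real data: one valid JMBG and one 13-digit file number.
SAMPLE = "Founder: N. N., JMBG 1503985715004; file no. 1234567890123"

if __name__ == "__main__":
    masked, disclosed = redact(SAMPLE)
    print(masked)
    print(disclosed)
```

Validating the date and control digit keeps unrelated 13-digit values, such as the file number in the sample, from being masked as if they were JMBGs.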


2. Inspection of implementation of LPDP by data controllers – mobile and landline telephony operators in the Republic of Serbia, regarding access to the so-called retained data on communications

During 2012 the Commissioner carried out an inspection of compliance with and implementation of LPDP by four data controllers – mobile and landline telephony operators in the Republic of Serbia.

The subject of the inspection was the access of public authorities to the so-called retained data on communications, referred to in the Law on Electronic Communications (Article 129), as follows:

• determine the source of the communication,
• determine the destination of a communication,
• determine the beginning, duration and end of the communication,
• determine the type of communication,
• identify the terminal equipment and
• determine the location of mobile terminal equipment.

2.1 Inspection of implementation of LPDP by data controllers – mobile and landline telephony operators

Inspections of mobile and landline telephony operators carried out by the Commissioner have found cases of disregard for the constitutional guarantee for inviolability of communication and violations of the provision which stipulates that derogations are allowed only for a limited period based on a court order, for the purpose of conducting criminal proceedings or for reasons of national security.

Based on the results of these inspection activities, the Commissioner and the Ombudsman have drawn up Draft Recommendations in 14 items for improvements in this field. They include the following:


2.2 Inspection results

1. The Government should draft and propose, and the National Assembly should enact, only such laws that respect the constitutional guarantees concerning the privacy of communications and other human rights. The National Assembly should not ignore the opinions of public authorities established to protect the citizens’ rights.

2. Relevant laws should be amended as a matter of utmost urgency in order to determine which courts have the jurisdiction to decide on requests for access to citizens’ communication data by the police and the Military Security Agency (the existing regulations only stipulate which courts have the jurisdiction in case of the Security Information Agency (SIA)).

3. Effective organisational measures and IT solutions should be put in place to expedite preliminary judicial review and deciding on requests for access to communications and communication data.

4. The existing, largely parallel, technical capacities of various agencies and the Police should be integrated into a single national agency that would act as a provider of technical services needed to intercept communications and other signals to all authorised users.

5. The procedures applicable to electronic communication service providers and their obligations should be integrated.

6. Indelible recording of access to telecommunications should be provided, with all information necessary for post factum review of legality and regularity of access.

7. Relevant legal arrangements should be introduced to regulate the operations of the private security sector and effective supervision of that sector should be ensured.

8. Strong legal and de facto protection should be accorded to whistleblowers (especially in the security sector, as well as generally) and the Ombudsman should be entrusted with such protection.

9. Obstruction of investigations carried out by independent supervisory public authorities (the Ombudsman, the Commissioner for Information of Public Importance and Personal Data Protection, the Anti-Corruption Agency, the State Audit Institution, the Equality Commissioner) should be criminalised. Any harassment, threat or other attempt to influence a complainant or a witness cooperating with or assisting the supervisory authorities should be made a criminal offence.

10. An obligation should be introduced for internal supervision mechanisms to report their findings relevant for the respect for human rights to the Ombudsman and the competent parliamentary committees, especially in cases where they are disregarded by the management of their respective authorities and in cases of alleged or confirmed serious human rights violations.

11. The results of implementation of the Law on Data Confidentiality (including the adoption of necessary implementing regulations, declassification of old documents, conduct of investigations, issuing of security certificates...) should be reviewed and comprehensive amendments or enactment of a new law should be initiated.

12. The capacities of supervisory institutions for handling and keeping confidential data should be strengthened.

13. A new Law on Security Information Agency should be enacted to ensure, among other things, predictability in the implementation of special measures.

14. The law enforcement powers of intelligence and security services and their involvement in criminal proceedings should be reviewed.

3. Data privacy on social networks


3.1 Increasing the total number of users of social networks

The GlobalWebIndex report for the last quarter of 2012, on the popularity of social networks, indicates a drastic increase in the total number of social network users:

• Facebook by 33% (693 million active users);
• Google+ by 27% (343 million users);
• Twitter by 40% (288 million users).

3.2 Increasing the number of users of social networks in Serbia

According to a survey conducted by AdriaTalk on the number of Facebook users in Southeast Europe, in Serbia this number increased to over 3 million profiles.

Compared to 2009 (when there were 1.6 million users) this is an increase of about 90%.

The situation is similar for other social networks.

3.3 Careless behavior of social network users

3.4 False profiles, misuse of published photographs, email addresses, phone numbers, videos, etc.

3.5 Commissioner’s Activities aimed at affirming the Right to Personal Data Protection

In 2012, the Commissioner carried out a number of activities on the promotion and affirmation of the right to personal data protection, through meetings – organisation and/or participation in trainings, seminars, debates, round tables, conferences etc., as well as through the media, Internet presentation, social networks and other manners of communication with citizens.

The Commissioner organised and took part in more than 80 trainings and seminars for employees in government authorities, territorial autonomy authorities and local self-government authorities, institutions etc., the University of Belgrade, commercial banks etc.

Thank you!

Tel: 00 381 (0) 11 3408-900
Fax: 00 381 (0) 11 2685-023

42, Svetozara Markovica str., Belgrade 11 000 / Republic of Serbia