The Montenegrin Agency for the Protection of Personal Data and the Free Access to Information ("Agency") published on 22 March 2016 on its website a decision that deals with data leakage from the police database. The Agency reacted in response to a request by six individuals whose names, surnames, and photographs had been published in a Montenegrin newspaper in October 2015. The newspaper, Dnevne novine, received the photos from the police.

The article in Dnevne novine appeared a few days after the opposition parties held a protest rally in the capital Podgorica, which turned violent. The title of the article was "More than 50 persons under scrutiny", and the subtitle "Who caused the riots of 24 October at the protests organized by the Democratic Front". Somebody from the Directorate of Police (within the Ministry of Interior) leaked the photos to Dnevne novine, apparently in order to facilitate discreditation of the government’s opponents through the media.

A representative of the six persons filed a request for the protection of right (zahtjev za zaštitu prava) to the Agency, asserting that the publishing of the personal data in the newspaper was contrary to the provisions of the Montenegrin Data Protection Act ("DP Act").

The Agency established that the data from the newspaper form a part of the Records of issued identity cards maintained by the Ministry of Interior. The Agency also found that a total of 14 (rather than six) persons, i.e. data subjects, had their photos leaked from the Records.

The Agency qualified the Ministry of Interior as data controller in charge of a filing system (the Records). According to the Agency, the newspaper Dnevne novine is to be considered as a user of the data.

The DPA then proceeded to examine whether there existed a statutory basis for making available the photos from the police records to the user (the newspaper). Article 17 of the DP Act stipulates that upon the user’s request, if requirements from articles 10 and 13 of the Act are met, data controller must furnish the requested data to the user. Article 10 sets forth five exceptions from the basic rule that data processing is permitted only with data subject’s prior consent. Article 13 deals with the sensitive personal data ("special categories" of data, as the Act calls it) and also includes a list of exceptions, when processing of sensitive data is permitted even in the absence of data subject’s consent.

In the case at stake the data subjects did not consent to disclosing their data to the newspaper. Also, conditions for application of an exception under articles 10 were not met. (Article 13 was not of relevance here because no sensitive data were involved.) Under article 10 of the Act, data processing without the data subject’s consent is permitted if the processing serves one or more of the following purposes:

  1. carrying out the controller’s  obligations mandated by law;
  2. protecting the life or other vital interests of the data subject where the data subject is incapable of giving his consent;
  3. performing a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract;
  4. performing a task carried out in the public interest or exercising official authority vested in the controller or in a third party, i.e. the user of the personal data; or;
  5. purposes of the legitimate interests pursued by the controller or by the third party, i.e. the user, except where such interests should be restricted in order to exercise and protect rights and freedoms of the data subject.

During the second supervision procedure, the Agency established that the Ministry of Interior identified an official who disclosed the data to the newspaper. In the decision, the Agency (only) prohibits the Ministry of Interior from providing the personal data from the Records to the user contrary to article 17 of the DP Act. Unlike the Serbian DPA in the case of mental health data leakage, which we wrote about in January 2016, the Agency took a soft approach and did not initiate the misdemeanour proceeding against the Ministry of Interior, i.e. the data controller. This is consistent with the generally lenient approach by the DPA to the violations of the DP Act: in 2015, for example, the Agency did not initiate any misdemeanour proceedings or file a criminal charge in relation to violations of the Act. In contrast, the Serbian DPA initiated 19 misdemeanour proceedings and filed three criminal charges in the same period.