Current Serbian Data Protection Act (DPA) dates back to 2008, including some minor changes that followed. Given the rapid change of technology and the ever-evolving ways personal data are being processed, it is safe to say that our current DPA did not stand the test of time. Moreover, it was characterized as flawed by the domestic data protection experts since the very moment of its adoption.
25 May of 2018 marked the beginning of a new era, since EU’s General Data Protection Regulative (GDPR) came into force, setting up an array of new standards and obligations imposed on data controllers and processors, including some draconian penalties for failing to implement GDPR’s requirements.
In its EU accession path, Serbia is obligated to harmonize its legislation with EU’s, which includes the GDPR itself.
All of the above mentioned are the reasons as to why the new Serbian Data Protection Act has been underway since 2013 when the first working group for the compiling of the new DPA draft was formed by Serbian Ministry of Justice. Later on, the GDPR followed, making the adoption of the new DPA even more of a pressing issue.
After years of preparation and not without its fair share of controversies, the Serbian Government has adopted the new Data Protection Act proposal at the end of September 2018 and referred it to further legislative procedure. This means that there is still time to amend the proposal further and we are yet to witness the final Act. However, the new DPA is expected to be adopted by the end of this year.
It is worth noting that European Commission’s comments on new DPA’s draft became available to the public only recently. In its comments, the European Commission stated that the DPA draft is confusing and that its language is not adjusted to a regular citizen’s basic understanding, that it features an excessive amount of exceptions to the standards providing to the citizens’ rights connected to data processing and other remarks.
Furthermore, the new DPA proposal does feature a great amount of transplanted GDPR solutions, but a significant amount of such solutions seem to be copied into the new Serbian DPA proposal, without adequate national mechanisms for their implementation. Moreover, Serbian Commissioner for Personal Data Protection went as so far to state that the new DPA draft is practically non-applicable.
Therefore, it remains to be seen what kind of impact the new DPA will have once it comes into force.