Monitoring of digital rights and freedoms in Serbia in 2018: year of privacy breaches

07-11-2018

As we are coming towards the end of the year, it’s time to assess trends and present the most notable findings from SHARE Foundation’s monitoring of digital rights and freedoms during 2018. It was interesting to see emerging forms of rights violations in the digital environment, particularly those in connection with information privacy and personal data protection, which were present during the whole year. This can be linked with the lack of effective implementation of the Law on Personal Data Protection and enforcement of penalties, as well as the “waiting game” with the new law modeled after the EU’s General Data Protection Regulation (GDPR).

In the first monitoring period, i.e. from January to March, technical attacks were the most notable forms of violations of digital rights and freedoms, after an extended period of on and off occurrences. The most notable case of a technical attack was the disabling of the official Facebook page of the Independent Association of Journalists of Serbia (NUNS), in which the administrators managing the page were removed and inappropriate content was published. SHARE CERT, SHARE Foundation’s computer emergency response team for online and citizen media, reached out to Facebook in order to try to resolve the situation, but the administrators were not restored. As a result, the Facebook page of NUNS was shut down, and so the association made a new page. A similar case happened to the civil society association “Let it be Known” (“Da se zna”), which had its Twitter and Instagram accounts breached in the beginning of April. These threats are emerging in the sense that in earlier cases the targets were the websites of civil society organizations and independent media, which attackers usually flooded with DDoS attacks.

During the second period of monitoring digital rights and freedoms, which took place from April to June, the most relevant cases for our analysis were in connection with abuse of personal data of citizens in Serbia. This was also the first monitoring report done in accordance with the new methodology developed by SHARE Foundation as a response to the changing nature of violations of digital rights and freedoms. The new version of the monitoring methodology expands the categories of violations which have started occurring more often, such as the prohibited processing of citizens’ personal data or paid promotion of problematic content on social media.

The biggest intrusion into personal data during 2018 was the collection of data through a mobile application “Selected GP” which was presented by the Ministry of Health at the end of May. The app enabled citizens to schedule appointments with their doctor, but it had a very questionable policy on collection and processing of users’ data. The Commissioner for Information of Public Importance and Personal Data Protection warned the citizens to use this application carefully because of the danger of particularly sensitive data on their health being collected without permission and because of several other problems. Further data processing by the company which made the application was also prohibited, which speaks of the severity of this incident. The Commissioner submitted the information on the application to the High Public Prosecutor’s Office and proposed that the Prosecutor’s Office investigate the possible criminal responsibility for unauthorized collection of personal data.

Another issue we encountered with regard to the handling of citizens’ personal data, especially their particularly sensitive data such as information on social and material status, is that state bodies very often do not protect this data in accordance with the Law on Personal Data Protection, causing this data to even be publicly available.

Such was the case of centers for social work in several cities across Serbia, which made the citizens’ data on the use of social protection, victims of violence, national affiliation, gender, language, health and social help available without any legal basis to a private contractor which was hired to produce the instructions for the use of the centers’ software. This contractor was entrusted with very sensitive personal information, which was published on the contractor’s website without adequate protection, meaning it was publicly accessible. Avoiding liability for this kind of reckless behaviour by state institutions is almost a rule when it comes to violating the rights of citizens to privacy and personal data protection. In another similar case, the Commissioner had to file a criminal complaint against an unidentified official of the Municipality of Požega due to unauthorized collection of personal data. The Facebook page “Voice of Požega” (“Glas Požega”) published citizens’ data on social and material status and financial aid which was previously determined to have been submitted at the request of the municipality.

The latter half of the year was marked by a different kind of challenge to privacy and consequently freedom of expression: attempts to deanonymize users on Twitter, which is a popular social media channel for expressing political and social views in Serbia. Anonymity is key for the full enjoyment of freedom of expression and information, especially in societies with an adverse climate for views criticizing government policies and actions of state officials, such as Serbia. On Twitter, a photo of an anonymous user known for his criticism of the government, identical to the biometric photograph from the registry of the Ministry of Internal Affairs used on ID cards, was published on one of many anonymous accounts which mostly tweet in support of the ruling coalition. Regarding this case, the Commissioner for Information of Public Importance and Personal Data Protection initiated an oversight procedure at the Ministry of Internal Affairs. Another particularly worrisome case was the public search for data about a Twitter user writing under the pseudonym “Baz Kilington”, which also offered a reward; it was published on Instagram by the controversial animal protection movement “Levijatan”, which stated that the user was a “poisoner and provocateur”. These issues can cause a “chilling effect” among users of social media and discourage them from speaking out.

Private actors also show a lack of respect for personal data protection, as data of more than 2000 citizens who applied for a TV quiz were publicly available on the website of the company which organized the quiz. Names and surnames, unique personal identification numbers, addresses, phone numbers, emails and occupations were only some of the information on about 2300 citizens that was publicly available, whereas for a few thousand more citizens names and surnames were published, prompting the Commissioner to react and demand responsibility.

As we can see, this was a year of serious challenges for personal data protection and privacy of citizens in Serbia, which can be linked with the lengthy process of adopting the new data protection law and very little chance of enforcing penalties and fines. The new Law on Personal Data Protection, which is based on the GDPR, provides for new rights of citizens and additional obligations for all those handling and collecting personal data, but its implementation is also very uncertain, especially because it contains a provision on the restriction of citizens’ rights which is very likely to be deemed unconstitutional.

SHARE Foundation database: Violations of digital rights and freedoms