Monitoring of digital rights and freedoms, second quarter of 2018: data and privacy of citizens under attack

26-07-2018

After another three-month monitoring period of the state of digital rights and freedoms in Serbia, SHARE Foundation presents the most recent report on this issue from April to June. In total, we registered 24 violations in this period of time, and the most important cases were dealing with the problem of processing personal data of citizens and the IT privacy such as the one of mobile application ‘Selected GP’.

It must be noted that this is the first quarterly report compliant to the new version of methodology for monitoring the state of digital rights and freedoms. Having in mind the degree to which trends changed since 2014 when SHARE Foundation began to conduct  monitoring, we believe that it is necessary to update the methodology in line with the changes of the nature of cases. The new version of methodology expands categories of violations which were assessed as occurring more often such as the prohibited processing of personal data of citizens or paid promotion of problematic content on social networks.

Technical attacks were dominant in the previous monitoring report (January-March 2018) and although at the beginning of April it seemed that the trend will continue, most cases belonged to category  “Pressures due to expressions and activities on the Internet” and “Manipulations and propaganda in digital environment”, seven cases in each category. In the category of pressures, we must point at two cases when employees had problems with their employers because of their posts on social networks where they complained to work conditions. Female workers at the textile factory ‘Kajzen’ in Smederevo were fired and received threats of being criminally prosecuted due to posting photographs of the strike on Facebook, whereas the employees of Radio Beograd 202 received threats of being sanctioned because of Facebook posts in which they asked for public support due to uncertain situation regarding possible transformation into a music radio which would actually mean cancelling informative, cultural and sports content at the Radio.

The biggest violation of personal data protection in this reporting period was the collection of data via mobile application ‘Selected GP’ which was presented by the Ministry of Health at the end of May. The Commissioner for Information of Public Importance and Personal Data Protection warned the citizens to use this application carefully  because of the danger of particularly sensitive data on their health being collected without permission and because of several other problems, and he also prohibited further data processing to the company which made the application. Also, in July, the Commissioner submitted the information  on the application to the High Public Prosecutor’s Office and proposed that the Prosecutor’s Office considers the doubts regarding the criminal act of unauthorized collection of personal data.

The degree to which the application is problematic is also supported by the fact that the old version of the application as a log in required a personal number of health insurance – LBO, which meant that any person who knew another person’s LBO, e.g. an employer, could have the access to this person’s scheduled medical exams. According to the information from Google Play Store, the application collected more data than it necessary for its functioning and there was no privacy policy available.

It is also worrisome to see that it is precisely in state institutions where cases of irresponsible relation towards citizens’ data occur, thus the Commissioner had to react by filing a criminal charge against an unidentified official of the Municipality of Požega due to unauthorized collection of personal data. Facebook page “Glas Požega” published citizens’ data on social and material status and financial aid which was previously determined to had been submitted at the request of the municipality.

In June, the Commissioner initiated misdemeanor proceedings against the Centers for Social Work in Niš, Zrenjanin, Pančevo and Kraljevo, and against directors of these bodies and the entrepreneur who made the instruction for the use of software for official needs of the Centers. The Centers made the citizens’ data on the use of social protection, victims of violence, national affiliation, gender, language, health and social help available without any legal basis to the entrepreneur in order to ‘produce the instructions for the use of the software’ which published this information on his website without the adequate protection, therefore this information was publicly available. The lack of responsibility in state bodies is almost a rule when it comes to violating the rights of citizens to privacy and personal data protection, and the situation is even more serious because the cases described deal with particularly sensitive data which must have a higher level of protection.

The attention of the public was also drawn by announcements of the state that it will deal with fake news on social networks. The Minister without Portfolio in charge of innovation and technological development, Nenad Popović submitted a proposal for establishing a working group for the defense from fake news, and said that ‘most European countries already started various procedures in order to include the fight against fake news into legal and institutional framework.’ The initiative for ‘the fight against fake news’ appeared after spreading information that the water in Belgrade water supply system was poisonous, and it remains unclear in which way this fight will be manifested and what specific tasks and goals of the working group will be. Legislative solutions should be approached very carefully, especially because of possible negative consequences to freedom of expression and the right of the citizens to be informed.

Since there is no new Law on Protection of Personal Data, which is in the drafting process for six years now, and since there are big problems in the application of the current Law from 2008, the citizens found themselves in an unenviable position when it comes to the privacy of their data. Since the beginning of application of the General Data Protection Regulation in the EU – GDPR as of 25 May 2018, it is expected to see big changes regarding individuals enjoying their rights, but it seems that Serbia will have to wait a little longer. The latest version of the draft of the Law was announced in July  and it was sent to ministries for them to submit their opinion, but it is still unknown what the deadline for the Law to be passed is. Unfortunately, it is difficult to assume when this agony would end, while the Law violations become more and more often and serious.

All cases are found in our Monitoring database: monitoring.labs.rs