Regulatory approaches to protection of human rights in the digital society: personal data protection

30-07-2014

Personal data has become a foundation for new business models and, at the same time, a source of responsibility for the companies that collect and process data about their users. Since individuals can hardly avoid handing over their personal data, the companies behind these business models are obliged to protect their users and to keep their personal data safe from misuse and violation of any kind. Otherwise, serious violations of human rights, especially of the right to privacy, become possible.

The legal framework for personal data protection in Serbia was established in 2008 with the adoption of the Law on Personal Data Protection (LPDP). The Federal Republic of Yugoslavia had already adopted a Law on Personal Data Protection back in 1998, but it was never applied in practice. It should also be borne in mind that the Constitution of the Republic of Serbia (Article 42) guarantees the protection of personal data.

The LPDP stipulates that a data controller, i.e. a company, must meet certain standards before it can start processing data: the user's consent must be obtained, the data must be collected for specified, explicit and legitimate purposes, it must be proportionate to the purposes for which it is collected and/or further processed, and it must be accurate and kept up to date (Article 8). Furthermore, the law entitles individuals to demand that their data be made anonymous and erased once it has been processed for the specified purposes (Article 8). The data controller is a legal entity, that is, the company. The law also defines a data user as a person who uses data, with the consent of the person whose data is being processed, for specified purposes, and a data processor as a person authorised by the data controller on a contractual basis (Article 3).

The LPDP stipulates that the Commissioner for Information of Public Importance and Personal Data Protection (the Commissioner) supervises data protection and performs these duties as an independent body (Article 1, Paragraph 3 LPDP). The Commissioner also keeps the Central Data File Register, a single record of the data files established by all controllers processing personal data; companies are obliged to submit their data files to the Register (Article 3, Paragraph 10).

The Commissioner also considers appeals lodged by applicants regarding the processing of personal data (Art. 38). A person can lodge a complaint against a data controller in the following cases: if the controller denies or rejects the request, or fails to decide on it within the prescribed period; if it does not allow access to the data; if it makes access to the data conditional on a fee that exceeds the necessary cost of making copies; and if the controller, contrary to the law, makes the exercise of these rights difficult or impossible.

The Commissioner has estimated that there are between 300,000 and 350,000 data controllers bound by the Law on Personal Data Protection. There is no information on whether these controllers comply with or implement the Law, or whether they apply the necessary technical and organisational measures for data protection in accordance with the prescribed standards and procedures, which is also an obligation under the Law. The EU Commission's Serbia 2012 Progress Report stated that the office of the Commissioner for Free Access to Information of Public Importance and Personal Data Protection, faced with a constant increase in the number and complexity of cases, still lacks sufficient resources. It can be concluded that the Commissioner alone cannot fully supervise data controllers and the implementation of the Law, so there is room for companies to adopt self-regulatory acts and protect their users' personal data from abuse.

The Serbian company “Limundo” has therefore adopted and published its Terms of Service and Privacy Policy in accordance with the Law, which represents an example of good practice in data processing. As regards the use of personal data, the Terms of Service name as the only parties who may be authorised to use the data: the company's employees, individuals with whom the employees enter into contractual relations, and any public authority that exercises a right to use the data on the basis of the Law and/or a court decision. Public authorities can therefore access users' personal data only in cases determined by the Law or on the basis of a court decision.

“Limundo” also has a Privacy Policy, which states that “Limundo” processes data only with the user's consent, for a specific purpose and in accordance with the law, in a way that ensures the person the data relates to is no longer identified or identifiable once the purpose of processing has been fulfilled, and without exceeding that purpose. Processed data must be accurate and complete and drawn from a verifiable source, i.e. one that is not out of date.

The second example of good practice is that of Telenor Group, whose Code of Conduct states that customers, employees and other related parties need to feel confident that personal data is processed in such a way that it is used only for legitimate business purposes (part 4.6). Telenor shall collect, process and store personal data only for legitimate business purposes, and shall keep such data no longer than necessary for the purposes for which it was collected. Customers' personal information is processed in accordance with the relevant laws and regulations on the protection of personal data.

According to the Telenor Serbia Privacy Policy, the company retains personal data whose processing its users have explicitly requested. Like many global companies, Telenor informs its users when it changes its Privacy Policy, by updating the information on its website and by sending emails no less than 30 days before the change takes effect, so that users are aware of what personal data is being processed and how it is being used or disclosed by Telenor, where that is the case. Telenor also has a Data Privacy Officer responsible for upholding and implementing the Privacy Policy, a role which will be discussed in the following articles.

The first initiative for the adoption of self-regulatory rules for advertising agencies was the one presented by the International Advertising Association. In the working document of the Serbian Code of Marketing Communications, data protection and privacy are addressed in Article 17, which is divided into several parts (data processing and information, data use, protection of data processing, children's personal data, consumer rights, etc.).

The part titled “Privacy Policy” states that anyone who collects data needed for their advertising activities must have a privacy policy whose terms are clear to users and which explicitly states whether data is being collected and processed. The Code is to be applied by every organisation, corporation and individual at every stage of the advertising communication process (Article 23). The Code states that no market participant (an advertising agency, publisher or media owner) shall take part in a marketing communication process that the self-regulatory body considers unacceptable (Article 24). Since the Code has not yet come into effect, we will follow its implementation closely, as personal data processing is widespread among advertising agencies, especially given the impact of direct advertising in the digital environment.

The LPDP is a good basis for the further regulation of data collection and processing that the ICT sector requires. However, we should bear in mind that current regulations do not keep pace with social and economic needs, which can sometimes slow down innovation, while business models tend to develop freely. Companies around the world therefore use alternative regulatory principles, which will be discussed in the following articles.

To be continued…