Regulatory approaches to protection of human rights in the digital society: personal data protection
Personal data has become the foundation of new business models, and at the same time a source of responsibility for the companies that collect and process data about their users. Since individuals can hardly avoid handing over their personal data, businesses are obliged to protect their users and to keep that data safe from any kind of misuse or violation. Otherwise, serious violations of human rights, above all of the right to privacy, become possible.
The legal framework for personal data protection in Serbia was established in 2008 with the adoption of the Law on Personal Data Protection (LPDP). Before that, the Federal Republic of Yugoslavia had adopted a Law on Personal Data Protection back in 1998, but it was never applied in practice. It should also be borne in mind that the Constitution of the Republic of Serbia (Article 42) guarantees the protection of personal data.
The LPDP stipulates that a data controller, i.e. a company, must meet certain standards before it may start processing data: the user's consent has been given, the data is collected for specified, explicit and legitimate purposes, it is proportionate to the purposes for which it is collected and/or further processed, and it is accurate and kept up to date (Article 8). Furthermore, the law entitles individuals to demand that their data be anonymised and erased once it has been processed for the specified purposes (Article 8). The data controller is a legal entity, that is, the company. The law also defines the data user, a person who uses the data, with the consent of the individual whose data is being processed, for the specified purposes, and the data processor, a person authorised by the data controller on a contractual basis (Article 3).
The LPDP stipulates that the Commissioner for Information of Public Importance and Personal Data Protection (the Commissioner) supervises data protection and performs these duties as an independent body (Article 1, Paragraph 3 LPDP). The Commissioner also keeps the Central Data File Register, a single record of the data files established by all controllers processing personal data; companies are obliged to register their data files with it (Article 3, Paragraph 10).
The Commissioner also decides on appeals lodged by applicants regarding the processing of their personal data (Art. 38). A person can file a complaint against a data controller in the following cases: if the controller refuses or rejects the request, or fails to decide on it within the prescribed period; if it does not allow access to the data; if it conditions access to the data on a fee that exceeds the necessary cost of copies; and if the controller, contrary to the law, obstructs or prevents the exercise of the person's rights.
The Commissioner has estimated that between 300,000 and 350,000 data controllers are bound by the Law on Personal Data Protection. There is no information on whether these controllers comply with or implement the Law, or whether they provide the necessary technical and organisational measures for data protection in accordance with the prescribed standards and procedures, which is also an obligation under the Law. The EU Commission's Serbia 2012 Progress Report stated that the office of the Commissioner for Free Access to Information of Public Importance and Personal Data Protection, faced with a constant increase in the number and complexity of cases, still lacks sufficient resources. It can be concluded that the Commissioner cannot fully supervise the data controllers and the implementation of the Law alone, which leaves room for companies to adopt self-regulatory acts and protect their users' personal data from abuse themselves.
The second example of good practice is that of the Telenor Group, whose Code of Conduct states that customers, employees and other related parties need to feel confident that personal data is processed in such a way that it is used only for legitimate business purposes (part 4.6). Telenor shall collect, process and store personal data only for legitimate business purposes and keep such data no longer than necessary for the purposes for which it was collected. Customers' personal information is processed in accordance with the relevant laws and regulations on personal data protection.
The first initiative for the adoption of self-regulatory rules for advertising agencies was presented by the International Advertising Association. In the working document of the Serbian Code of Marketing Communications, data protection and privacy are covered in Article 17, which is divided into several parts (data processing and informing, data usage, protection of data processing, personal data of children, consumer rights, etc.).
The LPDP is a good basis for the further regulation of data collection and processing that the ICT sector requires. However, it should be kept in mind that current regulations do not keep pace with social and economic needs, which can sometimes slow down innovation, while business models tend to develop freely. Companies around the world therefore turn to alternative regulatory principles, which will be discussed in the following articles.
To be continued…