23 Nov 2020

Are Major High-Tech Companies “Skirting the Law” in Serbia Regarding Personal Data Protection?

Although it has been more than a year since the new Personal Data Protection Act (“Act”) entered into force in Serbia, some of its provisions are not yet fully applicable.  One clear-cut example is Article 44 of the Act, which requires foreign companies (therefore those who does not have a registered business seat in Serbia) to appoint a Personal Data Protection Representative for Serbia (“Representative”).

Who is the Representative?

This provision, (as well as the majority of the Act’s provisions), was adopted from Article 27 of the General Data Protection Regulation (“GDPR”) and refers to any personal data controller and processor who does not reside in Serbia, but which must, without exception, comply with Serbian law and thus with the Act.  This Act’s exterritorial scope sees it include undertakings who provide their goods or services in Serbia or who process personal data on its territory.

What is the Role of the Representative?

In line with the Act, the Representative in addition to or instead of the company it represents, can be addressed by the Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) or another person regarding personal data processing issues in order to ensure compliance with the provisions of the Act.  Appointing Representatives of companies is not and should not be viewed as a mere formality given that it is fundamental to the realization of the rights Serbian citizens are entitled to under the Act.  In the current climate major companies see Serbia, like many other developing countries, as fair game for the unregulated exploitation of citizens’ private data, despite Serbia having harmonized its laws and regulations with the EU Single Digital Market by adopting the Act. 

Among other things, these companies do not provide clear contact points for members of the Serbian public – they mostly use the same complaint forms, often available only in a foreign language, processed by programs that send generic automated responses. This leaves customers feeling like they are communicating with a machine; they are not mistaken.  The legal institute of Representative is set to address these shortcomings, but to achieve this companies need to step up to the plate and appoint Representatives.

Despite the Act having come into effect on August 21, 2019, the impression is that major high-tech companies are not too pushed about their statutory duties under the Act.

Big Data – Big Risk

Considering the ever-increasing number of people, and now in modern times also devices that generate, communicate and share enormous volumes of data via the global village – Internet, the risk of such data being misused also increases day-by-day.  Companies that own platforms for providing various services, such as first-class companies like Google, Facebook, Twitter, Viber, Snapchat, Amazon, Netflix, and many other companies process huge volumes of Serbian citizens’ personal data, whereas Serbian citizens are being shortchanged of their rights, and are instead left to the whims of automated communication platforms.

NGOs Quick Off the Mark

The fact that many companies operating in Serbia have failed to appoint a Personal Data Protection Officer or a Representative in the Republic of Serbia, despite their duty to do so under the Act, prompted non-governmental organizations such as Share Foundation to take action to “rein in” those companies. 

Consequently, Share Foundation filed misdemeanor complaints against Facebook and Google for failing to comply with their obligations under the Act i.e. for failing to appoint Representatives in Serbia, which it notified the Commissioner of.

Widespread Non-compliance

Besides Facebook and Google, at that point in time (one week after the Act entered into force), out of tens of thousands of controllers, only 192 of them submitted mandatory information on the Data Protection Officer to the Commissioner, which only demonstrates the severity of the situation and the failure by controllers to properly plan for compliance with the mandatory rules.  Now, more than a year on from the Act’s entry into force the situation literally has not changed at all, with non-compliance even more pronounced if anything. 

Against this background, on October 1, 2020, Share Foundation’s legal team filed misdemeanor charges against 16 global tech companies.  The failure of these companies to appoint Representatives in Serbia for more than a year, as prescribed by the Act, triggered this NGO to take further legal action (available here in Serbian) following the initial misdemeanor charges filed against Google and Facebook. 

Huge Reputational Risk vs. Small Fines

Misdemeanor complaints were filed with the Commissioner who has the authority to initiate a compliance check procedure and impose fines of RSD 100,000 on companies and RSD 20,000 on their director(s) for non-compliance.

Unlike the European GDPR based on which our law was written, the fines in Serbia are symbolic, especially for global companies that make mind-boggling profits off of the data of citizens around the world. However, we are of the opinion that fines would show that the authorities in Serbia are enforcing legislation that safeguards our citizens and moreover that these companies are not operating in accordance with national legislation.

The Complaint that Initiated the Companies Chain Reaction

Following much “to and fro” correspondence with the Commissioner, the additional misdemeanor saw Google become the first among the high-tech giants to appoint a Representative in Serbia.  Furthermore, the Commissioner recently received written confirmation from Viber appointing a Representative for Serbia, in line with the Act.  Of the “smaller” global corporations, a Representative in Serbia was appointed by the owner of the commercial flight search service eSky, while the Dutch owner of the Serbian-language platform KupujemProdajem already had a local Representative at that time.

The Added Extra – Serbia’s First “Right to be Forgotten” Case

Thanks to Google’s Representative in Serbia, Serbia’s inaugural right to be forgotten case was closed successfully. The case concerned the removal of channel run by a Serbian citizen on the video sharing platform known as You Tube.

This would not have been possible without the Representative in Serbia. In spite of the fact that any individual or legal entity residing in the Republic of Serbia can be appointed as a Representative, it would be appropriate to appoint a personal data protection expert to this position.

Authors: Ognjen Colić and Žarko Popović