Source: Danas

Proposal of the Law on Personal Data Protection contains some strange solutions  
Rodoljub Sabic 
Personal attitude  
The National Assembly shall soon discuss the Proposal of the Law on Personal Data Protection. It is good that this is so, due to several reasons. As one would most usually say, adopting that law could bring us closer for a good step to  "White Schengen". Still more important is that this law could (and must) be a basic prerequisite for construction of one legal mechanism that we don't have, and which is necessary to one modern, democratic society. 

The need to, after at least a decade of lateness, receive an efficient mechanism for protecting privacy, that is, of personal data, requires utterly responsible relation both towards articulating solutions in the law, so towards securing organizational, logistics, material and all other assumptions for their implementation in life.

In that context, solution from Article 45 paragraph 2 of the Law Proposal is really "interesting". It enables security bodies to deny due to reasons of  "state and public security" and that "until the reasons exist", to the authority that should protect the personal data insight into relevant data, sets of data, even access to the premises. Simplified, citizens shall be guaranteed privacy protection by the law, that is protection of personal data, but protection from illegal "processing" by the security authorities shall be possible - only if approved by those authorities. At least to say interesting, isn't' it? Doesn't the Article 45 paragraph 2 remind you of stories about the "goat and the wolf" or "bunny and cabbage"? Isn't it probable that many would recognize in the quoted data, collections of data and rooms, for instance, those from famous RATEL's  "technical conditions" for intercepting Internet communication? Can the authority in charge, regardless of which it might be, faced with such limits, and that from expandable reasons, very difficult to check, for a term that can last for ever, seriously guarantee and secure efficient data protection?

Such limitations are significantly handicapping possibilities for efficient work in personal data protection, regardless to which authority shall that protection be entrusted. In this specific case, this issue is additionally complicated by the fact that as the authority in charge of personal data protection is envisaged an already existing state authority - Commissioner for Information. And he, according to the Law on Free Access to Information, has the explicit right of insight, without limitation, into each information carrier owned by the authorities in power. Isn't that slightly controversial situation? Obviously it is. Therefore conclusion can be derived that this solution, (un)consciously, at back entrance, opens possibilities to question and make relative the existing authorization of the Commissioner for Information of Public Importance, the authorization extremely important, even fundamental for the function he already performs.  Leaving possibilities for discretionary, extremely important narrowing of authorizations of the authority in charge in the procedure of control and protection of rights, is "interesting", not only because it opposes already determined, existing authorizations of the Commissioner for Information, but also because of the relation towards standards that have been determined in international documents from this area, that we have signed and accepted.  For instance, regarding provisions of the Convention on Personal Protection in relation to Automatic Data Processing, and also, provisions of Additional Protocol to that Convention. In the context of provisions by which the  Protocol regulates position of the supervising bodies, and which amongst else envisage authorizations to meddle without limitations in all legal proceedings and to point out to the breach of law, including authorizations to independently start investigations, limitations envisaged in Article  45 paragraph 2 look as a caricature, and the fact that their adoption is proposed to the Assembly simultaneously with Protocol Ratification seems almost cynical.

Therefore, the quoted solution, (and some other with similar controversy) should be excluded from the text body of the Law Proposal. As the Commissioner for Information hasn't received a chance, even after Constitutional changes to propose amendments to the laws pertaining to the field for which he is responsible, in relation to that I turned to the Ombudsman, who according to the Constitution has those rights. The Ombudsman shall submit adequate amendments, and I hope that this is not too optimistic to expect the MPs to accept them.

The situation turns even more "interesting" in relation to the real prerequisites for law application. Assumedly "taking care" about the time necessary for securing those prerequisites, the mover envisages deferred period for start of law implementation - 1st January 2009. Just, how much that  "realistic" approach has with the reality? The Law preserves solution based on which the Enactment on Organization of the Commissioner's Service shall be passed by the  Commissioner himself, but the consent for that is granted by the  National Assembly. And the first formal but necessary prerequisite for enabling the Commissioner for Information to take on new jobs is change of the Enactment on his Service Organization.

That is a good chance to remind us of some other situations in relation to that. 
The Commissioner for Information has delivered the Enactment on Organization for consent to the National Assembly two times. The first time during formation, and the second time two years later, in order to have it formally terminologically harmonized with the law. He waited for the first time for consent for five, the second time for incredible 18 months.

Otherwise, it is well known that the Commissioner for Information, as otherwise almost all "new", independent bodies, works from the very start in inadequate conditions. Not even more than three years were enough for the responsible ones in the Government to secure the necessary spatial conditions for housing Commissioner's service.  The authorities remained deaf on all warnings that this is endangering realization of the function. Due to that, instead of envisaged 21, the Service functions with only seven workers, with adequate negative consequences of contemporariness regarding work.  Does anybody think for real that within three months in those circumstances that service shall take over the task which is incomparably more difficult, bigger and more complex? Or maybe in the manner of Potemkin, he thinks that instead of personal data protection a mere resemblance of it suffices?