Increasingly intrusive technology requires urgent additional regulation, and much stricter oversight.
Every now and then, I check a tweet posted in June 2020 just to see if it’s still online. It is. Featuring a 15-second video, its caption in Srebian reads: ‘Accident in front of the government of Serbia’.In the clip, a speeding passenger car crashes into a minivan, causing, it later emerged, multiple fatalities.
We should be used to attention-grabbing content on social media by now, and even aware that an economy built around advanced technologies “treats human attention as a scarce commodity, as a United Nations-commissioned report says, ever seeking to maximise engagement. There are some means we can use to avoid particularly disturbing items online, but all we really have is good old self-restraint.
Controlling one’s own online behaviour – clicks, likes, and alike – is also one small step on a long and tedious road to protecting our privacy and personal data that we now know is what feeds multi-billion-dollar global businesses whose services we use ‘for free’.
But mindfulness shouldn’t be our best recourse when we use public services, surely?
Government institutions, agencies and authorities should run privacy-by-design operations, as they handle vast amounts of citizens’ data on a daily basis, providing no opt-out choice. We are obliged to lay out our personal data to them, and they are obliged to keep it safe, online or off.
Since August 2019, these operations in Serbia are required to comply with provisions of a new personal data protection law [passed nine months earlier, with a grace period for compliance], largely copy pasted from the appropriate piece of legislation in EU law on data protection, called the General Data Protection Regulation, GDPR. This EU regulation has set groundbreaking standards of data protection globally, its provisions applying to technical and organisational procedures, defining virtually all the ‘whys’ and ‘hows’ in handling citizens’ data, whether stored on a cloud system or in a paper file.
If the similar provisions from the Serbian 2018 law were applied, we would probably never see the tweet posted in June 2020.
Lack of transparency
The disturbing video of a car crash in front of a key government institution wasn’t taken on the street by an accidental witness. It is clearly marked as the video feed from a traffic surveillance camera. There are visible tags in the top corners of the feed, a date and time stamp in one and the camera’s number and location in other. But it wasn’t a leak either, at least not in the strict sense of a piece of original data leaking out of the system. Someone with physical access to the traffic monitoring room took their smartphone and recorded the broadcast from the computer screen. There’s another visible tag in the left upper corner, this one showing the name of the specific application, with the word ‘server’ in parentheses.
In Serbia, personal data governance often seems like an algorithmic ‘black box’ – a complex system whose inputs and inner workings are not visible or sometimes even comprehensible.
The internal processes are plagued with lack of transparency, while public access to information is thwarted. We manage to learn of the government’s data protection practices mostly by accident. Luckily, there are plenty. From the reckless disregard for legal obligations that exposed the personal data of almost the entire adult population of Serbia in 2014, to the intentional evading of protections laid out in the Constitution to access user communication data of four major telecommunication service providers.
To be fair, these things happened before the new data protection law replaced the old one, known among specialists as the legislation that had practically never been applied.
Times have changed, and expectations as well. Reading about fines issued by national privacy regulators and data protection officers, to both private and public organizations, somewhat shifted our perception. Knowing that we now have the same legal standards as those used to severely penalise an EU-member tax authority after it was hacked, for its deficient security practices, is bound to change procedures in Serbian public institutions too. Or is it?
Serbia does have “a relatively developed legal framework of personal data protection”, said Ana Toskic Cvetinovic, executive director of the Partners Serbia organisation, and an experienced privacy protection expert.
Besides specialising in the field, teaching at the National Academy of Public Administration, and producing a body of analysis and policy recommendations, Toskic Cvetinovic also took part in the working group that prepared a new government strategy for personal data protection. The public hearing on this key strategic document was recently concluded, “and it remains to be seen whether it will contribute to improving the situation,” Toskic Cvetinovic told BIRN.
“The main problem is that the 2018 law assumed some legal solutions from EU legislation – such as the GDPR and the so-called Police directive – that are not applicable in the Serbian legal framework.”
“In addition, although both the Law and the Action plan for Chapter 23 [Judiciary and Fundamental Rights] of the EU accession negotiations stipulate that all sectoral laws should be harmonised with the data protection law; this work has not even started yet. All this complicates applying the regulations, in both public and private sectors, and also leads to legal uncertainty for citizens.”
Who will have access?
Photo: Pixabay
Personal data protection is increasingly a topic of discussion in Serbia, at least in part thanks to the 2018 law, which has certainly improved the domestic normative framework, imposing new obligations on data controllers and processors, and introducing new rights for citizens whose data is processed. But these novelties have not fully taken root in practice, Toskic Cvetinovic said.
“There’s more awareness, in both private and public sectors, of their legal obligations,” she said. “Unfortunately, there are also those who knowingly violate the rules, deciding that the abuse of citizens’ data is more profitable than complying.”
Toskic Cvetinovic underlines that the sanctions provided under Serbian law “are lenient, and the criminal-legal protection is ineffective, thus sending a message to data controllers that non-compliance would not actually entail any serious consequences.”
In particularly, she points to the large systems of state administration that process massive volumes of personal data, while they have honest difficulties in applying protection measures. At the same time, politicians and decision-makers in the public sector keep pushing for rapid digitalisation of public services. Without adequate technical infrastructure and human capacities, this can only increase the risk to citizens’ rights, said Toskic Cvetinovic.
Global dilemmas and debates around increasingly intrusive technologies that expose human rights and civil liberties to grave risks, especially when using these technologies in critical areas such as policing, border control, judiciary, or healthcare, indicate the urgent need for additional regulation. And most definitely for stricter oversight.
But as I was pondering the introductory passage to this article, the latest clip from a traffic surveillance camera in Belgrade showing a car crash was launched into social media circulation. Again, the video feed was recorded with a smartphone from a screen in the traffic monitoring room.
A new round of consultation on the improved version of a draft law on police has been launched, after two failed attempts to legalise a smart video-surveillance system in public spaces. It would be the kind that is capable of automatically detecting and recognising faces, identifying people by their body postures, and tracking and recording their movement in real time. Certainly, far beyond the capabilities of a plain old traffic camera. Who will have access to such systems with their smartphone?