Tag: data protection

Montenegro Data Protection Agency Voices Concern Over COVID-19 Measures

Posted on by Ivana Jeremic

A member of Montenegro’s Council of the Agency for Personal Data Protection, Muhamed Gjokaj, on Wednesday warned that new COVID-19 measures could put citizens’ personal data at risk.

He said he feared unauthorized persons could get insight into citizens’ personal data, and called on the Health Ministry to be more precise about its new health measures.

“The Health Ministry should explain on the basis of which specific legal norms it has prescribed that waiters have the right to process the personal data of citizens who enter a café or restaurant.

“If there is no adequate legal basis, citizens can sue all those entities that ask to inspect their personal data, which also relates to health information,” Gjokaj told the daily Pobjeda.

On July 30, the Health Ministry announced that patrons of nightclubs, discotheque and indoor restaurants must show their ID and National COVID-19 certificate before entering.

The national COVID-19 certificate is a document issued by Health Ministry, which proves that a person has been vaccinated, or has had a recent negative PCR test, or has recovered from COVID-19. According to the Health Ministry, the certificate must be showed to the waiter or club staff.

Montenegro’s Personal Data Protection Law specifies that personal data related to health conditions can be inspected only by medical personnel, however. It prohibits inspection of personal data by unauthorized personnel.

On July 30, the head of the Digital Health Directorate, Aleksandar Sekulic, said no violation of citizens’ personal data was taking place under the measures, as only the name and date of birth of the person were on the COVID-19 certificate.

“We do not provide medical conditions through the certificates but only the data citizens want to provide. They voluntarily agreed to provide a certain amount of data,” Sekulic told a press conference.

On August 3, a lawyer, Andrijana Razic claimed the Health Ministry had violated the law by the new health measures, accusing it of forcing citizens to be vaccinated. She said that non-vaccinated citizens must not be discriminated against in any way.

“It’s completely clear that employees in a restaurant or nightclub have absolutely no right to identify citizens, or ask them for health information that is secret by law. The government should seriously consider the possible consequences of pursuing such a discriminatory and dangerous health policy, based on a drastic violation of basic human rights,” Razic told the daily newspaper Dan.

According to the Institute for Public Health, there are 1,667 registered COVID-19 active cases in the country. The capital Podgorica and the coastal town of Budva have the largest numbers. On Wednesday, the Health Ministry said that 34.5 per cent of the adult population had been vaccinated against COVID-19.

Romanian Intelligence: Hospitals Need ‘Urgent’ Protection from Cyber-Attacks

Posted on by Ivana Jeremic

Days after authorities announced that the Witting public hospital in Bucharest had been targeted by hackers, the Romanian Information Service, SRI, has called on the government to take “urgent” action to protect state-owned medical institutions from these disruptive threats.

Romania’s national intelligence service has warned of widespread deficiencies when it comes to cybersecurity in hospitals, in spite of their increasing reliance on informatics and online systems to run their daily operations.

“Such attacks against some hospitals in Romania represent a sign of alarm about the low level of cybersecurity that exists,” the agency’s statement issued on Friday said, stressing “the need to adopt centralized decisions” that make it mandatory for all medical institutions to impose “minimal cybersecurity measures”.

The intelligence service has briefed the ministries of Health and Transport and Infrastructure concerning the “way in which the attack [reported this month against the Witting hospital] was conducted”, warning the two ministries about the “vulnerabilities of which attackers took advantage”, the SRI statement on Friday said. 

The secret service also presented both departments with a “series of measures to be implemented on urgent basis, in order to limit the effects generated of the attack as well as to prevent future ransomware attacks.

“Although they are of a medium or reduced complexity, this kind of ransomware attacks can generate major dysfunctions in the activities carried out by medical field’s institutions,” the SRI statement explained.

In the absence of clear general standards, the level of cybersecurity in public hospitals and most Romanian state institutions largely depends on the competence and awareness of the personnel in charge, specialists told BIRN.

On 22 July this year, the SRI said the servers of the Witting hospital in Bucharest were targeted by a cyberattack conducted with a ransomware application known as PHOBOS.

“After encrypting the data, the attackers demanded that a ransom be paid for them to decrypt them again,” the intelligence service said at the time.

The attack did not affect the functioning of the hospital, which assured the continuity of operations using data from offline registries. According to the SRI, no ransom was paid to the hackers.

The intelligence service said the attack resembles others that targeted four Romanian hospitals in the summer of 2019. The systems of the four hospitals were not protected by antivirus and were also compromised using PHOBOS.

Glitched Online Registration System for COVID-19 Vaccination Confuses Croatia

Posted on by Ivana Jeremic

As more doses of COVID-19 vaccines finally arrive in Croatia, problems continue when it comes to registration, especially through the national online platform, CijepiSe [Get vaccinated].

“I expected the CijepiSe platform to work because the pandemic has lasted such a long time,“ Mia Biberovic, executive editor at the Croatian tech website Netokracija, told BIRN.

“I assumed the preparations were done early enough,“ she said, concluding that alas, this was not the case. As a consequence, she noted, a small number of people who applied online for a jab are being invited to get vaccinated.

For days, media have reported on problems with the platform, which cost 4.4 million kuna, or about 572,000 euros. On Friday, media reported that the data of the first 4,000 people who applied for vaccination via the platform during its test phase in February had been deleted.

The health ministry then denied reports about the deletion, and said the data relevant for making vaccination appointments had not connected in the case of 200 citizens who booked vaccinations during the test trial.

“The problem is, first, that the test version came when it [the system] was not functional yet. Second, [in the test phase] there were no remarks about the protection of users’ data, i.e. how the user data left there would be used,” Biberovic, who was also among those who applied during the test trial, noted.

“As far as I understood, the data was not deleted but could not be seen anywhere because it was incomplete … So they are not deleted, but again, they are not usable, which is even more bizarre,“ Biberovic added. “This is certainly a risk because citizens do not know how their data is being used.”

Vaccination appointments in Croatia can be ordered through the CijepiSe online platform, a call centre or via general practitioners, and all those who apply should be put on a single list. However, direct contact with a doctor has turned out to be the best way to get a vaccination appointment.

The ministry on Saturday said 198,274 citizens have been registered via the CijepiSe platform, of whom 45,416 have been vaccinated. But around 40,000 of these were not invited through the platform but by direct invitation of general practitioners.

Zvonimir Sostar, head of the Zagreb-based Andrija Stampar Teaching Institute of Public Health, stated on Saturday that the platform was not functioning in the capital, and that they would change the vaccination registration system, advising citizens to register via general practitioners.

Shortly after, the ministry promised that “everyone registered in the CijepiSe system will receive their vaccination appointment”.

“Maybe the platform is not functioning the way we wanted, but it functions well enough to cope with the challenges of vaccination. I read in the papers that the system of vaccination has collapsed. That’s not true! We are increasing the daily number of vaccinations,” Health Minister Vili Beros said on Sunday.

However, the Conflict of Interest Commission, an independent state body tasked with preventing conflicts of interest between private and public interests in the public sector, confirmed on Tuesday that it has opened a case against Beros. It comes after the media reported that the minister has ties to the company that designed the CijepiSe platform. The minister denies any wrongdoing.

Study Underscores Link between Human Trafficking and Online Abuse

Posted on by Ivana Jeremic

More than 40 per cent of female victims of human trafficking have also been subjected to some form of online abuse, according to a report by a Serbian NGO looking at the correlation between the two.

In interviews with 178 women and girls who received support from the organisation Atina over the past five years, 42 per cent reported being the target of online abuse, ranging from cyber-bullying, cyber-stalking, hacking, catfishing, revenge porn and ‘doxing’, the online publishing of private information to publicly expose and shame the victim.

For 31 per cent, the online abuse was directly linked to the process of human trafficking.

“He was posting my half-naked photographs on Facebook and I couldn’t do anything about it,” said one victim of human trafficking who was 18 years old at the time and found refuge in a shelter run by Atina.

“People were commenting on these posts, they were insulting me, he called me a slut online, but no one ever wondered what I might be going through.”

When she reported the case to authorities, the woman said they looked at the photos and “laughed.”

“Later, after I went to the gynaecologist, I gave them the medical report that confirmed I was also sexually assaulted,” she told BIRN, speaking on condition of anonymity.

“At one point I even thought about killing myself, or killing him. The photos are still online.”

Serbia failing in fight against human trafficking

Women and girls make up the vast majority of victims of human trafficking, often for the purpose of sexual exploitation.

According to the latest Trafficking in Persons Report by the US State Department, published in June, the Serbian government “does not fully meet the minimum standards for the elimination of trafficking but is making significant efforts to do so.”

While foreign women and girls also become victims in Serbia, Serbian women and girls are frequently trafficked abroad – to neighbouring countries and across Europe, particularly Austria, Germany, Italy and Turkey.

With lives becoming more digital, the Atina report highlights the threat from cyber-trafficking in the recruitment of victims for the purpose of sexual exploitation, as well as the live streaming of forced sexual exploitation.

There are fears that the COVID-19 pandemic may fuel the growth of cyber-trafficking given the restrictions on movement imposed by states.

Society ‘blames the woman’

In July, United Nations warned of the dangers posed by the loss of jobs, growing poverty, school closures and the rise in online interactions as potential drivers of trafficking.

Women and girls already account for more than 70 per cent of detected human trafficking victims and are among the hardest hit by the pandemic, Ghada Waly, the executive director of the UN Office on Drugs and Crime said in a statement. Women often face more difficulty finding paid jobs in the aftermath of crisis, Waly said, and urged “vigilance”.

Gender-based violence is prohibited under numerous international conventions, as well as under national laws in many countries, including Serbia. But the legal framework is often hazy when it comes to online gender-based violence, despite the fact the consequences can be equally as destructive. Online perpetrators frequently go unidentified.

One victim said society “always blames the woman.”

“She is response for being mistreated, she provoked it, she asked for it…,” the woman, who also spoke on condition of anonymity, told BIRN. “I also blamed myself for a being a victim of online harassment, but I was lucky enough to have the support of my family and that my case did end up in the media. Sadly, many women are usually left without any support.”

Atina Programme Manager Jelena Hrnjak said it is vital that the victims are heard – “Not only to be heard, but to be understood and respected.”

To read the full report “Behind the screens: Analysis of human trafficking victims’ abuse in digital surroundings” click here.

Concern over Moldova Cyber Security As Election Looms

Posted on by Ivana Jeremic

As the campaign for Moldova’s presidential election intensifies, so too does the rate of cyberattacks on state institutions in the former Soviet republic, torn between Russia and the West.

But while Moldova’s Intelligence and Security Service, SIS, says it is working to disrupt cyberattacks, critics say more needs to be done to confront the scourge of fake news and disinformation.

“Moldova does not have a strategy to tackle propaganda, nor clear policies for the protection of the information space,” said Cornelia Cozonac, head of the Centre for Investigative Journalism in Moldova.

“Moldovan politicians are not even trying to take over similar research-based guidelines from the Baltic States, for example.”

Individual hackers

In an interview for Moldpres, SIS director Alexandr Esaulenco said that election campaigns in Moldova frequently brought an “intensification” of cyberattacks on state bodies handling the electoral process.

In written comments to BIRN, the SIS described four types of attacks since 2015 – denial of service, or DDOS, phishing via state e-mail, brute-force attacks trying to gain access to government information systems and the hijacking of official web pages.

“These activities aim to stop or hinder the conduct of the electoral process, but in all these cases, we act proactively to prevent their success,” Esaulenco told Moldpres.

In an interview with tribuna.md in October, Sergiu Popovici, the director of the government Information Technology and Cyber Security Service, STISC, said most attacks were the work of individual hackers, “who try out their criminal talent on randomly selected electoral processes.”

‘Real propaganda’

Esaulenco, a 43-year-old major general, previously worked as a security adviser to Moldova’s pro-Russian president, Igor Dodon.


A person scrolls the screen of a mobile phone while loading information on how to counter ‘fake news’ in New Delhi, India, May 2, 2019. Photo: EPA/Harish Tyagi

Dodon is bidding for a second term in next month’s election but faces a strong challenge from pro-European candidate Maia Sandu.

The SIS press office told BIRN that, while it confronts the threat of cyberattacks, its future focus would be more on disinformation and propaganda.

Torn between integrating with the West or remaining in Russia’s orbit, Moldova has proven particularly vulnerable to outside propaganda, particularly against NATO, the European Union and the international community in general.

The SIS said that during the COVID-19 state-of-emergency in the spring, it closed some 61 websites and news portals deemed to be spreading propaganda and fake news regarding the pandemic.

But Petru Macovei, executive director of the Independent Press Association, API, said SIS did not go far enough.

“It was a facade with the closure of those sites, to justify themselves that their activity was not in vain during the state of emergency caused by the pandemic,” Macovei told BIRN. “Indeed, it was neither effective nor sufficient.”

These “were selective decisions,” he said, “because the real propaganda was not affected by that SIS measure.”

By ‘real propaganda,’ many experts in Moldova mean Russian media outlets that broadcast in Moldova with a distinctively anti-Western tone.

“Russian media in Moldova like Komsomolskaya Pravda or Sputnik every day have at least one anti-EU and NATO news and some about Ukraine,” said Cozonac.

Strategy lacking

Elena Marzac, executive director of the Information and Documentation Centre on NATO, IDC NATO, said that COVID-19 crisis and the economic fallout were “gradually turning into a security crisis.”


The executive director of the IDC NATO in Moldova, Elena Marzac. Photo: Facebook

“Besides classic disinformation there are also the cyberattacks, both elements of hybrid warfare,” Marzac told BIRN.

“Also, the narratives circulating in the international space, but also the regional and national one are strongly influenced by geopolitics, and the main promoting actors in that sense are China and Russia.”

Moldova has made some progress towards establishing the legal basis for a better information security strategy, but experts agree there is still much to be done.

“It is too early to talk about the existence in Moldova of an integrated and effective national mechanism for preventing and combating cybersecurity incidents and cybercrime,” said Marzac.

Montenegrins in Self-Isolation Sue State for Publishing Names

Posted on by Ivana Jeremic

More than 300 citizens of Montenegro have filed lawsuits against the state for publishing their names on lists of people ordered to self-isolate. On Wednesday, a Podgorica-based lawyer, Dalibor Kavaric, who represents some of the citizens, said the government had violated their human rights.

“By publishing the names and personal data of persons in self-isolation, the government stigmatized them and unnecessarily exposed their privacy to the public … the government has unnecessarily caused material damage to the budget of Montenegro just because it didn’t respect the constitution,” Kavaric told BIRN.

The government published the names on March 21, despite warnings from opposition parties and civic society organisations that it risked violating constitutionally guaranteed human rights. They also warned that citizens whose names were published might sue the state before the courts.

The government said it had a right to publish the names because some citizens were not respecting self-isolation obligations. It also said it had approval for its actions from the Agency for Personal Data Protection. It stressed that the security forces could not control every citizen who should be in self-isolation, and that anyone who failed to self-isolate posed a threat to the entire community.

The Head of the EU Delegation to Montenegro, Aivo Orav, called on the authorities to find the right balance between protecting the health and respecting the confidentiality of health information and the right to privacy of citizens.

Danilo Papovic, from the Civic Alliance, said citizens had every right to to seek legal protection of their civil rights.

“The lawsuits are completely justified … This government action indicates the absence of responsibility both in the legal and financial sense, bearing in mind that the consequences of illegal actions are ultimately borne by the citizens, because any compensation is paid from the budget,” Papovic told BIRN.

On March 22, Prime Minister Dusko Markovic said no compromises would be made with those who violated preventative measures amid the COVID-19 pandemic. He also warned that the government would continue to publish the names of citizens who had been ordered to self-isolate.

“The lives of our citizens are the priority. We have estimated that the right to health and life is above the right to unconditional protection of personal data,” Markovic said.

But after the Civic Alliance submitted an appeal to the Constitutional court on March 23, on July 23, the court annulled the government decision to publish the names of citizens ordered to self-isolate – though it did not rule that the government had violated their human rights. The government then removed the list from its website.

A lawyer from Bijelo Polje, Milos Kojovic, said the Constitutional Court had confirmed that the government had violated basic human rights and freedoms by publishing the names of persons ordered to self-isolation. “The government didn’t respect their right to a private and family life,” Kojovic told the daily newspaper Dan.

“Persons on the list published on the official government website, then transmitted by all electronic and print media, are entitled to fair compensation for violation of their personal rights,” he added.

Kosovo Lawmakers Play Politics with Personal Data

Posted on by BIRD

Personal data and the right of access to public information remain largely unprotected in Kosovo after parliament failed again to elect a Commissioner for the Information and Privacy Agency, IPA, leading critics to accuse lawmakers of playing politics with citizens’ rights.

The Information and Privacy Agency, IPA, had asked the parliament to give its director, Bujar Sadiku, the powers of the Commissioner of the Agency despite the failed recruitment process for the post.

The request was rejected by the parliamentary Committee on Security Affairs as illegal, however, and civil society groups on Thursday publicly asked the Presidency of the Assembly, especially the Speaker, Vjosa Osmani, to be vigilant and ignore such illegal requests.

On August 14, none of the three candidates for the post received the required 61 votes, the third time in two years that parliament failed to appoint a Commissioner, failure analysts attribute to narrow political interests. The British embassy, which has assisted in the recruitment process, said British experts had been withdrawn.

Flutura Kusari, a legal adviser at the European Centre for Press and Media Freedom, who voluntarily monitored the recruitment process, said the British decision was a good one, but was “bad news” for Kosovo.

“It is not logical financially or politically for an ally to invest this much in a clearly politicised process,” Kusari told BIRN.

In its five years of existence, “the agency has failed from the beginning to protect our personal data,” she said. “If the Commissioner will be politicised, s/he can become a censor of public information, pleasing politicians.”

Starting ‘from zero’


The meeting of the Kosovo Committee on Security and Defence, where the annual report of the Information and Privacy Agency, IPA, for 2019 was reviewed, presented by IPA director Bujar Sadiku, June 16, 2020. Photo: Official Website of Kosovo Assembly.

Without a Commissioner, Kosovo has no institutional mechanism to implement the Law on Access to Public Documents and the Law on the Protection of the Personal Data.

The first two attempts to appoint a Commissioner failed in May and July last year due to the fall of the then government and the dissolution of parliament after the prime minister at the time, Ramush Haradinaj, resigned on being summoned for questioning by war crimes prosecutors in The Hague.

Without a Commissioner, citizens of Kosovo have no institutional means to complain and seek justice if a public or private body violates their rights to protection of their personal data or access to information. Civil society groups say that without an independent overseer, the agency could become biased in fining particular institutions or officials.

British-approved candidates

Twelve people applied for the position, cut down to five after a review of the applications. Each of the five candidates went through a two-day interview process, after which a commission selected three to be submitted to parliament.

They were Bujar Sadiku, Krenare Sogojeva-Dermaku and Muharrem Mustafa. Sadiku and Sogojeva-Dermaku had received the approval of the British Embassy as the best candidates.

The IPA is unable to impose fines on bodies that violate the law due to the absence of certain internal acts that should be signed and submitted to the government by the Commissioner, Jeton Arifi, head of the Access to Public Documents Pillar at the agency, told BIRN.

If a bank, for example, accidentally or intentionally revealed the account details of a customer, that customer would have to take the bank to court, a lengthy and potentially expensive process during which the bank could continue violating the law.

“The persistent failure to select the head of our authority is continuing to cause consequences in the prolongation of internal processes, which should have been concluded within six months from the entry into force of the relevant law,” Arifi told BIRN. The Law on Personal Data Protection entered into force on March 11, 2019.

Politicians can ‘hijack’ process

Without a Commissioner, the IPA is also unable to hire new staff and has had to halt a twinning project with Germany and Latvia.

“Now everything will start again from zero,” said Fatmire Mulhaxha Kollcaku, who heads parliament’s Committee on Security and Defence and led the interview panel for the Commissioner’s job.

“As long as we don’t have an independent institution with a competent Commission, we have two unenforceable laws,” said Mulhaxha Kollcaku, and questioned how the recruitment process would continue without the British involvement.

The British embassy said on August 17 that it would not spend British taxpayers’ money on repeating a process that had been conducted properly but which failed to end in the appointment of a Commissioner. Under the agreement with the embassy, parliament is obliged to endorse an approved candidate.

“The non-appointment of any of them calls into question the stated commitment of political parties to implement the Memorandum of Understanding (MoU) with the British Embassy, ​​but more importantly, it sends a negative signal to independent professionals in Kosovo and their hopes to contribute in Kosovo Institutions,” the embassy said.

“Any public appointment should take into account only the interests of the country and its citizens, and not the narrow party interest.”

Without the British involvement, politicians can “hijack the process and elect politically involved people with no actual skills for the position,” warned Kusari.

Taulant Hoxha, CEO of the NGO Kosovar Civil Society Foundation, which supports the development of civil society with a focus on EU integration, told BIRN:

“It is painful that the Kosovo Assembly has to sign security agreements with foreign embassies in order to be able to elect a Commissioner. It would make sense if only the human, technical, and methodological resources to be provided with funding from the British Embassy because the Assembly of Kosovo is a new institution.”

Hiljade.kamera.rs: Community Strikes Back Against Mass Surveillance

Posted on by BIRD

Serbian citizens have launched the website hiljade.kamera.rs as a response to the deployment of state-of-the-art facial recognition surveillance technology in the streets of Belgrade. Information regarding these new cameras has been shrouded in secrecy, as the public was kept in the dark on all the most important aspects of this state-lead project.

War, especially in the past hundred years, has propelled the development of exceptional technology. After the Great War came the radio, decades after the Second World War brought us McLuhan’s “global village” and Moore’s law on historic trends. Warfare itself has changed too – from muddy trenches and mustard gas to drone strikes and malware. Some countries, more than others, have frequently been used as testing grounds for different kinds of battle.

Well into the 21st century, Serbia still does not have a strong privacy culture, which has been left in the shadows of past regimes and widespread surveillance. Even today, direct police and security agencies’ access to communications metadata stored by mobile and internet operators makes mass surveillance possible. 

As appearances matter most, control over the flow of information is a key component of power in the age of populism. We have recently seen various developments in this context – Twitter shutting down around 8,500 troll accounts pumping out support for the ruling Serbian Progressive Party and its leader and the country’s President Aleksandar Vucic. These trolls are also frequently used to attack political opponents and journalists, exposing the shady dealings of high ranking public officials. Reporters Without Borders and Freedom House have noted a deterioration in press freedom and democracy in the Balkan country.

However, a new threat to human rights and freedoms in Serbia has emerged. In early 2019, the Minister of Interior and the Police Director announced that Belgrade will receive “a thousand” smart surveillance cameras with face and license plate recognition capabilities, supplied by the Chinese tech giant – Huawei. Both the government in Serbia and China have been working on “technical and economic cooperation” since 2009, when they signed their first bilateral agreement. Several years later, a strategic partnership forged between Serbia’s Ministry of Interior and Huawei, paving the way to the implementation of the project “Safe Society in Serbia”. Over the past several months, new cameras have been widely installed throughout Belgrade.  

This highly intrusive system has raised questions among citizens and human rights organisations, who have pointed to Serbia’s interesting history with surveillance cameras. Sometimes these devices have conveniently worked and their footage is somehow leaked to the public, and in some cases, they have not worked or recordings of key situations have gone missing, just as conveniently. Even though the Ministry was obliged by law to conduct a Data Protection Impact Assessment (DPIA) of the new smart surveillance system, it failed to fulfil the legal requirements, as warned by civil society organisations and the Commissioner for Personal Data Protection

The use of such technology to constantly surveil the movements of all citizens, who are now at risk of suddenly becoming potential criminals, has run counter to the fundamental principles of necessity and proportionality, as required by domestic and international data protection standards. In such circumstances, when there was no public debate whatsoever nor transparency, the only remaining option is a social response, as reflected in the newly launched website. 

“Hiljade kamera” (“Thousands of Cameras”) is a platform started by a community of individuals and organisations who advocate for the responsible use of surveillance technology. Their goals are citizen-led transparency and to hold officials accountable for their actions, by mapping cameras and speaking out about this topic to the public. The community has recently started tweeting out photos of cameras in Belgrade alongside the hashtag #hiljadekamera and encouraged others to do so as well.

The Interior Ministry has yet to publish a reworked and compliant Data Protection Impact Assessment (DPIA) but the installation of cameras continues under sketchy legal circumstances.

Bojan Perkov is a researcher at SHARE Foundation. 


BIRD Community

Are you a professional journalist or a media worker looking for an easily searchable and comprehensive database and interested in safely (re)connecting with more than thousands of colleagues from Southeastern and Central Europe?

We created BIRD Community, a place where you can have it all!

Join Now