GDPR: Origin, Application and Changes

Overview of the Origins of GDPR and the Need for This Regulation in the Modern Era

It is said that in ancient Egypt, people with a surplus of curiosity (or, as common folk would say, those who eavesdrop) were punished by being required to feed their neighbors' camels for the next 10 days, or, as the educated would say, to do community service. However, if an ancient Egyptian obtained information that could harm the reputation of a wealthy family or the survival of the state, they would be punished by death. But what about people nowadays?

Modern civilization has been developing for years under the conditions of rapid technological progress. This has opened the doors to a new reality where it is necessary to legally regulate all issues provoked by life in the digital age. And although it is clear that the law always lags behind reality (just as Montenegro lags behind Europe), codification of the legal areas that regulate life in the digital environment, as well as life alongside the achievements of artificial intelligence (e.g., artificial intelligence law, information technology law, internet law), is necessary not only to regulate newly emerged relationships between states, legal and natural persons, but also to prevent abuses and violations of fundamental human rights and freedoms, to which the technological era has widely opened its doors.

Where can our personal data be found today? Who can access, process, or store it? These are just some of the questions provoked by life in the digital environment. Even a superficial response from a legal layperson cannot help but spark doubts about the existence of anything resembling privacy, as well as concern about our basic human rights, especially the right to respect for private life. The European Union was the first to seriously tackle this issue, attempting, and largely succeeding, to legally regulate this very specific and important area with its General Data Protection Regulation (GDPR).

Overview of the Basic Provisions of GDPR

The General Data Protection Regulation (hereinafter referred to as GDPR) was adopted by the European Parliament in 2016 and has been in effect in the Member States of the EU since 2018. In addition to contributing to more effective protection of human rights and freedoms, this regulation significantly changes the operations of all entities that collect and process personal data.

Many of the provisions contained in GDPR already existed at the national level, but they have now been consolidated and enhanced, making this regulation a unique codification applied in all EU member states. By regulating the area of personal data protection in this way, differences in national legislation are overcome, thus facilitating the position of business entities operating in multiple EU member states that collect and process personal data.

GDPR has a very wide scope of application. This regulation applies not only to business entities operating within the EU, but also to all those who, regardless of location, process data of residents of the EU (Article 3). For example, if access to a certain website is available in at least one EU member state, personal data on that site must be collected and processed in accordance with the provisions of GDPR. Therefore, GDPR applies to all entities operating on the internet and processing data of EU citizens.

GDPR introduces stricter standards for the protection of personal data, including the obligation for data controllers to ensure a high level of security and transparency in their processing. The regulation grants individuals greater rights over their data, such as the right to have it deleted (the so-called 'right to be forgotten'), and mandates the implementation of privacy by design and by default to ensure minimal data processing. Additionally, GDPR imposes significant financial penalties for non-compliance with these standards, encouraging data controllers to strictly adhere to the regulations.

Reflection on Our Legislation and Compliance with GDPR by the Authorities in Montenegro

Montenegro has not yet fully aligned its Law on Personal Data Protection with the provisions of GDPR. Furthermore, state bodies and institutions, local government bodies, and a large part of business entities have not yet fully harmonized their activities in the collection and processing of personal data with GDPR standards.

For example, several Montenegrin municipalities recently violated the Law on Personal Data Protection by publishing personal data of citizens, such as unique identification numbers, residential addresses, and telephone numbers, on their websites. Specific irregularities were identified by the Agency for the Protection of Personal Data and Free Access to Information in Berane, Rožaje, Tuzi, and the Capital City. Namely, on the websites of these municipalities and the Capital City, requests submitted by citizens to chief municipal architects were published, but personal data were not redacted. This case shows that not enough effort has been invested in educating personnel who should successfully and responsibly apply legal norms in the field of personal data protection, and that citizens are not sufficiently informed about their rights, the level of their protection, and how to exercise them.

We should also not forget the case that occurred during the COVID-19 pandemic, when the Government of Montenegro published a list of individuals who were in self-isolation, thereby violating the Law and compromising citizens' privacy. Given that the Law on Personal Data Protection prescribes fines ranging from 500 to 20,000 euros for legal entities that process personal data contrary to the Law, and that the same violation can result in fines of 150 euros to 2,000 euros for the responsible persons in legal entities, state bodies, state administration bodies, and local government bodies, Montenegro was obliged to pay citizens cumulative damages of around 800,000 euros due to this oversight. That is how much ignorance cost us at that moment.

Amendments to the Law and Their Purpose

Recent amendments to the Law on Personal Data Protection, along with seven other laws, have come into effect. The goal of adopting this group of laws is to ensure the quality of data collected during the population, household, and housing census conducted at the end of 2023. The key amendment to the Law on Personal Data Protection concerns Article 2, paragraph 4, stipulating that personal data may be used for statistical or scientific research purposes in a form that does not reveal the identity of individuals, except for the administrative authority responsible for statistics, for the purpose of developing, producing, and disseminating official statistics.

These amendments will enable the Statistical Office to gain full access to administrative data sources. The previous version of the legal text restricted the use of data for statistical purposes, thereby preventing the full implementation of Article 34 of the Law on Official Statistics and the System of Official Statistics, which prescribes that the Statistical Office has the right to access all administrative data sources, including identifiers. These amendments will allow for the substantive application of the previously mentioned article.

Challenges for Employers

GDPR also brings new challenges for employers. Business entities must adjust their operations to comply with the provisions of this EU regulation, processing and storing personal data according to new rules without violating fundamental human rights and freedoms. The regulation stipulates that, in addition to public authorities, certain business entities will be required to have an expert or external associate to monitor the processing of personal data. Their engagement does not depend on the number of employees but on the volume of data processed. Therefore, all business entities that extensively process personal data of users of their products and/or services will have to hire at least one additional employee. Thus, despite the fact that GDPR imposes a new set of obligations on employers, it will also test the social responsibility of business entities, as well as their readiness to survive and succeed in the competitive market in the digital age.

A Long-Kept Secret

During World War II, among other things, books that served as registers containing citizens' personal data (birth registers, marriage registers, etc.) were destroyed in numerous Montenegrin settlements. After the partisans liberated Montenegro and Yugoslavia from fascist occupiers and domestic traitors, the country's reconstruction began. When the time came to restore the registers and re-enter citizens' data into the books, certain abuses occurred. It is said that during this period, some fathers, when re-entering their daughters' data, decided to subtract or conceal a few years of their lives, thinking it would help them get married more easily and advantageously. Thus, my grandfather de jure married a woman a few years younger, but de facto a year older.

My grandmother had a hard life, giving birth to six children and cradling eleven grandchildren in her lap. On the eve of her death, she openly admitted that she was older than we thought. It was easy for her to open up then because my grandfather had long been gone, and GDPR still did not exist.