Data-protection in the Western Balkans and Eastern Partnership Region
Brussels, 18-22 September 2023
The high-level exchange and learning week on data protection, a joint initiative of SIGMA/OECD, RCC, ReSPA and GIZ, aims to connect experts from the Western Balkans and Eastern Partnership regions with the key EU actors in the area of data protection and to familiarise them with the latest updates to the EU's robust policy and legal framework on data protection.
Experts from the European Data Protection Board and the European Data Protection Supervisor shared in-depth knowledge of the latest trends in the specific legal, policy, institutional and methodological issues pertaining to data protection as applied in the EU. These can serve as models for spurring legal certainty for both individuals and organisations processing data, and greater protection for individuals in general, in the Western Balkans and Eastern Partnership regions.
Connectivity and joint forces bring better results. This time, the SIGMA Programme, the “Eastern Partnership Regional Fund for Public Administration Reforms” led by GIZ, the Regional Cooperation Council (RCC) and the Regional School of Public Administration (ReSPA) are jointly supporting high-level data protection officials from the Western Balkans and Eastern Partnership regions to exchange views on common challenges and approaches, finding the most efficient ways to overcome them by learning from their EU colleagues from the EDPB, the EDPS and data protection authorities from specific EU Members.
The first day of the exciting and intensive high-level exchange and learning week on data protection started with greetings from the four organisers, OECD/SIGMA, GiZ, RCC and ReSPA, and thanks to high officials from the eleven economies from the Western Balkans and Eastern Partnership for accepting the idea and invitation to be part of this journey aimed at meeting with key EU actors on data protection (European Data Protection Board, European Data Protection Supervisor, DG NEAR, DG Justice and European Parliament) and getting familiar with the latest developments in this important area.
Getting together the representatives from two regions working in the same area was seen from the initial stage by four organisers as a valuable opportunity for data protection high officials to meet up, share experiences, make contacts and keep up this potential network in the future. Referring to this notion, Nick Thijs, Senior Adviser, OECD/SIGMA welcomed participants and officially opened the event of the working visit.
Head of the SIGMA Programme, Gregor Virant said that while SIGMA is present in both regions this joint visit is an added value that can be used as an opportunity for exchanging experiences about processes and work that Western Balkans colleagues had already done within the process of accession to the EU. He has also stressed that public administrations should not by any means see data protection as an obstacle to reforming the administration towards efficient administrations that provide user-centric and user-friendly public services. Virant reminded the audience that the importance of data protection is reflected in being one of the sub-criteria for monitoring the progress in reforms of PAs in new Principles of public administration that will be officially launched at the beginning of November.
Maja Handjiska Trendafilova, director of ReSPA joined in the statement regarding the benefits of having together two regions in a visit on such an important topic and the advantage of having the opportunity to get better insights into all aspects of data protection in the EU. Knowing that the efforts have been made in aligning legislative solutions with Acquis and EU standards in this area, Handjiska Trendafilova called for acquiring additional information and insights during this visit so that the gaps in the implementation could be better addressed. The need to build capacities in the administrations to more effectively approach data protection is acknowledged across the board and ReSPA through its capacity-building actions and specific instruments of support may contribute to meeting the demand for such capacity building.
Pranvera Kastrati, Acting Head of the Programme Department in RCC referred to the leading role of RCC in the digitalisation in the Western Balkans and reminded that data protection has been part of data governance and as such is the part of RCC programme for years. Looking at this event as initial proof of growing cooperation between two regions, Pranvera called for proactively using the opportunities to bring these regions together on the topics of interest. She reflected on different benefits but also challenges that the internet brought into the lives of societies and stressed that not only data protection authorities are guardians of personal data and privacy of citizens but also that economies need to invest comprehensive efforts in protecting the rights of all citizens not forgetting the vulnerable groups of children and elderly population.
Sandra Fuhr, Regional Director, GiZ said that in GiZ the intention to see both regions together is a wish that has existed for a long time. She emphasised how data protection is a key issue in digitalisation processes, and how important it is to think of data protection at the beginning of digitalising administrative procedures.
The meeting proceeded with introductions and presentations from DG NEAR and DG JUSTICE and their respective work in the data protection domain.
Dominika Skubida, Policy Officer in the Thematic Support Unit, Rule of Law, Governance and Security in DG NEAR, pointed out that data protection is in the group of fundamental human rights and that EU standards in this area can be certainly seen as the golden standards even globally. She called for ensuring the balance between efforts that are put into the protection of personal data with another right related to the free flow of information and emphasised the aspect of emerging technologies within such balance. Referring to the support that DG NEAR provides specifically in this area, including the important support to CSOs, she has communicated the message that candidate economies need to ensure the comprehensive protection of personal data, not only at the side of public administration but from all the actors in the society.
Alisa Vekeman, Head of Sector for Data Flows and Other International Aspects of the Digital Economy (DG Justice & Consumers), shed light on how data protection is increasingly seen as a competitive advantage for private-sector entities in the context of the global economy. There is also, according to Vekeman, a widespread understanding that keeping data protection high on the agenda in a particular country is proof of the trust placed in governments, which also increases the market range and economic standing.
The initial introduction to the European Data Protection Board (EDPB), before the actual visit tomorrow, was provided by Anu Talus, Chair of the EDPB. Explaining the structure and organisation of the EDPB, Talus referred to the main components of the EDPB's mandate and work, emphasising the strategic importance of international cooperation for the EDPB. Gwendal Lagrand, deputy head of the EDPB Secretariat, elaborated in more detail on the importance of the Guidelines that the EDPB issues on different aspects and provisions of the GDPR and how they can be used for enhancing the implementation of data protection. A specific “Guide for small business” is an example of guidelines that might be used across Europe for data protection in the private sector. It is obvious, according to Lagrand, how the GDPR additionally creates public awareness of the overall importance of protecting personal data.
A dynamic discussion followed, and the attendees showed particularly high interest in data protection and AI. Lagrand responded that the GDPR already fosters principles that are genuine safeguards against misuse of AI, while the upcoming EU act on AI will provide an additional framework of protective measures.
Leonardo Cervera-Navas, Secretary-General of the European Data Protection Supervisor (EDPS), presented the main competencies of the EDPS, underlining that independence is a crucial factor for data protection authorities to fulfil their authentic role. He referred to promoting a culture of data protection that, once created, helps much in the implementation of data protection in any society. The often-present perception of data protection authorities as the “No” authorities needs to be avoided by creating positive relations and cooperation with governments.
The experiences of data protection high officials from Italy, Spain and Norway attracted much interest from the audience. Apart from the mandates of data protection offices in these three countries, real-life examples of data breaches were shared. The message was conveyed by Luigi Montuori (Head of Service for EU and International Matters, Italy) and Pablo Manuel Mateos Gascueña (Data Protection Sub-inspector, Agency of Data Protection, Spain) that in the process of reviewing data breaches the balance between freedom of expression and the right to privacy needs to be carefully kept, while taking care of the context in each particular case where the personal data were misused. Tobias Judin, Head of the International Norwegian Data Protection Authority, pointed out how the variety of expertise within the staff is crucial for the functioning of the Norwegian Data Protection Authority, not only for its core functions but also for the research work on the impact of new technologies on data protection that the Norwegian authority started a few years ago.
Hrachik Yarmaloyan, from GiZ, drew attention to the aspect of prevention, education and awareness raising when it comes to data protection. One of the modalities of raising awareness of the importance of data protection might be, according to the Spanish experience, to tackle data protection more vigorously when the breach comes from big companies.
Dynamic discussions alternated with lively conversations and talks during the breaks on this intensive first day of the learning week on data protection.
And another exciting day full of new information, contacts, insights and discussions!
On the second day of the High-level exchange learning week on data protection, the representatives of data protection authorities from eleven economies from the Western Balkans and Eastern Partnership visited the key EU institutions dealing with data protection - the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB).
After a warm welcome, Leonardo Cervera-Navas, Secretary General of EDPS presented the role of EDPS as the EU’s independent data protection authority that monitors and ensures the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals. The complex role of EDPS extends to consulting the European Commission on proposals for legislation, monitoring new technology that may affect the protection of personal information, intervening before the Court of Justice of the EU and co-operating with national supervisory authorities and other supervisory bodies to improve consistency in protecting personal information.
The following three presentations provided detailed insight into the mandate, organisational set-up and work performed in the three main pillars of the EDPS: the Policy and Consultation, Supervision and Enforcement, and Technology and Privacy units.
Olivier Matter, Head of International Co-operation presented the work of the Policy and Consultation Unit with deliverables stemming from the Unit’s role when advising EU institutions on legislative and other proposals, co-ordinating with international bodies and intervening on behalf of the EDPS in cases before the Court of Justice of the EU. The EU Digital Rulebook project that the Unit implements also advises on a number of specific acts related to digital data, including the Data Governance Act, Data Act, Artificial Intelligence (AI) Act, Digital Services Act, Digital Market Act and Common Data Spaces Act. Plamen Angelov, Head of Activity for Justice and Home Affairs answered questions from participants and explained that in the EU, the GDPR has the priority over other laws with the obligation in the EU that all legislative acts are aligned with GDPR provisions. He reiterated that the EU is at the forefront of regulating AI globally and that EDPS has its role in advocating that certain AI applications need to be regulated specifically for the enshrined data protection rights.
The work of the Supervision and Enforcement Unit was presented by the Head of Unit, Thomas Zerdick, with a focus on "hands-on" experience of investigation methodology and tools related to the investigative, corrective and advisory powers of the EDPS. Massimo Attoresi, Deputy Head of Technology and Privacy Unit talked about this unit’s work and expertise that is currently additionally invested in the pilot projects of Tech Sonar, Website Evidence collector, EU Voice / EU Video and others, which all have a strong foresight component.
At the end of the visit to EDPS, Wojciech Wiewiórowski, the European Data Protection Supervisor, underlined the importance of the EDPS, especially on advising national parliaments, governments and other institutions and bodies on legislative and administrative measures relating to the protection of personal data. Mr. Wiewiórowski said that co-operation and exchange of experiences between regions and administrations related to data protection is welcomed and needed so that all aspects, achievements and failures equally, are discussed and advice is transferred by bilateral cooperation and events such as this learning week.
The second day continued with a visit to the European Data Protection Board, where, for the occasion of this learning week a dedicated plenary session of the EDPB was organised. Welcoming the eleven participating delegations, the Chair of EDPB, Anu Talus opened the plenary session giving the floor to the SIGMA Programme to present the overall aim of this unique endeavour and to each delegation to present the state of play in their respective economies. Nick Thijs, Senior Adviser, SIGMA briefly presented the work of SIGMA, GiZ, RCC and ReSPA and underlined that this event is the result of the efforts of all four organisations in assisting the economies from the Western Balkans and Eastern Partnership on their accession path as well as in reforming their public administrations. Meeting and getting insight into key aspects of data protection in the EU is part of these efforts and the readiness of EU interlocutors to share their knowledge and experiences is accepted with great interest and appreciation.
The session continued with brief presentations of the state of play in data protection by each delegation. The presentations offered information about the existing legislative frameworks, organisational structures, challenges, initiatives and projects related to data protection in all eleven economies. The questions and reflections from the EDPB members from Germany and Italy showed that, besides the interest in the situation in data protection outside the EU and the challenges being well understood, the support already provided to the regions will continue and could be developed further based on bilateral dialogues. In that sense, the needs for capacity building in data protection need to be communicated to Member States. Tanja Maras, Expert on Digital Connectivity, RCC, said that RCC stands ready to support the region in implementing this important agenda and encourages the participants from WB economies to share their needs with RCC to allow for structured and tailor-made support.
The Chair of the EDPB thanked all delegations for their attendance and underlined that the Guidelines of the EDPB are available and might certainly be a resource when enhancing practices outside the EU. Anu Talus said that this visit will have an impact on further reflecting on what can be done from the side of the EDPB.
This exciting day, characterised by abundant information and insights shared, ended with a cocktail that was another opportunity to meet, communicate and network in an informal setting.
After the great impressions obtained at the EDPS and during the session with the EDPB, the third day of our data protection learning week started with the 1st round of sharing information between participants about the data protection context in their respective countries. The legal and institutional aspects of the state of play in data protection attracted as much attention as the challenges and opportunities.
The data protection contexts in Ukraine, Serbia, North Macedonia and Montenegro were presented and discussed.
The delegation from Ukraine provided information on actions related to the pressing need to ensure informational confidentiality and data protection translated into efforts to update Ukrainian legislation, with the new Law on Data Protection being in the process of adoption. The main challenges relate to the growing number of cyber threats and the need to educate citizens and employees of state authorities about the importance of personal data protection. These challenges are being addressed and are becoming opportunities for creating an effective national system of personal data protection and an appropriate mechanism for introducing liability.
The legal set-up in Serbia in data protection includes protection of the right to access information of public importance and the right to personal data protection. Raising awareness of the need for and importance of personal data protection, the increased need to protect personal data in the context of modern technologies, and the lack of IT experts are prevailing challenges related to data protection in Serbia.
The legislative framework of North Macedonia is fully aligned with the GDPR and the National Population Register is the central database that can be used when creating e-services containing personal data. The challenge that hampers full digitalisation of e-services and relates to the data protection area is the lack of harmonised legislation that would allow referral to and use of data from the National Population Register when creating e-services.
In Montenegro the Law on Personal Data Protection is in accordance with the Directive 95/46/EC that is still in force in Montenegro, while the law that is in accordance with the GDPR has not yet been adopted. The essential challenges relate to the independence of the Agency and in particular its financial independence.
The day continued with a visit to the EU Parliament. A meeting was held with the secretariat and the Chair of the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee). Mr. Lopez Aguilar warmly greeted the delegations from the Western Balkans and Eastern Partnership and emphasised the fact that the EU has the highest standards in data protection globally. According to Aguilar, although the GDPR has led to well-established practice for dealing with third parties, there are still situations in which this remains a significant challenge, both for the organisations concerned and for the data protection authorities. Additionally, he reminded participants of the avant-garde role of the EU in promoting and regulating the responsible use of technology to ensure respect for privacy. Aguilar called for synergy in the efforts to promote and implement data protection as a clear indication of the acceptance of the EU social model.
The visit continued to the European Parliament Hemicycle in the vibrant heart of European democracy, where Members of the European Parliament gather during plenary sessions to hold the largest and most important debates.
The fourth day of the learning week started with sessions with the Belgian authorities working in the data protection area. The Belgian Federal Public Service of Policy and Support (BOSA) and the Belgian Data Protection Authority are key institutions engaged in assuring data protection in the provision of public services and in the overall oversight and implementation of measures stemming from GDPR provisions. Malik Weyns, area manager from BOSA, presented how BOSA helps government departments and agencies to elaborate and initiate digitalisation projects and co‑ordinates their implementation. He provided an extensive overview of the system of networking of public services while implementing the once-only principle in the delivery of public services. In the complex state administration structure, BOSA assures that all services are integrated and that users access only one service integrator that connects all provider portals (mydata.belgium.be), while checking and specifying the authorisations issued by public agencies on which data can be published, fully respecting GDPR rules. Cédrine Morlière, President of the Belgian Data Protection Authority (DPA), presented the work of the DPA, which in addition to implementing the tasks stemming from the GDPR includes the provision of legislative advice, awareness raising, prevention (through assistance to data protection officers) and research. Morlière emphasised that although it is a good sign that the number of requests for information is constantly increasing, this hampers the provision of legislative tasks related to work on complaints. Based on recent and upcoming EU legislation concerning the use of AI, there is an understanding in the DPA that the need for technical expertise will arise. The Litigation Chamber was specifically presented by Eric Vandenbosche, and attendees posed a number of questions on legal proceedings, sanctions and relations between judicial bodies when sanctioning violations of GDPR rules.
The dynamic discussions of the presentations from the Western Balkans and Eastern Partnership economies that started the previous day continued. Moldova, Kosovo**, Georgia, Azerbaijan, Armenia, Bosnia and Herzegovina and Albania provided the information regarding the data protection state of play in their economies and presented challenges met and envisaged solutions and projects.
The situation in the Republic of Moldova is of a transitional nature, developing new legislative acts that will include EU data protection provisions to a greater extent. The National Centre for Personal Data provides an extensive report to the Government that includes information on breaches of data protection rights and proposals for inspection. The main challenge is the training needed for the DPA as well as for Data protection officers (DPOs).
The Privacy Agency of Kosovo** is an independent supervisory body accountable to the Assembly of the Republic of Kosovo that oversees implementation of the Law on Access to Public Documents and the Law on Personal Data Protection, which is aligned with the GDPR. The biggest challenges relate to training of DPOs, although actions are expected to be in synergy with the private sector and the recently created network of DPOs.
In Georgia the Personal Data Protection Service’s main function relates to reviewing citizens’ applications regarding personal data protection. The new Law was adopted in June 2023 and it is aligned with GDPR. The main challenge will remain the new institutional framework stemming from the new law and practical implementation of the new law.
In Bosnia and Herzegovina the Personal Data Protection Agency implements the Law on Personal Data Protection in Bosnia and Herzegovina, issuing binding decisions. Harmonisation of legislation on personal data protection in Bosnia and Herzegovina with the GDPR and the limited capacities of the Agency are the priorities to be addressed.
In Azerbaijan the Data Protection Department of the Electronic Security Service is the main body for the implementation of the Law on Personal Data, and it requires state authorities, legal entities, and physical persons involved in the collection, processing, and protection of personal data to eliminate violations of the Law on Personal Data. Legislation that is better aligned with EU standards is needed, as well as assistance to public officials in drafting the new law.
The Personal Data Protection Agency is the independent authorised body in Armenia functioning as the state DPA. In addition to the need to further align the existing Law of Armenia on Protection of Personal Data, other laws need provisions related to data protection. The lack of knowledge and need to educate public and the civil service are the biggest challenges and priorities to be addressed in Armenia.
The General Directorate on Personal Data Protection and Data Protection Commissioner fulfil the role of DPA in Albania, implementing at the same time the Law on Protection of Personal Data and the Law on the right to information. The Commissioner’s Office issues binding decisions, can make investigations and impose sanctions and fines. There is already a good relationship established with the EDPB and Albania strives to expand and strengthen it, while the main challenge for the Albanian DPA is the education of public institutions, wider awareness raising and practical support to DPOs.
The last day of the learning week included the presentation of a Flemish data utility company for processing personal and sensitive corporate data, and a session dedicated to summarising the whole visit with direct input from the participants.
Athumi is a new Flemish public company bound by a statutory mandate to process personal and sensitive corporate data in a smart and secure way, ensuring that all who share their data through Athumi services retain full control and transparency. A great quantity of data is used and processed by private companies (for example, utility companies) and the lack of trust by citizens in private companies handling their data is widely perceived (seven out of ten citizens in Belgium, according to SolidLab Digimeter). The role of Athumi is to provide support to all sides to enable the private sector to get “more data more usable for more companies” while citizens are in a position to securely participate without relinquishing control of their data. This innovative approach to protecting the data of citizens so they can be safely used by a number of private and/or public actors was presented using the example of a “diploma case”. In this practice, citizens/candidates easily create (via My Citizen Profile) a digital, personal data vault where they securely store data such as diplomas and share it with Randstad (a fully-fledged service provider in the area of human resources), with collaboration established and secured by Athumi. Candidates give permission to share their diplomas, which they can also revoke at any time. Thus, Athumi establishes data collaboration in an ecosystem of partners, where consumers control their data via a personal data vault.
In the following session, eleven delegations from the Western Balkans and Eastern Partnership shared their feedback on the outcome of the learning week and outlined main challenges related to data protection for their respective economies, now incorporating the insights accrued during the learning week.
All participants found that learning week fulfilled its aim and was a unique opportunity for meeting, learning and exchanging with key EU actors (European Data-Protection Supervisor, DG Justice, European Parliament) in the area of data protection as well as gaining insights into the latest developments. At the same time, there was an added element with the possibility of exchanging and learning from each other about common challenges and approaches.
For Albania, raising awareness on data protection issues has been a focus since the economy suffered a cyber-attack that revealed a lack of knowledge on data protection in society generally. The lack of capacities of the DPA and the financial aspect of its functioning remain the biggest challenge. It is expected that a higher level of awareness might have a positive influence on getting more funds for DPA functioning.
In Armenia, apart from the need for training of DPOs, challenges include the increase in the number of digitised services and in the number of platforms hosted by public institutions coupled with a lack of exchange of data between governmental institutions and the application of once-only principle.
Similarly, in Azerbaijan, data exchange within e-government structure is being burdened with issues related to data protection with additional needs for specific technical training for the DPA on inspection and certification.
In Bosnia and Herzegovina, the adoption of the new Law on Data Protection (now in draft version) remains a challenge and its full alignment with EU standards is needed and would require technical assistance.
In Georgia, as the new Law on Data Protection will be in force from March 2024, there is a need to create additional sets of documents, such as guidelines or specific acts, for which the experience from the Western Balkans could be useful.
For DPOs in Kosovo**, additional education is needed while experiences from the EU would be valuable for designing comprehensive awareness-raising actions. Small scale exchange of experiences related to specific topics could be useful.
Having one legislative framework (for data protection and freedom of information), as is now the case in Montenegro, creates problems for implementation, and the possibility of separating these two pieces of legislation could be explored. It is necessary to be continuously updated on the developments in data protection in the EU, and more exchanges of experience are needed on every level.
In Moldova, the work on drafting the new law on data protection has started and upon its adoption the insights into practical implementation will be sought from EUROJUST and EUROPOL. Apart from awareness raising, training for the DPA remains a big recognised need.
For the delegation from North Macedonia, the question of becoming an observer of the EDPB is of importance while the interest and need exist for experiences and good practices from the EU related to specific issues (for example, open-source usage).
Serbia faces challenges in further harmonisation of the data protection law, education of DPOs on children’s rights, strengthening the capacity of the DPA, certification of DPOs and the lack of IT employees.
In Ukraine, the new law that will relate to data protection is in the procedure of adoption while the country is facing numerous cyber-attacks and other macro challenges such as the lack of knowledge and awareness in the public about data protection. At the institutional level, there is a great need to learn from others on good practices of the DPA’s functioning, and on specific technical issues such as the use of drones and specific digital tools in the context of data protection.
All delegations stressed the importance of the opportunities that could be used for furthering the agenda in data protection based on the contacts made during this learning week. Exchanging the existing knowledge accumulated in different economies on a variety of technical and legislative issues, building networks and continuing to learn from the EU in the future could lead to enhancing the profile of data protection and the application of the European standards in this area in the Western Balkans and Eastern Partnership.
* The content of presentations is the sole responsibility of the authors and SIGMA/OECD and does not necessarily reflect the views of the Regional School of Public Administration (ReSPA). Neither the Regional School of Public Administration nor any person acting on its behalf are responsible for any use that might be made of the information contained in the presentations. The Regional School of Public Administration is not responsible for the content of the external websites referred to in the presentations.
** This designation is without prejudice to positions on status, and is in line with United Nations Security Council Resolution 1244/99 and the Advisory Opinion of the International Court of Justice on Kosovo’s declaration of independence.