Agency for Personal Data Protection and Free Access to Information must be liable for the series of illegal decisions

Centre for Civic Education (CCE) received the minutes of the supervision of a natural person, who is the creator of the application https://www.crnagorakorona.com/home. The minutes represent the long-awaited response of the Agency for Personal Data Protection and Free Access to Information to the initiative submitted by the CCE to the Council of the Agency in March 2020, which referred to determining the legality of personal data processing on that web page.

The CCE expresses concern about how the whole procedure about this issue has been conducted by the Agency. Primarily because the Agency for Personal Data Protection and Free Access to Information first determined the legality of an application that was not in question, and then because of the chronology of actions. This raises the question of liability due to failure to comply with deadlines for conducting supervision, but also the capacity of the institution that does not know who is its subject of supervision. The question is whether the Agency would ever have conducted the supervision, if the CCE had not addressed the Protector of Human Rights and Freedoms, who, acting on the CCE’s initiative, required them to submit a report on actions and measures in this particular case.

Insight into the report of the Agency indicates that in the particular case, the obligation to draw up the minutes within the legally prescribed time limit was grossly violated. Namely, it took the Agency four months to conduct supervision, which made it meaningless as the controversial application was no longer active and did not contain the disputed data. At the moment when individuals’ rights to privacy are in question, the prompt and effective reaction of the competent authorities that would prevent enormous damage to them is crucial, and it was omitted in this case. The minutes also contain numerous legal contradictions, which cause reasonable doubt in the professional capacities of the persons who conducted the supervision, as well as the Council of the Agency for Personal Data Protection and Free Access to Information headed by the President.

CCE disproves the statement of the Agency for Personal Data Protection and Free Access to Information that the natural person, creator of the application https://www.crnagorakorona.com/home is the administrator of the personal data collection because these are data that were publicly available on the website of the Government of Montenegro following the opinion of the Council of the Agency. Based on that opinion, the Government made its decision, which was later revoked by the Constitutional Court, stating, amongst other things, that ‘publishing personal data on persons undergoing self-isolation created a prerequisite for their stigmatization, and their data can be used by an illimitable number of citizens.’

Also, if the administrator of the personal data collection plans automatic processing of personal data, which represents a particular risk to the rights and freedoms of individuals, he has a legal obligation to obtain the consent of the supervisory body before each automatic processing of personal data, which Agency for Personal Data Protection and Free Access to Information acknowledge but does not apply. It essentially annuls the interpretation of the Personal Data Protection Law by giving preference to one criterion, in this case – to the public health. Thus, the opinion of the Council of the Agency for Personal Data Protection and Free Access to Information, which explicitly prescribes that ‘publication of the personal name and place of residence of persons undergoing self-isolation, according to the decision issued by Sanitary inspection, and all to protect public health, is not contrary to the Personal Data Protection Law’, set the stage for data processing without obtaining consent.

It is indisputable that with the unconstitutional and illegal opinion of the Agency for Personal Data Protection and Free Access to Information initiated series of violations of the right to privacy, which had its reflection through this application as well.

Therefore, we urge the President of the Council of the Agency for Personal Data Protection and Free Access to Information, as well as the Director, to resign and release this institution from chains of party influences, which should be independent and professional, and to finally increase protection of personal data and free access to information to the level expected in a democratic society. We expect that the decision-makers of all previous and numerous illegal decisions of the Agency for Personal Data Protection and Free Access to Information will finally be held accountable for such actions.

 

Tamara Milas, Human Rights Programme Coordinator