The Commissioner for Information of Public Importance and Personal Data Protection has sent a letter to the Serbian Government indicating that the conditions of the normative regulation in the field of classifying confidential data is such that it involves serious risks both for exercising the rights of the public, but, also, maybe in greater measure, for the security interest of the country and general legal security.

Two years after it was passed, the Data Confidentiality Act does not function very well, that is - it does not function. The Commissioner’s opinion is that the field of data confidentiality is in a state of troublesome improvisation, where not a single piece of information labelled confidential can be certainly said to be classified in a completely legal way and where, accordingly, it is very problematic whether you can, in a legal way, raise a question of anybody’s criminal liability for disclosing such information. The problem of a huge amount of inherited old secrets has not been solved and, at the same time, new secrets are being produced without reliable criteria. The Commissioner has estimated that all the conditions for undertaking urgent measures exist, including the need to amend the Act or replace it with a completely new one.

Concerning this, the Commissioner Rodoljub Sabic has also said:

“The main weakness of the Data Confidentiality Act is that for it to be enforced it is envisaged, as necessary, to adopt an enormous number of by-laws. The Government has adopted a certain number of those by-laws. Unfortunately, only one by-law was adopted on time. The rest were adopted with shorter or longer delays or were not adopted at all. And the most dangerous thing is that the Government has not passed the most important by-laws for the enforcement of the Act. The Government has not established the specific criteria for determining the levels of confidentiality, such as “state secret”, “top secret”, “confidential” and “internal”.

Because of the above mentioned, we do not have clear standards on the content of any level of confidentiality and the authorities could not enforce the provisions of the Law on Protection Measures and Records, nor perform other duties.

Supervising the implementation of laws and legislation passed based on the law should be the responsibility of the Ministry of Justice which does not possess basically any resources to perform that function, so the supervision is basically not performed.

The Heads of all the authorities had an obligation to review old labels of the confidentiality levels within two years. Unfortunately, but logically, the desired effects are lacking since the norm, which was supposed to provide declassification of the large amount of documents which still bear the formal label of confidentiality, even though there is no real need for that, does not envisage any sanctions for possible failure to meet this obligation, and that was something that the Commissioner warned about at the time when the Law was adopted.

The authorities had an obligation to harmonise their organisation with the provisions of this Law within a year, and within two years’ time to make sure that all the employees, who had access the confidential data, obtain the necessary certificates. The deadlines expired and the obligations were not met.

All this leads to a conclusion that an important field is in a state of troublesome improvisation. The responsible attitude towards the right of the public to know, but also towards the security interests of the country and legal security, demands the change of that condition immediately.”