The data protection authorities of each member state form a decentralized system for protecting the personal data of European and Croatian citizens. Politiscope therefore conducted an analysis of the work of the Croatian data protection authority – the Croatian Personal Data Protection Agency. The analysis is intended for decision-makers in the executive branch who appoint the agency director, for members of the Croatian parliament who adopt the Government’s proposal of the agency director and monitor the work of the institution, and for the expert community, media and the wider public, which hold holders of public office accountable. The analysis gives recommendations on legislative and institutional improvements to the current framework for personal data protection, in an effort to do away with illegitimate and illegal data collection and processing practices.
The independence of the oversight institution is the focus of the analysis, since political capture and a declining rule of law are evident in the appointment of a person extremely close to the ruling party and the Government. Even though the Agency belongs to a network of independent institutions protecting constitutional rights and overseeing other branches of government, the Government treats it as just another executive agency. The Government appointed a person with deep political connections in a permanent conflict, who also does not meet the minimum expertise requirements set forth by the Croatian Law on the Implementation of the GDPR.
The agency’s subordination to the Government is clearly visible in its refusal to take a proactive role in any of the data collection and processing matters that were part of the wider effort to curb the pandemic. The agency remained silent, even though all data collection instructions issued by the Croatian Public Health Institute were illegal and illegitimate, since a separate legal framework in accordance with recitals 45 and 52 of the GDPR was not created.
In its annual reports submitted to the Parliament, the agency paints a false picture of having a team of IT experts. Information provided by the agency in answer to our FoIA request points to the conclusion that merely one, or perhaps two, persons have the capacity to monitor modern technological practices of data collection and at the same time possibly do this work. The agency needs a clear plan for developing its technological capacities, but a prerequisite for this is truthful reporting to the Parliament on the agency’s current human resources.
In the brief analysis of the Law on the Implementation of the GDPR, special focus was placed on two key features: the exemption of public bodies from financial sanctions, and the publication of administrative fines in anonymised form until the administrative act becomes final, confirmed in court. The exemption from financial penalties has brought about a sense of impunity among public bodies. When information about a data controller who grossly violated the fundamental rights of their client is anonymised, one of the basic purposes of sanctioning violators of the Regulation is not realized – informing citizens about data controllers that employ illegal practices. The GDPR presents numerous opportunities for developing exceptions or further widening the scope of the Regulation’s provisions through national legislation. Unfortunately, this opportunity was not used, except in one thematic area – video surveillance.