Đurišić: The Ministry of Interior sent the Draft Law on Personal Data Protection to the European Commission last week, the public does not know yet what it contains

Montenegro, after 14 years of negotiations on EU accession, has taken only the first step toward aligning with the General Data Protection Regulation (GDPR), the EU’s key privacy law, which was adopted by the European Parliament 10 years ago and came into force across the Union two years later, said editor of investigative and digital projects at Raskrinkavanje.me Jovana Đurišić.

According to her, the Ministry of Interior sent the Draft Law on Personal Data Protection to the European Commission last week, in order to create the preconditions for Montenegro to align with the GDPR.

- When people hear about the GDPR, or General Data Protection Regulation, it often sounds like nothing more than boring bureaucracy and unfamiliar acronyms. However, it may matter more if you know it determines how large companies behind social media platforms use the data they collect about you. It also concerns what data banks and healthcare companies collect, whether someone sends you messages and advertisements without your consent, and ultimately what data state institutions collect about you, how they use it, and whether they collect it lawfully - said Đurišić.

She adds that it also concerns what data banks and healthcare companies collect.

- Whether someone sends you messages and advertisements without your consent, and ultimately what data state institutions collect about you, how they use it, and whether they collect it lawfully. When GDPR is applied, institutions must not only follow the rules, but must also be able to demonstrate the legality of processing, limit the purpose and scope of data, and respond in case of breaches - Đurišić emphasized.

Until recently, GDPR was not widely discussed in Montenegro.

- However, with the adoption of the Law on the National Security Agency and the Law on Internal Affairs, this regulation has come into focus both domestically and at the European level. Brussels clearly told Montenegro that the provisions of these laws are not aligned with the Data Protection Regulation, while the Government maintained that alignment would occur once the legal framework is in place, i.e. once the Law on Personal Data Protection is adopted - Đurišić stated.

The European Commission confirmed that it has received the legislative proposal and that it is currently under review.

- The public still does not know what is written in the draft law submitted to the EU for opinion - Đurišić stressed.

The EC expects full alignment

The European Commission stated that Montenegro must adopt laws fully aligned with the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) in order to meet the criteria for closing rule-of-law negotiation chapters. EU officials, according to the Commission, reminded the government of the need to prioritize the fundamentals of the accession process - key chapters on democracy.

- We have received assurances from the Montenegrin government that their legal framework will be aligned with the GDPR and the Law Enforcement Directive in the short term - the EU headquarters told Raskrinkavanje.

They also noted that the European Commission has provided technical assistance to Montenegrin authorities over the past several years and remains ready to continue supporting the process.

- We look forward to consultations on mature draft laws so that Commission services can assess and confirm full alignment - the EC stated.

Aligning Montenegrin legislation with the GDPR is part of the negotiation framework, however, the process of preparing key laws in this area has been delayed for years.

Đurišić notes that although work on the new Law on Personal Data Protection began back in 2019, the last version seen by the public was a draft published in March 2024.

- That document was never sent to Parliament, nor has the public received an explanation of the law’s current status. The current draft has now been sent to the EC for review, but the public is still unfamiliar with its provisions. No public debate has been organized, and given that June is the deadline for its adoption, it is highly questionable whether such a debate will take place at all - said Đurišić.

Why is GDPR important?

In today’s digital environment, where we spend more time than in the real world, data collection and processing have become routine.

- Every online trace we leave, whether searches, clicks, posts, or personal data such as card numbers or health records, is recorded, analyzed, and used for various purposes. Based on this data, the content we see online every day is curated. That is why the European Union established two key legal frameworks: the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA). Together with the Digital Markets Act and the Artificial Intelligence Act, these form the foundation of digital ethics and regulate how our data is processed. At least within the EU – Đurišić said.

Snežana Nikčević from the NGO 35mm explains that GDPR can be seen as a baseline standard without which it is difficult to discuss functional privacy protection, as well as other areas of digital regulation.

Alignment with GDPR, under ideal conditions, should bring a qualitative change in how personal data is processed in Montenegro, Nikčević says.

- The key difference compared to the current framework is not the mere existence of a law, but the standards introduced by GDPR. Institutions must not only comply with rules, but must also demonstrate lawful processing, limit purpose and scope, and respond in case of breaches (for example, through clear procedural mechanisms such as mandatory privacy impact assessments when processing poses high risks, such as surveillance, profiling, or handling sensitive data) - Nikčević explained.

Montenegro, she recalls, already has a law on personal data protection, but GDPR introduces operational standards that have not yet been systematically implemented in practice.

This is reflected, she explains, in limited supervisory capacity, underdeveloped internal procedures within institutions, and weak application of principles such as proportionality and data minimization.

- At the same time, certain parts of the private sector, especially companies operating in the EU market, already apply GDPR standards, creating an asymmetry between the regulatory and market frameworks, in which higher standards exist in business practice but are not fully reflected in institutional operations - Nikčević noted.

She emphasizes that alignment is not a new issue, as draft laws have existed since 2019, and the need for GDPR compliance has been consistently highlighted by experts and civil society.

- Despite this, the law is only now entering its final stages, in parallel with the intensification of other digital regulation processes. This indicates a discrepancy in priorities, given that data protection is the foundation for all other digital policies. In this context, some recent legislative processes, particularly in the security sector, have highlighted the need for clearer alignment with data protection standards. Risks have been identified regarding broad powers for data processing and insufficient oversight mechanisms, further confirming the importance of a systemic approach to this issue - Nikčević stated.

Currently, the only body authorized to act in cases of data protection violations is the Agency for Personal Data Protection. However, since the existing law is not aligned with GDPR, the Agency’s scope of action is limited, as it can operate only within the powers defined by the current law, which does not adequately address the challenges posed by modern digital technologies and artificial intelligence.

With the adoption of a new Law on Personal Data Protection, which will incorporate GDPR provisions and is expected later this year, citizens of Montenegro will be granted a level of personal data protection equivalent to that of EU citizens.

However, Nikčević warns that the importance of GDPR lies not only in formal legislative alignment, but in establishing operational standards and institutional practices that enable consistent, proportionate, and legally secure data processing.

- Without this, there is a risk of having a normative framework that is partially aligned but insufficiently applicable in practice - Nikčević concluded.