International In-house Counsel Journal Vol. 2, No. 8, Summer 2009, 1227–1238

Data Protection Regulation in the Republic of Kosovo and Compliance by the Companies: A Proposed Model for Kosovo

MERITA KOSTANICA Head of Legal and Regulatory Affairs, IPKO, Republic of Kosovo

I. Introduction

Most companies cannot survive without storing personal information of individuals in different forms. In today's information society the of this information is becoming of fundamental importance for different purposes of companies. Present trends in the way information flows around include widespread outsourcing arrangements, providing services from where companies find the best skills and productivity, working far away from the employer, and companies' split-up functions in many different countries, which transfer information between themselves online. Considering these scenarios, it is easy to see how the ability to process and transfer personal information can in effect be a company's lifeblood.1 Whilst the use of personal data for such purposes may make commercial and political sense, companies should not overlook the fact that the use of personal data is increasingly regulated.2 Data protection regulations exist to strike a balance between the rights of individuals to privacy and the ability of companies to use personal data for the purpose of their business.3 Any company processing and controlling personal data must comply with significant data protection regulations. However, companies often take no notice of the ever-increasing regulation of data protection that might affect their functionality in the market.

While in the European Economic Area (EEA) the flow and the protection of personal information is complex and fluid, and its regulation is continually developing, outside the EEA data protection is a relatively new issue. The Republic of Kosovo, for instance, is a case where data protection is not yet regulated as an issue on its own; consequently, this paper will outline the immediate need for data protection regulation in Kosovo.

The paper will begin by underlining the current status of regulation of privacy and data protection in Kosovo and will analyze whether this regulation is adequate. However, at this point, it should be noted that the aim of this paper is to outline the problems arising from the lack of regulation of data protection in Kosovo rather than privacy in general. Attempts of the policy makers to bring a specific law on this issue will be emphasized.

1 C. Kuner, European Data Protection Law, Corporate Compliance and Regulation, (Oxford: University Press, 2nd ed. 2007) p152.
2 Louise Townsend and Victoria Southern, “The cost of non-compliance with data protection law”, Privacy and Data Protection Journal, Volume 6 (07 August 2006) p1.
3 Ibid.

International In-house Counsel Journal ISSN 1754-0607 print/ISSN 1754-0607 online

The second part of this paper will focus on the problematic revolution as a consequence of an inadequate level of regulation of data protection in Kosovo, its impact on how companies process, control and transfer personal data inside the territory of Kosovo and the impact that the absence of this regulation may have on international business transactions as well as international investment in Kosovo, especially in the light of the restrictions on the transfer of data from the EEA to third countries. Emphasis will be given to legal matters as well as potential economic and reputation consequences that might arise from non-regulation of this issue. Further, the third part of this paper will emphasize the comprehensiveness of the EU regime in data protection. At this point it should be noted that it is beyond the scope of this paper to analyze the EU regime on data protection as a whole; rather, this part of the paper will discuss the effect that the implementation of the EU Data Protection Directive had on business activities throughout the EU.4 In its fourth part this paper's focus will continue with the consideration of the regulatory studies which would lead to the adoption of an adequate data protection law in Kosovo and an adequate authority to ensure the law is complied with. The paper will conclude with a call on the imperative need for adequate data protection regulation in Kosovo. However, it should be emphasized that this paper does not aim to solve the problems that arise from inadequate regulation of data protection but rather to underline them and also to raise awareness among competent authorities and business organizations of the importance of adequate legislation on this issue.

II. General Rules That Currently Govern Data Protection in Kosovo

There is no specific legislation on data protection; consequently, no independent data protection authority has been set up. However, it seems that policy makers attempted to distinguish between the two concepts, 'privacy' and 'data protection'. Firstly, Article 36 of the Constitution of the Republic of Kosovo considers privacy as a fundamental human right and also attempts to regulate data protection by stating as follows: “Every person enjoys the right of protection of personal data. Collection, preservation, access, correction and use of personal data are regulated by law”.5 Secondly, according to Article 22 of the Constitution, the provisions of the European Convention for the Protection of Human Rights and Fundamental Freedoms, and consequently provisions on privacy as a fundamental human right, are directly applied in Kosovo. Further, Article 168 of the Criminal Code of Kosovo provides a provision on Infringing Privacy in Correspondence and Computer Databases.6

Given the current regulation of privacy and data protection in Kosovo, one might ask whether in today's information society general privacy rights and obligations enshrined in a Constitution and other instruments are considered adequate regulation of data protection or whether policy makers intended to regulate data protection as a subject on its own based on Article 36 (4) of the Constitution stated above. These two concerns will be analyzed subsequently. Firstly, in today's society it is generally known that privacy legislation is not considered adequate in regulating data protection. Privacy and data protection concepts are not the same: 'On one hand the concept of data protection is narrower than privacy since privacy encompasses more than personal data, on the other hand, it encompasses a wider area, since personal data are protected not only to enhance the privacy of the subject but also to guarantee other fundamental rights, such as the right not to be discriminated against'.7 Secondly, it looks like the policy makers intended to regulate data protection as a subject on its own based on Article 36 (4) of the Constitution quoted above. From the first part of this provision it is clear that all persons have the right to the protection of their data. The second part, on the one hand, provides that the collection, preservation, access, correction and use of personal data are regulated by law, whereas, on the other hand, there is no law protecting these rights. So far, the policy makers have not taken the necessary steps to bring a specific law in order to transpose the data protection directive obligations.8 As for the Criminal Code provisions on 'Infringing Privacy in Correspondence and Computer Databases' provided above, it is clear that these provisions more or less regulate the secrecy of correspondence and do not even touch the regulation on how one can process and handle others' personal data.

4 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the movement of such data [1995] OJ L281/31.
5 Constitution of the Republic of Kosovo, adopted on 15 June 2008, available in English version at: www.kushtetutakosoves.info/repository/docs/Constitution.of.the.Republic.of.Kosovo.pdf (last visited on 01 June 2009).
6 Criminal Code of Kosovo, UNMIK Regulation, 2003/25, 06 July, 2003, available at: www.unmikonline.org/regulations/2003/RE2003_25_criminal_code.pdf (last visited on 02 June, 2009).

Given that there are no rules on protection of personal data in Kosovo, and consequently no data protection authority to ensure these rules, if an individual's personal data are breached, they may only seek to realize their rights before the applicable courts based on the general provisions outlined and analyzed above. However, Kosovo's judicial institutions remain weak and unable to deliver a proper service, both in the civil and criminal sectors; thus, individuals have additional reasons not to seek to realize their rights before the courts. Thus, the absence of the appropriate regulation creates disorder in how organisations process individuals' data on the one hand, and leaves individuals with no means of realising their rights on the other.

Attempts at specific regulation on data protection - It is of utmost importance to emphasize that on 22 July 2005 the policy makers adopted the Law on Information Societies Services, section 7 of which attempted regulation of data protection and the creation of a data protection authority.9 However, these provisions were never complied with and the provisions were abrogated accordingly. At present, there are indications that policy makers are working on a draft of a data protection law which would transpose obligations that arise from the EU Data Protection Directive; however, there are no indications of any regulatory studies which would bring adequate regulation.

7 See: European Data Protection Supervisor, 'Public access to the documents and data protection' (July 2005) 15, available at: http://www.edps.europa.eu/EDPSWEB/ (last visited on 06 August 7, 2008).
8 Commission of the European Communities report: Kosovo under (UNSCR 1244), 2007 Progress Report, Brussels, 6 November 2007, SEC (2007) 1433, p 48.
9 Law No. 02/L-23, available at: http://www.assembly-kosova.org/common/docs/ligjet/2005_02-L23_en.pdf (last visited on 27 June 2009).

III. Current trends on how information moves around and the problematic revolution

A. Current trends on how information moves around

Since 1999 there has been a total transformation in the way companies move information inside and outside the territory of Kosovo. From the time of old technologies, where information had to be processed manually, almost all companies adopted the new technology where all data is processed online. Nowadays, with the development of technology, the privatisation of socially owned enterprises, private investment and the growth of the economy in general in Kosovo, the concept of data transfer is much broader.10 However, there are no limits or means on how this information flows.

The attitude toward taking even the most basic of the data protection measures by the organizations that process and control data is the main problem.11 Any technology standing alone is going to struggle to resolve the problem without the right regulation and an appropriate body to ensure implementation.12 Data security is not an issue of technology only, but also of culture. The right signals on best practice data handling need to be communicated throughout corporations and organizations, until sensible approaches to data protection management become a normal part of standard operating procedures in today's organizations.13

The market in Kosovo for goods and services is expanding; thus, most of the companies in Kosovo do business in the global networked economy. These companies store the data of individuals, suppliers, consumers as well as business organizations in different forms. However, there are no conditions or means on how this information is processed and controlled. This has resulted in a problematic revolution that may affect the general growth of the economy in Kosovo, which will be analyzed subsequently.

B. Problematic revolution

The development of the economy and the rise of the collection of personal data by business organisations in the absence of proper regulation have brought with them a whole host of concerns. The lack of regulation in this subject creates enormous problems inside the territory of Kosovo and most crucially has an effect on international investment and the business between Kosovar and international companies.

i) Concerns Within the Territory of Kosovo

Companies take advantage of the lack of legislation in this matter by not meeting any of the principles that arise from data protection regulation in general. However, it is very important to emphasize that in many cases it is not that these companies have deliberately or maliciously failed to protect personal data, but rather they have not been aware of their responsibilities.14

10 Supra Note 1, p1.
11 Nigel Clarke, 'Industry viewpoint-RFID technology development and data protection', Privacy and Data Protection, Volume 8, (1 May 2008) p1.
12 Ibid.
13 Ibid.
14 Louise Townsend and Victoria Southern, “The cost of non-compliance with data protection law”, Privacy and Data Protection Journal, Volume 6 (07 August 2006) p3.

Companies collect any information they find necessary from their clients, even if it is not relevant to the purpose of the agreement between them. Clients are never told the purpose of collection of their additional personal data, nor is their consent for the transfer of their data obtained. Further, companies use this data for any other purpose which would commercially benefit them, resulting in a breach of most of the main principles that arise from general regulation of data protection.

In several cases, thousands of contracts of the clients have been transferred to other businesses without prior consent of the clients.15 Information provided in these contracts was used to replace their contracts with new ones and the clients were asked for additional information where necessary. Similar cases are contracts for broadcasting services between the broadcasting companies and their subscribers which do not provide a provision for protection of their personal data. In this case the Independent Media Commission Regulation on Cable Distribution of Radio and TV in Kosovo, which provides provisions on what clients' contracts for broadcasting services shall minimally include, did not provide that broadcasting companies in Kosovo shall include a data protection clause in the contracts with the clients.16

One of the key concerns is that individuals mostly are not aware that their personal data could be breached. However, those individuals that are aware of their rights are reluctant to seek the same considering that the judicial system remains weak.

ii) Impact on the international investment

After the declaration of the independence of the Republic of Kosovo in February 2008, one of the most important aims remains to attract international investment. Any company interested in investing in Kosovo or anywhere in the world will firstly consider all the risks that could arise from the investment and will judge whether the legal framework of the chosen country of investment could affect its business as a whole. The lack of regulation in data protection can affect international investment in Kosovo in several ways. Any Kosovar company interested in selling its shares to an international investor will come under scrutiny from the potential purchaser and therefore should consider whether arrangements are correctly in place.17 With a share sale, a purchaser buys shares in a company,18 in which case there is no new data controller, as the legal entity remains the same.19 However, the share purchaser would need to be aware of any potential non-compliance risks20 as the separate corporate legal personality of the company could be lifted and the parent company could be held liable for the actions of its subsidiaries in Kosovo.21

15 This paragraph is based on my experience as an In-House Counsel in Kosovar companies.
16 Article 17, CIMC/ 2007/04, available at: http://www.imc-ko.org/index.php?id=394&l=e (last visited on 29 June 2009).
17 Louise Townsend 'Data protection in corporate transactions', Privacy and Data Protection Journal, Volume 7 (01 September 2007) p1.
18 Ibid.
19 Lorry John and Allan Dignam, Company Law, Chapter 4 in general, Oxford University Press, (4th edition 2006); See also Dine Janet, Company Law (London Sweet and Maxwell 2007).
20 Supra note 17.
21 Supra note 19.

For instance, in the United States (US) parent companies can be liable under the Foreign Corrupt Practices Act (FCPA) for the activities of their subsidiaries where they have authorized, directed or controlled the activity in question.22 The fundamental principles of agency and criminal law support the view that a company is responsible for the acts of its agents, including persons and companies acting on its behalf.23 More interestingly, the US Department of Justice takes this position not only in cases where the parent company directed or approved a violation, but also in cases where the parent company failed to implement adequate controls or failed to prevent a violation about which it should have known.24 As a practical matter, companies are expected to take reasonable steps to ensure that their foreign subsidiaries comply with the FCPA.25

Another way in which the lack of regulation in this field of law affects international investment in Kosovo is the restriction of the transfer of personal data to organizations which are based in countries outside the EEA. The transfer of data to these organizations is prohibited unless 'an adequate level of data protection' exists in the recipient country, as determined by the European Commission.26 A formal finding of adequacy at the EU level is carried out by the Member States and the Commission according to the procedure given in Article 31 of the General Directive, with the advice of the Article 29 Working Party.27 The method usually adopted is that of 'white listing' countries which have been found to have an adequate level of protection, although the EU Data Protection Directive provides the possibility of 'blacklisting' countries, i.e., finding that they do not provide an adequate level of data protection; to date, however, no country has been blacklisted, possibly because of the political repercussions this would have.28 The EU has been effective in using the threat of being found 'inadequate' as a means of motivating third countries to enact data protection legislation close to the EU model.29 So far, the only countries outside the EEA which the Commission has deemed to be 'safe' are Argentina, Canada, Guernsey, Isle of Man and Switzerland.30

Considering the level of data protection in Kosovo, any company interested in investing in Kosovo might be restricted from transferring personal data. These companies will be faced with a difficult choice of which legal basis to use, which is a decision that must be made by balancing legal certainty against business opportunity.31

22 Bret Campbell and Peter Carey, “International corruption and data protection”, Privacy and Data Protection Journal, Volume 7 (1 February 2007) p1.
23 Ibid.
24 Ibid.
25 Ibid.
26 Supra note 1, p124.
27 Supra note 4, Article 30 (b).
28 Supra note 1, p175.
29 See: News Office of the Privacy Commissioner of New Zealand, “Self regulation is not the answer for small states” (September-October 2001), 3, in which New Zealand Privacy Commissioner Bruce Slane is quoted as saying that self regulation is not the correct privacy regime for New Zealand, since 'it is unlikely to gain the nod from the European Union'.
30 Anette Orange, “Outsourcing- data protection considerations”, Privacy and data Protection, Volume 8, 1 May 2008, p 4.
31 Supra Note 1, 154.

The prohibition of the transfer of personal data to third countries is not absolute. There are a number of legislative exemptions from the export ban provided in Article 26 of the General Directive; however, it is outside the scope of this paper to discuss these approaches. While the General Directive sought to facilitate the flow of personal data between EU Member States, it has often been seen as a serious barrier to global commerce.32 The EU authorities are well aware of this issue and have been working for many years to find mechanisms that would even up the situation.33

It can be concluded that companies based in countries where individuals' privacy rights are respected and enforced may be reluctant to invest in Kosovo because there are no safeguards on the protection of personal data; thus an international company as a parent company could be responsible for the activities and actions of its subsidiaries in Kosovo. In particular, the prohibition of data transfer can affect the necessary transfer of personal data.

iii) Impact on the Business between Kosovar and EU companies

An asset or business sale differs from a share purchase, as the purchaser buys whatever assets of the company it chooses.34 For example, a company located in the EU may purchase a customer database or the right to take renewal of customer insurance policies in a company in Kosovo.35 In this case, the EU company purchaser becomes a new data controller; thus there is a potential liability for the data controlled.36 In many transactions, the consideration of personal data, whether of employees, customers or both, is a key part of the deal.37 Whether such personal data complies with the relevant legislation may affect the value or the progress of the transactions.38 In the new e-commerce economy, missing a strategic deal today means failing to achieve global expansion tomorrow.39 Given that the speed of our response is such an essential feature, anticipating the way in which e-businesses need to comply with the adequate law in Kosovo is the only way to offer effective solutions. Given that data transfers to a non-EU country are subject to special restrictions determined by whether an 'adequate level' of protection exists in the recipient country, the business transactions between these companies can be crucially affected.

iv) Legal, commercial and bad reputation risks

Companies' failure to take notice of the fact that personal data should be protected could have serious implications for them. Currently, there is no data protection law and no data protection authority in existence to handle this matter; consequently, there is no evidence that any company in Kosovo has been fined for breach of individuals' personal data. Nevertheless, it is very important that the companies in Kosovo are aware that the consequences are not just legal but, often more importantly for them, the consequences can extend to commercial and reputation damages.40

32 Eduardo Ustaran, 'Binding Corporate Rules- a promising solution?', Privacy and Data Protection Volume 5, 1 December 2004.
33 Ibid.
34 Louise Townsend 'Data protection in corporate transactions', Privacy and Data Protection Journal, Volume 7 (01 September 2007) p1.
35 Supra Note 34, p1.
36 Ibid.
37 Ibid.
38 Ibid.
39 Peter Carey, “A step into the future of law”, Privacy and Data Protection Journal, Volume 1 (1 October 2000).

IV. European Union Approach to Data Protection Regulation

The EU Data Protection Directive is the major instrument of EU data protection law41 and is considered the most important and comprehensive data protection legislation.42 This Directive is expressly concerned with the protection of an individual's right of privacy, in accordance with which Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.43 The Directive requires each EU member state to pass specific national legislation on data protection that gives effect to the Directive.44 As a result, all EU Member States have adopted data protection laws which differ considerably from each other in structure, content and approach, each with its own language and separate legal systems and traditions.45 In the UK, for example, the Data Protection Directive was implemented by the Data Protection Act (DPA) 1998.46 The Act has had a dramatic effect on the way in which UK organizations use personal data.47 Both the UK DPA and the Directive represent the world's most advanced data privacy legislation.48 Prior to the implementation of the General Directive, the existing law in the UK was insufficient to deal with the concerns about the amount of information relating to individuals that was held by organizations in electronic form.49

V. Changes for the Future of Data Protection Regulation in Kosovo

A. Regulatory studies leading to a promulgation of data protection law

In the face of exponential growth in the collection of personal data, clear regulations are needed, so that companies and authorities have concrete guidelines to follow in the future. In the light of the importance of the regulation of this field of law analyzed above, this paper considers that the immediate step that the policy makers in Kosovo should take is the implementation of regulatory studies that suggest adequate legislation on data protection in Kosovo. Such studies should address several matters in order that an adequate data protection law is created and effective implementation is ensured. Firstly, policy makers should find means of informing Kosovar citizens that their personal data are protected by law and that the adequate authority is created to ensure that their rights are protected. This awareness may be raised through the media or other campaigns in order that individuals have a clear understanding of how they can seek their rights if their personal data are breached. At this point it is also very important to have an open discussion with data controllers.50 The fundamental principle of data protection is that there has to be a sound objective reason for processing personal data, which has to meet certain standards to be lawful, and companies have to be bound by this principle.51 This principle will result in restricting data controllers in Kosovo as to how they process and control personal data.52 It is very important to face this problem from the beginning, since data controllers in Kosovo have for almost ten years now had no rules to comply with; therefore it could be seen as unwanted intervention.53 The companies in Kosovo should understand that in modern times more and more areas of society are regulated.54 Therefore, they should recognize that to reject the concept of regulation as such is to step outside society by disregarding the fact that society must be conceived as a political institution; in addition, such rejection makes it impossible to reach a regulation that is sufficiently balanced.55 Further, these studies should address how Kosovar companies can better inform their clients on data protection in order to ensure that those individuals know the purpose of the collection of their data and are asked for their consent if their data are to be transferred.

40 Louise Townsend and Victoria Southern, “The cost of non-compliance with data protection law”, Privacy and Data Protection Journal, Volume 6 (07 August 2006) p1.
41 Supra Note 1, p19.
42 Christopher Wolf, Timothy P. Tobin, “The European Union (EU) Data Privacy Directive”, available at: http://www.proskauerguide.com/law_topics/28/III (last visited on 15th August 2008).
43 Supra Note 4, Article 1(1).
44 Supra Note 4, Article 4. See also: P. Carey, Data Protection, A Practical Guide to UK and EU Law, (Oxford University Press, 2nd Ed. 2004) p5.
45 Supra Note 1.
46 P. Carey, Data Protection, A Practical Guide to UK and EU Law, (Oxford University Press, 2nd Ed. 2004) p8.
47 Ibid.
48 Ibid.
49 Ibid, p1.

It seems that Kosovo's aim towards EU integration leads the policy makers to copy and paste the EU law in certain fields. However, given that many aspects of data protection law derive from administrative practices and informal customs, the policy makers should primarily consider these practices from which the issues of privacy and data protection were born and ensure that the chosen model can properly be implemented.

In particular, when drafting the rules, policy makers are advised to look at other best practices of the EU Member States. At this point it should be noted that there are variations in how the EU Member States implemented the EU Directive on Data Protection; therefore the regulatory studies shall assess these variations in order to come to a decision on which approach would be adequate for Kosovo. For example, in the UK, the Information Commissioner's Office (ICO) has been given new powers to fine organizations that deliberately or recklessly commit serious breaches of the UK data protection law.56 These sanctions are seen as a first step towards repairing the public's falling confidence in how their personal data are handled.57 In Spain, the main objective of the new data protection regulations is to provide a degree of legal certainty in the data protection framework by clarifying several data protection related concepts and combining in a single text the regulatory criteria and principles that have until now been dispersed among case law and secondary legislation.58 New data protection regulations in Spain have further extended protection to non-computerized files, i.e. paper, providing details of the security measures to be observed by those who process archives containing personal data (files) on paper.

50 This idea came from: Peter Blume, 'Practical Data Protection', International Journal of Law and Information Technology, Volume 2.
51 Ibid.
52 Ibid.
53 Ibid.
54 Ibid.
55 Ibid.
56 Kate Brimsted, 'The ICO's new power to fine the shape of things to come', Privacy and Data Protection Journal, Volume 8, June 2008 p1.
57 Ibid.

Given different examples of the changes of the data protection laws in several countries, it is very important that the policy makers in Kosovo analyse these approaches as much as possible in order to bring an appropriate law in this field. Regulatory studies should also ensure that all personal data processed prior to the proposed rules to be implemented in Kosovo are protected from the same. This paper does not overlook the financial and expertise difficulties that might be faced by the policy makers in following the regulatory studies and acquiring expertise in order to bring up a law and create a data protection authority; however, the promulgation of this law must be a priority and necessary steps shall be taken immediately. Bearing in mind that promulgation of a data protection law and consequently creation of a DPA is very costly, it is very important to get it right.59 Following the results of regulatory studies, policy makers shall decide on the most appropriate model of data protection law to be applicable in Kosovo.

C. Appropriate Model to be applied in Kosovo

For several reasons, outlined as follows, the most suitable model of data protection regulation in Kosovo is EU data protection law. First and most important is Kosovo's potential candidate status for the EU.60 European States which are not members of the EU and which do not apply the European Directive on Data Protection will have to implement this directive into their national laws during the process of accession to the EU61 in order to fulfill the EU membership obligations. Furthermore, in recent years, countries outside the EU, most of which until now have lacked comprehensive data protection regulation, have begun to enact more detailed data protection laws, which often show the influence of the European Models.62 For instance, the Argentine Personal Data Protection Act, enacted on 4 October 2000, and the Hong Kong Personal Data Ordinance also show the influence of EU data protection law.63 The E.U. Directive has become the leading trendsetter and benchmark for data privacy around the world.64 Not only is it shaping national data protection regimes but it is also shaping international instruments.65 For example, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (COE Convention) has recently been supplemented by a protocol containing rules that essentially duplicate the rules in the Directive dealing respectively with the flow of personal data to non-member states and with the competence of national data privacy authorities.66

58 Ana Bayo Busta, 'New Data Protection Regulations coming into force in Spain', IT Law Today, Volume 16, p1.
59 Supra Note 1.
60 EU Instrument for Pre-accession Assistance (IPA), 1 January 2007.
61 Supra note 1, p4.
62 Ibid p2.
63 Ibid.
64 Lee A. Bygrave, “Privacy Protection in a Global Context- A comparative overview”, published in Scandinavian Studies in Law, 2004 Volume 47, p337.

Data Protection Authority - To achieve a greater degree of success and uniformity in regulating data protection, an independent Data Protection Authority should be set up in order to ensure the implementation of the adequate laws on data protection to be implemented in Kosovo. It is very important that the Data Protection Authority to be created in Kosovo is independent and not susceptible to political influence.67 Several elements are necessary to ensure regulatory independence; in particular, having national legislation provide for the DPA's independent status, and the DPA having sufficient financial and personnel resources to do its job properly and thus resist political interference.68 As noted above, this paper does not overlook the financial problems that the independent authority might have in implementing the law. However, any company processing data must be registered in order to do so, and hence pay an administrative fee, which could be used for the functioning of the authority. Another aspect of the position of any regulatory authority is that such a body will need resources in order to be effective in carrying out its assigned tasks.69 In this sense, policy makers in Kosovo should effectively use all the support from the EU Mission in Kosovo and also the EU contribution given to Kosovo as a potential candidate state toward EU integration.70

Training for data protection - It is very important that the companies in Kosovo are aware that personal data are protected by law and that they should take the necessary steps to implement these laws. Companies shall also understand that data infringements, in one way or another, are a significant risk for companies.71 To decrease the risk of an infringement occurring, companies should initiate relevant training procedures at all levels inside the company.72 The training should include an element on the internal procedures and policies of the company with which staff must comply, as well as the requirements of data protection rules and examples of real-life data infringements and how they could have been prevented.73

65 Ibid.
66 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows (C.E.T.S. No. 181; adopted 23rd May 2001; in force 1st July 2004).
67 Supra note 4, Article 28(1): 'these authorities shall act with complete independence in exercising their functions entrusted to them'.
68 Supra Note 1, p17.
69 Ian Walden and John Angel, 'Telecommunications Law and Regulation' (Oxford University Press, 2nd Ed. 2005) p134.
70 EU Instrument for Pre-Accession Assistance (IPA), 1 January 2007.
71 Peter Carey, Editorial, Privacy and Data Protection, page 2, Volume 8, Issue 6.
72 Ibid.
73 Ibid.

Concluding remarks - imperative need of data protection regulation

In the face of exponential growth in the collection of personal data in Kosovo, clear regulations on how these data are handled are needed, so that companies and authorities have concrete guidelines to follow in the future. After the declaration of independence of the Republic of Kosovo, two main aims remain of fundamental importance: firstly, economic development and, secondly, Kosovo's road towards EU integration. This paper strongly considers that the promulgation of a data protection law which would transpose the obligations that arise from the EU Data Protection Directive is an input to both of these aims. It is imperative that policy makers in Kosovo join their efforts to have laws that respect international standards in a coherent system.

One of the main reasons for calling for this law is to give the citizens of Kosovo sufficient legal protection and to repair their falling confidence in how their personal data are handled by Kosovar companies.

The necessity for a sustainable legal framework which would encourage economic development and foreign investment is greater than ever in Kosovo, especially now that new companies and businesses have been created through the privatization process and the growth of private investments in general. It is imperative that these companies are under adequate regulation towards positive changes in Kosovo's economy. Regulation in the area of data protection is essential to the future economic development of Kosovo.

Merita Kostanica is Head of Legal and Regulatory Affairs at IPKO Telecommunications LLC, Republic of Kosovo. Ms. Kostanica graduated with Merit from the University of London, Queen Mary College, in Commercial and Corporate Law, specialising in Company Law, Data Protection Law, and Law and Legal Aspects of International Finance. From May 2006 Ms. Kostanica was employed as the first In-House Legal Counsel at IPKO Telecommunications and was promoted to Head of Legal and Regulatory Affairs at IPKO from August 2008. Being only 26 years old, with 9 years of working experience, Ms. Kostanica is a highly motivated professional. Ms. Kostanica's personal research interests include a wide range of commercial and corporate law issues such as privacy and data protection regulations. She has also been actively involved in lawful interception of electronic communications projects to be implemented in Kosovo.

IPKO Telecommunications is recognized as one of the fastest growing telecommunications companies in Europe. Established in 1999, IPKO has grown from being the first Kosova-wide internet provider to becoming a modern enterprise offering a full range of integrated services as well as content, in mobile communications, fixed telephony, digital TV, internet services as well as media. In less than one year IPKO achieved more than 35% of the market share in mobile telephony, while remaining the leading internet and digital TV service provider, both in terms of number of customers and network reach.