North Macedonia: The Data Protection Act and enforcement challenges

The LPDP follows, almost in its entirety, the content of the GDPR. Like the GDPR, the LPDP set a transitional period of 18 months, later prolonged by six months, for data controllers and processors to adapt and harmonise their operations.

Accordingly, the same transitional period was foreseen for the adoption of the bylaws based on the LPDP. That said, most of the bylaws were adopted by the Personal Data Protection Agency of North Macedonia ("DPA") in May 2020, which marked the completion of the legislative process, leaving only the implementation process ahead.

In addition to the adoption of the legal framework, the DPA has published a series of guidelines that rely to a great extent on the Guidelines of the European Data Protection Board. Until now, the DPA has issued the guidelines dealing with the protection of personal data in the finance sector, the transfer of personal data to third countries and international organisations, data protection officers in the public and private sector, the use of cookies and lawful data processing.

Concerning enforcement of the LPDP and the harmonisation of the remaining legal framework with the LPDP, the DPA is still not sufficiently proactive. First, the DPA still does not impose any sanctions, but only warns data controllers and processors. Also, the DPA is not systematically consulted on sectoral laws or implementing legislation and its advice is not always taken on board.

Challenges of public institutions to maintain data privacy

While the DPA does focus on raising awareness and education at institutions in relation to data protection, most of its activities are directed at the public sector. Furthermore, the DPA's reluctance to sanction has affected overall data protection awareness in North Macedonia. While some positive steps have recently been taken in this direction, they have mainly been driven by a series of ransomware cyberattacks on Macedonian public institutions that affected a large amount of personal data of Macedonian citizens. Between 2021 and 2022, seven public institutions were targeted, including the Health Fund of North Macedonia, especially websites with the official governmental domain (gov.mk).

The cyberattack on the Health Fund was one of the most controversial cases, since the personal data of almost two million citizens were affected. After the attack there were a series of reactions about the level of personal data protection, the most relevant of which were from the Macedonian State Audit Office. In particular, the State Audit Office had warned about the insufficient level of data protection and IT security of the Health Fund several years back in its reports to both the National Assembly and Government. Although these incidents did raise public awareness about data privacy and protection, the DPA still did not respond properly to the incidents. The DPA neither sanctioned any of the institutions for the lack of cybersecurity measures nor issued a public statement in relation to them.

Concluding remarks

Despite the adoption of a modernised legal framework for data protection in North Macedonia, largely based on EU practices, recent findings imply that the DPA is not sufficiently educated and agile in its role of supervisory authority. Enforcement of the LPDP with a proactive DPA at the helm should be a priority throughout the following period. Therefore, effective implementation of the LPDP should target all the incompliant market players while the DPA is expected to take a more proactive role.

authors: Marija Vlajkovic, Oliver Vidikov