A BIRN report found that the Western Balkans and Turkey have moved closer to EU data protection standards on paper, but rapid digitalisation risks outpacing the ability of states to protect fundamental data protection rights.
According to a new report by the Balkan Investigative Reporting Network, BIRN, titled “Privacy and data protection in the Western Balkans and Turkey – A comprehensive regulatory and institutional assessment,” the Western Balkans and Turkey continue to struggle with weak enforcement, limited institutional capacity, and growing technological risks despite legal reforms inspired by the EU’s General Data Protection Regulation, GDPR.
Across Europe, the GDPR has set a standard which shapes how personal data should be collected, processed, and safeguarded. For the Western Balkans and Turkey, aligning with these standards is not only a legal obligation linked to EU integration, but also a practical necessity in an era of rapid digitalisation.
The BIRN report reveals legislative progress, but also structural weaknesses that threaten citizens’ rights in practice.
Governments are rolling out biometric technologies and experimenting with AI and automated decision-making, often without adequate safeguards. Weak infrastructure, limited cybersecurity, and a number of high profile cyberattacks highlight how vulnerable national systems remain.
Across the region, rapid digitalisation is creating new risks that existing systems are not fully equipped to manage.
According to the European Commission’s 2025 report, North Macedonia’s legal framework for personal data protection remains insufficient, and the capacities of the Data Protection Agency require significant improvement.
Bosnia and Herzegovina strengthened its legal framework in early 2025, granting its Data Protection Agency enhanced investigatory and sanctioning powers, but concerns remain about the agency’s independence and effective use of resources.
The report further states that Serbia’s legal framework is largely aligned with EU rules, but implementation gaps persist. The report highlights concerns that persist regarding street video surveillance, spyware targeting human rights defenders, and journalists and unauthorised disclosure of personal data during protests and in the media.
According to the European Commission’s 2025 report, Kosovo’s legal framework for personal data protection is largely aligned with the GDPR, however, additional reinforcement of the Agency’s human and financial resources is needed to ensure fully effective oversight.
The 2025 report also discusses Montenegro’s personal data protection law, which is not yet fully aligned with the EU acquis. Furthermore, Montenegro has still not ratified the 2018 Council of Europe Protocol on the automatic processing of personal data.
Albania adopted a new GDPR-aligned law in December 2024, but citizens still report difficulties exercising basic rights such as access, rectification, and erasure of personal data.
Turkey, meanwhile, lags behind the region. Although it has a data protection law and an active authority, its framework remains insufficiently aligned with EU standards, particularly regarding enforcement and privacy safeguards.
Emerging technologies: Biometric surveillance and AI risks
Illustration: BIRN/Igor Vujcic
The BIRN report notes that the widespread deployment of facial recognition technologies in public spaces, particularly by law enforcement, poses a serious risk of mass surveillance, with far-reaching implications for the right to anonymity and privacy.
Centralised biometric databases, such as those used for passports, IDs, or law enforcement records, represent high-value targets for cyberattacks.
In Serbia, thousands of surveillance cameras have been installed in Belgrade under the Huawei “Safe City” project, raising concerns about mass surveillance and lack of transparency.
Biased historical datasets, common in the region, risk embedding discrimination into automated systems used in areas such as social welfare, justice, and healthcare.
In Kosovo, Albania, Bosnia and Herzegovina, and Montenegro there is a push to establish interoperable regional biometric databases for border management and law enforcement purposes, which increase the risk of large-scale data breaches, as demonstrated by major cyberattacks targeting government systems in Albania and Montenegro.
In Turkey, state surveillance and digital rights remain a concern in light of broader “authoritarian trends.”
The BIRN report stresses that human oversight of such systems must remain essential.
Cybersecurity, data breaches and public awareness
Illustration. Photo: Pixabay/ Pete Linforth
The focus on digitalisation and e-government services across the Western Balkans has led to the centralisation of citizens’ data, turning these databases into high value targets for cybercriminals seeking to steal identity information.
Recent breaches, such as those reported in Albania, have exposed sensitive personal data including salary records and private communications.
The shortage of skilled cybersecurity professionals in the public sector is further exacerbated by the “brain drain,” as top IT talent is drawn to higher-paying private sector jobs or employment opportunities in EU member states.
At the same time, public-sector employees often lack adequate training in basic cybersecurity hygiene, leaving government systems vulnerable to phishing attacks, social engineering, and the use of insecure legacy devices.
The most common violations in the area of personal data protection in Bosnia and Herzegovina relate to unlawful video surveillance.
In Kosovo, it includes lack of transparency and information provided to data subjects, processing of personal data without a valid legal basis. The Agency in Kosovo added that, based on complaints, awareness about data protection is increasing.
The most frequent cases in Montenegro concern the establishment of video surveillance systems and the publication of publicly accessible personal data on websites and unlawful processing of personal data.
In Serbia, the most frequent violations concerned the processing of personal data.
2025 was marked by two major data breaches in Serbia. Air Serbia suffered a serious cyberattack, with internal memos indicating that the airline had to delay the issuance of payslips and shut down service accounts while teams worked to restore system security. The Ministry of Justice also reported a series of hacker attacks culminating in an attack on a data centre.
In North Macedonia, cases primarily concerned the implementation of video surveillance in multiple residential buildings and public areas; the retention of identity cards and travel documents by hotels during guest registration in the guest book.
In addition, 249 complaints related to social media were recorded in 2024 with most being concerns about fake profiles, the publication of photographs and video recordings of third parties on social media profiles, defamation, etc.
In Albania, citizen complaints also concerned installation of video surveillance cameras in public and private spaces, as well as unsolicited direct marketing communications, via telephone or email.
In Turkey, the most common violations identified involved failures to implement adequate data security measures.
From a formal perspective, the region appears significantly closer to EU standards than it did a few years ago. However, the reality on the ground is more mixed. Many data protection authorities continue to face shortages in staffing, funding, and technical expertise, limiting their ability to enforce data protection rules effectively.
The report recommends that Governments should ensure the budgetary independence of Data Protection Authorities, recruit skilled IT and legal personnel, prevent political interference in appointments, and reinforce supervisory powers for robust oversight
Data Protection Authorities should strengthen their institutional independence and capacity by ensuring budgetary and operational autonomy in order to prevent political interference and civil society organisations and academic institutions should actively raise public awareness about data protection and privacy rights through campaigns, workshops and educational programs.
This article was prepared for Prishtina Insight by Ardita Zeqiri.
