Challenges and Initiatives in Safeguarding Privacy and Cybersecurity in Kosovo

As Kosovo undergoes digitalization, experts stress that it is imperative for institutions to intensify efforts in raising public awareness about personal data protection as well as vigilance from institutions and resilience against cyberattacks.

The Kosovo State Training Center for Cybersecurity was inaugurated at the Adem Jashari military barracks in Prishtina, on Tuesday, aiming to increase the country’s capacities in combating cyber attacks. 

“The training that the Center will offer will address the essential objectives for the development of human capacities in cyber security and the creation of collective awareness of cyber risks,” Kosovo PM Albin Kurti said during the inauguration on Tuesday.

The law establishing the Agency for Cyber-Security  was passed in response to a series of cyber attacks in 2022 against the Kosovo Government. A cybersecurity law was enforced only in February 2023,  regulating the preparation and monitoring of the implementation of cybersecurity policies at the national level.

Despite attempts of the Kosovo government to increase cybersecurity capabilities, experts and officials that deal with the issue on a daily basis warn that the country is not properly equipped to combat potential cyber risks.

The annual ‘Cyber Zero’ conference convened in Prishtina on March 4-6, 2024, and featured experts from many security institutions. Those experts identified the foremost challenge for Kosovo as the need for  Kosovo citizens to enhance their awareness regarding the protection of their private data. They underscored that, in the pursuit of transparency, institutions occasionally violate citizens’ personal data.

Experts also claim that Kosovo’s many laws related to security, the law on national security, the national security strategy, the defence strategy, and the telecommunications law, lack harmonisation. Greater harmonisation is needed among these laws, according to experts.

Cybersecurity is not included in Kosovo’s National Security Strategy 2022-2027. In this document, this term cybersecurity is mentioned only once in the section on digital transformation.

Meanwhile, the Ministry of Internal Affairs also has a separate department dealing with cybersecurity and Systems Administration.

Insufficient capacities to combat cyberattacks

Kosovo PM, Albin Kurti (R), and Minister of Defence, Ejup Maqedonci (L), during the inauguration of the Kosovo State Training Center for Cybersecurity at the Adem Jashari military barracks in Prishtina, March 12, 2024. Photo: Kosovo Prime Minister’s Office

Despite “satisfactory” infrastructure Kosovo institutions are often targeted by cyber attacks, with citizens’ personal data violated by domestic institutions and accessed from outside.

The Kosovo Police, which processes a significant amount of sensitive personal data of citizens on a daily basis, is continuously targeted by cyber attacks.

The representative of the Kosovo Police,  Abdurrahim Gashi, told the Cyber Zero conference in Prishtina  “we have attacks constantly, every day, every minute,” adding that  “the infrastructure is satisfactory. The police have their own mechanisms and the infrastructure, whether hardware or software, or human resources to carry out their tasks”. 

Experts caution that privacy breaches often stem from institutions that are supposed to safeguard them. Thus, there is also a need for civic awareness regarding the protection of citizens’ personal data.

 The Commissioner for Information and Privacy Agency, AIP, Krenare Sogojeva-Dërmaku, expressed at the same conference that institutions frequently violate citizens’ personal data under the guise of transparency.

“Institutions list [full] names in subsidies [when disbursing government funds] but violate citizens’ rights,” stated Sogojeva-Dërmaku.

According to her, such violations occur daily, even by online media that may lack sufficient knowledge of data protection laws. “But citizens also do not complain that their rights are being abused as they are not aware that this abuse is happening towards them,” she further added.

The Information and Privacy Agency has decided to impose fines of 20,000 to 30,000 euros when public enterprises issue invoices without envelopes, as this violates citizens’ privacy.

Burim Ramadani, the former chief inspector of the Kosovo Intelligence Agency, emphasised that cyber attacks and data breaches also come from abroad. 

“It is not only the institutions of Kosovo that can access the data of Kosovo citizens, there can also be interference from outside,” Ramadani said.

‘Public’ private data

Illustration. Photo: BIRN

The absence of civic consciousness, coupled with the indiscriminate flow of personal information from online media outlets and responsible entities, presents a formidable obstacle to safeguarding citizens’ data and privacy in Kosovo.

Online media often violates the code of ethics by publishing personal data. In one case, in January 2024, different online media outlets in Kosovo published a video of two minors beating a person who died a few days later. This data, based on the Code of Juvenile Justice, is confidential as the suspects are minors, and  should only be published in cases authorised by the court.

The publication of this information could contribute to the rehabilitation and reintegration of juveniles after they have completed their punitive measures.

 Sogojeva-Dërmaku explained at the Cyber Zero conference that “if certain personal information is accessed to a specific sector, the person who has that information should be known, and if there are any leaks of that information from unauthorised persons, measures should be taken as legal protocols are in place to address such matters, with oversight from the Police inspectorate tasked with handling these issues.”

Apart from security institutions, privacy breaches in Kosovo also stem from public universities, which often publish results with extensive personal data of students.

In September 2023, BIRN reported that Kosovo’s biggest public university displayed students’ exam results in public, a direct abuse of students’ data privacy rights.

Ramadani said at the Cyber Zero conference that “citizens often are not careful even in filling out application forms and how much personal data they give away.”

read more: