Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Internet and consumer privacy

Low public awareness on privacy issues remains the major obstacle to the development of the information society in general and e-commerce in particular. This refers to public awareness of both basic data protection principles and rights and the procedures to enforce these rights. The lack of awareness about the complementary right of free access to information hampers increasing the (much-needed) transparency and accountability of public institutions.

According to research conducted by Metamorphosis in 2009 and 2010 and published in the report "Privacy in Macedonia 2010", the majority of Macedonian websites lack privacy policies. Metamorphosis's research included automatically and manually processing large samples of URLs, including more than 13,000 domains from MARNet's register (all second and third-level MK domains), and over 2,000 links from the Macedonia Search Directory.1

The research, which consisted of two waves of surveys in March 2009 and February 2010, proceeded in two phases. First, automatic crawling determined whether domains led to an active website and whether selected keywords appeared on its front page. Second, the sites containing these keywords, which were supposed to be part of a link to a privacy policy, were checked manually. Out of these two samples, only a few dozen Macedonian websites were found to have privacy policies.

This research also found that no websites that use second- and third-level domains have privacy policies. A significant portion of new e-commerce websites also lack this basic feature, although there has been some improvement over time.


By 2000, Macedonia had acquired a bad reputation, as most of the transactions initiated from its territory on e-commerce websites proved fraudulent. The absolute number of such transactions was not significant, but the fact that a high percentage involved some sort of abuse – resulting from sharing stolen credit card numbers among IRC users from other Balkan countries,– resulted in the country's IP addresses' being blacklisted over the next decade.

Blacklisting meant that Macedonian Internet users could not use services provided by foreign e-shops, who declined transactions and delivery. In addition, e-commerce was not developed for domestic use, as financial institutions reluctantly kept postponing investing in e-banking and e-commerce, while the Government kept failing to complete the legal framework.

Through various projects, USAID invested in improving overall business conditions, including hiring consultants from VeriSign in 2006 to help in regard to improving the situation with cybersecurity and remove Macedonia from blacklists by providing factual data on levels of use (increasing use of Internet and credit cards) and abuse (lowered percentage due to increased overall number and enforcement). Local actors, such as the Metamorphosis Foundation and some private sector companies promoted the concept of information security through awareness-raising and educational campaigns,2 and by offering services to assist in the implementation of ISO standards, respectively.

The government assigned a Minister to take charge of Information Society Development; he announced the drafting of a special law on e-commerce that was adopted in November 2007.3 In contrast to similar policy efforts in the past – including the landmark National Strategy for Information Society Development (2004-2005) and the National Strategy for Electronic Communications and IT Development (January-April, 2007) – the task force working on this law failed to include civil society representatives. This law, based on the EU's e-Commerce Directive, does not include additional stipulations on personal data protection, since they are covered by other laws.

The opening of the domestic payment processor Casys in 2008 was one of the most important developments of that year. By September 2009, at least 16 e-shops offered transactions via Visa or MasterCard using three banks as intermediaries.4 However, by the end of that year e-commerce in Macedonia was still not popular: at most a few thousand people performed no more than a few thousand transactions of relatively small size.

Many of these new e-shops (56 percent) adopted privacy policies in strict consultation with the DPDP.. However, a research carried out by the NGO Metamorphosis showed that while the number of local e-shops rose to 29 by the beginning of 2010, a surprisingly large percentage of them (38 percent) do not feature privacy policies, even though the overall situation is improving. Metamorphosis' team surveyed them all based on the links offered by the banks that act as intermediaries for e-commerce accounts (please see Appendix I for details).

In addition, a survey by New Moment in early 2010 established that e-commerce customers from Skopje "do not know if the Macedonian e-shops offer safe purchasing,"5 confirming the lack of confidence in online transactions.


No specific information has been provided under this heading.

Online behavioural marketing and search engine privacy

The Agency for Electronic Communications is in charge of enforcing the Law on Electronic Communications through an inspectorate, but so far no information has been made public about its efforts to enforce the privacy provisions contained in the law, including those regulating direct marketing by legal entities.

A public panel on privacy in Macedonia held on 26 August 2008, as part of a public consultation to debate the Macedonia Report for Privacy and Human Rights Report 2007, reiterated the assertions from the previous year that no cases have been made public of in which the privacy protection provisions of the Law on Electronic Communications have been enforced. Spamming remains widespread practice in the Macedonian business sector. Moreover, at least one company provides spamming services for other companies.6

This situation remained unchanged until June 2010, even though the commercial spamming services have been less prominent since 2009. In general, Macedonian companies continue to use mailing lists compiled without the recipients' explicit permission as one of their primary marketing tools. However, a number of consulting companies and marketing agencies specialising in online promotion have reacted to increased action on the part of the DPDP and digital rights NGOs by adding an opt-out footer in their e-mails.

There's no evidence of advanced user profiling via local search engines; advertising networks and portals mostly serve banner ads and claim that they do not profile their users.

Online social networks and virtual communities

The most significant development on the Macedonia-related Internet in 2009 has been the explosive growth of social media use resulting from the increasing popularity of Facebook. The number of Facebook users from Macedonia, which had already begun rising in 2008, dramatically increased in 2009 from around 83,000 in January to almost 500,000 by the end of December.7

One factor influencing this trend was overcoming the language barrier, identified in a 2004 survey by Metamorphosis and FOSIM.8 Multilanguage interfaces introduced in August 2008 – including Macedonian and Albanian – effectively opened Facebook to the three-quarters of the Macedonian population lacking a working knowledge of English.

The existing cultural preference for social networking as a form of interpersonal communication and entertainment provided strong potential for a fit with ICT solutions that support these activities. In 2009, even the customarily slow-to-catch-up traditional media begin to provide frequent coverage of Facebook-related developments, which supports the argument that online social media have become an integral element of mainstream culture in Macedonia.

The trend of the increasing online presence of politicians from 20089 continued in 2009. During the March and April elections, presidential and mayoral candidates started using social media such as Facebook and blogs as part of their election campaigns, alongside personal or political party websites.

Research by the NGO Metamorphosis revealed that candidates failed to address all potential voters by using the relevant local languages in their Web presence, did not provide regular updates or respond to e-mail, and in general did not seem to grasp the new technologies. This research also found a surprisingly high correlation between the level of support provided to the presidential candidates on Facebook and the number of actual votes gained in the two election rounds, suggesting that social media could be an effective market research tool on issues that mobilise a critical mass of users.10

State institutions were affected by the rise of Facebook's popularity. Some, including Parliament, blocked the use of this service on their office networks.

On the other hand, the Ministry of Interior Affairs (MOI) opened a short-lived "unofficial" personal profile in April causing some journalists to question the motives of invitations to become "friends" with the Ministry, since accepting those invitations would enable the Ministry to view their profiles and activities.11 Facebook shut down the MoI profile because it violated the company's terms of service, which allow only individuals to have personal profiles. Legal entities are required to use pages.12

The still very low level of public awareness of privacy, especially digital privacy, issues has been noted as a major obstacle by the stakeholders.

Online youth safety

The Metamorphosis Foundation launched the "Children's Rights on the Internet – Safe and Protected" (CRISP) project in 2007; it ended in December 2008. The project involved the Directorate for Personal Data Protection of the Republic of Macedonia and a network of 11 NGOs working on the promotion and safeguarding of children's rights within their communities. CRISP was co-funded by the European Initiative for Democracy and Human Rights (EIDHR) and Metamorphosis. CRISP's objective is to create educational content intended to teach the skills needed to protect personal data for the Macedonian public education system. CRISP's activities included creating educational content for children, parents, and teachers and designing leaflets and posters in Macedonian and Albanian.13

The project's activities covered 50 primary and 20 secondary schools in 12 cities and seven villages in the Republic of Macedonia, with the participation of 8,482 students, 1,170 teachers, and 1,138 parents. The website received over 10,000 visits during its first year of operation. With support from OSI and FOSIM, Metamorphosis continued its efforts to raise public awareness of youth-related privacy issues through the Online Privacy Made Easy project in 2009 and 2010.

The Parliament adopted the Declaration for Safer Internet14 drafted by MP Aleksandar Spasenovski and supported by MPs from both majority and opposition parties on 1 March 2010.15 The Declaration16 incorporates analysis and recommendations against censorship and Internet filtering based on information given by EDRI and provided by the Metamorphosis Foundation in official expert testimony at the public hearing and direct consultations with MPs.

During 2010 there were two other notable initiatives in the area of protection of children and youth. The first concerns the creation of a national hotline dealing with online abuse and crime. This initiative is promoted within the framework of the EU's "Safer Internet" Programme and is run by the NGO Internet Hotline Macedonia with the participation of Metamorphosis and children's' rights NGO Megjashi. The second initiative was to found the new NGO, National Internet Watch Forum,17 which focuses on cooperation with ISPs and the mobile operators.

Workplace privacy

No special regulations govern workplace privacy, which is covered by the Law on Personal Data Protection.

Health and genetic privacy

Medical data, including genetic and biometric data, are considered special categories of data whose processing is prohibited by the Article 8 of the LPDP. Paragraph 8 provides an exception for processing these data in case they are "needed for the purposes of medical prevention, diagnosis, treatment, or management of a health service and is carried by a person whose profession is to provide medical protection under an oath of secrecy for the data revealed to her/him during the performance of her/his profession" or if the data subject provides explicit consent or the processing refers to data made public by the data subject.

Medical records

The Law on Health Care18 specifies that health sector workers are obliged to take care of patients, to respect their dignity, to adhere to medical ethics, and to keep professional secrets. The obligation to keep professional secrets applies to any worker who uses medical records or comes across data contained therein as any part of performing their jobs. In accordance with the Law on the Protection of the Population from Contagious Diseases,19 the reporting of AIDS, HIV infection, and microbiological findings for Treponema pallidum, Neisseria gonorhoeae, congenital infection with Rubella virus, Tohoplasma gondii, and Chlamydia gondii is anonymous.

A scandal erupted in January 2010 when a TV station republished photos from the Facebook profile of a doctor from the Emergency Ward of the main Clinical Centre in Skopje showing her and other medical staff posing with an unconscious and half-naked patient on a stretcher (presumably intoxicated during the New Year celebrations).20 Within a few days the doctor was fired because of the damage to the reputation of the medical profession.21 As a continuation of this affair, debates continue about whether the journalists had the right to republish the incriminating photos and in what format, i.e., hiding the identity of some of the photographed persons by blurring.

Genetic identification

The Law on Family22 holds that the data on adoptions are an official secret.

Financial privacy

The Law on the National Bank of the Republic of Macedonia23 obligates the members of the Council of the National Bank and the employees of the National Bank to keep official and business secrets. This obligation binds these persons for five years following the end of their term. Data that are official or business secrets may be provided only upon written request of the court. Furthermore, the Banking Law24 determines the categories of persons who may not reveal data and information classified as bank business secrets by law, statute, and other banking acts. The obligation to keep a business secret that persists after the termination of employment with the bank also relates to persons with special rights and responsibilities, bank employees, and other persons with access to bank operations. The data such as savings and bank deposits of natural and legal entities, as well as the account operations of natural and legal persons, are classified as business secrets of the bank. The above data may be provided only in the following cases: (1) If the client provides written consent to reveal the data; (2) Upon written request or order of the competent court; (3) Upon written request of the national bank or another body authorised by law for the purpose of monitoring; or (4) If the data are provided to the Directorate for Money Laundering Prevention in accordance with law. Additionally, in accordance with the Law on Securities,25 the management and the employees of the Central Securities Depositary, as well as certified auditors, are obliged to keep confidential the data learned through their employment unless they are obliged to provide such information in accordance with specified law.