An analysis released by the Center for Democratic Transition (CDT) and Partners Serbia reveals that Montenegro’s legal and institutional frameworks still fall short in providing adequate protection against the misuse of personal data and digital targeting for political and manipulative ends.

According to the CDT, even as disinformation campaigns increasingly depend on citizens’ personal data for refined profiling and dissemination of manipulative communications, existing national laws are outdated, with minimal or nonexistent institutional oversight.

“The Data Protection Act of 2008 has yet to be revised to reflect contemporary practices in data processing and profiling, while a proposed new law has not yet been introduced in Parliament,” the statement indicated.

The CDT pointed out that Montenegro lacks regulations on political advertising in the digital realm, as well as public registries for political advertisements.

“Political campaigns that leverage citizens’ data for microtargeting can proceed without mandatory risk assessments, transparency, or sufficient oversight,” stated the non-governmental organization (NGO).

They noted that penalties for legal infringements remain minimal, even for the most severe violations.

“This environment does not dissuade those who exploit data as a means of political manipulation; rather, it encourages them to persist without facing consequences,” the statement added.

The CDT reminded that while Montenegro has enacted a new Law on Information Security, its enforcement is hampered by a lack of functional institutions.

“Despite the formal establishment of the Cybersecurity Agency, its operations are stalled due to political gridlock concerning staffing, thus directly undermining the state’s capability for digital security,” the statement said.

The CDT urged decision-makers to promptly enact the new Data Protection Law, which should mandate impact assessments for risky data processing, require the reporting of data breaches, and restrict targeting based on sensitive personal information.

The NGO emphasized the importance of aligning the legal framework with European standards, including GDPR, DSA, DMA, and the new Regulation on Political Advertising.

They also highlighted the need to ensure institutional readiness for the implementation of these regulations by strengthening the Data Protection Agency, enhancing the functionality of cyber regulators, and facilitating clear coordination among all relevant authorities.

“Without systematic regulations, political will, and technical supervision, citizens’ personal data will remain vulnerable to opaque targeting, leaving the digital landscape susceptible to disinformation that erodes trust, fuels polarization, and jeopardizes democratic processes,” the statement concluded.

News