In Serbia, the regulatory landscape for AI is not yet governed by binding legislation dedicated exclusively to AI. However, a working group within the Ministry of Science, Technological Development and Innovations (the Ministry) has already been formed, tasked with preparing the draft law on AI, which is expected to be finalised mid–2025.
The recently adopted EU Artificial Intelligence Act (the EU AI Act) represents a significant milestone in the regulatory landscape, ensuring that AI systems are safe and respect laws on fundamental rights and values. Although Serbia is not a member of the EU, the country has consistently demonstrated a commitment to align its domestic legal framework with that of the EU. It is therefore reasonable to anticipate that Serbia’s law on AI that is currently being drafted will ensure alignment in the field of AI.
Meanwhile, a variety of existing laws, some of which are mentioned below, indirectly provide the wider legal framework which may come into play with the deployment and implications of AI.
For example, the Serbian Constitution (SC) protects the right to privacy and the protection of personal data. The Data Protection Act (DPA) builds on these constitutional guarantees by establishing detailed procedures for the processing and protection of personal data. This is particularly pertinent to AI systems that engage in automated data processing and profiling.
The Contracts and Torts Act (CTA), which has been a cornerstone of Serbian law for over four decades, outlines the fundamental principles and rules governing contracts and torts, including the liability for damages. This act is complemented by the Consumer Protection Act (CPA), which, in the context of AI products sold commercially to consumers, ensures that consumers have the right to legal remedies and compensation for harm suffered by certain products.
Intellectual property (IP) laws, including the Copyright Act (CA), regulate the rights and responsibilities associated with the creation of works and the rights that arise from them.
The Criminal Code (CC) may address the criminal law aspects of AI. The European Parliament’s Report on AI in Criminal Law, which recommends prohibiting the use of facial recognition technologies for indiscriminate surveillance in public spaces, is not legally binding but is seen as a significant step toward curbing the misuse of such technologies. In Serbia, proposed amendments to the criminal legal framework have laid the groundwork for the implementation of automatic facial recognition technologies. However, the absence of governmental approval for the necessary regulations is currently preventing their deployment.
Therefore, while the current laws in Serbia mostly do not directly regulate the use of AI, the existing legal frameworks offers a foundation for the governing of certain aspects of AI technologies.
In Serbia, the integration of both generative and predictive AI technologies is widespread across multiple sectors which are witnessing a surge in innovative applications such as automated customer support, predictive maintenance and automation.
The practical applications of AI and machine learning are mostly evident in the IT, medical and pharmaceutical industries.
The Serbian IT sector is at the forefront of these developments, with local companies employing AI to craft software solutions that leverage data analytics and machine learning algorithms. These include companies such as Wonder Dynamics. which is at the cutting edge of generative AI, aiming to democratise access to high–quality visual effects for content creators at all levels. Serbia is also home to other innovative entities such as Visaris and Mikroelektronika. A notable emerging company, Ninox/Fuller Vision, is making strides with its digital multifocal glasses project, which is poised to reach its first customers in Silicon Valley by year’s end.
The Institute for Artificial Intelligence Research and Development of Serbia (AI Institute) highlighted the transformative impact of advanced machine learning techniques in the pharmaceutical sector. AI’s role is pivotal in expediting the comprehension of biological disease mechanisms. In the healthcare industry, AI–driven initiatives are particularly focused on breast cancer diagnosis and drug discovery, with emphasis on enhancing mammography through AI.
In the realms of trade and manufacturing, AI and machine learning are pivotal for supply chain management, with companies like BE TERNA offering AI–driven services to optimise inventory management.
E–commerce platforms in Serbia have been utilising AI for some time, with machine learning algorithms being employed to personalise product recommendations. Examples include Donesi.com for online food ordering and delivery, and Kupujemprodajem for a consumer–to–consumer sales platform.
The food industry is also experiencing AI advancements, with the AI Institute developing applications such as an electronic nose for monitoring production processes, including quality control and biochemical process tracking. Moreover, the agricultural sector anticipates the imminent application of AI in intelligent land data analysis, yield forecasting, fertilisation requirements, pest detection and pesticide application.
Finally, Serbia also has two large language models trained on the Serbian language and other Ex–Yu languages. Those systems are known as Yugogpt and BertiĆ. Yugogpt is the largest open source LLM for Ex–Yu languages being trained on seven billion parameters, which confirms that Serbia’s AI ecosystem is keeping pace with global trends in this industry.
Serbia is actively engaged in the implementation of various incentives and policies designed to stimulate the research and development (R&D) of innovative technologies, including AI. Notable among these are tax incentives for R&D, which include the following:
Additionally, Serbia extends tax incentives to taxpayers who invest in newly established innovative business entities, including AI startup companies. These measures are indicative of Serbia’s commitment to nurturing an environment conducive to technological innovation and AI development.
Finally, there are several additional support mechanisms available to companies developing AI, such as specific grant schemes where non–repayable one–off funds are made available to entities engaged, among other things, in AI development, and a large number of startup incubators and accelerators designed to help startups through the process of AI development, from an idea to a marketable product.
Serbia is investing heavily in AI development, having launched the National AI Platform, established the AI Institute, and several national standard–setting bodies, as elaborated on later in this chapter.
Although no specific AI laws exist yet, Serbia has adopted strategic documents for AI’s legal and ethical use, also summarised below, demonstrating the country’s innovative approach to regulating AI.
As mentioned above, Serbia is already working on establishing a dedicated legal framework specifically addressing AI through a set of binding regulations. Meanwhile, in the past years, few laws were adopted or amended to include provisions relevant for specific AI–related issues.
Firstly, the General Data Protection Regulation (GDPR) principles have been integrated into the DPA. The DPA introduced the definition of automated processing of personal data for the first time, and profiling.
Secondly, a landmark amendment was introduced in 2023 within the context of the Road Traffic Safety Act (RTSA), pivotal in establishing a legal foundation for AI in Serbia, particularly concerning the testing of autonomous vehicles.
Both these legislative solutions are discussed into more detail in the relevant sections of this chapter.
While binding laws specifically addressing AI are in the drafting process, Serbia adopted several strategic, advisory documents dedicated to AI:
Artificial Intelligence Development Strategy (2020–2025) (the Strategy) – This document delineates objectives and initiatives aimed at the growth of AI, with the anticipation of catalysing economic expansion, enhancing the quality of public services, fortifying the scientific community and cultivating skills for future employment opportunities. The execution of the Strategy’s initiatives is intended to guarantee the responsible and secure development and application of AI in Serbia. The Strategy is aligned with the European Initiative on Artificial Intelligence, which outlines the European Commission’s policy framework in the field of AI. Preparations are underway for a new AI Development Strategy and Action Plan for the period from 2024 to 2030, with its adoption anticipated in mid–2024.
Action Plan for Artificial Intelligence Development Strategy (2020–2022) (the Action Plan) – Adopted in 2020, this Action Plan was designed to facilitate the operationalisation and realisation of the overarching and specific goals set forth by the Strategy.
Ethical Guidelines for Artificial Intelligence (March 2023) (the Guidelines) – The Guidelines provide a comprehensive framework for the safe deployment and utilisation of reliable and responsible AI in Serbia. They incorporate international standards, reflecting Serbia’s ongoing efforts to align its legislative framework with the legal acquis of the EU. The primary objective is to mitigate risks associated with AI systems, ensuring the preservation of freedom in action, thought and decision–making, while safeguarding rights and values. The Guidelines establish fundamental principles and prerequisites for trustworthy and responsible AI systems, including a self–assessment questionnaire for developers or users of AI systems, along with recommendations in line with the established principles. Additionally, the Guidelines delineate criteria for identifying high–risk AI systems.
Stabilisation and Association Agreement (the SAA) – Under the SAA between the European Communities and their Member States and Serbia, the Serbian Government has pledged to progressively harmonise its existing and future legislation with the European Community’s legal framework, which implicitly encompasses AI–related legal statutes.
The above documents collectively contribute to the evolving discourse on AI in Serbia, providing guidance and establishing a foundation for the ethical and strategic development of AI technologies.
There is no applicable information in this jurisdiction.
There is no applicable information in this jurisdiction.
There is no applicable information in this jurisdiction.
Even though Serbia’s legal infrastructure has yet to undergo comprehensive revisions to support advancements in AI — save for a limited provision within the RTSA, and certain general principles of the DPA, as mentioned in 1.1 General Legal Background — the Strategy lays the groundwork and offers preliminary guidance for the integration of such technologies in the foreseeable future.
With that view, the Strategy outlines a framework that suggests a trajectory for the country’s legislative evolution to accommodate and encourage the growth of AI, indicating a commitment to fostering this sector in the upcoming years. Explicit legislation amendments are envisaged for laws regulating procurement, discrimination, innovation and information, electronic administration and the set of laws regulating the field of education.
As mentioned in 3.6 Data, Information or Content Laws, a task force has been established within the Ministry with the responsibility of drafting specific AI legislation. The enactment of this law is anticipated in 2025. This group includes esteemed specialists from various areas, including two of Schoenherr’s experts (in the areas of IP and data privacy matters).
The primary objective of this legislation will be to institute a legal framework that oversees the development and application of AI within Serbia. The law will be intended to foster investment and innovation in the field of AI, while simultaneously establishing a harmonised market for the secure and reliable integration of AI systems. The SSA required Serbia to align both its current and future legislation with the acquis communautaire. Because of this, it might be expected that Serbia will synchronise its future domestic legislation with the EU AI Act.
While specific legislation is pending in Serbia, entities operating within Serbia may already find themselves subject to the provisions of the EU Act on AI under certain conditions, such as where Serbian companies intend to introduce AI systems into the EU market or when the outcomes generated by their AI systems are utilised within EU market.
At present, there are no judicial decisions concerning generative AI.
AI encompasses a variety of interpretations; however, judicial bodies would typically reference definitions from national strategies and regulatory documents. Within Serbia, specific legislation dedicated to AI is absent, but a definition is articulated in the Guidelines and the Strategy.
These strategic documents reference the definition from an independent expert group of the European Commission, whereby AI systems may be software–based, functioning in the digital realm – such as virtual assistants and recommendation systems, or embedded in hardware, like advanced robotics and autonomous vehicles. Although illustrative, these documents acknowledge the absence of a universally accepted AI definition at the time of their creation, prior to the EU AI Act’s adoption.
In comparison to existing Serbian regulations, the EU AI Act appears to provide a broader yet more precise definition of AI. In any case, it is reasonable to assume that Serbia will be further adjusting its legal system to the EU AI Act, including the AI definition.
Currently, there is no AI regulator in Serbia.
However, certain regulatory powers, which may relate to aspects of AI, are exercised by the Commissioner for Information of Public Importance and Personal Data Protection (the Commissioner), who is an autonomous governmental entity tasked with overseeing the enforcement of the DPA.
The Commissioner is empowered to supervise the evolution of information and communication technologies, commercial operations and additional practices pertinent to the safeguarding of personal data. Based on the wide supervising powers, the Commissioner is also entrusted with overseeing the processing of personal data within the context of AI.
Up to date, no fines or warnings have been issued with regards to AI–related data processing, and the Commissioner has not issued any specific AI guidelines.
There is no distinct regulatory body dedicated to the oversight of AI.
In the absence of an AI–specific regulator, the only regulator that currently oversees certain aspects of AI in Serbia is the Commissioner.
The regulatory aims of the encompass several goals that are linked to the safeguarding of personal data and privacy rights. These goals are essential for the assurance that personal information is managed with integrity and transparency, which is particularly pertinent in the context of automated processing of personal data, where the potential for misuse is significant.
To date, no enforcement or other regulatory actions have been taken in relation to AI in Serbia.
Serbia’s government has established two principal standard–setting entities:
In addition, the Ministry has formed a specialised working group dedicated to preparing the draft AI law.
International standard–setting bodies significantly influence Serbian law, particularly in aligning with standards from UNESCO, the EU and the Council of Europe. Serbia currently adheres to UNESCO’s Recommendations on the Ethics of AI, having contributed to its development. These recommendations have shaped the Guidelines.
The UNESCO Recommendations aim to ensure AI benefits humanity, society and the environment while preventing harm. The key principles of the UNESCO Recommendation have been incorporated in the Guidelines, including:
Further, the EU AI Act, with provisions on extraterritorial scope, could indirectly affect Serbia.
Finally, the Council of Europe’s Framework Convention on AI, adopted in May 2024, outlines a comprehensive approach to AI regulation, focusing on human dignity, autonomy and equality. Serbia, as a Council of Europe member, is subject to this convention.
The Strategy underscores the importance of revising extant regulations or creating new laws for AI use in all levels of government, including the judiciary and executive branches.
Adopting AI technologies in Serbia requires rapid digitisation and data systematisation. To date, the judiciary – including prosecutors and courts – and the public administration have demonstrated advancements in the establishment of user–centric e–governance as part of the ongoing reform initiatives. To integrate AI, Serbia has laid the necessary infrastructure, including the Law on Electronic Government, interoperable systems and digital transformation of administrative processes.
The eGovernment Portal is a major achievement, serving as Serbia’s central hub for electronic services for citizens, businesses and public administration. The portal facilitates a more efficient and transparent interaction between the citizens and state authorities.
In the judicial sphere, rapid digitalisation is also crucial for introducing advanced technologies. The integration of AI into law enforcement practices was proposed in the Draft Law on Internal Affairs and the Draft Law on Data Processing and Records in Internal Affairs. Although these drafts were retracted from the legislative process in 2022, they included provisions for the deployment of remote biometric identification systems utilising AI, through cameras installed in public spaces. The realisation of such biometric identification systems necessitates amendments to several ancillary statutes, such as the DPA. Given the controversies regarding RBI during negotiations on the EU AI Act between the EU Parliament and Council, the reach of local provisions on these systems will depend on domestic policy and potential amendments to the local framework.
So far, there have been no cases related to the use of AI in the Republic of Serbia.
Security services represent a particularly delicate area where AI can be deployed. The EU AI Act specifically outlaws the use of “real–time” remote biometric identification systems in publicly accessible spaces for law enforcement purposes, except under certain narrowly defined circumstances. Nevertheless, the deployment of AI within military or national security contexts is not currently governed by EU legislation, nor is it covered under the Guidelines. In fact, the introductory sections of the Guidelines acknowledge that their provisions may be limited or not applicable in scenarios pertaining to the defence and security of Serbia.
The Guidelines delineate more than ten categories of AI technologies that could potentially exert a manipulative or detrimental influence, either on individuals or society at large. High–risk categories include, but are not limited to:
Despite the potential risks associated with these systems, security agencies, such as the Security Information Agency (BIA) in Serbia, are not classified as high–risk systems under the Guidelines.
According to the Information Security Act (the ISA), Serbia has established a co-ordination body responsible for information security matters. The Act also provides for procedures in the event of significant information security breaches that could jeopardise the defence of Serbia.
The advent of generative AI technologies triggered significant challenges for IP law. One of the primary issues pertains to the utilisation of copyrighted materials for the training of generative AI systems. Generative AI systems are designed to produce content in response to specific prompts, drawing upon extensive databases that aggregate billions of images and texts sourced from the internet. Consequently, generative AI depends on the creative works of humans, utilising such art without the consent of the copyright owners and combining elements of these works without attribution or respect for the creators’ moral rights, thus potentially violating their IP rights.
Furthermore, the capability of generative AI to rapidly produce large quantities of text and imagery, raises questions regarding the applicability of IP rights to the outputs generated by AI.
In the context of Serbian law, these IP challenges have not been explicitly addressed. The CA presents a restrictive framework: it lacks provisions for exceptions related to training purposes, and the legal definition of copyright work does not encompass AI–generated content.
In addition to IP concerns, generative AI technologies also pose ethical dilemmas, particularly in relation to the creation of deceptive content. A cornerstone of the DPA is the challenge to comply with individuals’ privacy rights such as the right to rectify incorrect or false information. Another challenge is adhering to the data minimisation and purpose limitation principle when training the AI system, especially if such system is trained on vast amounts of data scrapped from the internet, in event of which full compliance with privacy rules is not possible unless certain exceptions are adopted.
The rapid expansion of AI over the past few years raises complex IP related questions. Already, it is evident that existing IP laws are not compatible with the new virtual reality where the creative process is shifted from humans to a machine. Applying IP principles to AI triggers various questions, problems and uncertainties.
When it comes to use of copyrighted materials for training purposes, the current legal landscape in Serbia does not support the AI training process. Generally, most copyright legislation around the world, including the CA, envisages that the use of copyrighted materials in certain manners requires the prior consent of the author, and the author is entitled to adequate compensation for such use. Typically, there are certain exceptions to this rule, where certain interests override the standard consent and compensate rule, and most laws contain certain statutory exemptions for such scenarios.
However, Serbian legislation lacks a provision like the “fair use” doctrine or other comparable exemptions that would facilitate the use of copyrighted materials for AI training without the copyright holder’s consent. The CA contains very limited statutory exemptions, all of which are confined to the non–commercial use of copyrighted materials. Consequently, entities engaged in the training of AI models in Serbia, through the selection of datasets and the execution of the training process, may find themselves liable for copyright infringement if the training datasets incorporate copyrighted materials. Potential infringement proceedings could result in liability for AI providers, with copyright holders having the right to demand the removal of infringing copies and seek damages.
That said, Serbian law does not currently impose a transparency obligation with regards to copyright materials, and AI providers in Serbia are not mandated to disclose the materials utilised for training purposes. While the recently enacted EU AI Act stipulates that general–purpose AI systems and their underlying models must adhere to specific transparency obligations, including compliance with EU copyright law and the publication of detailed summaries of the training content, no analogous requirement exists in Serbian legislation or strategic documents. Given these conditions, unless the output produced by the AI incorporates elements of the original dataset, it is improbable that an author could recognise their work within the training dataset.
The draft of the new CA is prepared, although there is no indication when the new law might be adopted. The new law was prepared with the aim of further harmonising Serbian copyright legislation with EU law. The pending draft CA does not, however, include the “text and data mining” exception introduced by the EU Directive 2019/790 (ie, the Digital Single Market Directive).
Finally, on the output side of the AI process, content generated by AI, either autonomously or with limited human involvement, does not qualify for copyright protection. The CA adheres to a traditional definition of a copyright work, whereby “a work of authorship is the author’s original, spiritual creation, expressed in a certain form […]”. This definition necessitates that the work originates from the author and reflects the author’s personality, spirit and intellect. Consequently, works produced by AI do not meet the criteria for protection under the current Serbian copyright regime. That said, it yet remains to be seen whether certain works created with the assistance of AI will nonetheless meet the protectability criteria, and if so, what is the necessary level of human involvement in the creative process to ensure a work is copyrightable.
Regarding the rights of data subjects in the context of automated processing, including AI–driven data processing, there are no deviations from the DPA or any specific regulations, rules or guidelines that would otherwise apply.
Under the GDPR and the DPA, users of generative AI models, such as ChatGPT, Gemini or others, are afforded rights to request the correction of inaccurate personal data or the deletion of their personal data that has been used in AI training. Such requests can be made under certain conditions; for example, if the use of personal data for model training lacked a proper legal basis or if the data subject has retracted their consent for data processing. However, how generative AI providers might comply with such requests remains unclear.
The GDPR principles of data minimisation and purpose limitation, which are also reflected in the DPA, are particularly relevant. The principle of data minimisation dictates that only data that is adequate, relevant and limited to what is necessary for the intended purposes should be processed. The principle of purpose limitation requires that the collected data not be repurposed in a manner incompatible with the original collection purpose. While compliance with these principles is conceivable for other automated processing activities, it is challenging to ensure adherence in the context of training generative AI models.
Generative AI models are often trained on extensive datasets obtained from the internet, including social media, which inherently contain various types of personal data. In Europe and Serbia, there are no exceptions for using data that individuals have published themselves, due to the principle of purpose limitation. Consequently, the training of most generative AI models likely violates the principles of data minimisation and purpose limitation, as the reuse of scraped data for different purposes contravenes the principle of purpose limitation.
Therefore, entities developing generative AI in Serbia could potentially face regulatory actions, such as orders to delete training datasets or the imposition of fines, unless specific derogations from the current rules in the DPA are introduced.
AI is rapidly transforming the legal landscape in Serbia, mirroring a trend witnessed globally. As in other jurisdictions across the world, AI is being intensively discussed among industry experts as it integrates into the practice of law.
While leading legal AI tools haven’t been trained on Serbian language laws or case law, the biggest law firms in the market leverage them to boost efficiency in specific tasks. However, the effectiveness of these tools remains limited. This is due to Serbia’s lack of comprehensive, structured legal data, which is crucial for training and applying these tools effectively in jurisdictions where they excel.
This gap is being addressed by some Serbian experts who are developing local AI tools, but their widespread adoption is yet to come. Law firms in Serbia, including Schoenherr, employ platforms like Henchman, DeepJudge, Spellbook, Harvey, CoCounsel and Lexis AI to automate and enhance various legal services. Serbian licensed lawyers who use AI tools remain liable for the output and are expected to uphold the same professional standards as with traditional, non–AI–enhanced services. This includes maintaining client confidentiality, actively supervising the AI’s outputs, and ensuring that all data is accurate and complies with legal standards.
The possibilities of integrating AI into the legal sector extend beyond mere assistance to legal professionals and encompass the development of advanced technologies capable of autonomously delivering legal services. This includes, but is not limited to, the deployment of legal chatbots, automated document drafting systems and other similar innovations. Some of these solutions are being currently developed by startup companies in Serbia.
Nevertheless, such application of AI within the legal domain is not without its challenges, particularly concerning ethical considerations, liability issues and potential conflicts with existing legal framework. The SC explicitly provides that the provision of legal assistance is a prerogative reserved for qualified legal practitioners. Furthermore, the CC criminalises the act of offering legal services by individuals who lack the requisite qualifications, labelling it as legal malpractice. In light of these issues, the substitution of human lawyers with AI–driven legal service tools appears, at least on the surface, to be in direct conflict with the regulatory statutes governing the legal profession in Serbia, as well as the SC.
The integration of AI in legal practice therefore raises several ethical concerns:
With regards to the above, in Serbia no specific legislative measures have yet been instituted to direct the application of AI in the practice of law in a manner that is permissible, ethically sound and addresses the consequences of overreliance on AI. The Serbian Bar Association has not publicly deliberated on this matter to date. Meanwhile, the Ethical Code of the Legal Profession (the ECLP) remains relevant, as it prescribes the general rules requiring lawyers to, at all times, act competently, diligently and responsibly.
One of the key challenges when it comes to the use of AI technology is certainly the liability in situations where the used AI causes damage. The complexity of AI systems obscures the clarity of their decision–making processes, thereby making it very difficult to establish a direct causal relationship between the actions of an AI and consequent damages.
Presently, the “dilemma” lies in the choice between adopting a (quasi)contractual framework or an objective liability model for addressing damages attributable to AI. The proposal for a directive of the European Parliament and Council on adapting non–contractual civil liability rules to AI (AI Liability Directive, or AILD) envisages a risk–based approach to AI liability, wherein the degree of liability correlates with associated risk level of the AI system in question. The AILD envisages an “objective” liability regime for high–risk systems, assigning accountability to developers and operators for harm that arises from these, regardless of fault or negligence.
In parallel, the existing Product Liability Directive (the PLD) similarly establishes a “no–fault” or “objective” liability for harm stemming from product defects. Significantly, the PLD acknowledges software as a product, thereby extending its purview to include software–related liabilities. The PLD also introduces the concept of “assumption of causality” between the software and the incurred damages, thereby easing the burden of proof for plaintiffs in damage compensation claims.
In Serbia, the rules governing liability and damage compensation are laid out in the CTA, which defines damages as the diminution of one’s property (ordinary damage), obstruction of its potential augmentation (lost profit) or infliction of physical or emotional distress (non–material damage). However, given the theoretical perspectives and the challenge of directly attributing damages to AI, the practicality of proving such damages in legal or dispute resolution forums remains uncertain. The CTA acknowledges “objective” or “no–fault” liability in very limited cases, such as harm caused by hazardous objects or activities.
The CTA’s alignment with the PLD – and potentially with the AILD, once adopted – seems inevitable in the future.
To date, no regulations have been proposed on the imposition and allocation of liability in relation to AI in Serbia.
As of now, there have been no specific regulatory measures enacted or proposed to govern bias within AI systems. The absence of such regulations means that the standard legal framework, such as the rules contained in the CTA with regards to damage compensation, the general principles of the Discrimination Prohibition Act demanding that persons in Serbia are equal, enjoy equal status and equal legal protection regardless of personal characteristics, and a variety of other specific laws (laws on education, laws on youth, employment regulations and many others that contain anti–discriminatory provisions) are applicable.
Despite its significance, the DPA does not comprehensively address various privacy concerns associated with AI, leaving practitioners with unresolved issues concerning the development and deployment of AI technologies.
Privacy issues related to AI can be distilled into two fundamental categories: input–related and output–related issues.
Input–Related Privacy Issues
Issues concerning input-related privacy issues include the following:
Output–Related Privacy Issues
Issues concerning output-related privacy issues include the following:
The necessity for AI–specific privacy regulations in Serbia is evident, as they would provide a more nuanced approach to balancing the relevant interests. Moreover, the absence of AI–specific cybersecurity regulations within local legislation underscores the need for targeted amendments that address specific challenges posed by AI technologies.
The DPA encompasses a broad definition of biometric data, which is identified as personal data that is derived from specific technical processes related to physical, physiological or behavioural attributes of an individual. Such data facilitates or allows unique identification of the person, including but not limited to, facial imagery or fingerprint data. The critical aspect of this definition is that the data need only provide potential for identification, rather than conclusively verifying that individual’s identity. Consequently, a variety of facial recognition technologies that utilise facial characteristics capable of distinguishing an individual’s face may be classified as biometric data under the DPA, particularly when combined with other personal information.
Should such data be processed without explicit consent of the individual, it would constitute a breach of the DPA. Furthermore, even if it were argued that a particular dataset utilised for facial recognition does not constitute biometric data, the preparation of a Data Protection Impact Assessment (DPIA), along with the prior consent of the Commissioner, is arguably a prerequisite. The Commissioner is allotted a 60–day period to review and provide feedback on the DPIA submissions. During this time, data controllers are prohibited from initiating any processing activities that involve their facial recognition systems.
In the event that data controllers engage in the processing of such data without obtaining the individual’s consent or without conducting a DPIA and receiving the regulator’s approval, they may be subject to penalties.
In Serbia, informed data controllers are generally hesitant to implement systems that utilise biometric data, while the Commissioner currently has a rather conservative approach on this matter. As a result, it rarely endorses the use of biometric data or facial recognition systems.
Conversely, many technology developers continue to employ facial recognition technologies, often without recognising that such data may indeed be categorised as biometric data under the DPA. This oversight is particularly prevalent when the facial recognition data is not associated with other personal identifiers, such as the individual’s name.
Many firms in Serbia already utilise AI and automation to enhance efficiency and reduce costs. While broader regulations in Serbia are lacking, the DPA governs a specific aspect – automated processing, as already elaborated on in 11.3 Facial Recognition and Biometrics. The GDPR and the DPA safeguard individuals against solely automated decisions that have significant impacts, allowing human intervention and right to challenge such decisions.
Current laws in Serbia only address decisions made without human input, neglecting those with minimal human involvement. Responsibility for damages caused by automated decisions – whether it falls to AI developers, deployers or others – is an unresolved issue in the evolving AI world.
AI technologies can analyse vast datasets to predict and influence consumer choices. This is prevalent in sectors like retail and banking, with companies such as Zara, Wolt and Raiffeisen Bank utilising chatbots.
In Serbia, there are currently no specific legal regulations governing chatbot usage. In particular, no regulation contains an obligation for companies to inform consumers and users that they communicate with a chatbot.
However, the Guidelines do provide principles that suggest the need for transparency, including indirect guidance on consumer manipulation prevention. The transparency principle requires AI systems to be designed and operated in a manner that ensures traceability and explainability, and that users are made aware when they are interacting with AI.
In addition, the DPA mandates transparency when collecting data for automatic decision–making or profiling. Data controllers are required to issue privacy notice to individuals before processing.
Price–setting in the era of computer algorithms has been a topic of interest in the antitrust community for a long time, with the rise of AI technology introducing important new elements to the discussion.
Using classic, human–informed algorithms for the purposes of collusion can be relatively easy to fit in the traditional frame, as it usually assumes some sort of actual agreement between competitors. However, price–setting using AI technology can occur without any human conspiracy whatsoever, given that algorithms can now learn about the market environment and principles, as well as learn to collude on their own – all that at a much–higher operating speed than humans. Therefore, AI as a tool could hypothetically reshape the notion of price fixing, in the sense of at least widening the interpretation of agreement to collude as its core element, including edges of the tacit collusion concept.
As for Serbia, given the increasing use of AI in the everyday landscape of numerous industries, shifts and developments are expected on all fronts – including academia and legislation, as well as antitrust enforcement.
AI technology introduces a range of novel risks that should be considered and addressed in contracts between customers and AI suppliers. As AI systems become more integrated into business operations, contracts must evolve to reflect specific challenges posed by these technologies – including IP concerns, liability, performance standards, data privacy, security and ethical considerations.
As for Serbia, there is no established market practice yet when it comes to adequate contractual clauses ensuring that both customers and suppliers are protected.
The progress of AI in HR processes offers cost–saving advantages by automating tasks such as recruitment, promotion and employee monitoring. However, these systems are not infallible, as they depend on the data they are trained on. Biased data can lead to biased outcomes, as seen in instances like Amazon’s AI recruitment tool, which showed a preference for male candidates. Such biases can expose employers to discrimination claims, although Serbian case law indicates that courts may award lower damages for discrimination.
In Serbia, courts are known to favour employees, making it easier for them to challenge dismissals based on AI–determined under–performance. This contrasts with the EU, where the EU AI Act classifies employment–related AI systems as high–risk, imposing stringent regulatory requirements on their providers and users. Although Serbia is not an EU member and the AI Act does not apply, the Guidelines recognise the high–risk nature of employment AI tools.
The deployment of AI in HR has the potential to revolutionise employer operations, but also entails potential risks to employees.
Advancements in AI have significantly enhanced the ability to monitor employee activities and analyse vast amounts of data. Wearable devices are increasingly used to track workers’ movements, work pace and breaks in real–time.
In Serbia, employee monitoring extends beyond manual labourers to include white–collar professionals, particularly with the rise of remote work during and after the COVID–19 pandemic. Common monitoring methods for office workers include screen capture software, keystroke logging, CCTV, conversation recordings, email surveillance and more. In some cases, such as an automated warehouse in Serbia, technology not only streamlines operations and reduces costs but also enables more effective employee supervision. Employers also use tracking systems for disciplinary actions, including termination, should proceed with caution, due to courts often siding with employees.
Furthermore, employers must adhere to privacy laws by providing privacy notices, conducting Legitimate Interest Assessments (LIA), and completing DPIA. Monitoring cannot commence without approval from the Commissioner, while non–compliance may result in fines, cessation orders and data deletion orders.
AI plays a significant role in digital platform companies, where several Serbian companies (such as the food delivery companies Wolt and Donesi.com) already rely on AI. Companies employ AI to substantially enhance the user experience, streamline their operational processes and elevate overall efficiency.
However, the use of AI in these sectors also raises regulatory considerations, such as algorithmic accountability, data privacy and data security, transparency and consumer manipulation prevention.
Major banks in Serbia are implementing AI solutions for customer service, fraud and cyber–attack prevention, data management and operational streamlining. For example, Raiffeisen Bank employs the Rea chatbot to assist customers with queries and transactions, improving customer interaction and support. OTP Bank Serbia is leveraging AI to replace traditional call centres with AI–driven systems, enhancing response times and service quality.
Presently, the financial services sector in Serbia operates without specific regulatory frameworks or statutory provisions governing the deployment of AI technologies. The absence of direct oversight leaves uncertainty regarding the position that regulatory bodies, such as the National Bank of Serbia and the Serbian Securities Commission, may adopt concerning the utilisation of AI. Said regulators are generally known for their conservative philosophy wherein activities not expressly authorised are presumed to be prohibited. This cautious approach could significantly influence the stance of supervisory authorities towards the adoption and integration of AI by financial institutions.
To date, there are no specific regulations that govern the application of AI within the healthcare industry in Serbia. There is a pressing need for the creation of adaptable regulatory frameworks, particularly in niche markets and specific domains, to allow the experimental deployment of AI–driven innovations and business models within a controlled environment.
The Strategy identifies the healthcare system as a pivotal area for the advancement of AI technologies. This strategic focus underscores the sector’s importance in the national agenda for AI proliferation.
Automated vehicles are gaining traction globally, with Tesla, Waymo, Nissan and General Motors leading the charge. In Serbia, Rivian introduced this technology by establishing a R&D centre in 2022. This prompted significant legislative updates to accommodate the development, testing and deployment of autonomous vehicles.
As mentioned above, in 2023 Serbia amended the RTSA to establish a legal framework for autonomous vehicles. Key changes include:
In December 2023, the Serbian Government further refined these regulations with a new decree outlining the conditions for autonomous driving.
Serbia’s current legislation does not specifically address liability for autonomous vehicles, as their use is currently restricted to testing with a ministry–issued permit. The AILD suggests a risk–based liability approach, with strict liability for high–risk AI systems. Further, the CTA covers general liability, including strict liability for dangerous activities or products, where cars are generally considered dangerous products. The EU’s evolving regulations may influence Serbia’s future legal framework.
The ISA and DPA govern cybersecurity, relevant to autonomous vehicles.
Data privacy for autonomous vehicles falls under the DPA, which mandates adherence to personal data collection, processing and protection standards.
Finally, Serbia aims to align with global standards through development of a Connected and Automated Mobility (CAM) Network, which leverages 5G technology to facilitate vehicle communication and infrastructure integration.
Serbian regulations pertaining to product safety encompass a range of laws, regulations and standards which are, to some extent, harmonised with EU legislation, aimed at protecting consumers and ensuring product safety in the market. The two key acts are the General Product Safety Act (the PSA) (prescribing basic safety requirements for products available on the market, as well as obligations and withdrawal procedures) and the CPA (ensuring consumers’ rights). Additional specific regulations pertain to certain types of products, such as toys, medical devices, cosmetics products and others.
None of these specifically mentions or regulates AI, but general principles contained therein may be applied to AI products as well – such is the case of production of chocolate by Barry Callebaut in Novi Sad, whose owner is a Swiss company with automated production, known for the use of AI tools, like Lisa, for chocolate printing.
Depending on the industry, specific sectors have specific regulations governing liability, including the standard of care. For example, legal professionals must adhere to ethical and legal standards as mandated by the ECLP, which includes client service obligations, confidentiality, liability and professional responsibility, client consent and disciplinary actions. The ECLP also outlines principles of general liability, leading to mandatory liability insurance. Similar specific regulations are in place for other professions (in the medical, pharmaceutical and notary sectors, etc).
In the absence of AI–specific regulations, the above–described general framework will apply to specific professionals when they use AI to provide professional services.
Works of copyright in Serbia enjoy protection from the moment of creation (ie, there is no registrability requirement). Therefore, there are no, nor would one expect to see, agency decisions regarding copyright works.
When it comes to patents, there are currently 40 pending patent applications before the Serbian Intellectual Property Office (the IPO) concerning AI. The applications have been filed in a period between 2017 and 2023 and relate to inventions based on AI technology, ie, “computer implemented inventions”. None of the patent applications lists AI as the “patent owner” or “inventor”. So far, none of these has resulted in a registered patent – with the patent examination phase pending, the position of the IPO regarding AI–assisted inventions and the patentability of those remains unclear. That said, the general view of the academic society in Serbia is that using AI in connection with an invention does not preclude obtaining a patent for that invention.
Considering that works generated by AI cannot qualify for copyright protection at present, protection through alternative routes is often discussed, and in particular on the basis of trade secret legislation and confidentiality contractual provisions.
The Trade Secret Act (the TSA) allows protection for information that is secret due to not being generally known or easily accessible and has commercial value. For the trade secrets to enjoy protection, the person holding it must have “taken reasonable measures to preserve its confidentiality”. The information protected as trade secrets include, for example, knowledge and experience, business information and technological information. Accordingly, the TSA has the potential to cover much broader subject matter than traditional IP and is generally more flexible than copyright or patent law (for example trade secret protection does not require prior application or registration, is not limited in duration but can last as long as the information is kept a secret, etc). In the context of AI, the TSA can be useful in protecting AI–related information and materials intended for internal and confidential use and others.
In addition to statutory protection of confidential information on the basis of the TSA, it is a market standard in Serbia to include appropriate contractual confidentiality clauses in all arrangements concerning AI – such as non–disclosure agreements at the early development stage, broad confidentiality clauses in the employment and co-operation agreements, as well as appropriate confidentiality undertakings in all other agreements. While it is difficult to assess the exact scale of businesses relying on trade secret protection, one may assume that most AI–related materials currently developed in Serbia are being protected (also) through trade secret and confidentiality clauses.
Serbia is a country from the continental legal tradition. Serbia’s IP laws are generally considered to stem from the droit moral French law, commonly considered to originate in the culture of Western European Romanticism which idealised the creative individual as being uniquely invested with the power and mystique of the original genius. The non–pecuniary interest that an author has in his/her work, encapsulated within the scope of “moral rights”, was transposed into Serbian law, shaping the basic IP concepts and the logic behind IP protection.
This legal logic is evident in a number of other features of the Serbian IP law today, including the somewhat romantic notion of the author. Based on the already discussed definition of “copyright work”, it is evident that Serbian law is predicated on the notion of an author as a unique individual whose spirit and personality are encapsulated in his/her work.
It is a common opinion among experts that the current definitions of author, originality and copyright work cannot be reconciled with the modern AI creativity, and that “stretching” the IP law to cover AI–related subject matter might require fundamental changes to IP laws. However, at present, in Serbia, there are no initiatives or even considerations to amend the existing IP laws to specifically allow protection for works generated by AI.
OpenAI faces the same IP challenges common to generative AI, including issues with training material use and AI–generated content’s protectability. Legal proceedings in the USA, including those by The New York Times and others, highlight these challenges. OpenAI’s latest model, Sora, a text–to–video generator, adds complexity due to its use of internet–sourced training data, potentially infringing IP rights. Under Serbian law, such use without consent would likely be deemed infringement.
The liability for IP infringement in AI spans developers, providers, customers and users, with courts yet to clarify the application of copyright laws to AI training. Questions of liability, exceptions, compensation and potential destruction of infringing AI outputs remain unanswered. Sora’s use of trademarks, designs and potentially sound elements in videos raises new IP concerns, although OpenAI aims to mitigate these through licensing and contractual agreements.
Regarding authorship, Serbian law recognises only natural persons as authors, casting doubt on copyright protection for AI outputs. While OpenAI assigns rights to the content to users, the enforceability of copyright for such content is uncertain.
AI tools have the ability to process and analyse data at a scale and speed that far exceeds human capability, which allows for real–time insights into market trends, financial forecasts, risk management and operational efficiency. AI can also help in reducing biases that human directors might have, potentially leading to more objective decision–making. Moreover, AI can be available around the clock, providing constant monitoring and analysis.
Currently, there are only few examples of AI acting as “robo–director” in the world (such as VITAL, Alicia T and Einstein). However, AI tools are being used worldwide, as well as in Serbia, to support human directors by providing enhanced analytics and decision–making support.
Implementing AI best practices requires a holistic approach that addresses technical, ethical, legal and operational challenges. To ensure the successful adoption of AI technologies, key issues to be considered are:
As notable from the general overview of Serbia’s current position and as summarised in this paper, it is evident that a substantial portion of identified challenges have been confronted with a degree of diligence. The key area which requires further adjustments, as shown above, is the broader legal infrastructure which requires comprehensive legal reforms to address AI–specific aspects.
Finally, do note that this paper addressed various non–legal matters related to AI. Given the rapid evolution and considerable complexity of these fields, the descriptions and statements may become outdated quickly as new advancements occur.
Bulevar vojvode Bojovića 6-8
RS-11000
Belgrade
Serbia
+381 11 320 26 00
+381 11 320 26 10
office@schoenherr.rs www.schoenherr.rs