How a Protest Activist Exposed Serbia's Airport Surveillance Free-for-All

Key Takeaways

• Serbia's data protection commissioner found that Belgrade's Nikola Tesla Airport gave border police, customs, and intelligence agency BIA access to its surveillance cameras without legally required data-sharing agreements.
• Because no agreements or written procedures were in place, the Commissioner could not establish who leaked activist Nikola Ristic's footage, since the cameras were accessible to an "unlimited number of people."
• The Commissioner ordered the airport to sign agreements with all three agencies in May 2025, and by April 2026 it had only signed one, with the BIA.
• Airport operator Vinci has not explained how unregulated access was permitted, when it was corrected, or what it has done to prevent a repeat.

A Tabloid, a Protest Activist, and a Leak That Was Always There

In November 2024, days after a railway station canopy collapsed in Novi Sad and killed 16 people, mass protests erupted across Serbia. Nikola Ristic, an activist who had taken part in those demonstrations, passed through Belgrade's Nikola Tesla Airport. The pro-government tabloid Informer published surveillance camera screenshots of him doing so, including his destination, his departure time, and his flight details. Ristic later confirmed that only his closest associates and agents from Serbia's intelligence agency, the BIA, knew his travel plans. The BIA had questioned him about them during a recent interrogation.

The Serbian Commissioner for Personal Data Protection launched an inspection of Belgrade Airport Ltd to find out how a tabloid ended up with that footage. And what the Commissioner found was very far from a one-time breach. The airport had given border police, customs, and the BIA access to its entire video surveillance system without signing the data-sharing agreements required under Serbia's Law on Personal Data Protection.

The Commissioner found the airport "did not undertake appropriate technical, organisational and personnel measures for the protection of personal data," with the result that Ristic's movements had been made available to an "unlimited number of people." Because there were no agreements and no written procedures, the Commissioner could not even determine who specifically had leaked the footage. The pipeline was too wide to trace.

A Year to Sign Three Agreements, and the Airport Only Managed One

In May 2025, the Commissioner ordered the airport to sign agreements with all three agencies to bring access to its cameras into legal compliance. By April 2026, Belgrade Airport informed the Commissioner it had signed exactly one agreement, with the BIA. Police and customs remained unregulated for nearly a full year after the order was issued.

When BIRN contacted the airport ahead of publication, the company assured them that everything was now in order. "The agreements that you are interested in are signed. Company Belgrade Airport is strictly following all regulations in its work," the airport told BIRN, without specifying when any of this had actually happened.

Belgrade Airport Ltd. has been operated by France's Vinci since 2018 under a 25-year government concession. Neither Vinci nor the airport responded to questions about whether any internal process had been launched to understand how unregulated access was permitted or what measures were being taken to ensure it could not happen again.

When "Unlimited Access" Becomes a Political Tool

The Commissioner's investigation concluded not only that the surveillance infrastructure in Belgrade Airport was real but also that it was so poorly governed that anyone with access could have done it, and the airport had no way of knowing who did. In a country where journalist attacks surged 367% in 2025 with minimal consequences, this kind of conveniently untrackable access is exactly the environment that political targeting requires.

The Serbian state has a data protection law on the books. What it apparently does not have is any mechanism for enforcing it against itself or any appetite for asking uncomfortable questions about a system that has been very useful to certain people.

So, you know, if you're flying through Belgrade and you'd like a little more distance between your movements and whoever has access to the whole surveillance infrastructure that day, just make sure to first get Mysterium VPN (now with 82% off). It may not protect you from the cameras, but I'd bet the security risks are not limited to just them.