Ukraine: Transfers of personal data from the EEA to Ukraine in the post-Schrems II era
Ukraine is not yet recognised as a jurisdiction providing an adequate level of protection in terms of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This means that any cross-border data transfers from the EEA to Ukraine are possible only based on appropriate safeguards, for example, Standard Contractual Clauses ('SCCs') or Binding Corporate Rules. Sofiya Brutsyak, Junior Associate at ETERNA LAW, provides an overview of the considerations to take into account when transferring data from the EEA to Ukraine.
Until recently, the rule of thumb for any company intending to transfer data from the EEA to Ukraine was to make sure of two things: firstly, that a data recipient is a reliable counterparty; and secondly, that an appropriate safeguard is in place (such as signed SCCs).
However, the landmark Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') made cross-border data transfers to 'non-adequate' jurisdictions, including Ukraine, even more complex and unclear. In particular, the Schrems II Case has required all companies to conduct individual assessments of each such transfer and of the law and practices of the recipient country.
To help exporters with such an assessment, the European Data Protection Board ('EDPB') adopted the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data version 2.0 ('the EDPB Recommendations').
Such recommendations are, currently, the key guidance for all data transfers from the EEA countries to Ukraine.
The EDPB Recommendations
The EDPB Recommendations provide a step-by-step toolkit for data transfers to 'non-adequate jurisdictions' to ensure their security and reliability. The toolkit consists of the following steps:
- Step 1. Knowing your transfers.
- Step 2. Verifying the transfer tool in accordance with Article 46 of the GDPR if there is a transfer to a 'non-adequate' jurisdiction.
- Step 3. Assessing the law and the practices of the third country recipient.
As part of the compliance assessment of the transfer, the EDPB recommends assessing the nature of the data transfer as well as the law and the practices of the third country recipient. If any issues are revealed, an exporter must evaluate whether they can have an impact on the security of the transfer.
Assessing Ukraine's Personal Data Protection Law
Following the EDPB Recommendations, it is necessary to assess whether the law of the data recipient's third country provides anything that may affect the reliability and effectiveness of the transfer tool you rely on. It is especially important to focus on the laws governing the access of public authorities to personal data.
Currently, the Ukrainian legislation does not provide an equal level of personal data protection in comparison with the GDPR. At the same time, no major concerns were revealed while analysing how Ukrainian state authorities may de jure require access to the personal data of individuals.
According to the Law of 1 June 2010 No. 2297-VI on Personal Data Protection (as amended) ('the Personal Data Protection Law'), processing of personal data can be carried out for specific and lawful purposes, if there is data subject consent, or in cases provided by the laws of Ukraine.
Transfers of personal data without data subject consent are allowed only if prescribed by law and only if necessary for the interests of national security, economic welfare, and human rights, for example, upon the request of law enforcement agencies during the performance of search and counterintelligence as well as counter-terrorism assignments.
The biggest drawback is that Ukrainian legislation does not implement the principles of proportionality and data minimisation, as well as some other important GDPR guarantees. So, it is still possible that state authorities may acquire access to personal data on legal grounds but the volumes of data processed will not follow the principle of 'what is strictly necessary' as required by the GDPR.
Practices of public authorities concerning personal data processing
The Ukraine Parliament Commissioner for Human Rights ('the Commissioner') is authorised to monitor and control compliance with personal data protection legislation in Ukraine.
According to the Commissioner's annual report on the status of observance and protection of human rights and freedoms of citizens of Ukraine ('the Report'), published in 2020, the number of complaints about data protection violations has risen in comparison with previous years.
For example, in a recent case investigated by the Commissioner, some services of an application were available only if data subjects provided their consent for the processing of personal data, including in cases where it was not necessary. Based on the results of the inspection, the Commissioner recommended a review of the technical requirements for the electronic information system.
Therefore, many requirements set out by the Ukrainian data protection legislation are not de facto adhered to by state bodies and private entities.
Despite this, violations by state bodies are not systematic or severe, so we do not expect that practices of state bodies concerning personal data protection should impinge on the effectiveness of transfer tools. What is more, any person can make a complaint to the Commissioner, an independent supervisory authority, if his/her rights are violated and personal data is processed improperly.
Key considerations to make your transfer safe
What can be done to be on the safe side while transferring personal data to Ukraine?
The EDPB Recommendations offer a few solutions for exporters who have any doubts about the security of data transfers to any third country, such as:
- considering pseudonymising or encrypting your data, depending on which approach is effective for your purposes;
- minimising the volume of data to be transferred; and
- adopting strict internal policies concerning data processing and obtaining ISO certification for your company or group enterprise.
New rules for transferring data to Ukraine
The rule of thumb for companies transferring data to Ukraine has changed.
Now, companies must make sure of three things: evaluating a data recipient, ensuring the existence of appropriate safeguards in accordance with the GDPR, and looking specifically at the essence of each transfer and Ukrainian legislation that might relate to the data transfer.
No major issues are revealed in the Ukrainian data protection legislation or relevant practices of state bodies that might endanger the security of transferred personal data. The Ukrainian legislation does not allow silent surveillance (exceptions concern cases of permitted surveillance within criminal proceedings), and generally, the processing of personal data must be based on legal grounds in every case.
However, the Ukrainian legislation still does not provide an equal level of data protection in comparison with the GDPR. Besides that, the rules governing access to personal data are not quite precise.
In conclusion, it is necessary to evaluate each transfer, and if the transferred personal data includes, for example, sensitive data, or if its disclosure may result in high risks to the rights and freedoms of data subjects, it is highly advisable to implement supplementary measures and minimise the data transferred.
Sofiya Brutsyak Junior Associate
ETERNA LAW, Kyiv