Ukraine: Trends in data protection
In Ukraine, the Law of 1 June 2010 No. 2297-VI on Personal Data Protection (as amended) ('the Law') was adopted in 2010 and has changed little since. In general, it reflects the key principles established by its predecessor, the Data Protection Directive (Directive 95/46/EC), in terms of, inter alia, consent, the definition of 'personal data,' and the obligation to inform data subjects of the rights they can claim and enforce. At the same time, some of the approaches the Law has carried into the 2020s have come to be considered an unreasonable burden on the data protection authorities. Kateryna Dubas, Head of Privacy at Legal IT Group, provides an introduction to the current privacy framework in Ukraine and explains how potential reform and other recent developments may affect its application.
The overhaul of the national data protection law
The Law is backed up by corresponding provisions in other laws and bylaws, some of which prescribe mandatory forms or wording. For instance, the exact wording of the consent that most state-owned institutions (e.g. universities) or heavily regulated institutions (such as banks and financial service providers) present to their service recipients mimics the guidance text issued by the Ukrainian Parliamentary Commissioner for Human Rights ('the Commissioner') or ministerial decrees, potentially leaving laypersons confused. Instead of listing the bodies to which data are disclosed and the cases of disclosure, or the exact list of processing operations, as the Law requires, the authors of the consent notice usually fall back on the language of the Law itself. 'Simple and plain, data subject friendly' consent policies are usually found on the software landing pages run by small to medium-sized enterprises ('SMEs') or tech-savvy companies that use their websites and apps as effective marketing tools. Such companies accept some (usually minor) risk of oversimplifying the consent process (compared with the usage adopted on the market) in order to make it easier for users to understand and to counter the suspicion that an exhaustive, detailed consent policy can raise in the mind of the average consumer.
Among the issues that privacy experts raise when describing the national law, they usually point to the lack of proper guidance issued by a competent authority. Apart from the 'Typical procedure for processing personal data,' an order of the Commissioner issued in 2014, the Commissioner has made no large-scale attempt to summarise and explain the rules (leaving aside case-by-case Supreme Court decisions and the recommendations given at the request of individual applicants). Other areas in need of improvement include the consent procedure, the right to have data deleted (which currently needs to be upheld by a court decision or the Commissioner), the right to data portability, and the need for an exhaustive list of the rights and obligations of data controllers and data processors.
With its sometimes confusing cross-references to the Law and the separate, patchwork-like data protection provisions of industry laws that often do not follow the general framework established by the Law, the data protection framework as a whole can be considered rather outdated. At the time of publication, a bill to amend Ukraine's data protection legislation ('the Bill') is under debate. Given that Ukraine is committed to honouring the promises made in the EU-Ukraine Association Agreement, privacy professionals are waiting for a complete overhaul of the Law to harmonise it with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Taking into account the range of services that Ukraine-based IT firms offer to clients in the EU and USA, an adequacy decision by the European Commission with respect to transfers of personal data to Ukraine for processing is a deeply desired outcome of the Bill.
Increased complexity of data flow maps: cross-border laws applicable in Ukraine
Sometimes the most difficult task any compliance officer faces is identifying all the applicable laws. Data protection laws are no exception to this rule.
National laws are checked first. But as markets are entwined, the compliance project does not end when the newest bylaw has been found and learnt. Even though a company is registered and operating in Ukraine, technology companies as well as more traditional ones need to check whether any foreign laws have extraterritorial reach. The GDPR and, more recently, the California Consumer Protection Act of 2018 ('CCPA') are common examples of such laws.
A company officer may be surprised when the applicability audit reveals that the company should take steps to comply with foreign privacy laws. Many international organisations with a marketing department engaged in market expansion (in the tech world, these are mostly product companies and large outsourcing companies) suspect or know that the privacy laws of the target market have to be taken into account. However, the GDPR also reaches sales ('cold calls' are a common example), human resources (processing the CVs of European applicants), customer relations (customers' requests to delete their data), and IT support (Privacy by Design, Privacy by Default, data migrations). Beyond its purely domestic tasks, each department therefore plays its part in ensuring that the processing of EU data runs smoothly and efficiently.
Many compliance officers decide to comply with the strictest legal framework in order to cover the cross-border applicability issue. This is often the case with the CCPA which, while considered similar to the GDPR, can be incompatible with solutions that would otherwise have been considered necessary to comply with the GDPR. It is usually commercial reasonableness that determines how the two compliance projects are divided, nudging the company to merge them where possible.
While thorough, GDPR compliance will likely not meet the benchmark for compliance with the laws of Australia, Israel, or Singapore. This compliance jigsaw puzzle usually gives rise to several regular risk management exercises and is accounted for as legal compliance expenditure. However small the risk of a fine, it is reputation that urges the top management of Ukrainian companies to follow suit. Even though all the processing is carried out within Ukrainian borders, the company is inevitably a link in the chain of processing operations and can attract unwanted attention from data protection authorities or hackers. For a client, the risk of being fined for a supplier's lack of compliance is high enough to justify looking for another supplier. While de jure no pressure is applied (yet, at least), de facto companies do their best to meet the requirements of international privacy laws.
Fear of tightened state grip and mass surveillance
It is just a matter of time before GDPR-like standards are transposed into the Ukrainian legal playbook. Nevertheless, many privacy experts share the apprehension that the government may consider setting up mass surveillance programmes or, at least, start building the infrastructure to filter data flows within the state territory on a large scale.
After the judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), more companies have turned their attention to the supplier controls they have in place and are asking whether Ukraine is a safe jurisdiction to entrust with the data they control. In short: no mass surveillance schemes are (at least officially) in place, and the procedural codes require enforcement bodies to demonstrate a compelling need for the intrusion into each particular third party's privacy before a judge of the competent court will issue a warrant enabling the police or security service to seize metadata (and, usually, a separate warrant to gain access to the contents of the communication).
To dispel qualms, Ukrainian sole traders and SMEs usually produce a document from their sales toolkit explaining the applicable laws and the privacy practices they adhere to. Alternatively, they can undergo an automated compliance programme or fill in a questionnaire produced by the European client. Ukrainian agents can also provide the prospective client with a description of the technical specifications of the safety and security measures taken to meet the requirements of the foreign law.
Threatening trends are, however, in the air. Several new bills have recently been registered that aim to amend the Law of Ukraine on Telecommunications of 18 November 2003 No. 1280-IV so as to compel national telecommunication companies to retain their customers' metadata, which raises questions from human rights watchdogs and technology neutrality advocates. Needless to say, metadata matched with other data, if not per se, can become personal data, making these companies some of the largest data stewards and, arguably, an invaluable instrument through which surveillance measures of any kind could be imposed. The absence of limits on the authorities' discretion, or of a precise procedure specifying the purposes for which access to the data must be granted, for how long, and to which authorities (including limits on onward transfer, upwards and downwards, of the data obtained to other authorities and private organisations), makes the results of the public assessment of the new bills rather disturbing.
On the other hand, Ukraine is a long-standing member of the Council of Europe ('CoE') and, most importantly, is bound by the body of privacy and data protection case law developed by the European Court of Human Rights ('ECHR'). The primacy of ECHR decisions as a source of law is enshrined in the state's procedural law. Moreover, the Commissioner's office, while in charge of national data protection enforcement, traditionally pays close attention to the CoE's recommendations and opinions and serves as an active promoter of human rights awareness. Taking into account the presence of qualified privacy and information security experts trained in the Ukrainian market since the introduction of the GDPR, the assistance of the EU and the exchange of knowledge, as well as the close cooperation with the CoE and the EU during work on the Bill, the odds are high that the new data protection law will follow suit and adhere to the standards set forth by the GDPR.
Kateryna Dubas, Head of Privacy
Legal IT Group, Kiev