Is Ukraine ready for a new data-driven world?
In recent decades more and more attention has been drawn to the importance of data protection. This is facilitated by both digitalisation and globalisation trends. We have witnessed an increasing number of data leakages involving the world’s largest corporations and the inability of existing regulations to respond efficiently to such challenges.
The response of the world community to the above was the development of more restrictive legislation adapted to the new reality. The GDPR is the most well-known regulation adopted in recent years.
Since 2018, virtually everyone has devoted a post, an article or a webinar to how the GDPR can apply to Ukrainian businesses and what monstrous sanctions may be imposed under it, including against purely Ukrainian businesses.
In the wake of the mass excitement about the GDPR and privacy issues, some Ukrainian companies adjusted their internal processes to the EU standards (mainly within the IT sector and mainly under the pressure of their foreign business partners), while others assessed their data flows and declared that the GDPR is not applicable to them.
However, an important thing is often left out: regardless of whether the GDPR applies to you at the moment or not, you will still be obliged to meet its standards. Once Ukraine fulfils its obligations under the EU-Ukraine Association Agreement as regards the mandatory alignment of Ukrainian privacy legislation with the EU “acquis”, the GDPR will become our new reality.
While the draft law on personal data protection (“Draft Law”) is still under development, it is expected to be submitted to the Parliament in the coming months. Below is a brief outline of what Ukrainian companies should expect and what challenges they may face when the new privacy legislation is introduced. Although the Draft Law may word its requirements and obligations differently, the spirit of the GDPR will be preserved, and it is already clear how much effort will be required from companies to become compliant.
Who will be affected?
Like the current data protection law (“DP Law”), the Draft Law will apply to each and every processing operation taking place in Ukraine.
It is a common misunderstanding that data processing mostly concerns the IT or financial sector, while other sectors are not much involved. Any company or state authority keeps at least the details of its employees and of the representatives of the counterparties it has contracts with. This already constitutes ‘data processing’ and, thus, the Draft Law will apply to everyone, in both the public and the private sector.
What to expect from the Draft Law and how will it change the rules of data processing?
There is no practical need to introduce each and every GDPR provision into the Draft Law, since the GDPR contains many EU-specific administrative provisions that are irrelevant for Ukraine.
However, the key principles and concepts, as well as the rights and obligations of the parties involved in data processing, are likely to be borrowed without significant changes.
Principles of data processing
Although all basic principles are already reflected in the DP Law one way or another, they are currently more declarative in nature. The basic principles are:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation and
- integrity and confidentiality
The Draft Law should allow a violation of these principles to be interpreted as a valid ground for imposing liability on the violating party.
Rights of data subjects
The existing rights of data subjects are likely to be supplemented with a few new ones, such as the right to be forgotten (RTBF) and the right to data portability. The latter would allow data subjects to require a data controller that processes their data by automated means on the basis of their consent to transmit such data in a structured format to another controller.
As to the RTBF, as of today data subjects can request a Ukrainian data controller/processor to erase their data only if such data is incorrect or is being processed unlawfully.
The RTBF will allow individuals to demand deletion of their data in a broader range of cases, such as when:
- when personal data are no longer necessary for the purposes for which they were collected or otherwise processed
- the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing
- personal data have been unlawfully processed and/or
- personal data have to be erased for compliance with a legal obligation to which the controller is subject
The RTBF, however, would not be an absolute right, and the controller would be able to refuse to fulfil the request of the data subject, if the processing is necessary for:
- exercising the right of freedom of expression and information
- compliance with a legal obligation which requires processing or for the performance of a task carried out in the public interest or in the exercise of official authority granted to the controller
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the RTBF is likely to render impossible or seriously impair the achievement of the objectives of that processing and/or
- the establishment, exercise or defence of legal claims
Some EU member states have applied additional grounds under which a request to erase data need not be satisfied by the controller.
For instance, in Germany the controller does not need to erase the data if (1) the requested erasure would be impossible or would involve a disproportionate effort due to the specific mode of storage; (2) the data subject’s interest in erasure can be regarded as minimal; and (3) the personal data have not been unlawfully processed.
As another example, the UK Data Protection Act based on the GDPR also gives controllers some room to manoeuvre. To protect itself from an unreasonable request to exercise the RTBF, the controller may establish a fair fee for the erasure of the data.
Since this approach was not welcomed by the EU data protection authorities, such additional restrictions on the RTBF are unlikely to be introduced in Ukraine.
Special categories of data
The list of special categories of data (a.k.a. sensitive data) provided by the GDPR is exhaustive and is, to a certain extent, narrower than and different from the definitions under Ukrainian law (e.g., location data, data about violence committed against an individual, and information about administrative liability imposed on the data subject are not categorised as sensitive data under the GDPR).
Ukrainian law allows processing personal data about criminal convictions under certain circumstances. The GDPR approach is different in this respect: processing of information about criminal convictions and offences or related security measures may be carried out only under the control of public authorities or when the processing is authorised by a law providing appropriate safeguards for the rights and freedoms of the affected data subjects. A register of criminal convictions shall be kept only under the control of an official authority.
The above may significantly impact the approach to conducting background checks, including checks of future employees for criminal convictions.
The majority of the legal grounds for processing sensitive personal data are already implemented in the DP Law. The Draft Law may allow some additional grounds as outlined in the GDPR, including the following:
- for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
- for reasons of substantial public interest based on law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject and/or
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
These additional legal grounds will not, however, affect the majority of controllers processing sensitive personal data, especially in the private sector.
Obligations of data controller and processor
The current DP Law identifies the obligations of controllers and processors rather vaguely, in a way that is difficult for both data subjects and controllers/processors to systemise. The Draft Law aims to define these obligations in a manner that is user-friendly for data subjects, with a more explicit definition of each obligation.
One of the major new obligations will probably be a requirement to notify data subjects and the DPA of data breaches. It looks like this requirement will mirror the GDPR; in particular, a notification to the DPA will have to be made within 72 hours. Currently, Ukrainian processing parties are under no such obligation, and data subjects may become aware of a data leakage only months later via mass or social media. The new requirement will oblige companies to have enough technical and human resources to adequately identify and react to data breaches, investigate them and, where necessary, notify the relevant parties in a timely manner.
Further, regular assessments of data security measures will likely be introduced, and cooperation in this respect between controllers and processors will be increased with a view to guaranteeing a higher level of protection of data subjects’ rights.
Given the specifics of data processing nowadays, the Draft Law is expected to reflect a new category of joint controllers. This category applies when two or more controllers together determine the purposes and means of data processing activities (e.g., a healthcare provider and sponsors in clinical trials). Defining this new category of relationship in the Draft Law will make it possible to distribute obligations between joint controllers fairly and to regulate relations between them, which are currently unregulated under the DP Law.
Notification to data subjects
In addition to the current notification obligations, the data controllers will be obliged to inform the data subjects about the following:
- contact details of the controller and, where applicable, of the controller’s representative
- contact details of the data protection officer, where applicable
- legal basis for the processing
- intention to transfer personal data to a third country or international organisation and reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
The scope of information may also vary depending on whether data is obtained directly from the data subject or indirectly from third parties.
ADM
Another novelty will be legal regulation of automated decision making (ADM) processes, including profiling (i.e., processing data and making a decision on that basis without human involvement). Under the GDPR, such processing, where it produces a legal effect on or significantly affects the data subject, is prohibited unless it rests on a valid legal basis, namely (i) the explicit prior consent of the data subject; or (ii) the performance of a contract; or (iii) a legal provision (which applies solely to the processing of sensitive data for public interest purposes, e.g., pharmacovigilance).
Legal effects of ADM would include, for instance, refused admission to citizenship, the termination of a contract, eligibility for a financial loan, employment opportunities, etc.
As of today, ADM and restrictions on it are not covered by the DP Law. The introduction of the above requirements would require some companies (e.g., banks) to review their internal procedures involving ADM and ensure that they have a proper justification and legal basis for using ADM in their processing activities.
Direct marketing
We have all received annoying messages from stores and other companies trying to sell us something via messengers, email and SMS, and sometimes it is almost impossible to unsubscribe from them.
By introducing direct marketing rules and a mandatory consent requirement, the Draft Law should resolve this problem to a certain extent.
Cross-border data transfers
The existing DP Law devotes a single article to cross-border data transfers, so it is no wonder that Ukrainian businesses do not consider this issue an important one. The GDPR, on the contrary, emphasises the critical effect of data transfers abroad, especially to countries lacking an adequate level of data protection.
Today the majority of data transfers from the EU are performed by entering into standard contractual clauses approved by the EU Commission. Although this tool works for the EU, it is doubtful that this mechanism would be effective in Ukraine and, therefore, that it will be implemented locally.
Other GDPR tools aimed at securing cross-border data transfers, such as binding corporate rules and certification, also seem unnecessary in Ukraine and difficult to implement, since they require a lot of effort on the DPA side to be workable. Therefore, at least at the initial stage of implementing the Draft Law, we do not expect these tools to appear in Ukraine.
The easiest way for businesses, but a complicated one for the state, would be obtaining an adequacy decision for Ukraine from the EU Commission. In this case, no additional safeguards would be required for data transfers between the EU and Ukraine. The latest adequacy decision of the EU Commission in this regard concerned Japan. The process of obtaining such a decision for Ukraine, however, may take 3-5 years after the adoption of the Draft Law. The EU Commission evaluates not only the laws themselves but also their proper enforcement, the national case law in this regard and the efficiency of the national DPA. Therefore, until an adequacy decision of the European Commission can realistically be obtained for Ukraine, Ukrainian companies will still need to prove to their foreign business partners that they have proper safeguards to ensure the security of personal data transferred to them.
Proper enforcement – a key to data privacy improvement
It is no secret that inspections by the Ukrainian DPA and potential fines for data privacy violations are the last thing Ukrainian businesses are thinking of. The vast majority of companies are not even aware of the state authority responsible for privacy issues: the Ombudsman office.
This is the result of insignificant fines (up to UAH 34,000) and poor enforcement: in 2018, only 7 of the 41 inspections performed by the Ombudsman office related to private companies.
Numerous factors, including the wide range of areas of responsibility of the Ombudsman office and insufficient financial, technical and human resources, mean that the Parliament Commissioner cannot devote adequate resources to data privacy issues.
The situation is likely to change upon the adoption of the Draft Law. The new DPA should not become yet another inspecting body whose members are appointed and dismissed based on political preferences. Instead, an independent DPA should be established to deal exclusively with issues related to data protection rights and violations. It should be conferred with investigative and regulatory powers, as well as educational powers aimed at raising the awareness of all parties concerning data processing activities. In order to reach this goal, the DPA should have enough internal resources. For instance, upon the adoption of the GDPR the number of staff at the national DPAs within the EU increased by 62 per cent on average, while the budgets for EU DPAs’ activities increased by 64 per cent.
Along with the investigative powers (where the DPA should definitely be more proactive), the DPA will also be responsible for issuing guidance to processing parties clarifying the Draft Law concepts and providing practical tips on processing activities.
As regards penalties, they are also expected to be increased significantly. Considering the Ukrainian reality, it would be unreasonable and unrealistic to introduce the same level of fines for data-related violations as provided for in the GDPR (up to EUR 20 million or 4 per cent of worldwide turnover, whichever is higher). Ukraine may rather borrow the German approach, where the regulatory fine was raised to up to EUR 50,000 per violation. Apart from the increase in regulatory fines, we also expect a growing appetite among data subjects to bring Ukrainian companies before national courts and to claim compensation for damage caused by personal data protection violations.
At the same time, the European experts reviewing the Draft Law mentioned that its current version does not contain exact amounts of fines to be imposed on controllers/processors violating provisions of the Draft Law.
What challenges may the Draft Law bring to Ukrainian business?
Like EU companies, Ukrainian businesses will need to adjust their internal processes to the new privacy requirements of the Draft Law once it is adopted. The key challenges companies may face in the course of aligning the data processing within their business activities include:
- non-existing practical support from the national DPA
- lack of educated employees
- difficult technical adaptation
- lack of financial resources and
- lack of support within the company
Each of these issues will need to be addressed individually by each company. The burden is expected to be greatest for midsize companies, since they have enough data flows to be concerned about data protection but not as many resources for implementing proper internal mechanisms as larger corporations.
When to expect the changes?
According to the EU-Ukraine Association Agreement Implementation Plan, the data privacy reform had to be completed by May 2020. This included both the adoption of the Draft Law with its approval by the EU experts and building up institutional capacities to enforce the privacy regulations in Ukraine. According to the Monitoring of the Association Agreement Implementation tool, the level of introducing the reform is at a 0 per cent level[1].
As of today, the Draft Law is still under development. It was already subject to the legal opinion of the European experts. The latter provided their comments on the Draft Law to the lawmakers, and currently they are in the process of addressing them.
Apart from the GDPR wording, the Draft Law reviewed by the European experts also included some provisions based on EU case law or EDPB guidelines (e.g., regarding cookies). This shows a fundamental approach to the development of the Draft Law. However, some of these issues should rather be clarified further by the Ukrainian DPA and do not necessarily need to be outlined in detail in the Draft Law.
Upon the adoption of the Draft Law by the Parliament, a transition period is expected, which will allow Ukrainian companies to align their internal processes with the new requirements. This time is also needed to establish the new DPA and for it to develop guidelines before it starts exercising its investigative powers against controllers and processors in Ukraine.
Please feel free to reach out to Sayenko Kharenko’s data protection team for any legal support your company may need to prepare for the new data protection standard in Ukraine. We also had the honour of providing our input to the respective working group of the Verkhovna Rada and of supporting its efforts to finalise and establish the Draft Law.
[1] http://pulse.eu-ua.org/ua/streams/human-rights-justice-and-anticorupption/2020-substream5-95