Ukraine has been striving to align its personal data protection regulations with the EU standards (an overview of Ukraine’s movement toward this goal is summarised in a previous article1). On 7 June 2021, the Ukrainian Parliament received a draft law on Personal Data Protection2 (‘the Draft Law’). The news about the Draft Law quickly circulated among the data privacy community in Ukraine and beyond its borders. All the buzz is due to the Draft Law’s intention to repeal the currently effective Law of 1 June 2010 No. 2297-VI on Personal Data Protection (‘the Law’) and become the new data protection law. The key objective of the Draft Law is to align the Ukrainian data protection landscape with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Oleg Klymchuk, Counsel at Sayenko Kharenko, provides an overview of the key changes the businesses can expect in case the Draft Law will be signed into law in its current form.
The Draft Law vaguely stipulates what should be its territorial scope. Article 1 of the Draft Law provides that it should apply to: (i) relations related to personal data processing with the use of both automated means and in catalogues; and (ii) all persons engaged in personal data processing. No explicit limitation to the territory of Ukraine is stated in Article 1 (scope of law) or other provisions of the Draft Law.
However, unlike the GDPR, the Draft Law is not expected to have an explicit extraterritorial effect. Despite this, it is expected that at least those non-residents who collect and process personal data in Ukraine will need to com- ply with the new data protection law. We further expect that Article 1 of the Draft Law will be revised in the course of the first and second hearings by the Ukrainian Parliament in order to define the scope of regulation in more detail. It also remains to be seen whether the final and transitional provisions of the Draft Law will include any interim/transitional regulations with respect to the temporarily occupied territories of Donetsk and Lugansk regions in the Eastern Ukraine, as well as the Autonomous Republic of Crimea.
Good news for those non-residents who are subject to the GDPR regulations is that in case they are confident that their company complies with the GDPR requirements, it will likely be compliant with (the most of) the new data protection regulations to be introduced by the Draft Law.
Expected penalties and liability
High penalties for the GDPR violations have remained a driver for business to vigorously comply with the GDPR requirements. On the contrary, the current administrative fines for violation of the Ukrainian data protection laws are relatively low and are effectively a dab of money (i.e., around €1,000 per violation). The risk of criminal liability may be theoretically higher because Article 182 of the Ukrainian Criminal Code – which is applicable to individuals only – envisages criminal liability for ‘illegal collection, storage, use, destruction and dissemination of confidential information pertaining to a person or illegal modification of such information except for the cases specially prescribed by the Criminal Code of Ukraine’, i.e. without any additional qualification criteria or level of the damage caused. However, the enforcement practice to date remains marginal.
The Draft Law is expected to change this status quo. Significant increase of penalties and liability for violation of data protection laws is expected to become a strong argument in favour of compliance.
Section XI is dedicated to financial penalties for violation of the data protection laws and suggests a sophisticated structure of penalties which varies depending on the type of the committed violation:
A 30 per cent increase is expected to apply to violations of those provisions of the Draft Law which are not specifically referred to in paragraphs 1-3 of its Article 71.
Repeated violations within a year may lead to a fine in the amount of 200 per cent of the penalty imposed within such year for the prior similar violation.
If a data processing party conducts several different violations of the Draft Law within one processing action, the total amount of the financial penalty should not exceed the amount of penalty for the most severe violation.
The maximum financial penalties for the violations may reach:
The final and transitional provisions of the Draft Law are silent whether the regulation of administrative and criminal liability would be revised somehow in light of the financial penalties under the Draft Law. We expect that the first and the second hearings by the Ukrainian Parliament will provide more clarity to this issue.
We further expect that the financial penalties under the Draft Law will be decreased to some extent but still the penalties are likely to remain high enough for businesses to take the data protection compliance seriously.
Finally, Article 73 of the Draft Law provides for three years limitation of action for the data privacy violations.
Cross-border transfer of personal data
The cross-border transfer of personal data is expected to be more aligned to the GDPR standards. In particular, the following countries and/or international organisations will be deemed as those which ensure an adequate level of data protection:
Moreover, the Draft Law mirrors to a significant extent the regulation of Articles 46 and 47 of the GDPR concern- ing the cross-border transfers subject to appropriate safeguards and Binding Corporate Rules (‘BCRs’).
Unsafe transfers can be performed under certain circumstances (known as derogations under the GDPR) which are replicated from Article 49 of the GDPR.
Data breach notification
The Law does not stipulate any specific data breach notification requirements. For example, there is no statutory requirement for the data controller/processor to notify the Commissioner about the occurred data leaks/breach- es. A non-binding Master Template of the Personal Data Processing Procedure (‘the Master Template’) approved by the Commissioner just sets forth the general obligations of the data protection officer (‘DPO’)/department to:
The Draft Law is expected to introduce a GDPR-style regulation for the data breach notifications. In particular, the Draft Law introduces the obligation for the controllers to notify the Commissioner about the data breach when it is likely to lead to risks for rights and freedoms of data subjects. The data breach notification would also need to be submitted to the data subjects in case of high risk to their rights resulting from the data breach.
Data protection impact assessment
Article 39 of the Draft Law introduces a Data Protection Impact Assessment (‘DPIA’) regulation that is not a novel- ty for businesses subject to the GDPR requirements but should be a novelty for the Ukrainian data protection laws. The said article establishes the obligation for data controllers to conduct DPIAs before launching any pro- cessing actions if the use of new technologies and the nature, scope, context, and purposes of the processing are likely to result in a high risk to the rights and freedoms of data subjects.
Expectedly, Article 39 of the Draft Law mirrors the DPIA regulation stipulated in Article 35 of the GDPR, but it is important to watch out how this regulation would go through the consideration of the members of the Ukrainian Parliament.
Data protection authority
Although the Commissioner was one of the first to welcome and comment on the submission of the Draft Law3, it is not certain whether the Commissioner will continue to act as Data Protection Authority or a new DPA will be established. The DPA definition given in the Draft Law does not help to get a clear answer to this question. In par- ticular, the DPA definition refers to a standalone law that would regulate the DPA authority in addition to the au- thority under the Draft Law. However, the authority of the Commissioner is already regulated by the Law of Ukraine on the Ukrainian Parliament Commissioner for Human Rights.
In either case, based on the provisions of the Draft Law, it is expected that the Ukrainian DPA will cover the wide range of areas, such as:
The Draft Law provides for specific regulation in the areas which are not specifically addressed in the GDPR, but which are reflected in some guidance issued by the EU authorities (e.g., the European Data Protection Board), for example, regarding:
When to expect in effect?
The Draft Law is currently at a very early stage of its consideration by the Ukrainian Parliament. It is expected that the whole legislative process for the Draft Law will take about one year. As soon as the Draft Law is signed into law, it is expected to become effective as of 1 January 2023. The Government is expected to have three months afterward to adopt the necessary regulatory acts for the Draft Law to apply efficiently. Given the high financial penalties and regulatory burden which the Draft Law is going to introduce for business as soon as it is signed into law, it may be that the effective date for the provisions of the Draft Law would either be postponed or differ- entiated for various provisions of the law.