Key contacts
23 August 2021

Ukraine: privacy aspects of the new digital IDs regulation

Source: OneTrust DataGuidance

The next step in the ‘State in a Smartphone’ project handled by the Ukrainian Ministry of Digital Transformation (‘the Ministry’) has been made with much fanfare. On 30 March 2021, the Ukrainian Parliament adopted law No. 1368-IX (‘the Digital ID Law’) that amends the Law of Ukraine ‘On the Unified State Demographic Register and Documents which Confirm Ukrainian Citizenship, Certify Identity or Special Status’ (‘the ID Law’). The adopted Digital ID Law is aimed at legitimising the digital versions of the passport of a citizen of Ukraine (‘the National e-ID’) and the passport of a citizen of Ukraine for traveling abroad (the ‘International e-ID’). Adoption of the Digital ID law has gained precious media coverage with shouting at all crossroads that Ukraine is the first country in the world that has equated the digital IDs to the paper and plastic IDs. Oleg Klymchuk, Counsel at Sayenko Kharenko, provides an overview of the privacy and security aspects of the Digital ID Law and when it will come into effect.

What is the digital ID law about?

The idea to equal electronic and paper passports did not arise in a blink of an eye. While developing the ‘State in a Smartphone’ project, on 15 April 2020, the Ukrainian Government adopted Resolution No. 278 on implementation of the pilot project on the use of electronic display of information contained in the passport of a citizen of Ukraine in the form of a card, and electronic display of information contained in the passport of a citizen of Ukraine for traveling abroad (‘the Resolution’). The Resolution sets out an experimental period in 2020-2021, when a special mobile application called Diia1 (‘the App’) is used to reflect information from both national and international passports.

Although the experiment must continue until the end of 2021, the Ukrainian Government, together with the Ministry, has decided that as the experiment runs successfully so far, it is time to make the next step and give digital IDs more legal effect, without waiting for the end of the pilot project. Consequently, the New ID Law has been adopted.

The Digital ID Law introduces the definitions of the National e-ID and International e-ID (‘the New Digital IDs’).

The National e-ID is defined as a passport of a citizen of Ukraine in the form of digitalised reproduction of the information from a credit-card-sized plastic ID card (passport) prepared using the resources of the Unified State Demographic Register (‘the Register’) with a unique electronic identifier (QR code, bar code, numerical code) and in-formation about the citizen’s place of residence (if available).

By definition, the National e-ID is not available for those Ukrainian citizens who rely on the national passports in paper form i.e., traditional passport booklets. This is mostly because personal information of holders of paper IDs is not (always) available in the Register which is a key source of personal information for the purpose of generating the National e-ID. In case a Ukrainian citizen wants to get a National e-ID, he or she should first obtain the national ID in the form of a plastic ID card.

The International e-ID is defined as the passport of a citizen of Ukraine for traveling abroad in the form of digitalised reproduction of the information from the said passport using the resources of the Register with a unique electronic identifier (QR code, bar code, numerical code), as well as the information about the place of residence and tax ID (if available).

The Digital ID Law adds Article 14-1 to the ID Law which is aimed at equaling the New Digital IDs to the more traditional IDs in the form of paper and plastic original documents. In other words, the New Digital IDs are expected to have the same legal effect as the paper or plastic original documents. The New Digital IDs can equally be used in the situations and cases where the paper or plastic original documents would need to be shown and without the need to also show the paper or plastic original documents.

However, is this goal fully achieved? Apparently not, at least for now. Article 14-1 of the Digital ID Law regulates the scope of use of the New Digital ID. In particular, it can be used domestically to: certify identity (e.g., when visit- ing a bank or post office, hotel check-ins, buying alcohol or cigarettes, railway and air tickets, or when stopped by the police); to confirm one’s citizenship; or when using administrative (public) and other services.

The New Digital ID should not be used for: crossing the border of Ukraine except for the situation when a Ukrainian citizen arrives to Ukraine and it is necessary to certify his or her identity; entering and leaving the temporary occupied territories of Donetsk and Lugansk regions; or entering, residing, living, and moving within the border area, entering territorial sea and domestic waters of Ukraine.

What about data privacy?

The adopted Digital ID Law provides for the very minimum regulation in relation to personal information and how security of the personal information is to be ensured in connection with New Digital ID.

Paragraph 2 of Article 14-1 of the ID Law says only generally that the New Digital ID is created ‘by means of the Unified State Web-Portal of Electronic Services (‘the Web-Portal’)’. The ID Law does not define what the Web-Portal means, nor does it address this issue. Considering the wording of the Resolution, we presume that Web-Portal shall mean the Diia web-portal.

For the purpose of the New Digital ID creation, personal information (except digitised fingerprints) is transferred from the public registers to the Web-Portal. Public registers include the Register and other automated information systems, registers, and data banks maintained by the state and local authorities. As any such information is transferred only in respect of a certain individual (a citizen of Ukraine) when they wish to obtain a New Digital ID, there should be no issue with lawfulness of transfer of such information from such public registers to the Web- Portal. At the same time, it would be interesting to see whether – when transferring the personal information to the Web-Portal – the holders of such public registers rely on consents from data subjects or some other legal basis (no publicly available information in this regard).

The Web-Portal contains the privacy policy that contains information about the data controller (the Ministry), data processor (Diia State Undertaking), location of servers with the personal information, purposes of personal data processing, scope of personal information subject to processing, third parties to which such personal information can be transferred, and information on storage of personal information and rights of data subjects.

In terms of cross-border transfer of the personal information, the privacy policy expressly states that no cross-border transfer of the personal information takes place. In terms of storage of the personal information, the data-in-transition approach is used. According to this approach, the personal information is stored at the mobile device of the user rather than servers of the Ministry. It still needs to be seen whether the privacy policy would be amended as soon as the Digital ID Law is in effect.

What about data security?

Although the situation with data flow and general privacy arrangements is more or less clear, there is minimum official information about security measures which are employed to ensure safe processing of personal data as well as prevent any data leaks.

The Minister of the Ministry, Mr. Mykhaylo Fedorov, proudly introduced the App as the one that meets the global safety standards (and the best practices). In particular, the Minister mentioned cooperation with one of the largest IT companies and emphasised that it has helped the Ministry to ensure a high level of application protection. According to him, the Ministry partner pays a lot of attention to the issue of information security. But does it really go as smoothly as the Minister communicates to the public?

During the legislative process in relation to the adopted Digital ID Law, the Main Expert Scientific Department of the Ukrainian Parliament worried that the experimental period is only midway, and it is a little bit too early to draw any conclusions concerning the results of the pilot project, i.e., whether they are positive or not. Moreover, the Department emphasised that the regulatory framework is not ready for full-fledged work with the New Digital IDs. In particular, the technical infrastructure is not developed to the required extent. Additionally, QR scanners are required to check the validity of the New Digital IDs, i.e., a verifying individual should be able to scan a one-time QR-code that the user and holder of the e-passport generates using the App, and internet connection is required to both generate and scan.

More information on privacy security arrangements can be found in the interviews and articles of the Ministry’s officials. In particular, based on such source of information, the App architecture involves the following mechanisms to ensure the personal data safety:

  • permanent storage of the personal data of users is not carried out on the server side of the App
  • information in data transmission channels is transmitted in encrypted form, and at some stages double encryption is used
  • the ‘defence-in-depth’ approach is used to protect personal data in the App, which is considered to be one of the best security practices in this field
  • the security system of the App can be equaled to the one of the internet banks, in particular, when logging into the App, the user will have to enter a unique password or use a Touch ID and
  • when the App is running, it is not possible to make a screenshot, this is used to mitigate the risks of copying the personal information

In order to give a strong answer to those who criticise the data safety of the App, the Ministry decided to initiate a bug bounty campaign. The campaign took place during 8-15 December 2020 and according to the Ministry was successful. The participants of the bug bounty campaign have not revealed any serious vulnerabilities in the App.

However, the sceptics remained unsatisfied arguing that this bug bounty campaign amounts to nothing and proves nothing in terms of the data safety of the App. In particular, the sceptics raise doubts that the said campaign took only one week instead of at least three. As a result, one week is not sufficient to dig deeply enough and find vulnerabilities. Moreover, the sceptics argue that it is suspicious that only some hackers were invited to test the App safety rather than anyone who would be interested to attend and challenge the App safety (as it is usually the case for such campaigns). Finally, there are rumors that no API was provided for the App part of the technical infrastructure, so the bug bounty participants were not able to adequately test the mobile application for the New Digital IDs.

In any case, any qualified cybersecurity specialist can tell you that the success of bug bounty campaign does not guarantee data safety in a long run. Any such app is about proving credibility almost every day and promptly responding to recurrent data safety threats.

When is the digital ID law in effect and what is the transitional period?

The Digital ID Law takes effect on 23 August 2021. The Ukrainian Government has a two-month transitional period to bring the current regulations into accordance with the Digital ID Law. In particular, the Ukrainian Government must adopt a procedure of creation of the New Digital IDs, their copies, and their verification by the state and local authorities, legal entities, and individuals.

The New Digital IDs will not be mandatory and will be prepared free of charge upon request of an interested citizen of Ukraine. The paper and plastic original passports should remain valid after 23 August 2021 and the Digital ID Law does not oblige citizens of Ukraine to change their paper and plastic original passports to the New Digital IDs during certain transitional period. The New Digital IDs are now more about convenience for the citizens of Ukraine.

Notably, Article 14-1 of the ID Law stipulates that not only the state and local authorities, but also legal entities and individuals (individual entrepreneurs), should ensure verification of the New Digital IDs which are shown by the citizens of Ukraine. In practice, it virtually means that all authorities and private business which – due to specific of their work – need to verify the identity should be properly equipped to be able to scan the relevant QR-code of the New Digital IDs. Although expenditures of the state and local authorities would likely be funded from the relevant public budgets, for business it translates into additional costs to purchase special equipment that al- lows scanning and proper interaction with the New Digital IDs. In any case, it remains to be seen how smoothly the New Digital IDs will be brought into the daily life of the Ukrainian citizens as of 23 August 2021. The practice confirms that no one can guarantee that one can refuse to verify the identity with the New Digital IDs relying on the absence of the QR-code scanner, and ask a holder of such advanced ID document to show a paper passport or a plastic ID.



More Publications
Show More