Ukraine: Overview of the expected key changes to the data protection law

Ukraine has been striving to align its personal data protection regulations with the EU standards (an overview of Ukraine’s movement toward this goal is summarised in a previous article1). On 7 June 2021, the Ukrainian Parliament received a draft law on Personal Data Protection2 (‘the Draft Law’). The news about the Draft Law quickly circulated among the data privacy community in Ukraine and beyond its borders. All the buzz is due to the Draft Law’s intention to repeal the currently effective Law of 1 June 2010 No. 2297-VI on Personal Data Protection (‘the Law’) and become the new data protection law. The key objective of the Draft Law is to align the Ukrainian data protection landscape with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Oleg Klymchuk, Counsel at Sayenko Kharenko, provides an overview of the key changes the businesses can expect in case the Draft Law will be signed into law in its current form.

Territorial scope

The Draft Law vaguely stipulates what should be its territorial scope. Article 1 of the Draft Law provides that it should apply to: (i) relations related to personal data processing with the use of both automated means and in catalogues; and (ii) all persons engaged in personal data processing. No explicit limitation to the territory of Ukraine is stated in Article 1 (scope of law) or other provisions of the Draft Law.

However, unlike the GDPR, the Draft Law is not expected to have an explicit extraterritorial effect. Despite this, it is expected that at least those non-residents who collect and process personal data in Ukraine will need to com- ply with the new data protection law. We further expect that Article 1 of the Draft Law will be revised in the course of the first and second hearings by the Ukrainian Parliament in order to define the scope of regulation in more detail. It also remains to be seen whether the final and transitional provisions of the Draft Law will include any interim/transitional regulations with respect to the temporarily occupied territories of Donetsk and Lugansk regions in the Eastern Ukraine, as well as the Autonomous Republic of Crimea.

Good news for those non-residents who are subject to the GDPR regulations is that in case they are confident that their company complies with the GDPR requirements, it will likely be compliant with (the most of) the new data protection regulations to be introduced by the Draft Law.

Expected penalties and liability

High penalties for the GDPR violations have remained a driver for business to vigorously comply with the GDPR requirements. On the contrary, the current administrative fines for violation of the Ukrainian data protection laws are relatively low and are effectively a dab of money (i.e., around €1,000 per violation). The risk of criminal liability may be theoretically higher because Article 182 of the Ukrainian Criminal Code – which is applicable to individuals only – envisages criminal liability for ‘illegal collection, storage, use, destruction and dissemination of confidential information pertaining to a person or illegal modification of such information except for the cases specially prescribed by the Criminal Code of Ukraine’, i.e. without any additional qualification criteria or level of the damage caused. However, the enforcement practice to date remains marginal.

The Draft Law is expected to change this status quo. Significant increase of penalties and liability for violation of data protection laws is expected to become a strong argument in favour of compliance.

Section XI is dedicated to financial penalties for violation of the data protection laws and suggests a sophisticated structure of penalties which varies depending on the type of the committed violation:

for individuals – from UAH 10,000 (approx. EUR 300) to UAH 300,000 (approx. EUR 9,000) per violation and
for legal entities – from UAH 30,000 (approx. EUR 900) or 0.05 per cent of the total annual turnover to 5 per cent of the total annual turnover (but not less than UAH 300,000 (approx. EUR 9,000) per violation)

A 30 per cent increase is expected to apply to violations of those provisions of the Draft Law which are not specifically referred to in paragraphs 1-3 of its Article 71.

Repeated violations within a year may lead to a fine in the amount of 200 per cent of the penalty imposed within such year for the prior similar violation.

If a data processing party conducts several different violations of the Draft Law within one processing action, the total amount of the financial penalty should not exceed the amount of penalty for the most severe violation.

The maximum financial penalties for the violations may reach:

for individuals – up to UAH 20 million (approx. EUR 606,000) and
for legal entities – up to UAH 150 million (approx. EUR 4.5 million) or 8 per cent of the total annual turnover of the year preceding a year in which the penalty is imposed

The final and transitional provisions of the Draft Law are silent whether the regulation of administrative and criminal liability would be revised somehow in light of the financial penalties under the Draft Law. We expect that the first and the second hearings by the Ukrainian Parliament will provide more clarity to this issue.

We further expect that the financial penalties under the Draft Law will be decreased to some extent but still the penalties are likely to remain high enough for businesses to take the data protection compliance seriously.

Finally, Article 73 of the Draft Law provides for three years limitation of action for the data privacy violations.

Cross-border transfer of personal data

The cross-border transfer of personal data is expected to be more aligned to the GDPR standards. In particular, the following countries and/or international organisations will be deemed as those which ensure an adequate level of data protection:

those which are subject to the GDPR and/or the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data (‘Convention 108+’) and
those countries/organisations which are considered by the Ukraine Parliamentary Commissioner for Hu- man Rights (‘the Commissioner’) to provide an adequate level of data protection (analogue of the adequacy decision provided by the European Commission)

Moreover, the Draft Law mirrors to a significant extent the regulation of Articles 46 and 47 of the GDPR concern- ing the cross-border transfers subject to appropriate safeguards and Binding Corporate Rules (‘BCRs’).

Unsafe transfers can be performed under certain circumstances (known as derogations under the GDPR) which are replicated from Article 49 of the GDPR.

Data breach notification

The Law does not stipulate any specific data breach notification requirements. For example, there is no statutory requirement for the data controller/processor to notify the Commissioner about the occurred data leaks/breach- es. A non-binding Master Template of the Personal Data Processing Procedure (‘the Master Template’) approved by the Commissioner just sets forth the general obligations of the data protection officer (‘DPO’)/department to:

inform management of the controller/processor on detected violation of the personal data protection law with the purpose of taking necessary measures and
properly document all facts of breach of processing and protection of personal data

The Draft Law is expected to introduce a GDPR-style regulation for the data breach notifications. In particular, the Draft Law introduces the obligation for the controllers to notify the Commissioner about the data breach when it is likely to lead to risks for rights and freedoms of data subjects. The data breach notification would also need to be submitted to the data subjects in case of high risk to their rights resulting from the data breach.

Data protection impact assessment

Article 39 of the Draft Law introduces a Data Protection Impact Assessment (‘DPIA’) regulation that is not a novel- ty for businesses subject to the GDPR requirements but should be a novelty for the Ukrainian data protection laws. The said article establishes the obligation for data controllers to conduct DPIAs before launching any pro- cessing actions if the use of new technologies and the nature, scope, context, and purposes of the processing are likely to result in a high risk to the rights and freedoms of data subjects.

Expectedly, Article 39 of the Draft Law mirrors the DPIA regulation stipulated in Article 35 of the GDPR, but it is important to watch out how this regulation would go through the consideration of the members of the Ukrainian Parliament.

Data protection authority

Although the Commissioner was one of the first to welcome and comment on the submission of the Draft Law3, it is not certain whether the Commissioner will continue to act as Data Protection Authority or a new DPA will be established. The DPA definition given in the Draft Law does not help to get a clear answer to this question. In par- ticular, the DPA definition refers to a standalone law that would regulate the DPA authority in addition to the au- thority under the Draft Law. However, the authority of the Commissioner is already regulated by the Law of Ukraine on the Ukrainian Parliament Commissioner for Human Rights.

In either case, based on the provisions of the Draft Law, it is expected that the Ukrainian DPA will cover the wide range of areas, such as:

approval of a master template of video surveillance procedure (Article 10 of the Draft Law)
reviewing complaints (Articles 26 and 70 of the Draft Law)
approval of drafts of regulatory acts of public authorities related to data processing activities (Article 29 of the Draft Law)
approval of the typical agreement with data processors (Article 31 of the Draft Law)
receiving access to documents and premises of the processing parties (Article 36 of the Draft Law); receiving and dealing with notifications regarding data breaches (Articles 37 and 68 of the Draft Law); handling preliminary consultations with controller in respect of high risks personal data processing within the DPIA (Article 40 of the Draft Law)
development and approval of recommendations regarding a qualification exam for the position of a DPO at a public authority (Article 42 of the Draft Law)
granting the adequate status to particular countries/international organisations (Article 45 of the Draft Law)
approval of standard provisions of personal data protection (Article 46 of the Draft Law); approval of BCRs (Article 47 of the Draft Law)
providing recommendations on the measures to be taken to ensure a proper level of processing of person- al data in the e-communications area (Article 57 of the Draft Law)
performing regular inspections (Articles 57 and 65 of the Draft Law); and imposing penalties for violations of the Draft Law (Article 71 of the Draft Law)

Unexpected regulations

The Draft Law provides for specific regulation in the areas which are not specifically addressed in the GDPR, but which are reflected in some guidance issued by the EU authorities (e.g., the European Data Protection Board), for example, regarding:

processing personal data during video surveillance or video recording of public events (Articles 10-11 of the Draft Law)
direct marketing issues (Articles 12 of the Draft Law)
processing of personal data by employers (Section VIII of the Draft Law)
specifics of processing personal data in the field of e-communications (Section IX of the Draft Law); and specifics of processing personal data by law enforcement authorities (Section X of the Draft Law)

When to expect in effect?

The Draft Law is currently at a very early stage of its consideration by the Ukrainian Parliament. It is expected that the whole legislative process for the Draft Law will take about one year. As soon as the Draft Law is signed into law, it is expected to become effective as of 1 January 2023. The Government is expected to have three months afterward to adopt the necessary regulatory acts for the Draft Law to apply efficiently. Given the high financial penalties and regulatory burden which the Draft Law is going to introduce for business as soon as it is signed into law, it may be that the effective date for the provisions of the Draft Law would either be postponed or differ- entiated for various provisions of the law.

Share publication: