Ukrainian personal data localisation requirement is already in effect. Positive and negative scenarios when it will be revoked
No important development in the field of personal data protection law was expected by Ukrainian privacy professionals until at least the end of 2021. But apparently, this did happen.
On 10 December 2021, the President of Ukraine signed the Law of Ukraine “On Public Electronic Registers” No. 1907-IX, dated 18 November 2021 (the “E-Registers Law“). The E-Registers Law applies to the maintenance and operation of public registers and, therefore, should be of low relevance for businesses processing personal data. If not for a single provision, the E-Registers Law would have indeed gone mostly under the radar of the privacy law lawyers. However, all the buzz is because of a poor legislative technique in the E-Registers Law that resulted in a personal data localisation requirement with effect already as of 15 December 2021. This was probably unintentional.
In particular, the E-Registers Law introduced amendments to Article 6(5) of the Law of Ukraine “On Personal Data Protection” (the “Personal Data Protection Law“). The amended article now states that it is prohibited to process personal data, the protection of which is required by law, using cloud computing technology and data centres located outside Ukraine, in temporarily occupied territories, and/or belonging to those persons whose activities fall under the Law of Ukraine “On Sanctions” and which are sanctioned either in Ukraine or abroad.
The introduced amendment is treated as a personal data localisation requirement that is not restricted by the scope of the E-Registers Law and should most likely apply to all data processing operations carried out within Ukraine. The reasons for this are as follows:
- the wording “personal data, the protection of which is required by law” is rather broad and should most likely cover any personal data collected and processed in Ukraine
- the introduced amendment does not specifically refer to the E-Registers Law and broadly applies to any data processing operations in Ukraine
- although the E-Registers Law should apply to the maintenance of the public registers only, the amended Article 6(5) of the Personal Data Protection Law is treated as a stand-alone amendment
However, the good news is that this personal data localisation requirement is not something that the Ukrainian Parliament apparently intended to introduce. In particular, we are aware of at least two draft laws aimed at revoking the referred personal data localisation requirement.
Draft laws revoking the controversial data localisation requirement
On 16 December 2021, the Ukrainian Parliament adopted in the second reading the Draft Law “On National Commission for State Regulation of Electronic Communications, Radio Frequency Spectrum and Postal Services” (the “National Commission Draft Law“).
Although the National Commission Draft Law neither concerns the Ukrainian data protection authority nor regulates any personal data protection issues, its final and transitional provisions revoke the personal data localisation requirement in question. The text of the adopted National Commission Draft Law is not available yet, so it is unclear whether the revoking provision was included in the final version of the adopted National Commission Draft Law. Moreover, even if such provision was included, the President of Ukraine must still either sign or veto it.
In parallel, a similar revoking provision is included in the Draft Law of Ukraine “On the Cloud Services” (the “Cloud Services Draft Law“) that is also expected to be adopted by the end of 2021. However, this option is less favourable for business. If adopted and officially published with the current wording, the Cloud Services Draft Law with the revoking provision will become effective six months from the publication date.
Effect on personal data processing localisation
The best-case scenario is that the National Commission Draft Law, including the revoking provision, will be signed by the President of Ukraine and will become effective on 01 January 2022. The personal data localisation requirement would then exist for 17 days only, between 15 December 2021 and 01 January 2022.
In the worst-case scenario, i.e., if any of the below takes place:
- there is a delay with the National Commission Draft Law with the revoking provision coming into force or
- the adopted version of the National Commission Draft Law does not have the revoking provision, but the latter is introduced in the Cloud Service Draft Law
Businesses processing personal data would need to ensure compliance with the personal data localisation requirement until it is revoked.
Next steps for business
Since it appears to be very likely that the introduced localisation requirement is a legislative mistake, it is unlikely that the requirement would be enforced by the Ukrainian data protection authority or other state authorities. Considering the situation pragmatically, businesses can continue personal data processing as before, with no changes in procedures and contractual arrangements.
Where a careful approach can be more important, cross-border transfer of personal data collected in Ukraine should be suspended until the situation with respect to the localisation requirement is resolved.
In any case, it is advisable for businesses to keep monitoring upcoming developments and react accordingly.
Our privacy law team will also have their fingers on the pulse and keep clients updated.
Information contained in this legal alert is for general information purposes only, does not constitute legal or other professional advice, and should not be relied upon as a substitute for specific professional advice tailored to particular circumstances.