In 2017, the European Union funded a “Twinning Ombudsman” project with a budget of 1.5 million euros to help Ukraine bring its data protection system in line with international and, in particular, European standards. In November 2018, the initiative completed its work. The project’s team prepared more than a dozen recommendations and methodologies for the effective implementation of the reform, but the draft legislative act was never brought to the Ukrainian Parliament.
Contrary to the development of recommendations, the implementation stage was not covered publicly, so one may only wonder why the project has failed. Perhaps there was no political will at the time. Unfortunately, the results of the project's work remain unused two years later.
It is fair to regard Ukraine as one of the leading outsourcing centers in Eastern Europe, having powerful research and development offices and covering all stages of software development. It is also a mother country for a number of worldwide leading startups, from Grammarly and Preply to Gitlab and People.ai. Still, the state of regulation of personal data processing seems to be a digital “wild west.”
This article was prepared by a Ukrainian-based nongovernmental organization “Privacy HUB” to explain the current state of personal data protection in Ukraine, what can be done to change the paradigm, and how not to fail while searching for a balance between the private and public interest in reform initiatives.
Overview of the current legislative framework: Key points
Ukraine has been a member of the Council of Europe since 1995, so Ukrainian national legislation takes into account the developments and standards developed by the council. In particular, in 1997, Ukraine ratified the European Convention on Human Rights. The Convention 108 was ratified in 2010. Following the ratification, Ukraine adopted the Law of Ukraine On Personal Data Protection, which was largely based on the provisions of Convention 108 with the EU’s Data Protection Directive of 1995 and mirrors most of their provisions.
Since that time, only minor changes have been made to the law, mostly concerning the regulatory body and system of obligatory notifications to supervisory authorities. After the EU’s data protection reform in 2016, it is hard to claim that Ukraine provides adequate privacy guarantees.
Supervisory authority: Problems and difficulties
To date, data protection supervision and control in Ukraine are carried out by the Verkhovna Rada’s Commissioner for Human Rights. The commissioner is not a standalone data protection authority but rather a Parliamentary ombudsperson overseeing human rights protection in general.
In 2019, journalism organization Ukrayinska Pravda made an official request regarding the composition of the commissioner's secretary and published the response they received. The department for personal data protection consisted of only 13 people and its budget consisted of no more than 150,000 euros. With a population of more than 40 million people, a department of 13 is incapable of adequately supervising personal data protection. For instance, in 2018, the U.K. regulatory authority, the Information Commissioner’s Office, increased its staff to 700 employees to be able to perform the full scope of work.
Another issue: The primary role of the commissioner is to exercise Parliamentary control. The concept of Parliamentary ombudspersons means indirect dependence on and accountability to the Ukranian Parliament, Verkhovna Rada, in both functional and organizational aspects. At the same time, a privacy regulatory body must be responsible for overseeing not only the private but also the public sector, including the executive, judiciary and legislative branches, so the maximum possible independence is key to the body's activities.
As such, the current enforcement of privacy in Ukraine still lacks resources and independence. Representatives of the Council of Europe, who analyzed the planned data protection reform in Ukraine in 2018, hold the same opinion in their conclusion. And, since the draft reform proposed to keep the commissioner as the only supervisory authority, the Council of Europe’s representative expressed concern that Ukraine did not take the opportunity to establish an independent and non-subordinate regulatory body.
Consent mantra
Under Ukrainian law, there are six legal grounds for data processing. However, consent was widely misunderstood from the beginning and is the most widely used basis to date. Consent has been embedded in almost every possible legal document and usually, it bundles with the other provisions which go against the concept of “freely given.” It has become such a big thing that it is almost worshiped. Even in the most obvious situations in which a “performance of a contract” or even “compliance with legal obligations” should be used, you will most certainly find the phrase “I provide my consent to the processing of my personal data.”
The lack of guidelines and proper enforcement, which should form privacy culture, has led to the common misbelief that consent provides more security for service providers. As a result, other legal grounds, such as “performance of a contract” and “legitimate interest” are being neglected.
Obligatory notice to the supervisory authority
Another notable feature of the Ukrainian system is the controller obligation to notify the supervisory authority about the processing. Similar to the Directive 1995 scheme, Ukrainian controllers must notify only about the processing that poses “particular risks” to the rights of the individuals. The scope of such processing is somewhat similar to the definition of “special categories of data” under the EU General Data Protection Regulation. On top of the scope of Articles 9 and 10 of the GDPR, the list of processing activities to notify about includes the processing of a person’s location data and information about any violence done regarding a particular individual.
Under the notification obligation, controllers must submit two documents to the supervisory authority. First, they must file the notification containing the details about the scope of the risk-forming processing activity. Second, controllers must inform about the formation of the department or designation of the person responsible for overseeing the data protection compliance within the organization.
International transfers
Ukrainian legislation recognizes the general prohibition of international transfers of personal data to other countries unless specific conditions are met. One of the criteria is similar to the GDPR mechanism. In particular, Ukraine can recognize the countries with an adequate level of protection — the transfers to such countries do not need additional safeguards. Under the law, member states of the European Economic Area and signatories to the Convention 108 are deemed to ensure an adequate level of protection. The government of Ukraine — the Cabinet of Ministers of Ukraine — may define other countries that ensure an adequate level of protection. However, there has been no list of such countries since the adoption of the law.
The other mechanism allowing international data transfers are:
- Unambiguous consent from the data subject.
- The necessity to enter into or perform a contract.
- The protection of the vital interests of the data subject.
- The protection of public interest and establishing, fulfilling and enforcing legal claims.
- The guarantee to avoid interference in the personal and family life of the data subject.
However, there is no clear guidance on international transfers in Ukraine. As it becomes apparent from the above examples, the existing system of data protection in Ukraine needs a substantial update to meet the international standards.
Grounds for the reform
EU-Ukraine Association Agreement
It is a well-known fact that Ukraine aspires to become a part of the EU. The path to becoming a member-state began in 2014 when Ukraine and the EU signed an Association Agreement. European integration is a rather lengthy route and lies in the implementation of various reforms. Personal data protection is one such reform. Article 15 of the agreement provides a firm ground for the reform in the personal data protection area, forcing Ukraine to align its data protection system with international and European standards.
However, the reform itself may possess quite a challenge. There is an ongoing debate that to adopt a GDPR-like law there should be changes to the Ukrainian Constitution. The problem is that Article 32 of the Constitution prohibits the processing of a person’s confidential data without prior consent, except in cases that are determined by the law and only in the interests of national security, economic welfare and human rights. The Constitution itself does not define the meaning of a person’s confidential information. Therefore, some argue that this term may include personal data. Though the phrase “cases which are determined by the law” may imply five legal grounds prescribed by specific privacy legislation, yet the debate is still there.
Plans to sign Convention 108+
An additional driver for the reform might become the signature and ratification of the modernized version of Convention 108, Convention 108+. The standards enshrined in the updated document respect the main principles of the current EU system. The undertaking of such international obligations may fasten the national legislative changes in Ukraine. Ukraine is currently considering signing the Convention 108+, although there are no signs pointing toward that happening soon.
Ukraine’s digitalization strategy
An active participant and contributor to the incoming data protection reform is the Ministry of Digital Transformation of Ukraine. We asked Minister Mykhailo Fedorov to give us his vision on the ministry's plans in the context of personal data protection. Below are some of the key findings from that conversation.
- The protection of personal data is a priority of the ministry. It forms the culture on how to address the issue of personal data approaching EU standards. As an example, it produced a TV series devoted to privacy and personal data protection with the participation of a certified information privacy professional. Currently, the ministry has joined its forces with international partners to work on two projects. The first one is a social video that will promote personal data protection and the second one is a toolkit that will assist companies with data protection compliance.
- Each project of the ministry, including national portal Diia, online platform for digitial literacy Diia. Digital Education and the Diia.Business application, is reviewed and approved by the internal group on data protection. Such groups consist of various professionals with different backgrounds that complement data protection. Moreover, each project has a person responsible for data protection.
- Following the privacy-by-design principle, the ministry proactively promotes privacy and personal data protection to prevent privacy incidents and data breaches rather than liquidating their consequences. Especially it assists in the improvement of public registers, deletion of duplicated or inaccurate data, controls any changes, or access to the registers.
- The Ministry of Digital Transformation has implemented internal procedures on how to process personal data of its workers. For the users of its application and websites, there are privacy notices in place. Also, the ministry has a data breach and incidents policy, as well as procedures for the review and adoption of the projects. Last but not least, there is a specific procedure that prohibits launching new projects without a preliminary data protection audit.
- Data protection training and education are a common practice for the servants of the ministry.
- In cooperation with police, it initiated an investigation of chat-bots that were selling personal data scraped or stolen from a different state, banking and commercial registers, and after two months of the investigation, 25 people were arrested, and the public access to the chat-bots was disabled.
- It participates in the coordinating committee on the reform of the data protection and prepares amendments and drafts regarding the protection of personal data according to the European standards.
- As apparent from the comments of the minister, there is a driving power for strengthening privacy culture and regulatory policy in Ukraine. Hopefully, this will translate into a broader promotion of data protection in Ukraine.
Reform forecast
Current developments
It usually takes a long time before a draft law becomes an actual piece of legislation. In this, Ukraine is no different from any other country. Currently, the working committee is developing a draft of the new GDPR-like law. It is not the first committee that has taken this challenge. The original committees were created in late fall 2019 but regrouped into one single committee in spring 2020 so that work would be faster and more productive. There is no official confirmation of the release date of the draft. However, there are hopes it will be presented to the general public by the end of the fall.
Need for an independent supervisory authority
There is still an ongoing discussion on what the future independent regulatory body should look like. The easiest, yet not the best way, is to leave all the functions to the current regulator, Verkhovna Rada’s Commissioner for Human Rights. Advocates of leaving things “as is” argue that the establishment of the new public body requires time and budget. On top of that, there may be issues related to the independence status of a new body requiring amendments to the constitution.
Fortunately, the working committee has recently recognized the priority of the establishment of an independent regulatory body whose main focus will be on the protection of personal data. Even if the working committee decides to include an independent regulatory body in the draft, it is an open question: “What place will the new body have in the system of authorities in Ukraine?” Options include an independent public body, several bodies or an independent division in the structure of the government of Ukraine.
Need to educate people and promote the culture
Due to a short privacy history in Ukraine, our nation has yet to develop a strong privacy culture. However, forming a privacy culture is no easy task and requires the involvement of many stakeholders.
The majority of stakeholders hasn't discovered the importance of privacy and the value it brings. For instance, some representatives from the private sector have made public statements opposing the need to upgrade personal data protection legislation. They fear that strong GDPR-like regulation will destroy their business. As controversial as it sounds, it is understandable — after all, the EU’s private sector shared the very same fears when the GDPR was first introduced.
Another major stakeholder is people. The people of Ukraine don’t understand the importance of privacy, and as a result, they don’t demand a new law. The vast majority of people would negligently share their personal data with the shadiest controllers without a second thought and will do a little close to nothing to try to enforce their rights if something goes wrong. This is a significant problem as the data is the new “oil” it drives the modern world. If left without proper attention it may lead to cases like the notorious Cambridge Analytica. On the other hand, the younger generation starts to show interest in privacy issues, though there is still a long way to go.
There are several obstacles that may slow down the creation of privacy culture: fears of the business, low personal data protection demand from the general public, which results in a little supply.
However, all these problems can be solved as all these are a matter of education. The good news is the education process is up and running. If educated properly and systematically, businesses will understand that privacy adds to the value and is a powerful competitive advantage. The majority of people will realize that personal data may be abused and used against them, but there are means of defending yourself. Lawyers will see the demand for personal data protection and will get more training, providing more supply to the market.
Despite all obstacles and uncertainties, the data protection reform seems both vital and inevitable for the further digital transformation of Ukraine. It will help open the mass Ukrainian IT scene to the European market and ensure further integration into the international economy. Moreover, it does not seem impossible to receive an adequacy decision from the European Commission, which will make Ukraine an even more attractive economic partner.
Photo by Max on Unsplash