News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Ukrainian GDPR: The reality and future of privacy legislation in Ukraine Related reading: When the GDPR is not quite enough: Employee privacy considerations in Russia, Belarus, and Ukraine 

rss_feed

""

In 2017, the European Union funded a “Twinning Ombudsman” project with a budget of 1.5 million euros to help Ukraine bring its data protection system in line with international and, in particular, European standards. In November 2018, the initiative completed its work. The project’s team prepared more than a dozen recommendations and methodologies for the effective implementation of the reform, but the draft legislative act was never brought to the Ukrainian Parliament.

Contrary to the development of recommendations, the implementation stage was not covered publicly, so one may only wonder why the project has failed. Perhaps there was no political will at the time. Unfortunately, the results of the project's work remain unused two years later. 

It is fair to regard Ukraine as one of the leading outsourcing centers in Eastern Europe, having powerful research and development offices and covering all stages of software development. It is also a mother country for a number of worldwide leading startups, from Grammarly and Preply to Gitlab and People.ai. Still, the state of regulation of personal data processing seems to be a digital “wild west.”

This article was prepared by a Ukrainian-based nongovernmental organization “Privacy HUB” to explain the current state of personal data protection in Ukraine, what can be done to change the paradigm, and how not to fail while searching for a balance between the private and public interest in reform initiatives. 

Overview of the current legislative framework: Key points

Ukraine has been a member of the Council of Europe since 1995, so Ukrainian national legislation takes into account the developments and standards developed by the council. In particular, in 1997, Ukraine ratified the European Convention on Human Rights. The Convention 108 was ratified in 2010. Following the ratification, Ukraine adopted the Law of Ukraine On Personal Data Protection, which was largely based on the provisions of Convention 108 with the EU’s Data Protection Directive of 1995 and mirrors most of their provisions.

Since that time, only minor changes have been made to the law, mostly concerning the regulatory body and system of obligatory notifications to supervisory authorities. After the EU’s data protection reform in 2016, it is hard to claim that Ukraine provides adequate privacy guarantees. 

Supervisory authority: Problems and difficulties 

To date, data protection supervision and control in Ukraine are carried out by the Verkhovna Rada’s Commissioner for Human Rights. The commissioner is not a standalone data protection authority but rather a Parliamentary ombudsperson overseeing human rights protection in general. 

In 2019, journalism organization Ukrayinska Pravda made an official request regarding the composition of the commissioner's secretary and published the response they received. The department for personal data protection consisted of only 13 people and its budget consisted of no more than 150,000 euros. With a population of more than 40 million people, a department of 13 is incapable of adequately supervising personal data protection. For instance, in 2018, the U.K. regulatory authority, the Information Commissioner’s Office, increased its staff to 700 employees to be able to perform the full scope of work. 

Another issue: The primary role of the commissioner is to exercise Parliamentary control. The concept of Parliamentary ombudspersons means indirect dependence on and accountability to the Ukranian Parliament, Verkhovna Rada, in both functional and organizational aspects. At the same time, a privacy regulatory body must be responsible for overseeing not only the private but also the public sector, including the executive, judiciary and legislative branches, so the maximum possible independence is key to the body's activities. 

As such, the current enforcement of privacy in Ukraine still lacks resources and independence. Representatives of the Council of Europe, who analyzed the planned data protection reform in Ukraine in 2018, hold the same opinion in their conclusion. And, since the draft reform proposed to keep the commissioner as the only supervisory authority, the Council of Europe’s representative expressed concern that Ukraine did not take the opportunity to establish an independent and non-subordinate regulatory body.

Consent mantra 

Under Ukrainian law, there are six legal grounds for data processing. However, consent was widely misunderstood from the beginning and is the most widely used basis to date. Consent has been embedded in almost every possible legal document and usually, it bundles with the other provisions which go against the concept of “freely given.” It has become such a big thing that it is almost worshiped. Even in the most obvious situations in which a “performance of a contract” or even “compliance with legal obligations” should be used, you will most certainly find the phrase “I provide my consent to the processing of my personal data.” 

The lack of guidelines and proper enforcement, which should form privacy culture, has led to the common misbelief that consent provides more security for service providers. As a result, other legal grounds, such as “performance of a contract” and “legitimate interest” are being neglected.

Obligatory notice to the supervisory authority

Another notable feature of the Ukrainian system is the controller obligation to notify the supervisory authority about the processing. Similar to the Directive 1995 scheme, Ukrainian controllers must notify only about the processing that poses “particular risks” to the rights of the individuals. The scope of such processing is somewhat similar to the definition of “special categories of data” under the EU General Data Protection Regulation. On top of the scope of Articles 9 and 10 of the GDPR, the list of processing activities to notify about includes the processing of a person’s location data and information about any violence done regarding a particular individual.

Under the notification obligation, controllers must submit two documents to the supervisory authority. First, they must file the notification containing the details about the scope of the risk-forming processing activity. Second, controllers must inform about the formation of the department or designation of the person responsible for overseeing the data protection compliance within the organization.   

International transfers 

Ukrainian legislation recognizes the general prohibition of international transfers of personal data to other countries unless specific conditions are met. One of the criteria is similar to the GDPR mechanism. In particular, Ukraine can recognize the countries with an adequate level of protection — the transfers to such countries do not need additional safeguards. Under the law, member states of the European Economic Area and signatories to the Convention 108 are deemed to ensure an adequate level of protection. The government of Ukraine — the Cabinet of Ministers of Ukraine — may define other countries that ensure an adequate level of protection. However, there has been no list of such countries since the adoption of the law. 

The other mechanism allowing international data transfers are:

  • Unambiguous consent from the data subject.
  • The necessity to enter into or perform a contract.
  • The protection of the vital interests of the data subject.
  • The protection of public interest and establishing, fulfilling and enforcing legal claims.
  • The guarantee to avoid interference in the personal and family life of the data subject.

However, there is no clear guidance on international transfers in Ukraine. As it becomes apparent from the above examples, the existing system of data protection in Ukraine needs a substantial update to meet the international standards. 

Grounds for the reform

EU-Ukraine Association Agreement

It is a well-known fact that Ukraine aspires to become a part of the EU. The path to becoming a member-state began in 2014 when Ukraine and the EU signed an Association Agreement. European integration is a rather lengthy route and lies in the implementation of various reforms. Personal data protection is one such reform. Article 15 of the agreement provides a firm ground for the reform in the personal data protection area, forcing Ukraine to align its data protection system with international and European standards. 

However, the reform itself may possess quite a challenge. There is an ongoing debate that to adopt a GDPR-like law there should be changes to the Ukrainian Constitution. The problem is that Article 32 of the Constitution prohibits the processing of a person’s confidential data without prior consent, except in cases that are determined by the law and only in the interests of national security, economic welfare and human rights. The Constitution itself does not define the meaning of a person’s confidential information. Therefore, some argue that this term may include personal data. Though the phrase “cases which are determined by the law” may imply five legal grounds prescribed by specific privacy legislation, yet the debate is still there.  

Plans to sign Convention 108+

An additional driver for the reform might become the signature and ratification of the modernized version of Convention 108, Convention 108+. The standards enshrined in the updated document respect the main principles of the current EU system. The undertaking of such international obligations may fasten the national legislative changes in Ukraine. Ukraine is currently considering signing the Convention 108+, although there are no signs pointing toward that happening soon.

Ukraine’s digitalization strategy 

An active participant and contributor to the incoming data protection reform is the Ministry of Digital Transformation of Ukraine. We asked Minister Mykhailo Fedorov to give us his vision on the ministry's plans in the context of personal data protection. Below are some of the key findings from that conversation.

  • The protection of personal data is a priority of the ministry. It forms the culture on how to address the issue of personal data approaching EU standards. As an example, it produced a TV series devoted to privacy and personal data protection with the participation of a certified information privacy professional. Currently, the ministry has joined its forces with international partners to work on two projects. The first one is a social video that will promote personal data protection and the second one is a toolkit that will assist companies with data protection compliance.
  • Each project of the ministry, including national portal Diia, online platform for digitial literacy Diia. Digital Education and the Diia.Business application, is reviewed and approved by the internal group on data protection. Such groups consist of various professionals with different backgrounds that complement data protection. Moreover, each project has a person responsible for data protection.
  • Following the privacy-by-design principle, the ministry proactively promotes privacy and personal data protection to prevent privacy incidents and data breaches rather than liquidating their consequences. Especially it assists in the improvement of public registers, deletion of duplicated or inaccurate data, controls any changes, or access to the registers.
  • The Ministry of Digital Transformation has implemented internal procedures on how to process personal data of its workers. For the users of its application and websites, there are privacy notices in place. Also, the ministry has a data breach and incidents policy, as well as procedures for the review and adoption of the projects. Last but not least, there is a specific procedure that prohibits launching new projects without a preliminary data protection audit.
  • Data protection training and education are a common practice for the servants of the ministry.
  • In cooperation with police, it initiated an investigation of chat-bots that were selling personal data scraped or stolen from a different state, banking and commercial registers, and after two months of the investigation, 25 people were arrested, and the public access to the chat-bots was disabled.
  • It participates in the coordinating committee on the reform of the data protection and prepares amendments and drafts regarding the protection of personal data according to the European standards.
  • As apparent from the comments of the minister, there is a driving power for strengthening privacy culture and regulatory policy in Ukraine. Hopefully, this will translate into a broader promotion of data protection in Ukraine.

Reform forecast

Current developments

It usually takes a long time before a draft law becomes an actual piece of legislation. In this, Ukraine is no different from any other country. Currently, the working committee is developing a draft of the new GDPR-like law. It is not the first committee that has taken this challenge. The original committees were created in late fall 2019 but regrouped into one single committee in spring 2020 so that work would be faster and more productive. There is no official confirmation of the release date of the draft. However, there are hopes it will be presented to the general public by the end of the fall. 

Need for an independent supervisory authority

There is still an ongoing discussion on what the future independent regulatory body should look like. The easiest, yet not the best way, is to leave all the functions to the current regulator, Verkhovna Rada’s Commissioner for Human Rights. Advocates of leaving things “as is” argue that the establishment of the new public body requires time and budget. On top of that, there may be issues related to the independence status of a new body requiring amendments to the constitution. 

Fortunately, the working committee has recently recognized the priority of the establishment of an independent regulatory body whose main focus will be on the protection of personal data. Even if the working committee decides to include an independent regulatory body in the draft, it is an open question: “What place will the new body have in the system of authorities in Ukraine?” Options include an independent public body, several bodies or an independent division in the structure of the government of Ukraine.

Need to educate people and promote the culture

Due to a short privacy history in Ukraine, our nation has yet to develop a strong privacy culture. However, forming a privacy culture is no easy task and requires the involvement of many stakeholders.

The majority of stakeholders hasn't discovered the importance of privacy and the value it brings. For instance, some representatives from the private sector have made public statements opposing the need to upgrade personal data protection legislation. They fear that strong GDPR-like regulation will destroy their business. As controversial as it sounds, it is understandable — after all, the EU’s private sector shared the very same fears when the GDPR was first introduced. 

Another major stakeholder is people. The people of Ukraine don’t understand the importance of privacy, and as a result, they don’t demand a new law. The vast majority of people would negligently share their personal data with the shadiest controllers without a second thought and will do a little close to nothing to try to enforce their rights if something goes wrong. This is a significant problem as the data is the new “oil” it drives the modern world. If left without proper attention it may lead to cases like the notorious Cambridge Analytica. On the other hand, the younger generation starts to show interest in privacy issues, though there is still a long way to go. 

There are several obstacles that may slow down the creation of privacy culture: fears of the business, low personal data protection demand from the general public, which results in a little supply. 

However, all these problems can be solved as all these are a matter of education. The good news is the education process is up and running. If educated properly and systematically, businesses will understand that privacy adds to the value and is a powerful competitive advantage. The majority of people will realize that personal data may be abused and used against them, but there are means of defending yourself. Lawyers will see the demand for personal data protection and will get more training, providing more supply to the market. 

Despite all obstacles and uncertainties, the data protection reform seems both vital and inevitable for the further digital transformation of Ukraine. It will help open the mass Ukrainian IT scene to the European market and ensure further integration into the international economy. Moreover, it does not seem impossible to receive an adequacy decision from the European Commission, which will make Ukraine an even more attractive economic partner.

Photo by Max on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Artem Kobrin, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Headshot Dmytro Korchynskyi, CIPP/E, CIPM, FIP IAPP Member Contributor
Headshot Vladislav Nekrutenko, CIPP/E, CIPM, FIP IAPP Member Contributor
Tags
Europe
Enforcement
Privacy Law
Transborder Data Flow
1 Comment

If you want to comment on this post, you need to login.

  • comment Gerrit van Rooij • Nov 11, 2021 
    What does this mean for the transfer of personal data to Ukraine on the basis of the model clauses? Is this even possible? What rules are there that limit the GDPR safeguards?
Related Stories
Related Stories
Tags
Europe
Enforcement
Privacy Law
Transborder Data Flow
Recent Comments