GDPR-like privacy reform in Ukraine
Why is GDPR-like reform expected?
Considering that Ukraine aims (1) to focus on the IT industry and engage foreign investors, and (2) to join the European Union, taking the GDPR as a reference for privacy reform is a sensible move. The GDPR is a regulation that most companies already aim to comply with, so setting mirrored requirements is business-friendly. On top of that, the GDPR outperforms current Ukrainian legislation in terms of data subject protection.
When is reform expected?
If adopted, bill no. 8153, submitted on 25 October 2022 (the Privacy Bill), will take effect on 1 January 2024. If the Privacy Bill is not passed by Summer 2023, the effective date will be postponed. Parliament aims to make the Privacy Bill a proper foundation for recognizing Ukraine as a country with an adequate level of protection under the GDPR and has rejected any new insertions that are questionable. The previous Privacy Bill iteration (5628) was canceled due to its severe intrusion into the activities of internet service providers.
What are the key features and differences from the GDPR?
While the Privacy Bill mostly follows the GDPR, there are some derogations:
1. Certification of Data Protection Officer. If large-scale processing is conducted, a data protection officer (DPO) must pass a qualification exam prior to appointment. There are no further details about the exam or about the option to substitute it with generally accepted certifications (eg, CIPP-E).
2. EU Guidelines and Case Law. Some recommendations of the Working Party/EDPB and EU case law were directly hardwired into the Privacy Bill:
- Data processing impact re-assessment. A DPIA must be concluded at least once every three years [1].
- CCTV recording retention period. Video recordings processed on the basis of the legitimate interest of crime prevention and property protection can be kept for up to six months [2].
3. Extraterritoriality. The Privacy Bill does not contain articles defining its material/territorial scope. Like the GDPR, the Privacy Bill obliges foreign legal entities to appoint a representative in Ukraine if they (1) offer services/products to data subjects in Ukraine, (2) monitor the activities of data subjects in Ukraine, or (3) process personal data of Ukrainian citizens. This suggests that the Privacy Bill applies in the cases mentioned; however, there is no clear confirmation.
4. Personal data of deceased persons. The Privacy Bill states that consent of a deceased person is valid for ten years (twenty years for deceased minors) after death, unless otherwise demanded by the data subject pre-mortem. Post-mortem processing of personal data (except name, sex, birth/death dates, place of birth and death, death certificate) without a legal basis acquired before death requires consent of the successor.
5. Cross-border transfer. Countries operating under the GDPR or Council of Europe Convention No. 108 on Data Protection are recognized as countries which ensure an adequate level of protection. The list may be extended by the supervisory authority. Transfer to other countries is possible under GDPR-like rules (BCR, SCC, etc.).
6. Breach notification. The time needed to prepare the supervisory authority notification cannot be used as an excuse for missing the notification deadline (72 hours after becoming aware of the breach). If individual data subject notification would involve disproportionate effort, a public announcement on a website, social media or the news must be used instead.
7. Reasonable fee for data subject requests. A controller may charge a fee based on administrative costs only for repeated request(s) regarding the same personal data (a narrower approach compared to the GDPR).
Is there room for improvement?
Removal of the mandatory DPO exam. The GDPR, like most other privacy frameworks, does not mention a certification requirement for a DPO. Demanding a certificate from a Ukrainian DPO may seem excessive.
Review of state-specific provisions. The mentioned precautions on data of deceased persons are an example of what could be made more specific to resolve ambiguity: is data related to a deceased person still considered personal data once the protection period specified in the Privacy Bill expires? If multiple successors do not reach a consensus on processing, how can the dispute be resolved?
Extra care with hardwired recommendations and case law. It may be wise to double-check whether the sources relied upon are still relevant.
Defined scope. An article clearly stating material and territorial scopes of the Privacy Bill would help with understanding and applying it.