Ukraine Data Privacy

On June 9, 2021, Verkhovna Rada, the Parliament of Ukraine, registered the “Protection of Personal Data” (“Draft Law”), which would replace the existing PDP Law to be more in favor of GDPR, the General Data Protection Regulation.

What is the primary Ukraine data privacy protection law?

The main legislative act covering personal data processing in Ukraine is the Law of Ukraine on Personal Data Protection No 2297-VI of June 1, 2010 (“PDP Law”). The PDP law regulates legal relations involving processing and protecting personal data by protecting people’s fundamental rights and freedoms.

And the PDP Law has continued to evolve. New amendments were made in 2012 and 2014 to update the law with the times. However, Ukraine’s data protection law is not as comprehensive as the GDPR.

When will the Draft Law take effect?

In the Ukrainian Parliament, a law must undergo two hearings first. Furthermore, it’ll probably go through multiple revisions, further delaying the process. With that in mind, it’s difficult to say when Ukrainian legislation will pass and for the Draft Law to take effect.

What are the important updates in the Draft Law?

The new law aims to bring the current Ukraine data privacy legislation in line with the GDPR. To make that happen, the Draft Law proposes several features including:

1. new data processing principles such as data minimization and storage limitation

2. updated legal grounds of data processing and “legitimate interests.”

3. Updated GDPR-like language

4. updated definition of sensitive data with new standards for processing each type

5. new video surveillance data protection rules

6. new tracking technologies data protection

What about international data transfers?

The Draft Law provisions on international data transfers are similar to what the GDPR outlines. Countries that are considered to provide an acceptable level of personal data protection include:

1. Countries required to comply with GDPR

2. Countries are required to comply with Convention 108+

3. Countries that the Ukrainian data protection authority deems worthy of providing an acceptable level of protection.

Similar to GDPR, the Draft Law also includes Binding Corporate Rules to assist in transferring personal data to countries with an acceptable protection level.

What about data breach notifications?

The Draft Law also proposes new requirements for data breach notifications similar to GDPR. The new law will require data controllers to notify the proper authority of data breaches when it’s a high risk of violating rights and freedoms. Additionally, the controller will have to inform those affected by the breach.

What does the Draft Law define as the data protection authority?

Since 2014, the Ukrainian Parliament Commissioner for Human Rights (“Ombudsman”) has filled the role of the data protection authority (“DPA”). The Draft Law changes that. Under the new legislation, the data protection authority feres a standalone law regulating the DPA.

The Draft Law proposes a new, independent agency that would take over policymaking by adopting mandatory regulations and enforcement.

The leading powers of the Commission include:

1. Following up on complaints and potential violations of the law of Ukraine “On Personal Data Protection.”

2. Collecting written explanations from potential violators of the law of Ukraine “On Personal Data Protection.”

3. Issuing fines for those who control and process personal data

4. Filing for enforcement with the courts for violations of the law of Ukraine “On Personal Data Protection.”

The Commission would have the ability to inspect data controllers and processors that received data privacy complaints.

What are the potential fines?

The Draft Law introduces a new range of potential penalties for violations of the data protection law. Additionally, the Draft Law drastically increases the cost of the penalties from the current law. The fines range depending on the type and severity of the violation. Current suggestions include:

1. for individuals – ranges from 10,000 UAH (approximately 325 USD) to 300,000 UAH (approximately 9,850 USD)

2. for legal entities – ranges from 30,000 UAH (approximately 985 USD) or 0.05 percent of the total annual turnover to 5 percent of the total yearly turnover (but not less than 300,000 UAH (about 9,850 USD)).

The goal is to eliminate fines, but also discourage repeat offenders. The Draft Law is a clause that allows for a 200% penalty fine if the same violation occurs within a year.

GDPR and the Draft Law

The current Ukrainian data privacy legislation was not as detailed as GDPR. However, the new Draft Law has been proposed with the Verkhovna Rada to help close the gap. While not expected to pass soon, it could be in place by the end of 2023 if no further significant changes are needed.