European data privacy standards and Ukrainian practices
23:29 06.02.2013 Oleksander Plotnikov, Lexology
The history of privacy protection in Ukraine goes back to 1992, when the Law of Ukraine On Information was adopted, according to an article by Oleksander Plotnikov for Lexology. This law stipulated that “collection of information about a person without his prior consent shall be prohibited except for the cases stipulated by a law”. Adoption of the Ukrainian Constitution in 1996 was a further step towards data privacy protection. The Constitution borrowed heavily from the European Convention on Human Rights and stipulated in article 32 that “nobody shall suffer from interference in his private and family life except for the cases stipulated by the Constitution of Ukraine. Collection, storage, use and distribution of confidential information about a person without his consent shall be prohibited, except such as is in accordance with the law and is necessary in the interests of national security, the economic well-being and human rights”. These rules, though declarative, created a basis for the further development of local privacy protection legislation.
A new age of privacy protection in Ukraine started in 2010, when the Ukrainian Parliament, following the global tendency of strengthening data privacy standards, ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Convention) and the Additional Protocol to it (the Protocol). Simultaneously, the Law of Ukraine “On personal data protection” (the Law) was enacted. This Law has become a comprehensive national statutory act that sets rules of personal data protection for both the public and private sectors, and is applicable both to automated personal data files and to those which are not processed automatically.
Being a member of the Council of Europe, Ukraine intends to follow the best European standards of data privacy and has implemented them in local legislation. Although Ukraine is not a member of the European Union, many provisions of Directive 95/46/EC of 24 October 1995 On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the Directive) have been implemented in the Law in addition to the principles of the Convention.
Speaking generally, Ukraine has implemented almost all the main standards and rules set by the Convention and the Directive, including the following.
- Prohibition on processing personal data without the data subject’s prior consent, unless such processing is allowed by a law and only in the interests of national security, the economic well-being and human rights.
- General requirements to the quality of data (Article 5 of the Convention) – all implemented in the Law.
- Additional protections for particular categories of sensitive data: personal data revealing racial origin, political opinions or religious or other beliefs, membership in political parties and trade unions, as well as personal data concerning health or sexual life (Article 6 of the Convention).
- Rights of a person in relation to his personal data (Article 8 of the Convention):
  - to establish the existence of a personal data filing system (the filing system) which contains his personal data, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the filing system;
  - to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the filing system, as well as communication to him of such data;
  - to obtain, as the case may be, rectification or erasure of personal data if these have been processed illegally or are misleading;
  - to have a remedy in the case of a violation of his rights related to personal data protection.
- Establishment of an independent supervisory data protection authority (the State Commission for Personal Data Protection (the Commission)).
- Restriction on personal data export to countries which do not ensure an adequate level of privacy protection.
- Requirement to process personal data only for a definite period of time (established by a law or by the data subject’s consent).
It is obvious that Ukrainian lawmakers did not intend to create anything new in privacy protection and simply combined the main rules of the Convention and the Directive in order to comply with European standards. Unfortunately, this was done without a deep understanding of the practical aspects of data privacy protection and without due consideration of the Ukrainian legislation already in force. As a result, we have a Law very similar to those European regulations, but full of unclear and contradictory provisions. Almost two years after the Law’s enactment, we can say that some of its provisions can hardly be fulfilled in practice, and others, though executable, impose an unreasonable burden on controllers, processors and the supervisory authority.
Since the Law is applicable to all companies, whether local or foreign, which collect or process personal data in Ukraine, this article addresses the main problematic issues that foreign companies should take into account when processing personal data originating from Ukraine.
Form of the data subject’s consent
According to the Law, the data subject’s consent shall be provided in documentary, inter alia written, form. Because of gaps in Ukrainian legislation, only a very limited number of forms of consent can be considered as complying with this requirement. In practice, everything comes down to written consent or electronic consent attested by an electronic signature. This requirement significantly narrows the means that controllers may use to obtain consent, and makes it impossible to obtain consent over the Internet by clicking an “accept” button on a website.
Processing of personal data without data subject’s consent
Contrary to the European rules, the Law stipulates a very limited number of cases in which personal data may be processed without the data subject’s consent. They are:
- Processing by virtue of a law that empowers the controller/processor to process the data without consent of the data subject; and
- If processing is necessary in order to protect vital interests of the data subject.
It is worth mentioning that, as of today, Ukrainian laws do not precisely stipulate any cases in which personal data processing may be performed without the data subject’s consent.
Thus, even in cases where, according to the Directive, personal data processing does not require the person’s consent, namely (i) for the performance of a contract to which the data subject is party, or (ii) in order to take steps at the request of the data subject prior to entering into a contract, or (iii) for compliance with a legal obligation to which the controller is subject, or (iv) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or (v) for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, the consent of the respective data subject must still be obtained in Ukraine.
Providing information to the data subject and third parties
The Law stipulates that the data subject shall be informed of his rights, the purpose of collection of his data and the persons to whom his data will be disclosed, exclusively in written form. Again, due to the imperfections of Ukrainian legislation, this excludes the possibility of informing the data subject via e-mail and requires paper notification only.
Moreover, the Law imposes an obligation on the controller to inform third parties to whom the data have been disclosed of any rectification or erasure of such data. Unlike the European rules, which release the controller from the obligation to notify third parties where such notification proves impossible or involves disproportionate effort, the Ukrainian Law does not provide for such a release. As a result, the controller must make the respective notification irrespective of any obstacles and of the effort required.
Registration of filing system
One more burdensome requirement of the Law is the obligation of the controller to register all its filing systems with the Commission. The difference between this registration and the notification prescribed by the Directive is that, as a result of such registration, a certificate of registration is issued to the controller by the Commission. Moreover, the Commission has the right to refuse registration if the application does not comply with the Law. Since the Commission has its own, sometimes quite disputable, understanding of the Law, there are many cases where registration has been refused (though this does not prevent the controller from applying again). As of today, millions of applications have been submitted to the Commission for registration and most of them are still pending, because the Commission does not have sufficient resources to process such a huge number of applications quickly.
In connection with filing system registration, it should also be emphasized that, according to the Law, each filing system shall have its own specific and precise purpose of data processing. Due to this rule, the Commission requires separate registration of each filing system with a specific purpose. This causes a significant increase in formalities related to privacy protection and leads to a situation where each company must have several filing systems registered with the Commission.
Exemptions from general rules
According to the Law, it shall not apply to the processing of personal data (i) by a natural person in the course of a purely personal or household activity, (ii) by a journalist in connection with the performance of his official or professional duties, and (iii) by a professional artist in the course of his artistic activity.
In practice, numerous disputes and discussions have been caused by the provision exempting filing systems controlled by journalists from regulation under the Law. At first glance, this positive step, inspired by the Directive, is aimed at the protection of free mass media. However, it turns out in practice that most personal data filing systems used by journalists are controlled and processed not by the journalists themselves but by the companies they work for. As a consequence, all those filing systems are subject to the limitations and restrictions imposed by the Law, which unreasonably complicates their use by journalists in their professional activity. The situation would be different if the exception were made for filing systems processed for the purposes of journalism, irrespective of their controller. But the Commission is quite reluctant to raise this issue with the Parliament.
Transborder flow of personal data
In the modern world, transborder flow of data is inevitable. Thus, the intention of the parties to the Convention and the members of the EU to establish certain rules for such data transfers is absolutely understandable and reasonable. In this regard, the Law partly repeats the provisions of the Directive and stipulates that “transfer of personal data to foreign receivers shall be made exclusively subject to ensuring an adequate level of protection of personal data and subject to the respective authorization … ”. The second part of this rule, requiring the authorization, leads to another dispute between the Commission and controllers. The problem is that it is not clear exactly which authorization is meant and by whom it shall be granted, since the Law does not answer these questions. The fact that the term “authorization” used in this provision differs from the term “[data subject’s] consent” gives the Commission grounds to state that such authorization shall be granted by the Commission itself. However, opponents of this position argue that the Law does not contain a precise provision empowering the Commission to grant such authorizations. This issue has not been resolved yet, and there is no procedure for the granting of such authorizations by the Commission. Thus, for the time being, all disputes regarding this issue remain purely theoretical.

From the practical point of view, a controller or processor intending to transfer personal data abroad must ensure that the recipient’s country provides an adequate level of personal data protection. According to clarifications given by the Commission, it is presumed that countries which are parties to the Convention and the Protocol ensure an adequate level of protection, and transfer of data to such countries does not require additional formalities. In the case of data flows to other countries, separate agreements with the data recipients stipulating specific rules for such data processing shall be executed.
One more important provision related to the transborder flow of personal data is the prohibition on transferring personal data to other countries for a purpose different from the initial purpose of their collection.
As practice shows, a rule of law does not work without an efficient mechanism for its enforcement. In Ukraine, violations in the sphere of personal data protection are subject to civil, administrative and criminal liability.
Speaking about civil liability for violation of privacy, it should be mentioned that there are no specific provisions of law relating directly to privacy protection, and court practice in this area is still undeveloped. The data subject may claim compensation for damages caused by a violation of his privacy based on the general rules of civil law.
Administrative liability is established by the Code of Ukraine on Administrative Violations. In particular, administrative liability is provided for the following violations:
- Failure to notify, or untimely notification of, the data subject of his rights, the purpose of personal data collection and the persons to whom such data are disclosed;
- Failure to notify, or untimely notification of, the Commission of a change in the information submitted for the state registration of a filing system;
- Evading state registration of a filing system;
- Violation of the procedure of personal data protection, which has led to illegal access to respective personal data;
- Failure to comply with lawful demands of the Commission aimed at the elimination of violations of privacy protection legislation.
The fines for the above violations range from approximately EUR 170 to EUR 1700.
Criminal liability is provided for the illegal collection, storage, use, disposal, dissemination and alteration of confidential information about a certain person. The sanctions for such a crime are a fine of up to EUR 1700, or corrective labor for up to 2 years, or arrest for up to 6 months, or custodial restraint for up to 3 years.
In conclusion, I would like to say that today much more attention is paid in Ukraine to the issues of privacy protection than two years ago. Though privacy protection remains an exotic activity for a considerable part of Ukrainian society, many positive steps have been made in this field over the past two years. It is now beyond doubt that Ukraine will follow the European standards of privacy protection. And we do hope that the Ukrainian Parliament will give due consideration to experts’ opinions regarding the defects of the Law and the ways of improving it.