- On 9 June 2021, the Parliament registered the draft law On Protection of Personal Data, proposing to completely replace the existing law and aiming to implement the General Data Protection Regulation (GDPR) in Ukraine.
- On 29 September 2021, the Parliamentary Committees on Digitalization and on Human Rights Protection together with the Ukrainian Parliament Commissioner for Human Rights (current Ukrainian Data Protection Agency) and the Joint EU and European Council project presented the draft law On the National Commission for Personal Data Protection and Access to Public Information (according to government officials, this draft would be registered shortly in the Parliament).
- The Parliament aims to implement both drafts and other necessary regulatory norms within the next three to six months to be able to launch the data privacy reform by 2023 as part of the integration to the EU Digital Single Market, implementation of the EU legislation as required by the EU-Ukraine Association Agreement, and the wider government digital agenda.
The draft law on the National Commission for Personal Data Protection and Access to Public Information (Draft Law on the DPA)
The Draft Law on the DPA proposes to establish an independent government agency that would be responsible for both policymaking (adopting mandatory regulations) and enforcement (prosecuting infringers) in the sphere of data privacy and access to public information.
The National Commission for Personal Data Protection and Access to Public Information (DPA) would have quasi-investigative functions and would be able to investigate violations with the help of experts in technology and other spheres.
The main powers of the DPA would be the following:
- obtain information necessary for its activities, including confidential and with restricted access, from any individual company or organization
- receive access to information and telecommunication systems, registers, data banks, including information with limited access — the owner (administrator) of which are state bodies or local authorities — using state, including government, means of communication and communications, special communication networks and other technical means
- receive information from databases, registers of foreign countries, including paid information, if that is required for access to information
- investigate possible violations of the law of Ukraine “On Personal Data Protection” and the law of Ukraine “On Access to Public Information” based on complaints but also based on its own initiative
- collect from government and private companies, organizations, employees and individuals written explanations on the circumstances that may indicate a violation of the corresponding laws
- apply to the courts for enforcement of corresponding laws
- issue fines to controllers and processors of personal data
- have access to personal data processed by the controller and/or processor and necessary for the performance of its duties
The DPA would be able to inspect the controllers and processors based on the following:
- annually approved plan
- complaint on data privacy/access to information violation
- DPA’s own initiative based on the acquired information on possible violation
The Draft Law on the DPA establishes new (additional) fines.
The noncompliance with decisions/requests of the DPA and/or nonprovision of the access of the DPA for the purposes of investigating the activities of the company or individual would result in:
- a fine in the amount of UAH 20,000 to UAH 100,000 (approximately USD 752 to USD 3,759) for individuals, and for legal entities in the amount of 0.5% to 1% of the total annual turnover of such legal entity for the previous year, but not less than 3,000 tax-free minimum incomes (approximately USD 1,917)
- a fine of 200% from the previous fine for each next noncompliance
The decisions of the DPA could be appealed to the administrative courts of Ukraine.
The Draft Law On Protection of Personal Data (Draft Law on PPD)
The Draft Law on PPD aims to implement the GDPR in Ukraine, incorporating some guidance of Article 29 Working Party and European Data Protection Board.
Some key updates under the Draft Law on PPD are the following:
- unified and extended terminology (new terms defined: biometric data, data breach, genetic data, health data, overall annual turnover, pseudo-anonymization, profiling, data processing at massive scales, etc.)
- new principles of the data processing (lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, accountability, etc.)
- updated grounds of processing and new ground of processing “legitimate interest”
- updated consent concept with clarified ways on how consent could be obtained, when consent cannot be considered as granted, and restrictions to use consent as a ground for processing when other grounds apply
- updated concept of sensitive data with an extended list of grounds for processing such data
- new data privacy regulations concerning video surveillance conducted by natural and legal persons and use of tracking technologies in electronic communications and services
- specific regulations depending on type of relationship between controller and data subject (e.g., employer-employee, electronic communications service provider-user)
- new requirements for data processing agreements with an extended list of mandatory provisions (the DPA would approve the standard data processing agreement)
There is no extraterritorial application so far.
The Draft Law on PPD introduces an extensive list of new obligations on controllers and/or processors. New obligations include:
- Representative in Ukraine: The Draft Law on PPD determines cases when representatives of controllers and processors not established in Ukraine shall be designated in Ukraine.
- Records of processing activities: Each controller (or the controller’s representative) is obliged by the Draft Law on PPD to maintain a record of processing activities under its responsibility. The records shall be made in the form of a protocol.
- DPIA and prior consultation: The Draft Law on PPD obliges controllers to conduct regular data protection impact assessments (DPIA). Where the processing would result in a high risk, the controller shall have prior consultation with the data protection authority.
- DPO: The Draft Law specifies cases when controller and processor shall appoint data protection officers (DPO) along with qualification requirements for such officers.
Notification and communication of breach:
New requirements for the DPA notification in case of a personal data breach, notification details and communication to the data subjects
International data transfers:
New grounds and new conditions for transfers of personal data to the jurisdictions not ensuring adequate level of personal data protection, including appropriate safeguards and binding corporate rules
Completely new range of different administrative fines that may be imposed on natural and legal persons violating the data protection regulations
The amount of fines differs depending on the severity of violations. For the most severe violations, the fine framework might be up to 5% of the company’s annual turnover, but not less than UAH 300,000 (approximately USD 11,100) per each violation.
If adopted, the Draft Law will become effective as of 1 January 2023.