UPDATE 17 January 2022: As we have informed before, to fix the data localization requirement the Ukrainian Parliament on December 16, 2021 adopted the Law On the National Commission for State Regulation of Electronic Communications, Radio Frequency Spectrum and Postal Services.
However, due to some political issues this Law has not been signed by the Speaker of the Ukrainian Parliament and has not been sent for signature to the President of Ukraine.
Therefore, the data localization requirement introduced on December 15, 2021 is still in force.
The situation could be remedied by the Parliament, that would start its plenary hearing at the end of January 2022. Hopefully, the data localization requirement would be removed within the next month.
UPDATE 17 December 2021: Law of Ukraine on Public Electronic Registries has been officially published on December 14, 2021. Therefore, the amendments on data localization came into force on December 15, 2021.
At the same time, on December 16, 2021 the Parliament of Ukraine adopted another unrelated Law On the National Commission for State Regulation of Electronic Communications, Radio Frequency Spectrum and Postal Services (The Law on the National Commission). By this law the Parliament also introduces amendments to the Law of Ukraine of Protection of Personal Data withdrawing the data localization requirements.
Once the Law on the National Commission would be signed by the President and officially published, it will enter into force on January 1, 2022.
Therefore, in the optimistic scenario, the data localization requirements in Ukraine would be revoked from January 1, 2022.
While all eyes of the Ukrainian data privacy community are on two draft laws at the Ukrainian Parliament aiming to implement the GDRP and establish a modern DPA in Ukraine, on 18 November 2021 the parliament adopted another law with an unrelated name, the Law of Ukraine on Public Electronic Registries (“Law“).
Interestingly enough, between the first and second readings, this Law is supplemented with wording introducing amendments to the current Law of Ukraine on Protection of Personal Data.
In particular, the new language is added to part 5 Article 6 of the Law of Ukraine on Protection of Personal Data regulating the general requirements to data processing:
It is prohibited to process personal data, the protection of which is required by law, using cloud computing technology and data centers located outside the administrative-territorial borders of Ukraine…
We understand that the Ukrainian authorities did not intend to implement the far-reaching ban restricting the processing of all personal data abroad. This would contradict some the recent government initiatives aiming to create the global software development and support hub out of Ukraine, including adopted on December 14, 2021 the Diia City Tax Bill providing a special tax regime to the eligible IT companies. The restriction was most likely intended to only cover the processing of personal data of the public electronic registries, which would be logical and within the scope of the Law.
The Law has been signed by the speaker of the Parliament and by the President of Ukraine on December 10, 2021. The discussed above provisions would enter into force on the next day after official publication of the Law. Now the Ukrainian Parliament aims to withdraw the above noted norm and has already included the respective provision to the Draft Law of Ukraine on Cloud Services which is high on the agenda and is hoped to be voted before the end of the 2021 year. The problem with this approach is that while provisions of the Law of Ukraine on Public Electronic Registries enter into force immediately after the publication, the Law of Ukraine on Cloud Services would enter into force only after 6 months after its adoption and publication. Thus, theoretically, even with the proposed fix implemented, we still might have a six month period when the processing of the Ukrainian personal data abroad would be prohibited.
