Ukraine: amended personal data protection law

On 20 December 2012 new substantial amendments to the Ukrainian Law On Personal Data Protection (in this text – the “Data Protection Law”) became effective.

Though new amendments were initially aimed at making mechanism of the personal data protection more effective and transparent, some of them are step backwards comparing to the previous version of the Data Protection Law. Moreover, vague and unclear formulations of some of the key provisions of the Data Protection Law may potentially affect individual’s right to privacy and mass-media’s freedom of speech in Ukraine.

The main changes imposed to Data Protection Law are outlined below:

(i) introduced new grounds for the processing of personal data that, alternatively to the individual’s consent and the permit for the data processing, include the following:

• agreement entered with the data subject (i.e. individual to whom the data refers) or for his/her benefit;

• protection of the data subject’s vital interests;

• need to protect legitimate interests of the data controllers or third parties.

(ii) changed requirements to the individual’s consent on processing of his/her personal data: the consents shall now be informed but may be granted in any form that makes it identifiable (previously, the consent must have been granted in documented (i.e., generally, written) form only);

(iii) expanded individual’s rights with respect to his/her data being processed (e.g. right to include certain reservations/limitations to the data processing into the relevant consent or even revoke such a consent);

(iv) cancelled requirements to register employees’ databases;

(v) personal data relating to the public officers of the first rank or candidates to such posts shall now be treated as restricted information;

(vi) journalists’ professional activities are exempted from the Data Protection Law provided only “a balance between a right to privacy and a right to self-expression is maintained”.

Another important change introduced to the Personal Data Protection Law is with respect to the cross-boarder transfers of the personal data. Thus, according to the amended law personal data may be transferred only to the states that ensure its adequate protection. Such states include EEA countries and countries that ratified the Convention of the Council of Europe on Protection of Persons in Connection with Automated Personal Data Processing. A complete (expanded) list of the countries with the adequate protection of the personal data shall be further elaborated by the Ukrainian government.

In addition to the adequate protection requirement, the cross-boarder transfers of the personal data are possible only if one of the following conditions is met:

1. a data subject has granted his/her express consent for such transfer;
2. it is necessary to enter into or perform a contract between the data controller and a third party data subject for the benefit of the data subject;
3. data transfer is necessary to protect vital interests of the data subject;
4. data transfer is necessary to protect public interests or pursue legal remedies;
5. the data controller has provided relevant guarantees to protect privacy of the data subject.

As already mentioned, some of the key provisions of the amended Data Protection Law are laid down quite vaguely that increases a risk of their misinterpretation. Such unclear provisions include definition of the legal grounds for the personal data processing and requirements to its transfer abroad. Some clarity with respect to such dubious provisions may be brought by the national personal data protection authority (State Service of Ukraine for Personal Data Protection) if the latter issues its guidelines or recommendations in this respect.

The Law: Law of Ukraine No. 5491-VI “On Amending the Law on Personal Data Protection” dated 20 November 2012