A new draft personal data protection law, draft Law of Ukraine No. 5628 (“Draft 5628”), was introduced to the Ukrainian parliament on 7 June 2021. Draft 5628 replaces certain earlier draft laws on this subject and is currently the only draft legislation in the area of personal data protection.
The main purpose of Draft 5628 is to align the existing regulatory framework with the General Data Protection Regulation and the amended Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”). Draft 5628 also purports to regulate new aspects of data processing that have, so far, remained unregulated, such as cross-border transfers within a group of related companies. Draft 5628 is currently under review by the parliamentary committee and, at this point, there are no indications as to when the parliament might vote on it. Currently, 1 January 2023 is set out as the date of Draft 5628’s coming into force.
Draft 5628 more specifically regulates the requirements for personal data processing and provides for certain changes to the cross-border transfer of personal data. Key notable provisions include:
- In addition to the existing methods of granting consent, Draft 5628 broadens and clarifies the ways in which the consent of a data subject can be given, e.g., by choosing the relevant technical settings in the software interface, or by other assertive actions or behaviour of the data subject suggesting that there is consent.
- When processing data of Ukrainian nationals and in certain other circumstances, a foreign data processor must designate a local Ukrainian representative to interact with the local data protection authority and data subjects. So far, there is no certainty as to the extent to which this provision would be applicable for a foreign processor in relation to data controlled by a Ukrainian entity.
- A new basis for cross-border data transfer is introduced, i.e., transfers to foreign countries based on mandatory corporate rules (e.g., of a group of companies), subject to approval by the data protection authority. Draft 5628 regulates the scope of such rules in detail. Should a foreign processor fail to get its rules approved to process data on this basis, it would be able to rely on the express consent of a data subject, which will remain a valid basis for data transfers, including into countries considered as not ensuring an adequate level of protection. For countries/organisations which are not bound by the GDPR and Convention 108 (and therefore are not considered as providing an adequate level of protection by default), the data protection authority may still determine that such countries/organisations do ensure an adequate level of protection for Ukrainian law purposes. A list of such countries/organisations will be published on the site of the data protection authority.
- Fines will be significantly increased, with the amounts depending on the type of violation. Fines for legal entities are defined as a percentage of their total annual turnover. Maximum fines, depending on the type of violation, range from UAH 50 MIO, or up to 3 per cent of the total annual turnover, to UAH 150 MIO, or up to 8 per cent of total annual turnover of a legal entity.
- Data processors will be required to document (by way of maintaining protocols) their actions with respect to personal data. The protocols must be available for inspection by the regulator.
- Data processors will be clearly required to notify the data protection authority within 72 hours after they become aware of a security breach in relation to personal data, except in certain cases. The content of this notification is regulated by Draft 5628.
- Draft 5628 specifies new types of data falling into the category of sensitive data, e.g., psychometric data or data on sexual orientation. We note that the scope of sensitive data currently envisaged by Draft 5628 is somewhat different from the one provided for in the law currently in effect. In addition, a stricter regime is envisaged for the processing of sensitive personal data.
- Draft 5628 sets out special rules for the processing of personal data by electronic communication businesses. These rules cover, in particular, data storage, data disclosure as well as rules on reporting of data leakages.
- In addition to maintaining the existing general requirement to have a data protection officer in the case of sensitive data processing, Draft 5628 further provides for an obligation to appoint a data protection officer in a number of other situations, including: where regular, systematic or large-scale monitoring of actions of data subjects is involved; where large-scale processing of data takes place; and where sensitive or biometric personal data is processed.
- Data processing for purposes of direct marketing (including without the data subject’s consent based on the legitimate interest of the processor) would be expressly regulated in Ukraine.
- The principle of personal data protection by design and by default will become part of Ukrainian law.
- The notion of joint processors – i.e., where purposes and means of data processing are determined by two or more processors jointly – will be introduced. Joint processors will be obliged to interact based on an agreement in relation to the distribution of obligations for complying with data processing requirements.
- An impact assessment would be required for certain types of data processing.
- Draft 5628 assumes that a new data protection authority will be created under another law, which is being developed. The new data protection authority is expected to act in two domains – protection of personal data and access to public information.
By Zoryana Sozanska-Matviychuk, Partner, Head of M&A; Andriy Nikiforov, Partner, Head of TMT Sector; and Sergiy Bert, Senior Associate, Redcliffe Partners