Data Protection Day: Does Data Protection in Ukraine Meet International Standards?

On January 28, the world community celebrates Data Protection Day. This year it coincides with the 40th anniversary of the opening for signature of the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).

“Data Protection Day is a great opportunity to remind about international standards and raise public awareness of the importance of personal data protection. One of the priorities of the Council of Europe in Ukraine is the promotion of personal data protection and realisation of the right to privacy. Thus, within the framework of the Joint Project “European Union and Council of Europe working together to strengthen the Ombudsperson’s capacity to protect human rights”, international and national experts provide recommendations to the authorities on harmonisation of Ukrainian legislation in accordance with the Council of Europe standards, training activities are held for representatives of the Ombudsman's Office on special aspects of ensuring the right to personal data protection, training courses are developed. The Project itself has become a platform for constant dialogue and professional discussions among international experts, government officials, representatives of the public sector to improve personal data protection in Ukraine,” Olena Lytvynenko, Acting Head of the Council of Europe Office in Ukraine, said.

Convention 108 became the first international instrument to guarantee the right of an individual to the processing of his or her data. All current national or supranational rules on personal data protection were formed on the basis of Convention 108. Ukraine ratified Convention 108 in 2010.

However, in May 2018, the Council of Europe adopted Protocol CETS No. 223, which amended Convention 108. The modernized Convention 108+ aims to address the privacy issues arising from the use of new information and communication technologies and to strengthen the mechanism for implementing its provisions.

“The new text of the Convention (108+) was approved in 2018 taking into account the development of information and communication technologies and stricter rules of the General Data Protection Regulation (GDPR). In particular, new terminology is used; Convention 108+ applies to both automated and non-automated processing, but does not apply to data processing by individuals for their own needs. Convention 108+ integrates principles such as transparency, proportionality, accountability, data minimization, and privacy by design. Additional obligations have been imposed on member states to take the necessary measures to comply with Convention 108+,” Borys Kormych, expert of the Joint Project “European Union and Council of Europe working together to strengthen the Ombudsperson’s capacity to protect human rights”, said.

Thus, Ukraine faced the issue of ratifying the Protocol amending Convention 108, which can contribute to the improvement of the human rights situation in the field of personal data protection.

According to Andriy Nikolayev, expert of the Joint Project “European Union and Council of Europe working together to strengthen the Ombudsperson’s capacity to protect human rights”, although the Law of Ukraine "On Personal Data Protection" contains almost all key requirements for data processing and protection, defined by the Convention 108 and GDPR, the protection of personal data in Ukraine is far from corresponding to European standards.

“Among the biggest problems of personal data protection in Ukraine are the following: imperfect legislation, difficulties in law enforcement, lack of proper control over the application of legislation, lack of public awareness of the right to personal data protection,” Andriy Nikolayev said.

The problems of legislation:

  • norms of domestic law mostly contain general requirements without details, which significantly complicates their practical application;
  • the Law of Ukraine “On Personal Data Protection” was adopted in 2010. It was not innovative. Data processing technologies are developing very fast, and today this law is badly outdated and does not correspond to many practical realities of data processing;
  • low quality of bylaws. For example, the Model Procedure for Personal Data Processing, which could help address some enforcement issues, is not very informative and has not been updated since its adoption in 2014.

The problem of law application. The imperfection of the legislation leads to difficulties in applying it in practice. A number of personal data processing issues are regulated only in general terms, and some, such as profiling, have fallen out of regulation altogether. In addition, the imperfect language of the law leads to misunderstanding of its rules and to differing interpretations, for example of the legal basis for processing.

The problem of control. Proper compliance with the law is possible provided that effective control over its application is ensured. Currently, the Ombudsman of Ukraine is responsible for the monitoring of compliance with the legislation on personal data protection. However, the Ombudsman does not have enough human resources to perform this function effectively.

The problem of awareness. The level of awareness of the right to privacy and data protection is very low in Ukraine, among citizens (personal data subjects), employees of private and public companies, and bodies directly involved in the processing of personal data.

Oleksandr Shevchuk, expert of the Joint Project “European Union and Council of Europe working together to strengthen the Ombudsperson’s capacity to protect human rights”, said that in order to improve the protection of personal data in Ukraine, it is necessary to:

  • establish an effective supervisory body for personal data protection in Ukraine: an independent supervisory body responsible for the development of guidelines, monitoring, and control over compliance with legislation in the field of data protection;
  • bring the terminology of the Law of Ukraine "On Personal Data Protection" in line with the EU legislation (Regulation 2016/679);
  • detail the content of the principles of personal data protection;
  • introduce and improve a number of subjects' rights to their data, including the right to be forgotten and the right to data mobility;
  • state in detail and clearly the powers, duties, responsibilities of the controller and data owner;
  • introduce the requirement for companies to appoint a personal data protection officer in certain cases;
  • develop and improve codes of conduct on personal data protection in relevant areas;
  • improve the data leak notification procedure.

The publication was created in the framework of the Joint Project “EU and Council of Europe working together to strengthen the Ombudsperson’s capacity to protect human rights”. The project is aimed at ensuring better protection of human rights in Ukraine and enhancing operational capacities of the Ombudsperson’s Office, in particular in the area of ensuring the protection of the right to privacy and personal data.

The views expressed herein can in no way be taken to reflect the official opinion of the European Union or Council of Europe.

Kyiv, Ukraine 27 January 2021