In this privacyespresso episode with Oksana Zadniprovska, Partner at Axon Partners, our Ukrainian law firm member, we delved into the evolving landscape of #data transfers to Ukraine amidst the ongoing war.
1. Transfer of data to Ukraine from the EU: is it safe? How should it be done in general under the GDPR, is Ukraine in the list of adequate countries in terms of data protection, what is the situation here with the privacy landscape.
Spoiler. A lot has changed in Ukraine since the war started. It’s not as safe as it was earlier. But there is still some light)
Now, let’s start with what the “transfer to Ukraine” is. The term explained by the EDPB is really wide. If we have:
- a data exporter in the EU and
- a data importer in Ukraine, and
- the data exporter in any way makes the controlled data available to the data importer in Ukraine,
This is international data transfer. So, even if someone accesses data from Ukraine – this is a transfer!
For the purposes of the GDPR, Ukraine is not in the list of countries providing adequate level of protection to personal data. So, the only quick practical choice would be to apply standard contractual clauses (SCCs). But before signing the SCCs, in order to decide if the transfer is safe, the data exporter shall perform the transfer impact assessment (TIA).
2. Transfer impact assessment: how should it be done for the clients from the EU for the Ukrainian jurisdiction?
The TIA requires the data exporter to check if the SCCs are enforceable in the particular country. If the analysis shows essential equivalence of protection – the SCCs could be used. Otherwise, the data exporter either applies additional technical/organizational measures to protect data, or the data exporter does not transfer data at all.
So, what we do for the clients when they come for the TIA in Ukraine is:
- ask for the details of a particular data transfer. That is – what data is transferred; what is the purpose of transfer (for storage or for the analysis; for support only or for including into the databases).
- describe the up-to-date laws and practices on (1) personal data protection, (2) surveillance and disclosure of personal data on request, and (3) efficiency of the judicial system and enforcement of data subject rights.
- help to decide if the protection is enough. This is the hardest part. We always want to say – yes, you should transfer data, this is ok. But in most cases, of course, there should be additional safeguards that would minimize risks.
- remind the data importer that they have certain obligations – they should monitor laws and practices for any changes.
3. What is with privacy law and enforcement, the rule of law and especially the rules on access to personal data by the law enforcement agencies in accordance with martial law?
Let’s start with human rights – yes, they are respected!
- Ukraine is party to the ECHR and Convention 108;
- The principle of the rule of law is included into our Constitution, together with the protection of the right to privacy;
- Ukraine has a separate data protection law from 2010, which is updated from time to time;
- Ukraine has a data protection authority which may audit companies for compliance, handle DS complaints and impose fines;
- Ukraine has the GDPR-like draft laws in the Parliament on the independent DPA and data protection obligations;
- Finally, Ukraine has an EU candidate status from 2022, so it is getting closer and closer to the EU standards of laws and principles.
Now, more complex part – the restrictions – what about law enforcement and access to personal data:
- Earlier we could rely on the Data Protection Law which says that the privacy rights could be restricted only to the extent necessary in a democratic society in the interests of national security, economic well-being or protection of the rights and freedoms of people. No laws allowed silent or indiscriminate surveillance activities. Also, Criminal Procedural Code introduced the independent oversight mechanism (access to personal data only on the basis of the decision of the investigatory judge; options to contest the procedural violations before the judge). The problematic issue is limiting the scope of data which could be accessed within the criminal proceedings. But in general, the SCCs were enforceable.
- Now we are at war. We have martial law which allows restriction of the constitutional rights of persons in cases prescribed by law. This includes the privacy rights. The Criminal Procedural Code allows the prosecutor to temporarily access metadata on communications, medical, bank or other personal data without the court decision if there is no objective possibility for the investigating judge to exercise their powers. The idea is to allow quick investigation. But it also opens doors to abuse of powers and in general makes the independent oversight mechanism less effective.
- However, most of the safeguards which existed before the war are still applicable. We still do not have a law which allows silent or indiscriminate surveillance activities. In case of abuse of powers by the prosecutor, e.g. during the search or seizure activities, the company still may apply the same mechanisms to contest – go to court, try to disregard the unlawfully collected evidence, initiate criminal investigation for the abuse of powers, and then ask to compensate for the damages within the civil proceedings. The information received during the investigation shall not be disclosed and shall be protected, as well as shall be accessed only by those actors to whom this is strictly necessary. A person may exercise the rectification right by court or Ombudsman. Also, the data importer still can effectively inform the data exporter if they are under surveillance or criminal investigations.
So, Ukraine never ensured the essentially equivalent level or PD protection to those in the EU. But the SCC could still be enforceable, even in war times. Of course, each case of transfer should be analyzed on a case-by-case basis. But in general, it would be all about the safeguards and data minimization.