Fresh take on personal data protection in Ukraine
September 2014 | EXPERT BRIEFING | DATA PRIVACY
Ukrainian laws allow characterising information as a trade secret only if the data are commercially valuable and adequate measures for keeping them secret have been taken, according to the Civil Code of Ukraine, Article 505. Personal data is a part of a trade secret where it constitutes the commercial interest of an enterprise – that is, the objective of the processing is aligned with the objectives of the business, if the loss or impairment of the data or database can affect the competitive position of the business, and, not least, when the business entity in fact maintains a secrecy regime surrounding such data. Personal data, however, must be kept confidential at all times. The criteria for a secrecy regime of personal data on one hand, and of trade secret data on the other hand, are not aligned.
Some information cannot be a trade secret as a matter of law. This includes constituent documents, tax reports and primary documentation, staff documentation and salaries – even though each contains personal data of shareholders, directors, officers and employees. Such data must be disclosed to the authorities where required by law and, at the same time, can be kept confidential. Local courts decided that documents kept secret by the entity can be withheld from a third party or, on the other hand, data can be disclosed when it does not contain a trade secret.
The Law of Ukraine On Protection of Personal Data seemingly compromises trade secrets through an obligation of the data holder (database owner) to disclose personal data requested by the personal data subject (the person concerned), except where access to data is prohibited by the law. The structure of the database itself provides half of the success of the business; Ukrainian courts remain silent on this conflict of laws, although the right to privacy is likely to prevail following the Facebook scandal. In 2011, this giant social network refused to disclose certain personal data to an individual – reportedly, the data was of key importance to the customer, but also threatened Facebook’s trade secrets and intellectual property. The case is continuing to gain publicity around the world. In this sense, it may be advisable for businesses to include additional modules in their databases, so that they win priority of their secrets in a dispute with competitors disguised as employees or mystery shoppers.
Changes to the personal data protection laws of Ukraine, which took effect on 1 January 2014, create a new paradigm for privacy protection; rather than regulatory, they adhere to EU practices under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. The Ombudsman instead of the State Service is now responsible for invasions of privacy and regulatory work. The responsibilities of the government were shifted from supervision to mediation between businesses and individuals, and individuals and governmental agencies.
Contrary to the old law, not every instance of personal data processing needs to be reported. Only those who process sensitive personal data need to notify the Ombudsman’s Personal Data Protection Officer upon self-assessment. Thus, the trade secret protection and the freedom of contract principles were advanced by the twofold standard of privacy: (i) that all personal data requires confidentiality and must be disclosed to the personal data subject; and (ii) only limited data “constituting a special risk to the rights and freedoms of a person” must be reported to the Ombudsman, including data of a racial, ethnic and national origin; political, religious convictions or personal belief; membership in political parties or organisations, professional unions, religious or civic organisations with ideology; health status; sexual life; biometric data; genetic data; administrative or criminal liability record; pre-trial investigation record; actions taken against a person under the Law of Ukraine On Investigative Activities; any violence committed against a person; and the location or movements of a person.
Re-application to the Ombudsman under the new rules was due until 1 July 2014, whereas fresh applications with respect to processing of personal data that commenced in 2014 had to be made by mid-February 2014. All data received are supposed to be laid open to the public on the Ombudsman’s website, when an appropriate technical platform is developed.
The newly appointed privacy officer has issued several opinions on the application of the amended law; they all foster a restrictive interpretation of ‘sensitive’ data. First, the Officer has expressly excluded employment relations from the list of sensitive data to be reported (even if the processed data is otherwise ‘sensitive’). This approach seems aligned with general EU standards, although EU law requires that national law specifically authorises collection of the personal data concerned. In Ukraine, reporting the data processed for employment purposes therefore falls under conflicting standards, creating uncertainty for recruitment and headhunting firms, clients of temping agencies and companies contracting private entrepreneurs.
Another thought-provoking issue is the disclosure and protection of a cardholder’s personal data during the processing of cards via a POS-terminal – in retail, for example. In his recent clarification, the Ombudsman declared the absence of harmful disclosure when only the name of a person and some digits of a card are printed on receipts, which, in the officer’s somewhat controversial view, does not allow the person to be identified. The personal data officer, however, made a reservation that issuing banks and processing centres should be responsible for personal data protection in this case.
They are also ambiguous, with the following items at risk of misinterpretation. First, there is neither a definition, nor a list of labour-related personal data. The Officer currently applies a broad interpretation of the term ‘labour relationship’, thereby making the risk of non-compliance with reporting rules somewhat remote. Second, the national origin (natsionalne pokhodzhennia) as opposed to ethnic origin (etnichne pokhodzhennia) presents a grey area in Ukraine’s legal system. Perhaps nationality or citizenship (hromadianstvo) were the intended terms, however, citizenship (nationality) can be made public and, as it may be exempt from confidentiality treatment. Third, ‘personal beliefs’ (svitohliadni perekonannia) and ‘religious convictions’ (relihiini perekonannia); the former was later clarified as being of a ‘general’ nature though – for example, pacifist, feminist, vegetarian). Fourth, the concept of ‘ideological’ (svitohliadnoho spriamuvannia) civic organisations being placed in the matrix of non-governmental associations under Ukrainian law; it is unclear whether they can be considered synonyms. Fifth, which view of ‘violence’ (nasylstvo) should be adopted (e.g., criminal law, international humanitarian law, human right instruments, etc.).
Although we expect recommendations from the Council of Europe to be used as guidance, there were no specific disputes; at the same time, Mr Markiian Bem, Ukrainian Ombudsman’s Officer for Personal Data Protection, repeatedly expressed his willingness to provide advice and opinion letters when requested.
Fines for non or late reporting differ: up to UAH 3,400 (€210) for individuals and up to UAH 6,800 (€420) for individual entrepreneurs and officers of enterprises. More severe criminal penalties are adopted in cases of serious harm to the individual – fines of UAH 8,500-17,000 (€525-1050), arrest for up to six months, up to two years of communal works or 3-5 years incarceration.
In the Ukrainian context, personal data rules apply not only to processing, storage and dissemination but also to cross-border transmission. Serious concerns raise the necessity to report cross-border transfer of personal data, since small businesses using worldwide services and mobile applications have limited resources to track the flow of data. It is also important to ensure that consent for personal data processing from an individual contains permission for cross-border transfer. From a dogmatic perspective, the data processor must describe the jurisdictions served and the location of the destination servers as well as the jurisdictions for traffic transit. Most telecommunications services and cloud resource providers, however, do not present a sound legal solution in this respect. Accordingly, piecemeal compliance by each member of the internet community leads to compromised trade secrets. Data holders are advised to invest their legal resources in a coherent model of disclosure and confidentiality for personal data in a multi-jurisdictional environment.
Supervision of personal data protection still has some regulatory gaps to fill, such as implementing transparency rules for online services, equipping analytical tools, protecting whistleblowers and developing enforcement procedures under the Directive on privacy and electronic communications; and drawing clear lines between trade secrets and privacy.
The Ombudsman’s office now has the responsibility to ensure the rules reflect civilised practices and demonstrate that reform must be taken seriously.
Dr Oleh Zahnitko is co-head of Banking and Finance and Olena Savchuk is a junior lawyer at Gide Loyrette Nouel. Dr Zahnitko can be contacted on +38 044 206 0980 or by email: firstname.lastname@example.org.
© Financier Worldwide
Oleh Zahnitko and Olena Savchuk
Gide Loyrette Nouel