Data leak in Ukraine. Parallels with EU legislation





The scandal over the leak of driver's license data through a Telegram bot made headlines all over Ukraine. Suspicion initially fell on the public services application Diia, but the application's involvement in the incident was quickly denied. Questions of the kind "who leaked the data, and how" will be left to the state, represented by the Ukrainian police, the Security Service of Ukraine and computer forensic experts; the question of whether our personal data protection legislation matches the realities of the digital era is considered here by the author of this publication, Vyacheslav Ustimenko, consultant at the law firm Icon Partners.



Ukraine aspires to join the EU, and this implies adopting European standards for the protection of personal data.



Let's model a case: imagine that an EU non-profit organization leaked the same volume of driver's license data, and that local law enforcement agencies established this fact.



In the EU, unlike Ukraine, there is a dedicated regulation on the protection of personal data: the GDPR.



Such a leak indicates a violation of the requirements and principles set out in:



  • Article 25 GDPR: data protection by design and by default;
  • Article 32 GDPR: security of processing;
  • Article 5(1)(f) GDPR: the integrity and confidentiality principle.


In the EU, GDPR fines are calculated case by case; in practice, such an organization would be fined 200,000+ euros.



What should be changed in Ukraine



Experience gained while supporting IT and online businesses, both in Ukraine and abroad, has shown both the problems and the achievements of the GDPR.



Below are six changes that should be introduced into Ukrainian legislation.



# Adapt the legal framework for the digital era



Since the signing of the Association Agreement with the EU, Ukraine has been developing new data protection legislation, with the GDPR as its guiding star.



Adopting the law on the protection of personal data has not been easy. It would seem that there is a "skeleton" in the form of the GDPR and one only needs to add the "meat" (adjust the norms), but there are many contentious issues, from the point of view of both practice and the law.



For instance:



  • whether publicly available data will be treated as personal data,
  • whether the law will apply to law enforcement agencies,
  • what liability there will be for violating the law, and whether fines will be comparable to European ones, etc.


The key point is that the legislation needs to be adapted, not copied from the GDPR. Ukraine still has many unsolved problems that EU countries do not have.



# Unify terminology



Define what personal data and confidential information are. Article 32 of the Ukrainian Constitution prohibits the collection, storage, use and dissemination of confidential information about a person without that person's consent. The definition of confidential information is contained in at least twenty Acts.



Quotes from the original Ukrainian Acts are given here (the quoted definitions themselves are in Ukrainian).




# Get away from evaluative concepts



The GDPR contains many evaluative (open-ended) concepts. In a country without case law (meaning Ukraine), evaluative concepts are more a space for "avoiding responsibility" than a benefit to the population and the country as a whole.



# Introduce the concept of DPO



A Data Protection Officer (DPO) is an independent data protection expert. The legislation must clearly, and without evaluative concepts, regulate when the appointment of a DPO is mandatory. How this is done in the European Union is described here.



# Determine the level of liability for violations in the field of personal data, and differentiate penalties depending on the size (profit) of the company



  • 34 thousand. In Ukraine, the maximum fine for a violation of personal data legislation under the current law is 34,000 hryvnias.
  • 20 million. The GDPR provides for fines of up to 20,000,000 euros or 4% of annual global turnover, whichever is higher. The 50 million euro fine imposed on Google is the best-known example.
  • 114 million. In the first two years of the GDPR, regulators imposed about 114 million euros in fines. The largest were announced against Marriott International and British Airways, alongside Google.


# Happiness is not in fines



"Whoever wants to know about me will find out anyway, regardless of the law": unfortunately, many people in Ukraine and the CIS countries say this.



But fewer and fewer people believe the myth that "they will steal a photo of my passport and take out a loan in my name", because even with someone else's original passport in hand, doing this is legally unrealistic.



People fall into two camps:



  • The "paranoid", who believe in the religion of personal data and think before ticking the box consenting to data processing.
  • The "indifferent", people who automatically pour their personal data into the network without thinking about the consequences. Then their credit cards are stolen, they are signed up for recurring payments, their messenger accounts are taken over, their mail is hacked or cryptocurrency is withdrawn from their wallets.



Freedom and Democracy



Personal data protection is about a person's freedom of choice, a society's culture and democracy. A society is easier to manage with more data: you can predict a person's choices and nudge them toward the desired action. It is hard for a person to act as they want when they are being watched; the person becomes comfortable and, as a result, controllable, that is, the person subconsciously acts not as they want but as they were persuaded to.



The GDPR is not ideal, but it fulfills its main idea and goal in the EU: Europeans have come to realize that an independent person owns and controls their own personal data.



Ukraine is only at the beginning of the road; the ground is being prepared. From the state, residents will receive a new text of the law and, most likely, an independent regulatory body, but Ukrainians themselves must arrive at modern European values and an understanding that democracy in 2020 must exist in the digital space as well.



PS I write on social networks about jurisprudence and the IT business. I will be pleased if you subscribe to one of my accounts. This will certainly add motivation to develop the profile and work on content.



Facebook

Instagram


