Receiving of consent for personal data collection and processing will be simplified in Ukraine
Andriy Buzynnyi, lawyer of law firm “Pravova Dopomoga” prepared materials about changes in legislation that deal with collection and processing of personal data on a request of newspaper “Law and Business”.
The material may be found in printed version of the newspaper as well as on its website under the link - http://zib.com.ua/ru/12507-poluchit_soglasie_na_sbor_personalnih_dannih_stanet_prosche.html.
“Ukrainian Parliament decided to simplify the procedure of person’s consent receiving for his personal data collection. In this case any actions of a person from which one can conclude agreement will be sufficient (on condition of his awareness). In other words if there is a notice that upon entering you provide consent for personal data collection and processing your first step over threshold will be considered as the consent.
First we write – then we rewrite
It is not a secret practice but rather a habit of our Parliament to adopt legislative ideas from abroad. While adopting from our northeastern neighbor (Russia) there appear no significant difficulties of implementation. Meanwhile it is not so easy with the European standards. The law of Ukraine “On personal data protection” is a good example of such difficulties.
Its adoption in 2010 didn’t become a big deal. Text analysis allows us to conclude that it is a compilation of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and some European countries laws that started the regulation of these relations.
The real agiotage appeared only at the end of the first year - one month before the introduction of penalties for provisions violations.
The concerns were so significant that legislators postponed the implementation of penalties for six months. Although after a closer look the delay was caused not by the kindness but rather by the fact that specifically created State Service of Ukraine on Personal Data Protection simply drowned in a mass of applications and extra time was provided for their processing.
Although until the fall of 2012 application practice of law number 2297 as a whole did not go beyond the written consent of personal data subject and sending application for registration of database the Parliament decided that the document should be improved. Reasons provided in an explanatory note about alignment of the law with the Convention are absolutely meaningless, since the law was adopted on its basis and the application experience is very scarce.
However many provisions of the law are rewritten and these innovations are waiting for the President’s consent. It is expected that veto may be applied only to a few provisions concerning the powers of the State Service of Ukraine on Personal Data Protection so one should define the major changes.
First we read –then we reread
The first thing that attracts attention is a significant change in the field of application of the law. According to new formulation it is much wider: before changes the act regulated relations connected with processing of personal data and now it applies to all legal relations that deal with personal data. And if you carefully read full text of the law in the new version it becomes clear that number of illegal collection, storage, use and destruction of information cases which are listed in Article182 of Criminal Code gets larger.
A pleasing aspect of this situation is partial simplification of consent receiving procedure. While previously such consent had to be documented (including written form) now according to the law the approval can be expressed in any way that suggests provision of consent. It must comply with the condition of person’s awareness.
Mentioned innovation will positively affect for example the service sector of economy where loyalty programs are often used. If previously for the issuance of a nominal discount card at a restaurant or nightclub there was a need to explain for a client the purpose of what he is signing (get written consent) now it is enough to inform the visitor that receiving of the card indicates on a consent to process his personal data (such information may be placed also on the card). However innovations provide the right to withdraw person’s consent.
It was also proposed to expand the causes for personal data processing. Now it is not only the person’s consent or the provision of a law but also interest protection of personal data subject or personal data owner as well as the fact of any operation with the data.
But registration of personal databases will not always be required: databases which are related to labor relations as well as activities of political parties, trade unions, community and religious organizations will not be subject to registration.
In general the innovation can be found as both positive and negative. Some simplifications regarding procedure of personal data obtaining make life a little easier. However the provision of the Criminal Code on the illegality of actions related to collection of personal data, expansion of law application area will result in increase of potential violations list. And it is quite a disturbing fact”.