By Oleksandr Melnyk, Firm: Vasil Kisil & Partners
Despite an Association Agreement with the EU concluded in 2014, Ukraine has not yet implemented GDPR provisions into national law, however the local business community has been proactive in seeking to comply with the GDPR.
More than one year since the GDPR took effect, the Ukrainian authorities have demonstrated themselves to be more declarative than proactive in its implementation or clarification. Unlike the state, however, the Ukrainian business community and associations have taken a vigorous approach in implementing GDPR-compliant practices, even in the absence of guidance from the local DPA (the Parliamentary Commissioner on Human Rights).
Back in June 2014, Ukraine concluded an Association Agreement with the EU (the ‘Agreement’). Apparently, the Agreement could not provide for GDPR implementation since the GDPR did not exist at that time. However, under Article 15 of the Agreement, Ukraine and the EU agreed to cooperate ‘in order to ensure an adequate level of protection of personal data in accordance with the highest European and international standards.’
Led by this commitment, in October 2017, the Ukrainian Government planned to implement GDPR into national legislation by 25 May 2018, that is, simultaneously with the GDPR taking effect in the EU.
It comes at no surprise that such an ambitious goal could not be reached in less than six months, and even at the time of writing the GDPR has not been implemented into Ukrainian national legislation. The local DPA, supported by the EU Twinning project, has made several attempts to draft an implementation bill, on which Parliament has not voted. With a new Parliament being elected recently and a new state policy of complete digital transformation, we expect to see new GDPR-related bills.
At the same time, the Ukrainian DPA has not tried to clarify the GDPR provisions to local businesses, leaving them unclear how the GDPR will apply in Ukraine, and if the Ukrainian DPA will assist its partners from the EU to enforce it locally.
On the other hand, the Ukrainian business community and professional associations have tried to implement GDPR-compliant practices, even in the absence of clarifications from the local DPA. Companies in the e-commerce, fintech, IT outsourcing and product sectors, as well as banks, mobile operators, and others, have adopted their own policies and procedures to be GDPR-compliant. It is also worth mentioning that Ukrainian IT associations are working on getting the EU Commission’s adequacy decision for the Ukrainian IT industry as a ‘specified sector within third country’, pursuant to Article 45 of the GDPR. This decision could significantly boost the IT services market and make it more competitive for European customers.
Finally, we have not seen any GDPR-related cases within the last year, or any attempts by European DPAs to enforce GDPR against Ukrainian companies. But with GDPR enforcement gaining speed in the EU, we may soon see how it will work in Ukraine too.