While all eyes of the Ukrainian data privacy community are on two draft laws at the Ukrainian Parliament aiming to implement the GDRP and establish a modern DPA in Ukraine, on 18 November 2021 the parliament adopted another law with an unrelated name, the Law of Ukraine on Public Electronic Registries (“Law“).
Interestingly enough, between the first and second readings, this Law is supplemented with wording introducing amendments to the current Law of Ukraine on Protection of Personal Data.
In particular, the new language is added to part 5 Article 6 of the Law of Ukraine on Protection of Personal Data regulating the general requirements to data processing:
It is prohibited to process personal data, the protection of which is required by law, using cloud computing technology and data centers located outside the administrative-territorial borders of Ukraine…
We understand that the Ukrainian authorities did not intend to implement the far-reaching ban restricting the processing of all personal data abroad. This would contradict some the recent government initiatives aiming to create the global software development and support hub out of Ukraine, including adopted on December 14, 2021 the Diia City Tax Bill providing a special tax regime to the eligible IT companies. The restriction was most likely intended to only cover the processing of personal data of the public electronic registries, which would be logical and within the scope of the Law.
The Law has been signed by the speaker of the Parliament and by the President of Ukraine on December 10, 2021. The discussed above provisions would enter into force on the next day after official publication of the Law. Now the Ukrainian Parliament aims to withdraw the above noted norm and has already included the respective provision to the Draft Law of Ukraine on Cloud Services which is high on the agenda and is hoped to be voted before the end of the 2021 year. The problem with this approach is that while provisions of the Law of Ukraine on Public Electronic Registries enter into force immediately after the publication, the Law of Ukraine on Cloud Services would enter into force only after 6 months after its adoption and publication. Thus, theoretically, even with the proposed fix implemented, we still might have a six month period when the processing of the Ukrainian personal data abroad would be prohibited.