UHHRU: President formalizes onslaught on freedom of information
Despite calls from human rights, media and business groups, the President yesterday signed into law the potentially disastrous Law on Personal Data Protection, adopted by the Verkhovna Rada on 1 June 2010. The Ukrainian Helsinki Human Rights Union, the Independent Association of Broadcasters and the Association of Ukrainian Banks had all called on the President to veto the law, giving compelling reasons.
The law poses a threat to freedom of speech and access to information and does not ensure personal data protection in accordance with European standards. We are convinced, therefore, that the law formalizes a systematic attack on those values in Ukrainian society and is a significant step towards totalitarianism.
The law cannot be considered to fulfil Ukraine’s international obligations to the Council of Europe and EU.
Personal data, according to the Law, is any data about a person enabling them to be identified. That is, even their name with the number of a mobile telephone. This means that the gathering, processing or circulating of any such data is possible only with the consent of the person or in cases envisaged by law. The Law makes an exception only for first category public officials: National Deputies, the heads of State committees who aren’t members of the Cabinet of Ministers; the heads of other central bodies of power under the Cabinet of Ministers; the Permanent Representative of the President in the Crimea; the President’s Representatives in the regions, Kyiv and Sevastopol; the first deputy ministers; first deputy heads of State committees which are part of the Cabinet of Ministers; the Heads of the President’s Administration; the Secretariat of the Verkhovna Rada and other equivalent positions.
In accordance with European standards, personal data is divided into data of a general nature (first name, patronymic, last name, data and place of birth, citizenship, place of residence) and sensitive personal data (information about state of health, medical history, diagnosis, etc, ethnic origin, attitude to religion, identification codes or numbers, personal symbols, signature, fingerprints, voice print, photographs, data about pay or other legal income, about bank deposits and accounts, property, tax status, credit history, information about any criminal record or other forms of criminal, administrative or disciplinary liability, exam results, or results of professional or other tests, etc). It should be prohibited by law to collect, retain, use and circulate sensitive personal data without the person’s consent, and not any personal information at all, as is the case in the bill passed.
The Law states that it does not cover the activities of journalists in creating and processing personal databases. However it totally covers the rules for circulating personal data about a person who is not in any database, or is in, for example, State databases.
In practice this means that from when this law comes into force, the media will be prohibited from circulating any personal data (as per the very wide definition of this) without the person’s consent if they are not in the categories above-listed.
Moreover, criminal liability is imposed for such actions (Article 182 of the Criminal Code) since the circulation of such information can be viewed as unlawful.
Besides the significant restriction in information, the law does not establish the proper protection of personal data in accordance with European standards.
In many provisions, the law is in breach of the requirements of the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, Recommendations from the Committee of Ministers of the Council of Europe and judgments of the European Court of Human Rights, as well as the European Parliament and Council Data Protection Directive 95/46/EU
The Law does not impose independent control over observance of the Law. It states that this will be carried out by an executive body which will not be able to issue mandatory instructions to the President, parliament, judges or law enforcement agencies, which means there will be virtually no control over its implementation.
It should also be noted that the Law creates substantial obstructions to business activities. A new controlling body emerges with the right to issue mandatory instructions, while on the other hand, law enforcement bodies obtain yet another pretext for checks and initiating criminal proceedings. Since even a collection of business cards in your office, in the absence of a person’s written consent, could be deemed a violation of this Law.
In view of the above, UHHRU is calling for amendments to be made without delay to the Law on Personal Data Protection and for these to be passed before 1 January 2011 when the Law comes into effect.