UHHRU calls on the President to Veto the Bill on Personal Data Protection
To President Yanukovych
Dear Mr President,
The Ukrainian Helsinki Human Rights Union would ask you to use your power of veto on the bill “On Personal Data Protection”, adopted by the Verkhovna Rada on 1 June 2010.
The adoption of a law on personal data protection is an important step in affirming respect for the individual’s private life. It is also a vital step for Ukraine in fulfilling its international obligations before the Council of Europe and European Union.
The adoption of such a law is particularly important given negotiations over the introduction of a non-visa regime between Ukraine and the EU since one of the conditions is that Ukraine introduces a system of personal data protection. The lack of such a law has also seriously hampered Ukraine’s preparation for Euro-2012 given the impossibility of working with the relevant bodies in Poland and the EU on issues involving the exchange of personal data.
It must, however, be noted that they do not just expect Ukraine to pass any old law on personal data protection. The law must meet quality criteria, that is, be in line with established European standards, in particular the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and additional Protocols to this, Recommendations from the Committee of Ministers of the Council of Europe and judgments of the European Court of Human Rights, as well as the European Parliament and Council Data Protection Directive 95/46/EU.
UHHRU is convinced that the bill “On Personal Data Protection” does not meet European standards and could significantly jeopardize freedom of speech in Ukraine. It can therefore not be considered to fulfil Ukraine’s international obligations.
The bill establishes a mechanism to protect against the retention, processing and use of personal data without the person’s consent. However there is no link with protection of the right of respect for private life, one of the elements of which is protection of personal data. Under such circumstances the provisions of the law can be applied for other purposes than protection of human rights.
In accordance with European standards, personal data is divided into data of a general nature (first name, patronymic, last name, date and place of birth, citizenship, place of residence) and sensitive personal data (information about state of health, medical history, diagnosis, etc, ethnic origin, attitude to religion, identification codes or numbers, personal symbols, signature, fingerprints, voice print, photographs, data about pay or other legal income, about bank deposits and accounts, property, tax status, credit history, information about any criminal record or other forms of criminal, administrative or disciplinary liability, exam results, or results of professional or other tests, etc). It should be prohibited by law to collect, retain, use and circulate sensitive personal data without the person’s consent, and not any personal information at all, as is the case in the bill passed. In our view, this definition of personal data with the differentiation needs to be added to the bill.
Such differentiation later explains varying levels of protection of personal data. For example, it is not necessary to receive permission to collect and circulate data of a general nature but sensitive information needs a high degree of protection. The bill in question establishes the same level of protection for any personal data. As a result this would mean that any personal data, even a person’s first and last name, could only be circulated with the written consent of the individual.
Furthermore, the bill does not contain the possibility of circulating personal data which is of public importance, this being a significant restriction on freedom of speech.
The bill does not contain the concept of public figure where, as we know from European Court of Human Rights case law, there is more scope for permissible intrusion in a person’s private life. This means that it is possible to collect and circulate information of a personal nature about such people without their consent if it is of public importance. From a blanket ban on the circulation of personal data, the bill makes an exception only for people standing for or in positions of electoral office or first category civil servants (Article 5 § 4 of the bill) which is considerably narrower than the concept of “public figure”.
This means that the circulation of personal data of other people can be considered an infringement of this law and result in civil or criminal liability. For example, without written consent it is prohibited, according to the bill, to even mention all officials of bodies of local self-government, many officials of State bodies of power, politicians, actors, writers, singers and other public figures. Such requirements are a manifestly disproportionate restriction on freedom of speech and will impede the development of publishing, advertising, cripple the postal service, etc.
If the bill comes into effect, its provisions could destroy historical and other sciences in Ukraine. For example, in accordance with Article 6 § 9, “the use of personal data for historical, statistical and scientific purposes can be undertaken only in depersonalized form”. That means that one should remove from history textbooks or other academic works any personal data, including a person’s name!
The bill allows law enforcement agencies to collect and process information about racial or ethnic origin and religious beliefs. This practice, according to Council of Europe Recommendations, is a demonstration of discrimination and should be prohibited.
The bill also fails to meet international standards in that it does not impose independent control over the gathering, processing and use of personal data. The function of registering personal data bases and exercising control is given to the Authorized State body on personal data protection. This will clearly be the Ministry of Justice. Yet this body does not have the guarantees of independence demanded by the Additional Protocol to Council of Europe Convention No. 108. Nor do the status and powers of this body with regard to providing mandatory instructions to any legal subjects should there be a violation of the law on personal data protection meet these requirements. It is difficult to imagine this body issuing mandatory instructions to the President, Cabinet of Ministers, courts, parliament or prosecutor. Yet without independent control personal data protection will remain ineffective and will not meet international standards.
The bill also contains certain discrepancies. For example, registration of personal data bases is carried out in a de facto manner through notification (Article 9 § 2), yet an authority can refuse registration (Article 8 § 5), this contradicting the very de facto principle, and turning it into a registration one.
One is also startled by the need to inform the authority “about each change of information needed for registration of the relevant base” which, among other things, includes information about all users of such a base.
The bill also contains many terms not set down in legislation, making it more difficult to apply the law, for example, “civic organizations of a worldview focus”, “worldview convictions”, etc.
In view of the above, we would ask you to veto the bill On Personal Data Protection and return it to parliament for refining.
UHHRU Executive Director