Bank Association calls on President to veto Law on Personal Data Protection
The Association of Ukrainian Banks is asking the President to use his power of veto over Law No. 2273, passed on 1 June this year, due to its non-compliance with international standards and extremely negative consequences for the country’s economy.
“The Association of Ukrainian Banks understands the importance of this issue since, in accordance with EU Directive 95/46/EU, personal data can only be passed to those countries which safeguard their proper protection at the level of European standards, which in the event of non-enforcement significantly restricts cooperation between Ukrainian companies and their foreign partners and places in jeopardy many promising commercial projects. However, we are forced to state that Law No. 2273 passed by the Verkhovna Rada contains provisions which could render meaningless all lofty aspirations and initiatives …”
The reasons are given in detail, quoting a number of international documents, but focus on the following main issues, echoing the concerns expressed by the Ukrainian Helsinki Human Rights Union which has also
The law does not comply with European standards, which divide personal data into that of a general nature (name, date and place of birth, citizenship, place of residence) and sensitive personal data (information about state of health, medical history, diagnosis, etc.; ethnic origin; attitude to religion; identification codes or numbers; personal symbols; signature; fingerprints; voice print; photographs; data about pay or other legal income, bank deposits and accounts, property, tax status and credit history; information about any criminal record or other forms of criminal, administrative or disciplinary liability; exam results or results of professional or other tests, etc.).
The Law should prohibit the collection, retention, use and circulation of sensitive personal data without the person’s consent. Instead, the prohibition applies to all personal information.
The Association also points out, again with reference to the Council of Europe Directive, that there are situations where the individual is not the only person with the right to permit or prohibit access to their personal information. There are clearly situations where information may be processed in fulfilment of a legal obligation or to protect somebody’s legitimate interests. This is not envisaged by the new law, which does, however, contain another questionable norm permitting the subject of the personal data to demand its destruction at any time.
“Law No. 2273 carries a serious threat to the restoration and development of Ukraine’s economy. … the practical implementation of this law will have a direct impact on the country’s economy. In view of this, particular concern is aroused by norms of the law which seriously complicate and in some cases render impossible civil proceedings, which in turn will have irreversibly adverse consequences for the development of Ukraine’s economy”.
They point to the provision of the law according to which processing of personal data is carried out for specific and legitimate aims defined with the consent of the person they pertain to. Given that it is impossible to clearly predict all purposes for which a person gives consent regarding a loan, debt, etc., this will make the processing of information vital for normal functioning impossible.
This is exacerbated, they say, by the envisaged right of the individual to present a motivated demand to change or destroy their personal data if this was unlawfully processed or is inaccurate. Their analysis of the norms of the law leads them to conclude that the right to demand that personal data be destroyed can be exercised at any stage after consent to process it was given, “and even where all legal requirements regarding the processing of the information have been adhered to”.
This will lead to a situation where a person or entity that lent money to somebody will not be able to uphold their legal rights because the debtor will refuse to consent to information being revealed, or will demand that it be destroyed. This will clearly be catastrophic for the banking sector.
The appeal also notes that the Law has not taken into account the negative experience of applying an analogous law in the Russian Federation.
“Various problem issues such as the lack of a purpose for processing personal data in the written agreement; lack of regulation of time frames for possible processing; the formation of information systems with personal data of persistent debtors; the passing of personal data to collecting agencies where the right of demand is waived and so forth have led to a situation where at the present time in Russia it is virtually impossible to enforce the law.” They note that this is demonstrated in the percentage, 65%, of identified violations of personal data security. Russia is therefore forced to change the provisions of this law.
The appeal, signed by the President of the Association O. Suhonyako, therefore calls on the President to veto the law and submit proposals for improving it.