Data leakage in Ukraine. Parallels with EU legislation

The scandal over the leak of driver's license data through a Telegram bot made noise throughout Ukraine. Suspicion initially fell on the public services application Diia (DIA), but the application's involvement in the incident was quickly denied. Questions of the "who leaked the data and how" kind will be left to the state, represented by the Ukrainian police, the Security Service of Ukraine and computer forensics experts; the question of whether our personal data protection legislation matches the realities of the digital era is considered by the author of this publication, Vyacheslav Ustimenko, a consultant at the law firm Icon Partners.

Ukraine aspires to the EU, and this implies the adoption of European standards for the protection of personal data.

Let's model a case and imagine that a non-profit organization from the EU leaked the same amount of driver's license data and that this fact was established by local law enforcement.

In the EU, unlike Ukraine, there is a dedicated regulation on the protection of personal data: the GDPR.

A leak indicates a violation of the principles described in:

  • Article 25 GDPR, data protection by design and by default;
  • Article 32 GDPR, security of processing;
  • Article 5(1)(f) GDPR, the principle of integrity and confidentiality.

In the EU, fines for violating the GDPR are calculated case by case; in practice, such an organization would be fined 200,000+ euros.

What should be changed in Ukraine

The practice gained while supporting IT and online businesses, both in Ukraine and abroad, has shown both the problems and the achievements of the GDPR.

Below are six changes that should be introduced into Ukrainian legislation.

#Adapt the legislative framework for the digital era

Since the signing of the Association Agreement with the EU, new data protection legislation has been in development in Ukraine, with the GDPR as its guiding star.

Adopting a law on the protection of personal data has not been so easy. It seems that there is a "skeleton" in the form of the GDPR and all that remains is to add the "meat" (adapt the norms), but many controversial issues arise, both from the point of view of practice and of the law.

For example:

  • whether open data will be considered personal data;
  • whether the law will apply to law enforcement agencies;
  • what the liability for breaking the law will be, and whether the fines will be comparable to European ones, etc.

The key point is that the legislation needs to be adapted, not copied from the GDPR. Ukraine still has many unresolved problems that the EU countries do not have.

#Unify terminology

Define what personal data and confidential information are. Article 32 of the Constitution of Ukraine prohibits the processing of confidential information. A definition of confidential information is contained in at least twenty laws.

Quotes from the original sources (in Ukrainian):

  • information about nationality, education, marital status, religious beliefs, state of health, address, date and place of birth (Part 2, Article 11 of the Law of Ukraine "On Information");
  • information about place of residence (Part 8, Article 6 of the Law of Ukraine "On Freedom of Movement and Free Choice of Place of Residence in Ukraine");
  • information about the private life of citizens obtained from citizens' appeals (Article 10 of the Law of Ukraine "On Citizens' Appeals");
  • primary data obtained in the course of the Population Census (Article 16 of the Law of Ukraine "On the All-Ukrainian Population Census");
  • information submitted by an applicant for recognition as a refugee or as a person in need of complementary protection (Part 10, Article 7 of the Law of Ukraine "On Refugees and Persons in Need of Complementary or Temporary Protection");
  • information about pension contributions, pension payments and investment income (losses) credited to the individual pension account of a pension fund participant, to the pension deposit account of a natural person, or under lifetime pension insurance contracts (Part 3, Article 53 of the Law of Ukraine "On Non-State Pension Insurance");
  • information about the pension assets recorded in the accumulative pension account of an insured person (Part 1, Article 98 of the Law of Ukraine "On the State Pension Insurance");
  • information about the subject of a contract for the performance of research, development, design or technological work, and about the results obtained (Article 895 of the Civil Code of Ukraine);
  • information that makes it possible to identify a minor offender or that otherwise discloses the fact of a minor's suicide (Part 3, Article 62 of the Law of Ukraine "On Television and Radio Broadcasting");
  • information about the deceased (Article 7 of the Law of Ukraine "On Burial and Funeral Affairs");
  • information about payment for a doctor's medical services (Article 31 of the Law of Ukraine "On payment for the healthcare"); such information is disclosed only in cases established by legislation or in order to provide medical assistance;
  • applications and materials relating to patents (Article 19 of the Law of Ukraine "On the Protection of Rights to Inventions and Utility Models");
  • information contained in the texts of court decisions that makes it possible to identify a natural person, in particular: names (first name, patronymic, surname) of natural persons; place of residence or stay of natural persons, with addresses, telephone numbers and other contact details, e-mail addresses, identification numbers (codes); registration numbers of vehicles (Article 7 of the Law of Ukraine "On Access to Court Decisions");
  • data about a person taken under protection in criminal proceedings (Article 15 of the Law of Ukraine "On Ensuring the Security of Persons Participating in Criminal Proceedings");
  • materials of an application by a natural or legal person for registration of a plant variety, and the results of the examination of a plant variety (Article 23 of the Law of Ukraine "On the Protection of Rights to Plant Varieties");
  • data about an employee of a court or law enforcement agency taken under protection (Article 10 of the Law of Ukraine "On State Protection of Employees of Courts and Law Enforcement Agencies");
  • the body of information about natural persons who have suffered from domestic violence (personal data) that is kept in the Register, and information about access to it (Part 10, Article 16 of the Law of Ukraine "On Preventing and Combating Domestic Violence");
  • information about the value of goods moved across the customs border of Ukraine (Part 1, Article 263 of the Customs Code of Ukraine);
  • information to be provided in an application for state registration of a medicinal product and in its annexes (Part 8, Article 9 of the Law of Ukraine "On Medicinal Products").

#Get away from evaluative concepts

There are many evaluative concepts in the GDPR. In a country without case law (meaning Ukraine), evaluative concepts are more a space for "avoiding responsibility" than a benefit for the population and the country as a whole.

#Introduce the concept of DPO

A data protection officer (DPO) is an independent data protection expert. Legislation should clearly, and without evaluative concepts, regulate when the appointment of an expert to the position of DPO is mandatory. How they do it in the EU is written here.

#Determine the level of liability for violations in the field of personal data, and differentiate penalties depending on the size (profit) of the company

  • 34 thousand hryvnia

    There is still no culture of personal data protection in Ukraine; the current Law "On the Protection of Personal Data" says only that "violation entails liability established by law". The penalty under the Code of Administrative Offences for illegal access to personal data and for violating the rights of data subjects is up to UAH 34,000.

  • 20 million euros

    The penalty for violating the GDPR is the largest in the world: up to 20,000,000 euros, or up to 4% of the company's total annual turnover for the previous financial year. Google received the first fine, 50 million euros, for data privacy violations concerning French citizens.

  • 114 million euros

    The GDPR celebrated its 2nd anniversary in May and has collected 114 million euros in fines. Regulators often target giant companies holding data on millions of users.

    Marriott International and British Airways are facing multi-million fines this year for data breaches, fines that are expected to overtake Google's in the contest for the heaviest penalty. UK regulators have warned that they plan to fine them a total of about $366 million.

    Fines with six zeros are issued to global companies whose services we use every day. However, this does not mean that small, unfamiliar companies are not subject to punishment.

    An Austrian postal company was fined 18 million euros for creating and selling profiles of 3 million people that contained information about addresses, personal preferences and political affiliations.

    A payment service in Lithuania did not delete customers' personal data once the need for processing no longer existed and received a fine of 61,000 euros.

    A non-profit organization in Belgium carried out a direct marketing email campaign even after the recipients had opted out of receiving the emails and received a fine of 1,000 euros.

    1,000 euros is nothing compared to the damage to reputation.

#Happiness is not in fines

"Whoever wants to find out information about me will find it out anyway, despite the law": unfortunately, this is what many people in Ukraine and the CIS countries say.

But fewer and fewer people believe the misconception that "they will steal a photo of my passport and take out a loan in my name", because even with the original of someone else's passport in hand, it is legally unrealistic to do this.

People are divided into 2 camps:

  • "Paranoids", who believe in the religion of personal data and think before ticking the box and agreeing to the processing of their data.
  • "Those who don't care", or people who automatically post their personal data on the network and do not think about the consequences. And then their credit cards are stolen, they are signed up for recurring payments, their messenger accounts are taken over, their mailboxes are hacked or cryptocurrency is withdrawn from their wallets.

Freedom and Democracy

The protection of personal data is about a person's freedom of choice, the culture of society and democracy. A society is easier to manage the more data you have on it: you can predict a person's choices and push them toward the desired action. It is difficult for a person to act as they want when they are being watched; the person becomes compliant and, as a result, manageable, that is, the person subconsciously does not do what they want but what they were persuaded to do.

The GDPR is not ideal, but it fulfills its main idea and goal in the EU: Europeans have realized that an independent person independently owns and manages their personal data.

Ukraine is only at the beginning of the journey; the ground is being prepared. Residents will receive a new text of the law from the state, and most likely an independent regulatory body, but Ukrainians themselves must come to modern European values and to an understanding that democracy in 2020 must also exist in the digital space.

PS: I write on social networks about jurisprudence and the IT business. I will be pleased if you subscribe to one of my accounts. This will certainly add motivation to develop the profile and work on content.

Facebook
Instagram

Source: habr.com