Author: Ivan Horodyskyy, lawyer, CIPP/E
On October 18, 2021 draft Law No. 6177 On the National Commission for Personal Data Protection and Access to Public Information was submitted to the Verkhovna Rada of Ukraine. It suggests establishing a body having controlling competences in the field of personal data protection. There is already an objective need for the reform of the institutional mechanism of human rights protection in this field, and the related discussion has been going on since 2015. At the same time, proposals available in the draft Law raise some doubts as to the independence of the new body from the executive branch of power.
Personal data protection in Ukraine
There appear more and more opportunities for personal data processing in the modern world, and the volume of data processed by the state and by private entities is increasing. In this context, of particular importance are effective national institutions exercising control over compliance with the privacy protection standards. On October 18 a draft Law suggesting establishment of a new competent authority in this field was submitted to the Verkhovna Rada: the National Commission for Personal Data Protection and Access to Public Information.
Establishment of the system of personal data protection in Ukraine was launched within the framework of preparation for the EU-Ukraine Association Agreement conclusion in the early 2010ies. The State Service of Ukraine on Personal Data Protection was established back then, and its activity was coordinated by the Cabinet of Ministers of Ukraine via the Ministry of Justice of Ukraine, which fact ran counter to the standards of independence these bodies were supposed to comply with.
To improve the situation, in 2013 the function of personal data protection was handed over to the Commissioner for Human Rights of the Verkhovna Rada and the Secretariat of the Commissioner as the body independent from the executive branch of the government. However, efficiency of the work of the Commissioner in the field of personal data protection is rather poor, and due to this the Commissioner keeps being constantly criticized.
Over several recent years there have been ongoing discussions concerning the establishment of the new body that would be in charge of both personal data protection and access to public information. National and international experts voiced an idea of establishing the institute of the so called Information Commissioner. That would require amending Art. 101 of the Constitution of Ukraine that presupposes that: “The Authorised Human Rights Representative of the Verkhovna Rada of Ukraine exercises parliamentary control over the observance of constitutional human and citizens’ rights and freedoms”. This article should be supplemented with the provisions stating that the Information Commissioner’s mandate shall be valid for the respective domains (personal data protection, access to public information, etc.).
The key principle in the activity of the human rights protection bodies, including the bodies protecting the right to privacy that includes personal data protection, is independence of those bodies. This is stressed in the Paris Principles (“Principles Relating to the Status of National Human Rights Institutions”) passed on October 9, 1991 and approved by Resolution of the UN General Assembly No. 48/134 as of December 20, 1993. The European Union also confirms this standard for supervisory bodies in the field of personal data protection, stating it in the General Data Protection Regulation, GDPR): “Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers”.
So, what is wrong with the establishment of the National Commission for Personal Data Protection and Access to Public Information
Analysis of the draft Law gives grounds to call into question the capacity of the body suggested by it to exercise adequate control over compliance with the standards of personal data protection and access to public information. Doubts arise due to the following circumstances:
1. The status of the Commission as an executive authority resonates with the status of the former State Service of Ukraine on Personal Data Protection in many aspects. The positive thing is that the draft Law presupposes wider guarantees of independence for members of the National Commission. However, they are accountable to the Cabinet of Ministers that plays the key role in establishing the composition of the Selection Board for selecting members of the National Commission (see more below). That causes some doubts as to whether members of the National Commission will be independent from executive authorities.
2. The draft Law contains a declarative statement about the responsibility of the National Commission to the Verkhovna Rada (Art. 2), that would be supposed to guarantee its independence. But what this responsibility lies in and what the mechanisms for ensuring it are is not clear. Besides submission of annual and other reports to the Verkhovna Rada, as well as participation of the representatives of the Verkhovna Rada in the work of the Selection Board, no other ways to implement this responsibility are envisaged. Thus, this is pretty much a declarative statement that does not create any additional guarantees of the independence of the National Commission.
3. Provision of p. 4.1, Art. 4 on “submission of consultative opinions related to draft laws on personal data protection, access to public information, that are mandatory for consideration, to the Verkhovna Rada” is not quite clear. The Verkhovna Rada is a constitutional body, the only legislative body, and, in the conditions of the semi-presidential republic – the highest body of state power in Ukraine. Therefore, the right of the National Commission as an executive body to make it mandatory for the Verkhovna Rada to consider such opinions seems to rather be doubtful. The National Commission is an ad hoc body, and it will belong to executive power, and this may constitute a violation of the constitutional principle of division of power.
4. Some issues arise concerning the procedure of having a competition for the positions of members of the National Commission and establishment of the Selection Board. Thus, under p. 4, Art. 9, the Selection Board includes one person nominated by each committee of the Verkhovna Rada that deal with the issues of personal data protection and access to public information. At the same time, this provision may not make it binding for the Verkhovna Rada to delegate those issues to the competences of different committees. If these matters are within the competence of one committee, it is not clear whether both members of the Board may be delegated by it. This will cast doubt on the possibility of having a competition and the legitimacy of the Selection Board.
5. The key role of the Cabinet of Ministers in holding a competition for the positions of members of the National Commission should be stressed, since this creates some risks for the independence of the future composition of the Commission. The Cabinet of Ministers, in particular, shall:
1) approve the composition of the Selection Board (p. 2, Art. 9);
2) make an announcement on the competition holding and its results (p. 3, Art. 9);
3) appoint two out of nine members of the Selection Board (p. 4.4, Art. 9);
4) its Secretariat shall provide for the work of the Selection Board (p. 7, Art. 9);
5) appoint members of the National Commission on the basis of the competition results (p. 1, Art. 9);
6) pass a decision on dismissal of a member of the National Commission on the grounds envisaged by sp. 2–9, part one, Art. 10.
The role of other authorities in the competition holding, in particular, that of the Verkhovna Rada and the Commissioner for Human Rights of the Verkhovna Rada, shall be limited to appointment of three out of nine members of the Selection Board. Such role of the Cabinet of Ministers in the process of establishing the composition of the National Commission is not balanced and raises doubt concerning the independence of this body from executive authorities. It is also possible that it is the Cabinet of Ministers that is to approve the Regulation on the Competition, which is mentioned in part three, Art. 9, but the procedure for its development and approval is not described.
6. The draft Law occasionally contains some terminological confusion, for instance, the terms “owner”, “administrator”, and “controller” are used interchangeably to denote one and the same subject of personal data processing. At the same time, the section “Final and Transitional Provisions” does not contain any suggestions concerning coordination and unification of official terminology in the field of personal data protection. Adoption of the Law in such version may cause controversies in the application of the Law as well as weaken the mechanisms of personal data protection in Ukraine.
How can the draft Law be improved
1. Human rights protection is not, by its nature, a regulatory or managerial activity and is beyond the field of executive authorities’ competence. Therefore, the leading role in developing personal composition of the National Commission for Personal Data Protection and providing for its activity should go to the Verkhovna Rada. Since it is it – as the legislative body developed on an elective basis – that should ensure the adequate level of independence in human rights protection.
2. While reforming the system of control over exercising of human rights in the field of personal data protection and access to public information, it is worth going back to the idea of establishing the institute of Information Commissioner. Respective amendments to the Constitution of Ukraine will ensure his/her independence from executive authorities, control over the activity of which will also be within the field of the Information Commissioner’s competence.
3. The initiative of such body establishment cannot be considered separately from the reform of personal data protection legislation, viz. regulation of responsibility for violation of these rights, unification of terminology, etc.
There is an urgent need for upgrading the mechanisms of personal data protection in Ukraine, and related legislative initiatives testify to the movement in the right direction. At the same time, it should be taken into account that the goal for reforming such mechanisms should be improvement of their capacity and efficiency which directly depend on the level of guarantees of their independence. The draft Law under analysis does not presuppose the necessary guarantees of independence for the National Commission. That is why the underlying concept should be changed, and respective mandate should be granted to the body independent of the executive branch of government.
Конституція України із змінами від 28 червня 1996. [Constitution of Ukraine, amended as of June 28, 1996]
URL : https://zakon.rada.gov.ua/laws/show/254к/96-вр#Text
Порядок здійснення контролю за додержанням законодавства про захист персональних даних (с. 111-123) у: Бем М.В., Городиський І.М. Захист персональних даних: правове регулювання і практичні аспекти. К. : Рада Європи, 2021. 157 С. [The Procedure of Exercising Control over Compliance with the Personal Data Protection Legislation (pp. 111-123) in: Bem M. V., Horodyskyy I. M. Personal Data Protection: Legal Regulation and Practical Aspects. K. : Council of Europe, 2021. 157 P.]
Проєкт Закону про Національну комісію з питань захисту персональних даних та доступу до публічної інформації. [Draft Law On the National Commission for Personal Data Protection and Access to Public Information.]
URL : http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?id=&pf3511=72992
Регламент Європейського Парламенту і Ради (ЄС) 2016/679 про захист фізичних осіб у зв'язку з опрацюванням персональних даних і про вільний рух таких даних, та про скасування Директиви 95/46/ЄС (Загальний регламент про захист даних) від 27 квітня 2016 року. [Regulation (EU) of the European Parliament and of the Council 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on Data Protection]
Principles relating to the Status of National Institutions (The Paris Principles): Adopted by General Assembly resolution 48/134 of 20 December 1993.