I. Legal Framework
Constitutional privacy framework
The Constitution of Ukraine guarantees the right of privacy and data protection.1 Article 31 states, "Everyone is guaranteed privacy of mail, telephone conversations, telegraph and other correspondence. Exceptions shall be established only by a court in cases envisaged by law, with the purpose of preventing crime or ascertaining the truth in the course of the investigation of a criminal case, if it is not possible to obtain information by other means." Article 32 states, "No one shall be subject to interference in his or her personal and family life, except in cases envisaged by the Constitution of Ukraine. The collection, storage, use and dissemination of confidential information about a person without his or her consent shall not be permitted, except in cases determined by law, and only in the interests of national security, economic welfare and human rights. Every citizen has the right to examine information about himself or herself, that is not a state secret or other secret protected by law, at the bodies of state power, bodies of local self-government, institutions and organizations. Everyone is guaranteed judicial protection of the right to rectify incorrect information about himself or herself and members of his or her family, of the right to demand that any type of information be expunged, and also the right to compensation for material and moral damages inflicted by the collection, storage, use and dissemination of such incorrect information." There is also a right of freedom of information. Article 34 states: "Everyone has the right to freely collect, store, use and disseminate information by oral, written or other means of his or her choice." Article 50 states, "Everyone is guaranteed the right of free access to information about the environmental situation, the quality of food and consumer goods, and also the right to disseminate such information. No one shall make such information secret."
Data protection framework
There have been efforts to enact a data protection act for several years. However, as of June 2007, no data protection act has been enacted. However, on February 23, 2006, the Ukrainian Parliament passed a law titled "On State Service for Special Communication and Information Protection of Ukraine" which went into force on January 1, 2007.2 This law created an agency to develop a state system of "governmental communications, the National System of confidential communications, protection of state informational resources in the informational and telecommunications systems, cryptographic and technical protection of information." A draft Law on Personal Data Protection (No. 2618) passed first hearings on May 15, 2003, and has not yet been submitted for second hearings. This draft law was submitted by Members of Parliament Rodionov, Nikolaenko, Yukhnovsky, Tolochko, and Sytnyk, and drafted by communications experts, employees of the State Committee on Communications and Information, and the Ministry of Internal Affairs. In June 2001, Oleksandr Zadorozhniy (then Chief of the Parliament Committee on Legal Policy, currently the Representative of the President in the Parliament) introduced an alternative draft bill on Personal Information to the Parliament. The bill was prepared with the assistance of Mr. A. Pazyuk, Director of Privacy Ukraine. The draft covers public and private sectors, provides natural persons with the right to informational self-determination. It includes special provisions concerning sensitive data (racial origin, nationality, trade union membership, political, philosophical and religious beliefs, medical and health data, and data on criminal offenses) and imposes limitation of data transfer to third countries with inadequate level of data protection. The draft proposes the establishment of independent authority for supervision. The National Agency on Personal Data Processing Supervision would be empowered to conduct investigations, impose sanctions, maintain a national register of databases, and to adopt or approve codes of fair information practices proposed by the private sector. The draft would require amendments to the Constitution to provide for the appointment of the National Agency chief nominated by the President of Ukraine and subject to the authority of the Parliament. The Agency would be required to submit annual reports to Parliament. MP Zadorozhniy's draft received positive evaluation by the experts of the Council of Europe in 2001 as it is based on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) (Convention No. 108) and the EU Data Protection Directive (1995/46/EC). At the same time, the direct marketing industry opposed strong data protection rules. The main obstacle for the adoption of a data protection legal framework in Ukraine is the misunderstanding of the role of a data protection commissioner and the unwillingness to establish an additional public body with effective powers of control.
The new Civil Code, which entered into force on January 1, 2004, introduced a number of sectoral privacy-related safeguards within Book II (Personality Rights). It ensures a tort cause of action for the violation of an individual's personal privacy interest in his or her health status, personal life, personal papers, correspondence, and inviolability of business reputation. The Code enables an individual to control the publicity of his or her image in photographs, artistic pieces, and movies, as well as safeguard the inviolability of one's name.
The biggest violations of the right to privacy are associated with the privacy of communication. The legislation does not provide clear reasons for information retrieval from communication channels (wiretapping of telephones, mobile phones or keeping track of e-mail messages and Internet browsing), a specific period of such information retrieval and the circumstances under which such information should be destroyed and how it may be used. The guarantees of legitimacy of information retrieval from communication channels are insufficient. As a result, no one can monitor the number of permits and necessity of eavesdropping, while persons, to whom such actions were applied, are not aware of them and, thus, cannot appeal against such actions in the court of law or otherwise protect their right to privacy.3
The Law on Telecommunications No. 1280-IV was enacted on November 18, 2003.4 It provides certain guarantees for privacy protection. Operators and providers have to protect the secrecy of personal data (Article 34). Consumer's personal data and data on telecommunication services can be provided to third parties with the data subject's consent or on the conditions provided by law. Subscribers' personal data may only be included in directories with the data subject's permission. The Law does not restrict personal data collection by service providers but prohibits further dissemination.5 The National Regulatory Commission for Communication (NRCC) is empowered to protect consumer's rights (including data protection) (Article 21).
The Act on the Operational Investigative Activity (OIA) of February 18, 1992, empowers law enforcement agencies to conduct surveillance. The agencies are obliged to obtain a warrant under the court procedure as implemented by the Act of the Supreme Court Plenary Session of November 1, 1996.6 The Statute does not provide wiretapping procedure rules. Those are regulated by secret rules, adopted by the joint Ministry of Internal Affairs and State Committee as Communications Order No. 745/90 of September 30, 1999. The applications are registered and include the names of officials, and the date and type of communications. Statistical data on wiretapping activity is not publicly available. Under Article 11 of the Act, priests, doctors, and lawyers cannot be asked about information concerning their clients, and any such information cannot be used as evidence in court. However, in practice, the courts regularly use such information. The special services investigated the Kazakhstan Energy Grid Operating Company in June 2000 for the illegal tapping of employee conversations and charged one employee with a violation of the criminal code.7
On January 18, 2001, a new law was passed amending the OIA Act of 1992. The new Act clarifies the offenses for which surveillance may be used and significantly improves procedures for judicial supervision and oversight. Individuals are not granted full access to the personal data collected by police during the investigation and are allowed only to receive an explanation of the human rights implications of the surveillance. The Act prohibits the dissemination of information about undisclosed crimes, information that might damage an open investigation, a person's interest or the security of the State. The disclosure of State secrets is also prohibited. An Order of the Chief of the Security Service dated March 1, 2001 defines a State secret as data relating to "the preparation, performance and results of secret OIA measures used against persons who are preparing or have committed especially dangerous or heinous crimes against the State."
- 1. http://alpha.rada.kiev.ua/const/conengl.htm
- 2. http://www.welcometo.kiev.ua/pls/ili/docs/a_law_eng/E3475-IV.html
- 3. http://www.khpg.org/en/index.php?id=1126950808
- 4. http://portal.rada.gov.ua/control/en/index
- 5. E-mail from Andriy Pazyuk, Privacy Ukraine, to C√©dric Laurant, Policy Counsel, Electronic Privacy Information Center (EPIC), (July 9, 2003) (on file with EPIC).
- 6. Directive of the Supreme Court of Ukraine, No. 9 of November 1, 1996, on referring to the Constitution in Administering Justice.
- 7. "Power Company Denies Involvement in Telephone Tapping,", BBC Summary of World Broadcasts, June 2, 2000.