Cyber Security and Data Protection in Ukraine

19/01/2016

1. Understanding of importance

There were times when traditional businesses viewed Privacy policy and Terms and Conditions disclosures as a rather formal “must have” element when launching their products or services.

Today the number of connected devices is growing exponentially. The focus of competition has shifted from purely hardware features to creating an ecosystem and a better user experience for consumers.

In an attempt to provide consumers with a unique user experience, devices and applications collect more and more user data, such as information on our location, our daily route, our itinerary, on-line search preferences, health records etc.

Furthermore, recent developments in the Internet of Things (IoT) enable objects embedded with sensors, software and connectivity modules to exchange data with the user or other connected devices. Such “objects” in the IoT may include a wide variety of devices in various industries, ranging from health monitoring implants in the healthcare industry to vehicles with built-in sensors in the automotive sector.

In this context cyber security is now one of the hottest topics in the technology space. Over 1 billion US dollars were invested into cyber security startups in the 1st quarter of 2015 alone (1).

Cyber security today is being driven by many factors. One of those is the so-called “industrialization of hacking”. Technologies become cheaper and more accessible; therefore hacking becomes a type of organized crime targeting not only e-mail correspondence, as it was 10 years ago, or credit card information, as it was 2 years ago, but also compromising personally identifiable information. Perhaps another important factor driving cyber security is the growing connectivity of devices and the shift to cloud technologies, which require a higher level of data protection and security.

It is apparent today that the more data is collected, the more vulnerable each particular user becomes, making cyber security the next “big thing” in IT.

2. Ukrainian regulatory framework

Cybersecurity in Ukraine is mostly viewed through the prism of state defense and security. Therefore applicable legislation is mostly focused on cyber security in the state sector and includes the Law of Ukraine “On Data Protection in Information and Telecommunication Systems”, the Law of Ukraine “On Information”, the Law of Ukraine “On State Secrets”, the Law of Ukraine “On National Security of Ukraine” and the Law of Ukraine “On State Service of Special Connection and Information Protection”.

As for cyber security in the private sector, the above legislative acts establish only separate basics, addressing mostly matters of state security and defense.

In 2005 the Parliament of Ukraine ratified the “Convention on Cybercrime” developed by the European Council in 2001, which has since become a part of national legislation.

Among other issues, the Convention sets forth 4 major types of crimes, most of which are adequately addressed in the Criminal Code of Ukraine as crimes committed using computers, systems, computer networks and telecommunications.

More importantly, the Convention sets several procedural implications that form the practical basis for prosecution of cybercrimes. In particular, it deals with such procedural issues as expedited preservation of stored data, expedited preservation and partial disclosure of traffic data, production order, search and seizure of computer data, real-time collection of traffic data and interception of content data. In addition, the Convention contains a provision on a specific type of trans-border access to stored computer data which does not require mutual assistance (with consent or where publicly available) and provides for the setting up of a 24/7 network for ensuring speedy assistance among the states-parties to the Convention.

The importance of the above procedural reservations is determined by the relatively limited selection of instruments that work effectively for evidencing in electronic form within current criminal procedure. The movement of information in electronic form, which in fact constitutes the nature of a criminal cyber-offence, is now evidenced mainly by expert testimony delivered as a result of forensic examination.

At a glance, the Ukrainian legal system appears to have the basic legislative instruments for the private sector to prosecute offences in cyber space.

The data protection regulatory framework in Ukraine is generally aligned with the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data of 1981 adopted by the Council of Europe. In June 2010 the Ukrainian Parliament passed the Law “On Protection of Personal Data” (Data Protection Law or Law), which has been effective since January 2011. In July 2013 the Parliament passed amendments to the Data Protection Law which removed some onerous provisions and brought the legislation more in line with the imperatives of the time.

Who should be concerned?

Despite the broad definitions contained in the Data Protection Law, which might affect virtually any industry, it would be worthwhile to give special attention to personal data protection in sectors such as on-line and off-line retail, insurance and financial services, FMCG manufacturers and pharmaceutics. Whether it is contemplated to launch a new promo campaign for a targeted audience or a new on-line application that collects personally identifiable information, it would be advisable to make sure that all relevant regulations have been properly observed and certain specific measures have been duly implemented, thus ensuring compliance with the provisions of the Law.

Why is it important?

As noted above, the Data Protection Law provides for quite a broad definition of personal data, which includes any information that identifies or allows identifying a specific individual. In fact, every time a customer simply places an on-line order or requests a quotation on-line, simultaneously providing personally identifiable information, the recipient of that information should be sure that it operates in compliance with the fundamentals of the Data Protection Law. In some cases increased attention to the details of data protection declared by the company might serve as an additional and (or) unique sales point distinguishing it from competitors that offer comparable types of services or products but take less care in protecting personal information that might in most cases be sensitive to the customer.

Case study:

The recent update by Apple of its Privacy policy is a good example of how players in the technology industry market their data protection policies as a key differentiator of their devices and services among competitors. Originally, in September 2014, Tim Cook, CEO of Apple, personally launched a new section on apple.com dedicated to privacy. Since then Apple has continued to market itself as a company that cares about privacy. In his letter to users posted on the main page of the Privacy section of apple.com, Tim Cook reiterates that Apple does not “monetize” the information that people store on their iPhone or in iCloud, while making contrasting references to the business model of its competitors like Google or Facebook. Further on, Apple continues to position itself against ad-supported businesses, appealing to the old thesis that a customer using a free on-line service is no longer a customer but a “product”.

While marketing its devices and services as those having a unique level of data protection, Apple emphasizes that it does not rely on advertising revenue and thus does not need to mine users’ data. Its Privacy policy reinforces that Apple’s business model is very straightforward: Apple sells great products and does not build a profile based on user email content or web browsing habits to sell to advertisers.

Separate attention in Apple’s Privacy policy is paid to the matters of sharing personal information with governmental agencies. In this regard Apple logically emphasizes that it has never allowed government access to its servers and never will.

Even if this sort of assurance would be hard to keep in future, since Apple still falls under the jurisdiction of local laws which might change from time to time, such a format of Privacy policy certainly brings a well-defined marketing effect.

What are the fundamentals?

Consent to personal data processing is the major statutory requirement that is to be complied with before processing the personal data of a specific individual.

The term “processing” itself also has quite a broad definition, embracing any act or series of acts including collection, registration, accumulation, storage, adaptation, alteration, updating, circulating, removal, depersonalization and other similar actions with the personal data.

The Law provides for a few exceptions to the basic rule where consent to processing personal data does not have to be obtained. Some of those exceptions which have the closest relevance to daily business operations include cases when

(i) Personal data have been obtained in the course of structuring contractual relations with the individual (typically labor agreements);
(ii) Processing of certain types of personal data is carried out by virtue of law;
(iii) Processing of the personal data is necessary to protect the vital interests of an individual;

Which form of consent for processing personal data is appropriate?

The initial wording of the Data Protection Law required that consent for processing of personal data be obtained in documented form, which seemed impractical in the digital era. The amended wording of the Law provides that consent may be obtained in any form that allows concluding that consent has actually been granted.

This has substantially eased the pain for on-line services and applications that collect personally identifiable information in order to perform their primary function and thus provide their service or sell products to customers.

That being said, it would still be advisable to obtain, to the extent it is possible and (or) practical, the consent of individuals to processing their personal data in documented form, which might certainly be helpful for the purposes of arguing on admissibility of evidence in case of a court conflict.

Regardless of the form of consent, whether it is a written document signed by the customer or an on-line checkbox, the wording of the consent should certainly cover all cases of personal data processing (collecting, storage, adaptation, transfer etc.), the scope of the personal data to be collected and the specifically defined purpose of personal data processing.


What types of disclosures are necessary?

The Law clearly outlines the scope of information that should be disclosed to the individuals, whose personal data is being processed, including

(i) the sources of collecting personal data;
(ii) location of personal data storage;
(iii) the purpose of processing the personal data;
(iv) details of the entity that is processing personal data;
(v) the scope and contents of the personal data collected/processed;
(vi) the details of any entities and/or persons to whom the personal data may be transferred; and

The Law sets the basic rule that the above information should be made available to the individual either (a) at the time the personal data is collected, if the personal data is collected directly from an individual; or (b) within 30 working days after collection of personal data in any other cases. In practice the above rule might sufficiently be complied with by posting a comprehensive disclosure on data protection policy, on condition, however, that it contains all necessary elements required by the Law.

What are the rules for cross-border transfer of personal data?

The Data Protection Law requires that transfer of personal data is allowed only to countries that provide an adequate level of personal data protection. In particular, the Law refers to (i) member-states of the European Economic Area and (ii) states-parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The above is not an exhaustive list, and other countries might be deemed to provide proper protection of personal data if specifically defined by the Cabinet of Ministers of Ukraine.

In addition, the Law provides for several alternative ways to justify cross-border transfer of personal data, including among others (1) unambiguous consent granted by the individual to cross-border transfer of its personal data; (2) the transfer is determined by necessity to perform contractual obligations of the data controller for the benefit of the individual whose personal data is transferred; or (3) reasons of substantial public interest or necessity to pursue legal remedies; or (4) necessity to protect vital interests of the individual.

What is sensitive data?

The Data Protection Law establishes that it is prohibited to process personal data relevant to (i) race, ethnic origin and nationality; (ii) political, philosophical and religious beliefs; (iii) membership in political parties and other organizations; (iv) health; (v) sexual life; (vi) biometrical data; (vii) genetic data. Those categories of personal data are sometimes identified as “Sensitive data”.

The Law provides, however, for a number of cases when processing of Sensitive data is allowed, including cases when (i) the individual provides explicit consent to processing of their Sensitive data; and (ii) processing of Sensitive data is required within the framework of labor relations; and (iii) Sensitive data was made public by the individual.

Notably, the Law operates with such a category of personal data as “data constituting high risk for rights and freedoms”, which has a slightly different legal regime compared to Sensitive data. For this purpose the Ombudsman, which became the national regulatory authority along with the amendments to the Law in 2013, has established the list of types of data that are deemed to constitute “high risk for rights and freedoms”, which in addition to Sensitive data include (i) nationality of the individual; (ii) location and routes of movement of the individual; (iii) whether the individual has suffered from violence or other abuse.

The controller of “high risk” personal data is to provide the Ombudsman with a 30-day post factum notification on the processing of “high risk” personal data. Such notification is subject to the form and procedures established by the Ombudsman.

In cases where the Data Protection Law requires providing notifications to the Ombudsman, it also requires establishing a dedicated structural unit or appointing a sole data protection officer.

What about liability?

Data Protection Law provides for both administrative and criminal liability for breach of its provisions. Any of the following cases may result in administrative liability:

(i) any failure to comply with the Law that results in an unauthorized access to the personal data or a breach of the right of any individual;
(ii) any untimely notification or failure to notify the Ombudsman where it is required to do so by Law;
(iii) any failure to act as required by the Ombudsman in accordance with the Law.

The Law also provides that collection, storage, circulation and (or) transfer of personal data without consent of the individual may result in criminal liability in the form of a fine, community work, arrest or imprisonment for up to five years.

What are the exterritorial implications?

The Data Protection Law does not contain express reservations on its exterritorial effect. However, the Law clearly establishes that the owner of personal data and the controller of the personal data are subject to the provisions of the Law. It is therefore reasonable to assume that owners and (or) controllers of personal data which relates to Ukrainian citizens or residents of Ukraine should also comply, to that extent, with the provisions of the Law regardless of where such owner and (or) controller of personal data has its registered place of business.

Are there any other compliance implications?

As noted above, the Data Protection Law operates with such definitions as “owner of personal data” and “controller of the personal data”.

The owner of personal data is identified as a person or entity that (i) has a right to process personal data based on the consent of the individual; and (ii) defines the purpose of processing personal data; and (iii) determines the scope of data and the procedure for its processing.

The controller of the personal data is a person or entity that is authorized to process personal data either by the owner of personal data or by virtue of Law.

The Law generally provides that the owner of personal data and (or) the controller of the personal data must ensure that personal data is protected against unlawful processing, including loss, unlawful or accidental deletion, as well as against unauthorized access. However, the Law does not specify any particular measures which should be undertaken to protect personal data.

In this regard the Ombudsman has issued guidance on security measures that are to be taken. In particular, the owner of personal data and (or) the controller of the personal data shall (i) set up a procedure of access to personal data by employees of the personal data owner or controller; (ii) set the procedure for access to data processing operations; (iii) develop an action plan for cases of unauthorized access to personal data, damage to technical equipment or occurrence of other emergency situations; and (iv) develop regular training programs for employees who work with personal data.

In addition to the above, the Data Protection Law provides for a general rule whereby entities processing personal data must also set out the purpose of such processing either in their constituent documents (e.g., articles of association or deed of incorporation) or in other internal regulations and (or) policies.

In practice this might be interpreted to mean that companies engaged in processing of personal data should ensure adoption of internal regulations and (or) policies on personal data processing which would include, among others: (i) the purpose and the scope of the personal data processing; (ii) the means and the procedure for collecting, storage, processing and transfer of personal data; and (iii) any issues related to protection of personal data.

While such a formal interpretation might seem excessively conservative, it may effectively serve the purpose of reducing compliance risks.

(1) - According to Christopher Young, Senior Vice President and General Manager of Intel Security Group. IDF 2015.

Published by: TerraLex Connections, Cybersecurity Newsletter, January 2016

Author: Andriy Kovalyov

 
