The process of legislative settlement of issues related to the protection of personal data began in the European Union (EU) with the entry into force of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals regarding the processing of personal data and on the free movement of such data (Directive). After adoption the Charter of Fundamental Rights of the European Union (2000), which Article 8 defined the protection of personal data as a human right, establishment of the sufficient principles in the Lisbon Treaty (2009), there were amended two key EU acts: the Treaty on EU and the Treaty establishing the European Community. As a result, everyone in the EU was guaranteed the right to protect their personal data. In 2016 the EU adopted Regulation 2016/679/EC of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data (Regulation), which radically updated the methods of collecting and processing personal data, and not only in the EU. As a result, to comply with its requirements, both EU-based companies and those operating in the EU or working with consumers from the EU market were forced to update their privacy/personal data policies. In turn, in Ukraine, significant progress in the development of legal regulation of personal data protection occurred later. As of 2010, public relations regarding collection, storage, use and dissemination of information about a person were regulated by more than two dozen uncoordinated laws and secondary legislation. To specify and define the mechanisms for implementing the provisions of Article 32, Constitution of Ukraine, which proclaimed the right of a person to non–interference in its personal life and established a ban on the collection, storage, use and dissemination of confidential information about a person without its consent, the Verkhovna Rada of Ukraine in 2010 adopted the law of Ukraine “On Personal Data Protection”. Having played a vital role in the legislative codification of the rules for processing personal data, the law, like the Directive, failed to respond to technological changes and the processes caused by this in society, despite numerous amendments made by MPs. Since the Association Agreement between EU and Ukraine came into power, there is noticeable arising necessity to harmonize the Ukrainian legislative framework with EU, as though contexts of adoption of the Regulation and the Law are different, so are the ways of resolving personal protection issues in Ukraine and the EU. Therefore, it is necessary to establish the new legislative amendments, the degree of compliance of personal data protection standards in Ukraine with the relevant standards in the EU. In this paper, as an outcome of estimations of relevant international research, further analytical and comparative analyses, there are some proposals to future institutional features of such modernization, affecting such issues as: clarification regarding material effects in order to limit legal regulation and avoid excessive legal burden on individuals, as well as in some cases on state authorities; providing new definitions of concepts that are not yet available in domestic regulation; establishment of fundamental guidelines for the processing of personal data in accordance with international standards; fostering more sustainable standards for the processing of sensitive personal data; in-depth structuring the issue of processing personal data for a different purpose than the one for which they were collected; regulating the implementation of the rights of personal data subjects, in particular, the right to information, the right to access, the right to correct personal data, the right to be forgotten, the right to personal data mobility, the right to restrict the processing of personal data, the right to protection from automated decision-making, the right of the data subject to protection of their rights and compensation for damage; clarifications regarding the definitions of the duties and responsibilities of the personal data controllers and operator; sustainable regulations concerning the issue of cross-border transfer of personal data.
Read full abstract