New legislative initiatives on GDPR are not supported by business

16/ 07/ 2024

On July 11th, the Business Security and Protection Committee of the European Business Association held a roundtable titled Risks of adopting a new law on General Data Protection Regulation (GDPR). In particular, the participants discussed draft legislative initiatives: No. 8153 On Personal Data Protection dated October 25, 2022 No. 6177 On the National Commission for the Protection of Personal Data and Access to Public Information dated October 18, 2021 Serhii Pohrebnoi, partner at Sayenko Kharenko and head of the Security and Business Protection Committee, emphasized the importance of stable and consistent legislation for businesses. During wartime, businesses need favorable conditions and motivation to continue operating, pay taxes, and support their teams. At the same time, it is unacceptable to burden businesses with additional regulations incompatible with the economic situation in the country, imposing additional costs and reporting obligations, especially in the context of legislative changes that are not urgent. Yaroslav Yurchyshyn, Member of Parliament and Head of the Verkhovna Rada Committee on Freedom of Speech, noted that although Ukraine is moving towards the EU and will adapt the necessary EU regulations, it must independently determine the priority of these initiatives based on national interests. Under martial law, the state imposes certain restrictions on access to information. Moreover, European partners do not express any recommendations regarding the urgency of adopting GDPR requirements; there are other more relevant requirements and tasks within the framework of EU integration. In the context of GDPR, maximum involvement of businesses and the public is needed, as well as the development of a vision for the feasibility and phasing of these processes. Serhii Milman, CEO of YouControl, spoke about the main provisions of the draft laws and what they mean for businesses.In particular, the introduction of GDPR standards in the current version will lead to a significant increase in business costs. GDPR in the EU was developed and agreed upon over about ten years with a two-year transition period. This is not foreseen in Ukraine. The hasty introduction of new rules during the war will entail significant costs for businesses to implement them - this includes payment for data protection officers, launching new security systems, software, etc. The new law provides for the creation of a new supervisory authority, which is empowered to conduct inspections and impose fines: on individuals - up to UAH 20 million, on legal entities - up to UAH 150 million, or up to 8% of the total annual turnover (currently, the maximum fine is UAH 34 thousand). Moreover, the budget must allocate significant expenses for the creation of the new regulator. There is a lack of professionals and a procedure for their training. The Ukrainian education system does not provide for the possibility of training/retraining tens of thousands of specialists in this field. Businesses will not be able to hire relevant specialists because they are not available on the market, and the training of such specialists may take at least three years. Additionally, the law restricts the rights of open data users and significantly complicates the compliance,business intelligence, and fact-checking procedures. Danylo Hloba, Head of the Board of the Open Data Association and Deputy Director for Legal Affairs at YouControl, noted that there are no imperative norms for the introduction of GDPR in Ukraine, only adaptation is possible. However, adaptation is not cloning. It should take into account the specifics of Ukrainian legislation, economic realities, the actual capacity of businesses and the state budget, martial law, etc. The development of the aforementioned draft laws took place without the involvement of entrepreneurs and consideration of Ukrainian realities. Following the discussions during the roundtable, business representatives agreed on an appeal to the Speaker and factions of the Verkhovna Rada of Ukraine regarding the inexpediency of considering these legislative initiatives in the Verkhovna Rada.

On July 11th, the Business Security and Protection Committee of the European Business Association held a roundtable titled “Risks of adopting a new law on General Data Protection Regulation (GDPR)”. In particular, the participants discussed draft legislative initiatives:

No. 8153 “On Personal Data Protection” dated October 25, 2022
No. 6177 “On the National Commission for the Protection of Personal Data and Access to Public Information” dated October 18, 2021

Serhii Pohrebnoi, partner at Sayenko Kharenko and head of the Security and Business Protection Committee, emphasized the importance of stable and consistent legislation for businesses. During wartime, businesses need favorable conditions and motivation to continue operating, pay taxes, and support their teams. At the same time, it is unacceptable to burden businesses with additional regulations incompatible with the economic situation in the country, imposing additional costs and reporting obligations, especially in the context of legislative changes that are not urgent.

Yaroslav Yurchyshyn, Member of Parliament and Head of the Verkhovna Rada Committee on Freedom of Speech, noted that although Ukraine is moving towards the EU and will adapt the necessary EU regulations, it must independently determine the priority of these initiatives based on national interests. Under martial law, the state imposes certain restrictions on access to information. Moreover, European partners do not express any recommendations regarding the urgency of adopting GDPR requirements; there are other more relevant requirements and tasks within the framework of EU integration. In the context of GDPR, maximum involvement of businesses and the public is needed, as well as the development of a vision for the feasibility and phasing of these processes.

Serhii Milman, CEO of YouControl, spoke about the main provisions of the draft laws and what they mean for businesses.In particular, the introduction of GDPR standards in the current version will lead to a significant increase in business costs. GDPR in the EU was developed and agreed upon over about ten years with a two-year transition period. This is not foreseen in Ukraine. The hasty introduction of new rules during the war will entail significant costs for businesses to implement them – this includes payment for data protection officers, launching new security systems, software, etc.

The new law provides for the creation of a new supervisory authority, which is empowered to conduct inspections and impose fines: on individuals – up to UAH 20 million, on legal entities – up to UAH 150 million, or up to 8% of the total annual turnover (currently, the maximum fine is UAH 34 thousand). Moreover, the budget must allocate significant expenses for the creation of the new regulator.

There is a lack of professionals and a procedure for their training. The Ukrainian education system does not provide for the possibility of training/retraining tens of thousands of specialists in this field. Businesses will not be able to hire relevant specialists because they are not available on the market, and the training of such specialists may take at least three years. Additionally, the law restricts the rights of open data users and significantly complicates the compliance,business intelligence, and fact-checking procedures.

Danylo Hloba, Head of the Board of the Open Data Association and Deputy Director for Legal Affairs at YouControl, noted that there are no imperative norms for the introduction of GDPR in Ukraine, only adaptation is possible. However, adaptation is not cloning. It should take into account the specifics of Ukrainian legislation, economic realities, the actual capacity of businesses and the state budget, martial law, etc. The development of the aforementioned draft laws took place without the involvement of entrepreneurs and consideration of Ukrainian realities.

Following the discussions during the roundtable, business representatives agreed on an appeal to the Speaker and factions of the Verkhovna Rada of Ukraine regarding the inexpediency of considering these legislative initiatives in the Verkhovna Rada.