The European Commission reports Ukraine failed to align its personal data protection laws with EU standards. Citizens’ data remain vulnerable, while independent oversight remains blocked by authorities.
“Ukraine has made no progress in aligning its legislative framework on personal data protection with EU law,” the European Commission notes in its Report on Ukraine’s progress within the EU enlargement process (page 42). This was reported by Kostiantyn Korsun.
Translated from diplomatic language into plain speech, this roughly means: “No one in Ukraine has seriously dealt with personal data protection, is dealing with it now, or intends to deal with it in the future.” Perhaps the Divine Misha would like to discuss this very topic at his pompous win-win conferences? No? Why not?
It seems that unlike cybersecurity issues (see the previous post), the issue of personal data protection was something the European Commission still had to record — exactly as it stands.
In one paragraph — but had to. Because the Ukrainian authorities have done about as much in this direction as Nazar, Iryna, Kharyton, Ulyana, and Yaroslav.
And I know why this is happening.
Because personal data protection is the exact opposite of what Ukraine’s Ministry of Digital Transformers was created for.
Engaging in genuine personal data protection would be like shooting themselves in the foot for the “digitalizers.”
After all, if an independent and professional National Commission for Personal Data Protection existed (the draft law for which has been lying around since 2022), the “Diia” project (and other similar initiatives) would have been shut down — or perhaps not even allowed to launch in the first place.
When the European Union says “EU legislation on personal data protection,” it means the GDPR — according to which every EU member state must establish an independent data protection authority. Independent — like NABU and SAP in the field of anti-corruption. That means the head of such an institution cannot be dismissed at the whim of the President, nor even by the Divine Vice Prime Minister himself.
The Europeans have been demanding the creation of such a body for more than ten years, but somehow it’s always “not the right time.” Allocating 4 billion hryvnias to the Ministry of Diia — that’s timely. But protecting people’s personal data? “Let’s do it after the war.”
Without an independent institution, there’s no way to verify whether the government is lying when it says, “Don’t worry, everything’s safe,” “Rezerv+ is securely protected,” or “Diia can’t be hacked, it’s just enemy psy-ops.”
Only an independent authority could assess the real level of registry protection.
Only an impartial professional could determine whether the government is collecting too much information about citizens — and whether that violates their constitutional rights.
Remember this conclusion from the European Commission — “Ukraine has made no progress…” — every time you hear about the sale of Ukrainians’ databases or another registry breach. Or when fraudsters call you knowing your full name, place and date of birth, and your mother’s maiden name.
I always say that “Ukraine is like Somalia when it comes to personal data protection.”
The European Commission can’t allow itself to put it that way, so it diplomatically writes, “Ukraine made no progress…”
What should you do when your own state refuses to protect its citizens?
I can only advise: “learn to protect yourself” — because no one will protect you better than you can.
It would also help to delete all government tracking apps from your smartphone.
In particular, I’ve explained here how to remove Diia — and why that helps.
And you also need to realize that once you hand over your personal data to the “state,” you lose control over it — and under current conditions in modern Ukraine, there is no way to monitor how it is used. None, period.
For that, an independent institution should exist, but digitalizers reliably block its creation. So my advice is: don’t hand over your data — whenever possible.
You could also demand something from the hired officials, like “be responsible and qualified” or “stop engaging in Diia-populism” — but of course, that’s utopia.
And why demand anything if “Diia is so convenient” (C)?
P.S.: Do you see the zeros on the right in the graph? That’s the number of data leaks officially acknowledged by the government. So leaks happened — but none were recognized.
In 2024, 857 complaints were filed by victims, but only two sanctions were imposed. That means the response effectiveness was about 0.23% — and these are official figures from the Ukrainian authorities themselves. Most problems were simply hidden, and the majority of victims didn’t even bother filing complaints — because they saw no point.
And I understand them.




















