Ukraine to establish new personal data protection agency: Why it matters

Date: 01 June 2026
A+ A- Subscribe

As part of its accession to the European Union, Ukraine must align its personal data protection legislation with EU standards and establish an independent supervisory authority. At present, oversight of personal data protection rests with the Ukrainian Parliament Commissioner for Human Rights (ombudsman) and the ombudsman’s Secretariat.

Photo credit: Center for Civil Liberties

The issue was discussed during the Human Rights Dialogues conference, organised by the Center for Civil Liberties in Kyiv on 27-28 May, ZMINA reported.

As part of the EU accession process, Ukraine is required to establish an independent supervisory authority for personal data protection. This obligation is included in the Fundamentals cluster, the first chapter of Ukraine’s EU accession negotiations. However, no such authority currently exists in the country. Under current Ukrainian law, supervisory powers in the field of personal data protection are exercised by the Ukrainian Parliament Commissioner for Human Rights.

Yulia Derkachenko, the ombudsman’s Representative for Information Rights, said Ukraine’s personal data protection framework requires substantial reform to bring it into line with the EU General Data Protection Regulation (GDPR).

“The Human Rights Commissioner exercises not only parliamentary oversight in the field of personal data protection but also supervisory functions, including planned and unannounced inspections. For the Commissioner, this supervisory role is not a natural one,” she elaborated.

Derkachenko noted that the number of complaints submitted to the ombudsman concerning privacy rights increased sharply throughout 2024 and 2025.

“As a result, we have to respond to these complaints within a very short timeframe. Most of these violations of the right to privacy fall under Article 182 of Ukraine’s Criminal Code,” she said, referring to the unlawful collection of confidential personal information without an individual’s consent.

“In 2025, the Commissioner initiated 35 criminal proceedings related to such violations.”

She also recalled that parliament has registered two draft laws: the Draft Law on Personal Data Protection (No. 8153) and Draft Law No. 6177, which proposes establishing an independent National Commission for Personal Data Protection and Access to Public Information.

Draft Law No. 6177 proposes creating a supervisory authority that would combine oversight of personal data protection with oversight of access to public information.

According to Ihor Rozkladai, deputy director of the Centre for Democracy and Rule of Law (CEDEM) and the organisation’s chief expert on media law and social media content moderation, two institutional models exist internationally. In one model, both functions are exercised by a single authority, while in the other, they are carried out by separate institutions. Which model works best depends largely on a country’s legal culture.

In his view, Ukraine will have to determine through practice which model suits it best and develop its own institutional standards, just as it successfully did while drafting the Law on Media.

“Our goal is to protect personal data. At the same time, we must safeguard government transparency, and access to public information must remain open,” Rozkladai said.

“The key question is not whether such an institution will be created or how it will function. The real question is whether both rights will be effectively protected, whether the proper balance will be maintained, and whether our democracy as a whole will be safeguarded.”

He also noted that without Ukraine’s law on access to public information, the Revolution of Dignity might never have happened because investigations into the Mezhyhirya residence and the corruption surrounding former president Viktor Yanukovych would not have been possible.

At the same time, Rozkladai believes establishing an independent supervisory authority under current Ukrainian conditions will be extremely challenging, not least because such an institution would require substantial funding.

Tetiana Avdieieva, a senior lawyer at the Digital Security Lab and a member of the Expert Committee on Artificial Intelligence under Ukraine’s Ministry of Digital Transformation, stressed that one of the European Union’s key requirements for the new institution is political independence.

According to Avdieieva, members of such a supervisory authority should not be appointed by political parties or by bodies that are subject to political influence.

She suggested that Ukraine could draw on the model used by the National Council of Television and Radio Broadcasting of Ukraine, effectively replicating its procedures for conducting independent competitive selection processes. However, she cautioned that recruiting sufficiently qualified professionals could prove difficult.

“Where are we going to find experts with knowledge of European legislation, data processing rules and the technical expertise to understand how different data processing systems and platforms operate?” Avdieieva said.

Under the government’s roadmap for Ukraine’s accession to the European Union, the National Commission for Personal Data Protection and Access to Public Information is expected to become operational by the end of 2026.

According to Derkachenko, the draft law on personal data protection is currently being revised. The document has undergone expert assessment by the Council of Europe and received positive conclusions. The next step is the first meeting of the working group tasked with finalising the revised draft.

As ZMINA previously reported, the Ukrainian ombudsman received more than 152,000 appeals in total last year, around 15,000 of which concerned violations of information rights. Of those, 2,254 related specifically to alleged violations of the right to privacy.

Experts say Ukraine still lacks both an effective legal framework and practical mechanisms for protecting personal data. Among those highlighting the problem is Maksym Shcherbatiuk, programme director of the Ukrainian Helsinki Human Rights Union.

A shadow report prepared by a coalition of civil society organisations for the European Commission’s 2024 report on Ukraine concludes that Ukraine’s personal data protection legislation has neither been modernised nor brought into line with the EU’s core legal framework.

Ukraine’s Law on Personal Data Protection, adopted in 2010, is now widely regarded as outdated. Experts say it fails to address many of today’s key data protection challenges, including online data protection, the digitalisation of public and commercial services, cybersecurity and the growing use of advanced technologies.

Share:
Нашли ошибку? Выделите её и нажмите Ctrl+Enter или ⌘+Enter.