Civil claims in Ukraine for personal data protection

I took a shovel, a little of inner balance and inspiration, and opened the court register to check what claims our compatriots file with civil courts and what the court says to them.

The courts have been trying to interpret the little-known data protection law for years, sweating on their brows. They have succeeded in doing so in a way that makes moral damages in privacy cases out of the question. But at least there are some chances if you go to court to demand that the data be deleted or that the processing be declared unlawful.

Let’s review the cases in detail by type of claim. Warning: This is only for those who do not like cherry on top but rather like hardcore.

Claim 1: Declare loan agreements invalid because of unlawful processing of personal data

We are talking about cases involving credit institutions where personal data and the invalidity of contracts are involved. For example, the plaintiffs ask to declare loan agreements invalid and claim that personal data is processed illegally (no consent, improper consent, impossibility of withdrawal of consent). There are many similar decisions, and not only from the courts of first instance(Decision 1, Decision 2, Decision 3, Decision 4, Decision 5, Decision 6, Decision 7, Resolution 1, Resolution 2).

Courts usually decide in favor of the credit institution because either the courts are satisfied with the consent or they say that in such situations consent is not required because there is another legal basis for processing – the need to conclude/execute a contract. And here the courts would be right. If they did not confuse “consent” and “contract” as grounds for data processing under Article 11 of the Law of Ukraine “On Personal Data Protection”. In one sentence, the courts state that no consent is required because the processing is necessary for the performance of the contract, and in the other, that the plaintiff voluntarily agreed to the processing. Or they correctly say in one sentence that consent is only one of the grounds for processing personal data, so withdrawal of consent is possible only in the case of processing with consent, and do not delve further into the “contract” as a ground for processing.

So, courts tend not to dig deeper and analyze how much information about a person is necessary to conclude a contract or how widely a contract can be used as a basis for processing. Perhaps these are just our dreams of roses. After all, what good is it if the court confuses “notice of processing” and “consent to processing?”

Claim 2. Declare data processing actions unlawful + oblige to delete data

Plaintiffs in civil cases are very fond of asking the court to delete their data. For example, they ask to delete data in the following situations:

• Choice of identifier and religious beliefs

The plaintiff asked to remove data from databases. For religious reasons, they did not want to have a code by which they would be identified for utility billing purposes (Decision). The court sided with the plaintiff and ordered the defendants to register the consumer by name and place of residence. However, the reasoning contained very little about personal data but a lot about freedom of religion and a non-exhaustive list of rights and freedoms under the Constitution.

• Personal data in a residential chat on WhatsApp

In this case, a residential association published a decision of the general meeting in a chat room, with a statement containing the plaintiff’s personal data as an attachment. The plaintiff objected to the publication of his data and requested that it be removed from the chat. The residential association argued that it was not subject to personal data protection legislation. The court ruled that the condominium association was a “third party” within the meaning of our law, and therefore had to delete the plaintiff’s personal data.

The funny thing is that when interpreting the term “third party”, the court looked at a guide to European law on personal data protection. It’s atypical but very informative:)

• Personal data fraud

The plaintiff requested that the agreements be declared invalid and their data be deleted from the databases of the credit institution where the fraudsters had taken out a loan for them. The court agreed with the plaintiff that the data had been collected illegally, referring to paragraphs 6 and 11 of part two of Article 8 of the Law of Ukraine “On Personal Data Protection”. And this is a very funny combination. Clause 6 refers to the right to delete data that was obtained illegally. Clause 11 is about the right to withdraw consent. If the data was obtained illegally, what does “consent” mean? Moreover, the court itself has determined that consent is not required to enter into a loan agreement, as there is a basis for “concluding and performing a transaction”. They confuse because they don’t understand.

• Personal data in Portnov’s Telegram channel. The case is a masterpiece, I advise everyone to read it!

The plaintiff in the case complained that the PortnovUA Telegram channel had published their surname, name, patronymic, date of birth, car license plate, address of residence, and tax identification number data. The plaintiff is the driver of Radio Liberty. Having seriously considered the important role of the driver, the courts of first instance and appeal decided that there was no violation, but rather the dissemination of restricted information that was of public interest (hahaha).

Doubting the public or political interests raised by their data, the plaintiff filed a cassation appeal. In their opinion, the sole purpose of publishing the plaintiff’s personal data was to punish Radio Liberty journalists for their work (and the journalists were working on an investigation into Portnov). Therefore, the data should be deleted.

The Supreme Court questioned the public interest and emphasized that the burden of proof for the use of the exception and dissemination of data without consent should be on the defendant. The Court also stated that the previous courts had not investigated the case thoroughly, so it remanded the case to the court of first instance for a new trial. The key point, according to the Supreme Court, is that the courts:

• incorrectly distributed the burden of proof in the case (did not put Portnov under enough strain),
• it is unclear why they decided that there was a public interest in disseminating the data of the Radio Liberty driver in response to the allegedly illegal investigations of Portnov’s activities by journalists,
• did not establish the fact of dissemination of personal data and whether there was consent or exceptions on the basis of which the data could be disseminated.

The Pechersk District Court of Kyiv has long since appointed the composition of the court (it distributed judges in 2022). However, so far, only the decision to open the proceedings of August 4, 2022, is publicly available. I am very, very eager to read what the Pechersk court will do in the end.

• The term of storage of personal data by the bank and withdrawal of consent

In a court case (Resolution), the plaintiff claimed that the bank had unlawfully stored personal data. The plaintiff explained that they were no longer a customer of the bank and were withdrawing their consent and requesting that the data be deleted. The court of first instance, as well as the court of appeal, reminded the plaintiff that the bank has a statutory obligation to store data for 5 years (as this is a direct requirement of the anti-money laundering law). However, the court took a completely unexpected approach to the issue, stating that the plaintiff had not proved that the data should be deleted on one of the grounds set out in Article 15 of the Law on Personal Data Protection.

Neither the court of first instance nor the court of appeal was interested in another way of defense – to prove that there is still a reason for data processing – “the need to fulfill the obligation of the personal data owner provided for by law”. So again, we see a superficial analysis, albeit a correct decision (in favor of the bank).

Claim 3. Oblige the bank to respond to the request and declare the bank’s “silence” unlawful

The plaintiff complained to three courts that their request for access and deletion of data was ignored by the bank. The plaintiff wanted the bank to consider their request for withdrawal of consent and provide them with data and documents about them: a banking services agreement, bank card and account numbers, current debt status, and a bank statement. In addition, the plaintiff asked the courts to order the bank to do the following:

• stop using their personal data and delete this data,
• provide information and copies of documents containing their personal data, information about the persons to whom and when access to the data was granted;
• provide a certified copy of the bank’s regulatory document governing the processing of personal data.

The first instance and appeal courts ruled in favor of the bank. The court of first instance found that the bank had responded to the plaintiff’s requests and provided documents, so there was no inaction. In its explanation, the court referred exclusively to the provisions of the Law of Ukraine “On Citizens’ Appeals”, without mentioning Article 8 of the Law “On Personal Data Protection”. The Court of Appeal agreed with the court of first instance and stated that the plaintiff had not refuted the bank’s arguments about personal data. The Supreme Court decided to take the easy way out and refused to open cassation proceedings.

The case could have been more interesting only if the bank had not responded. Or, if the plaintiff had done a better job of arguing that his right to access the data had been improperly secured. Or, if the court had known about the existence of Article 8 of the Law on Personal Data Protection.

Claim 4. Establish the fact of unlawful processing

The plaintiff filed a lawsuit in the context of the invalidity of a utility contract. The plaintiff sought a declaration that City Heating Networks had processed her personal data unlawfully without her consent. The Court of Appeal decided that another ground for processing should be applied – permission to process personal data by a service provider, granted by law solely for the exercise of authority. However, the court also noted that the plaintiff had not provided evidence that her data was used for anything other than the provision of services. In the court’s opinion, the plaintiff had to explain well which of her data had been processed unlawfully and why.

Let’s dream and imagine that the Court of Appeal could explain the difference between “permission to process” and “the need to perform a transaction”. After all, we are also talking about a contract and services here, so why can’t a “transaction” be the basis? The courts did not give a direct answer, so we can read between the lines that there is a specific entity here that the executive committee of the Zaporizhzhia City Council decided to appoint as a utility service provider. This means that this entity has very specific public powers, and in order to fulfill them, it needs to process personal data. It’s a fine line, and it would be nice to see an explanation from the Ukrainian Parliament Commissioner for Human Rights.

Claim 5. Recognize the information as unreliable and degrading to honor, dignity, and business reputation (and a bit about anonymization)

The plaintiff filed a lawsuit because a TV channel published an investigation about her without her consent, claiming that she was the mother of a child she allegedly gave birth to and abandoned at the age of 16. The plaintiff confirmed that this information was untrue by taking a DNA test. Instead, the TV channel claimed, among other things, that it had anonymized the plaintiff’s information. In the story, the channel interviewed the plaintiff’s relatives and filmed her mother’s grave, which showed the years of her life, her mother’s name and patronymic, and the location of the shooting, including the location of neighboring graves. The channel also published an audio recording of a conversation with the plaintiff without her consent. The plaintiff argued that all this was information about her private life, and the defendants argued that the plaintiff could not be identified from the video file provided (nice try!).

The Court of Appeal agreed that the footage contained sufficient information to identify the plaintiff. In addition, these materials form an immoral image of the plaintiff among her relatives, friends, and strangers. Therefore, the court confirmed that there was an unlawful dissemination of personal data (without consent), and the published information was unreliable and degrading.

The case is interesting because of the courts’ attempt to explain when data is anonymous and when it is personal. However, they also have to wade through the jungle of procedural rules to reach these conclusions.

Claim 6: Compensation for non-pecuniary damage

Unfortunately or fortunately, the decisions in this section are mostly in favor of the defendants. That is, non-pecuniary damage is mostly not compensated.

• Damage in connection with the dissemination of personal data without consent and the dissemination of false information defamatory of honor and dignity

In the case of the investigation into the story of an underage mother described above, the channel and the producer of the video footage had to pay UAH 800,000 in non-pecuniary damage to the plaintiff. The court of first instance ruled that it could be UAH 200,000 (due to the plaintiff’s moral distress, deterioration of family relations, and the need to make efforts to refute such information). The Court of Appeal took into account the defendants’ arguments that the amount of damage was unproven and obviously overstated and reduced the amount to UAH 100,000. In doing so, the court took into account the nature and extent of the mental suffering caused based on the principles of reasonableness and fairness.

This decision has a slight flavor of betrayal for a right-wing lawyer: if there had been no dissemination of “false” information, would there have been any moral damage at all? For example, if there had been a dissemination of true data without legal grounds for processing?

• Damages for intrusive phone calls

This case straddles the line between consumer protection and personal data protection. The plaintiff was not happy with the terms of her cooperation with the credit institution. So, among other things, she claimed that she had suffered mental anguish because the defendant had violated data protection and consumer rights laws. The defendant constantly called, sent messages, and contacted her through third parties, used threatening language and swear words, and all of this humiliated her honor and dignity. As a result, the plaintiff was in constant fear, which made it impossible for her to live a normal life, she was unbearably anxious, and this affected her health. The plaintiff was willing to endure all this for UAH 10,000 in non-pecuniary damage. The court disagreed, stating that the plaintiff had not proven insults and threats and that there were doubts as to whether the information disseminated by the defendant was false. The court did not say anything about intrusive calls to relatives without their consent.

• Damages for the unlawful publication of personal data on a Telegram channel

In the case of Portnov’s channel, which we have analyzed above, the plaintiff (a driver) also demanded UAH 10,000 in non-pecuniary damage for violation of the right to privacy. The Pechersk court rejected the plaintiff’s claim (because it decided that there was no violation). Perhaps, when the case is reconsidered, there is a chance that this issue will be considered.

• Damages for illegal transfer of data to the SBU

In this case, a company that equips and sells cars provided documents containing information about the plaintiff (name, identification code, registration addresses, passport details, payments, etc.) at the request of the SBU. The plaintiff was convinced that her right to privacy had been violated in this way, as her data had been disclosed without her consent. She sought to recover non-pecuniary damage from the defendant in the amount of UAH 1,476,458.42, the amount spent on the purchase of the car and its refurbishment. The plaintiff explained non-pecuniary damage as follows: the defendant’s unlawful actions had negative consequences for her physical and mental health.

The local court dismissed the claim, explaining that the plaintiff had not confirmed or explained the facts:

• evidence of moral suffering caused by the defendant and under what circumstances the moral damage was caused,
• what actions or omissions caused it,
• how the defendant’s guilt in causing non-pecuniary damage to the plaintiff is confirmed,
• that it was the defendant’s actions that caused the plaintiff non-pecuniary damage,
• the existence of a causal link between the defendant’s actions and the non-pecuniary damage caused to the plaintiff,
• what considerations it was based on when determining the amount of non-pecuniary damage.

The court did not comment on the legality of the SBU’s request, as the plaintiff did not challenge the SBU’s actions as unlawful.

The Court of Appeal partially upheld the claim – the court distributed the court costs differently – but essentially confirmed that the response to the SBU request was lawful. According to the court, the SBU requested the car purchase documents to verify the facts of organized crime and corruption.

The Supreme Court agreed with the previous instances. It further explained the concept of non-pecuniary damage by referring to its earlier cases (e.g. this one). In short, it will be very difficult for a plaintiff to prove all the elements for compensation for non-pecuniary damage (especially causation), whether in privacy cases or others.

This case could have been very interesting if the courts had analyzed in more detail the legality of the SBU’s request and under what conditions the actions of the disclosing defendant could be unlawful. For example, the court did not analyze what elements should be included in a law enforcement request, what requests may be excessive, or what proportionality of the data may be disclosed. Are you laughing at my naivety yet?)

• Damages for unlawful dissemination of a telephone number on an envelope

The plaintiff received a letter from the Kyiv Court of Appeal. The envelope containing the letter contained the plaintiff’s telephone number without his consent. The plaintiff saw this as a violation of his right to privacy and therefore asked the court to recover UAH 100,000 in non-pecuniary damage from the defendant (and then wanted to increase the claim to UAH 200,000 on appeal).

The court of first instance dismissed the claim. The Court of Appeal dismissed the appeal and upheld the decision of the first instance court. Everything turned out to be simple: according to the Rules for the provision of postal services approved by the Cabinet of Ministers, the envelope must contain a telephone number. Therefore, the court (the defendant) did not violate anything. Therefore, moral damages are out of the question. However, the court also found that the plaintiff had not provided adequate and admissible evidence to prove non-pecuniary damage, nor had he explained what the violation of his rights was and what damage he had suffered.

The Court of Appeal ruled that referring to data protection legislation is for losers, so there is no legal justification for this part.

• Damages for unlawful disclosure of PD in correspondence

In this case, the plaintiff claimed that the defendant (the Centre for Social and Psychological Assistance, CSPA) had violated her right to privacy by unlawfully disseminating personal data and confidential information about her and her son. The CSPA sent a letter to the school where the plaintiff’s son was studying. In the letter, the CSPA asked the school to influence the plaintiff as a mother and urge her to be a responsible parent. In support of its request, the CSPA described the circumstances of the plaintiff’s residence in the CSPA’s premises and the improper use of social assistance. As this infringed on her honor and dignity, the plaintiff sought non-pecuniary damage of UAH 100,000.

The court of first instance partially satisfied the claim (recovered UAH 7,000 in non-pecuniary damage from the CSPA). The Court of Appeal overturned the decision and issued a new decision dismissing the claim. The court noted that there was no interference with privacy or dissemination of confidential information, but rather a critical assessment of certain facts about the plaintiff, and the actions of the CSPA were aimed at protecting its right (vacating the premises). And since there was no interference, there was no moral damage.

And, surprise! None of the courts thoroughly analyzed the legislation on personal data protection and whether there were grounds to disclose the information. It would have been interesting to read about the legitimate interest. The local court only said that the data was disclosed illegally because there was no consent from the plaintiff. And it referred to the Constitution and the Law of Ukraine “On Information”, completely forgetting about the special law on personal data. Well, it happens.

So, can all this be called good law enforcement?

Plaintiffs and defendants often influence good court decisions and provide good arguments. We want more and better. Some courts are doing a good job trying to understand what constitutes personal data and guessing that there is something else besides consent. But most of them need to dive into the Law of Ukraine “On Personal Data Protection”, and some just need to know that it exists. At present, Ukrainian courts run the risk of applying legal norms incorrectly without understanding their meaning. What can we expect from organizations that process personal data or ordinary consumers?

Specialized training would be useful in educating the courts. This may be more appropriate when a new data protection law based on the EU General Data Protection Regulation is adopted. The draft law is slowly progressing, so right-wing lawyers should hold out hope for its adoption in the first reading.