Kazakhstan: Amendments to privacy law
In February 2021, the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan ('MDDIAI') announced their acceptance of proposals to the draft legislation on personal data. Such legislation is aimed at strengthening the protection of personal data and expanding the rights of citizens regarding personal data. Leila Makhmetova and Aliya Zhumekenova, Partner and Counsel respectively at GRATA International, discuss these changes and what their impact may be.
In April 2021, the MDDIAI republished for public discussion the draft legislative amendments, which aim to strengthen the protection of personal data of individuals, their rights, and their freedoms, as well as to tighten control over operators of personal data, along with a number of other changes. The expected main changes are:
- a ban on collection and dissemination of personal data from publicly available sources without consent of the individual; and
- strengthening control over the legitimacy of processing and protection of personal data.
The owners and operators of personal data would be given one year to adjust their activity in line with the new regulations.
What is the reason behind the introduction of further amendments?
In the era of digitalisation, enhancing personal data protection measures by different states has become a global trend. Introduction of these amendments is justified by the increase in cases of illegal use of personal data of the citizens on various internet resources in the territory of Kazakhstan.
Therefore, relying on international practice of personal data protection, the developers plan to tighten control over operators who collect and process personal data of the subjects. These amendments are meant to solve the problem of uncontrolled use of personal data of citizens by third parties.
The amendments provide for various changes in the field of personal data. The main ones are highlighted below.
Supervisory authority powers and notification obligations
The MDDIAI as a competent authority would become empowered to monitor compliance with legislation in the field of personal data protection by operators, owners, and third parties. Such a power was not envisaged before for the authority, with corresponding amendments to be introduced into the Entrepreneurial Code of Kazakhstan.
Moreover, collection and processing of personal data in the territory of Kazakhstan would only be possible if a notification of the respective activity being commenced is sent to the competent authority. The notification must contain a list of information regarding the process of collection, processing, and protection of personal data. This list includes the purposes of collection and processing of personal data, categories of personal data, contact details of the operator, and some other information.
Currently, such an activity must only comply with the requirements of Kazakhstan's legislation in the field of personal data protection. This amendment will allow for greater transparency in the area of personal data protection in Kazakhstan, as well as monitoring of companies' compliance with these new legal requirements.
The main aim of the amendments is to protect the rights of individuals by maintaining the register and carrying out preventive and control measures in cases of violation of the legislation by operators.
It is planned that the provided notification to the competent authority will be used to create and maintain the register. In accordance with the amendments, the register means an electronic information resource containing publicly available information about operators, personal data processed by them, and the conditions for the collection and processing of personal data.
For now, the state body that will form and maintain the register will be the MDDIAI.
To achieve this, Kazakhstan is aiming to introduce a registration obligation for operators of personal information, in the form of an information resource.
Furthermore, dissemination of personal data from publicly available sources, as well as the collection, processing, and distribution of personal data from publicly available sources, would be allowed only with the consent of the individual or his/her legal representative. This requirement does not apply to state bodies when they implement their duties to disclose certain information. This amendment was introduced following a large number of complaints from citizens whose personal data had been collected from open governmental sources and then formed into separate databases and used for operators' purposes.
In addition, Article 8 of the Personal Data Law will be rephrased to provide clearer language on how to obtain consent from subjects for the collection and processing of their personal data.
The current wording of the Article establishes that consent could be obtained in writing, in the form of an electronic document or through the Personal Data Security Service ('the Service'), the purpose of which is to ensure interaction of the owners and/or operators with the individual, as well as 'in any other way using elements of protective actions that do not contradict the legislation of Kazakhstan.' The latter option often causes misunderstanding and, therefore, the competent authority has had to clarify this rule frequently.
The wording of the Article is proposed as follows: 'The individual or his/her legal representative may give consent to the collection, processing of personal data in writing, through the Service or in another way that allows the subject to be identified and confirms that consent has been obtained.' Thus, consent may be obtained in any format that allows the identification of the subject and the confirmation of the fact that their consent has been obtained. This will help to avoid misunderstandings about the acceptability of using certain methods of obtaining the respective consent from individuals.
In addition, according to the proposed amendments, along with the owners and/or operators, the competent authority would now be among the entities that are able to interact with the individual through the Service.
The formation of the register, as mentioned above, is intended to stop the uncontrolled and often illegal collection and dissemination of personal data. The introduction of the register should help to prevent unauthorised dissemination of personal data.
These changes would require companies in Kazakhstan to adjust their internal policies and rules for dealing with personal data of employees and/or third parties in line with the new legislative requirements. At the least, such an internal audit would likely add to the activity of personal data compliance officers in the companies, which are now required to have a personal data compliance officer as established by the previous amendments to the Personal Data Law enforced in January 2021.
This measure would certainly have an impact on companies dealing with the personal data of employees. It should be noted that employers in Kazakhstan already submit personal data of employees to a special database owned by the Ministry of Labour of Kazakhstan, and so we cannot exclude the possibility of internal collaboration between the MDDIAI and said Ministry to optimise the register without a need to overly burden companies.
Companies engaging the operators in Kazakhstan, irrespective of their residence, will likely have to be more careful while setting the terms of the service contracts with operators in terms of adjusting the level of liability. At the same time, business companies can be more confident as to the reliability and legitimacy of the data collected by operators.
The most pressure under the new rules would be on companies which specifically engage in activities related to the collection and processing/dissemination of personal data, such as companies specialising in marketing, statistics, agency services, etc.
It is also worth noting that the draft legislation raises a number of questions from opposing mass media, whose activity would now be complicated in terms of availability of information collected from public sources. The journalists' concerns are that the changes in their proposed form would mean that access to information and freedom of speech will be undone, whereas it will be easy to demand the deletion of any information on individuals with a tainted reputation from public sources by enforcing the protection of their personal data.
In general, our belief is that these legislative changes will help to streamline the activities of operators, build trusted relationships between companies and their employees in terms of processing personal data, as well as avoid unauthorised or illegal use of personal data and dissemination of personal data for personal gain.
Finally, it is expected that the level of confidence of citizens should increase when contacting banks and other private organisations which collect or process the personal data of citizens. There is also an expectation that the changes will encourage foreign investors to enter the market, who can be confident in the Kazakhstani system for storing and processing personal data.