A new Law On Amendments to Certain Legislative Acts on Informatization in Kazakhstan (hereinafter the Informatization Law) was published on 26 November 2015 and made some amendments to the Law on Personal Data and Protection Thereof dated 2013 (hereinafter the Personal Data Law).

Personal data localization

Under the Informatization Law, owners, operators of databases containing personal data and third parties shall store personal data on the territory of Kazakhstan (personal data localization requirement).

Neither the Personal Data Law, nor the Informatization Law identifies persons to whom the new rule applies. Generally, Kazakhstani laws are effective within the territory of Kazakhstan. It means that the new localization requirement applies to companies established in Kazakhstan, sole proprietors in Kazakhstan as well as representative offices and branches of foreign companies.

So the question then arises does the requirement to store personal data on the territory of Kazakhstan extends to foreign companies without any legal presence in Kazakhstan, whose operations are aimed at Kazakhstan and whose websites are accessible in the territory of Kazakhstan (e.g. Internet companies)? If one considers the issue from a perspective of website accessibility in Kazakhstan, this would mean that Kazakhstani laws apply globally, which would make enforcement of the laws impossible to control.

When drafting the Informatization Law, the Ministry of Transport and Communications of Kazakhstan stated that the localization requirement should not apply to any relations outside Kazakhstan, but should apply to Internet resources supported by hardware located in Kazakhstan.

At the present time, there are a number of issues about the procedure for implementation of the localization requirement that remain unclear. Kazakhstani laws do not identify the segment of the Internet which falls under the state jurisdiction (e.g. hardware located on the territory of Kazakhstan, hosting a website, etc.). Law enforcement authorities may insist that the localization requirement applies also to owners of Internet resources whose supporting hardware is located on the territory of Kazakhstan.

Based on this, we sent an inquiry to the author of the Informatization Law and to the Committee on Communications, Information and Informatization of the Ministry of Investment and Development of Kazakhstan concerning the procedure for implementation of the localization requirement. In addition to the question about businesses to which the requirement applies, we asked the following questions:

  • Is the localization requirement limited to personal data which has been obtained by a company in the course of activities aimed at collecting such data, and not as a result of accidental (unrequested) receipt of personal data (e.g. through providing services as an information intermediary)?
  • Does the localization requirement apply to data collected before the effective date of the Information Law, if such data is amended thereafter?

Cross-border transfer of personal data

The provisions on cross-border transfer of personal data remain unchanged. It is assumed that personal data stored on the territory of Kazakhstan may be further transferred to databases located outside Kazakhstan and operated by third parties in compliance with regulations on cross-border transfer of personal data (receipt of consent from personal data subjects).

Administrative liability for violations of the personal data localization requirement

While the Informatization Law has made some amendments to Kazakhstan’s Code of Administrative Violations, no administrative liability has been introduced for violation of the personal data localization requirement.

The localization requirement for personal data storage will come into effect on 1 January 2016.