These are the second major amendments to the Personal Data Law in the past six years. The first amendments in 2015 concerned localization of personal data in Kazakhstan. The amendments that are being discussed now give individuals more control over the use of their personal data.
The amendments will affect:
- The letter of consent for collection and processing of personal data;
- The use of personal data by “smart cities”;
- The list of the rights of entities (it is proposed to introduce the right to be forgotten3).
Letter of consent
The Draft Law on Regulation of Digital Technologies on the one hand simplifies the collection of consent for the processing of personal data; on the other hand, it enables data subjects to control the use of their personal data.
Form of the letter of consent
It is envisaged that consent for the collection and processing of data may be issued in electronic form. Such an electronic form will be provided in the Personal Data Law separately from the existing option with the signing of the letter of consent by electronic digital signature (EDS).
Neither the Draft Law on Regulation of Digital Technologies, nor the current legislation of Kazakhstan, defines what an electronic form is. Therefore, the issue of obtaining consent in electronic form can be approached in different ways.
One can use only those options provided for by the legislation of Kazakhstan that can be attributed to the electronic form. This would require a document signed by EDS or exchange of electronic mails. This is a conservative but "safe" approach. There are no other options for obtaining consent in electronic form in Kazakh legislation. A different approach is also possible, not to be limited to an electronic document with EDS and exchange of e-mails, but to use other methods of obtaining consent in electronic form. A fairly common way is to check the box under the consent form in the Internet. However, in this case, the way of obtaining the consent of the data subject must be well thought out in order to eliminate or minimize the risk that the consent will be recognized as not obtained.
Content of the letter of consent
Currently businesses often use very broad wording of purposes for the collection and processing of personal data and leave the list of purposes open.
In case of the adoption of the Draft Law on Regulation of Digital Technologies, the letter of consent will contain specific purposes that must be predetermined.
Thus, the data subject will be given the right to control the use of his/her personal data. Any additional purpose of using the data will require additional consent from the data subject. And the data collected must not be redundant in relation to the purposes for which they are collected.
The Draft Law on Regulation of Digital Technologies proposes to oblige companies to depersonalize personal data for big data analytics. Once data depersonalization happens, it will no longer be possible to identify data subjects. This norm has not yet been tested by practice, however we believe that some entrepreneurs will be limited in their business opportunities. For some services, the ability to identify the data subject may be important.
The right to be forgotten is a right that allows a data subject to demand the removal of his personal data from publicly available data sources. The Draft Law on Regulation of Digital Technologies provides that data can be deleted at the request of the data subject or by the decision of the court. From the Draft Law it is obvious that entrepreneurs are not obliged to delete data at the request of the data subject; they can refuse to delete the data even without indicating the reasons for the refusal. The data subject may still oblige the person to delete his personal data through the court.
It is worth pointing out that currently the issue of creating a regulator in the area of collecting and processing personal data is being discussed; in Kazakhstan there is no such state body yet. Without a regulator, in our opinion, there is no uniform practice in applying the Personal Data Law. For example, there is still no single position on what to consider as personal data because the existing definition of the term “personal data” can be interpreted both broadly and narrowly. The Draft Law on Regulation of Digital Technologies contains language that can be interpreted ambiguously, including the language related to the form of electronic consent mentioned above