In the last four years, there have been major legal developments in Kazakhstan in relation to data protection. Law No. 94-V on Personal Data and Protection of 21 May 2013 (the ‘Personal Data Law’) established a new regime for the protection of personal privacy. Businesses organised their activities to comply but there was another major change to the law in January 2016. The change included a ‘localisation requirement’, by which ‘databases’ needed to be stored within Kazakhstan. Businesses have had to look again at their compliance and, in many cases, modify their business practices.

Author: Alexandr Chumachenko

Firm: AEQUITAS Law Firm LLP

Under the amended law, ‘databases’ must be stored in the territory of Kazakhstan. A ‘database’ means an aggregate of organised personal data and this is very broadly defined, covering virtually any type of storage facility. It might be:

  • a place (e.g. an office);
  • a piece of equipment (e.g. a company server or computer);
  • a piece of furniture (e.g. a cabinet or shelf in a cabinet);
  • a data medium (e.g. a sheet of paper, a CD or DVD); or
  • electronic information resources (e.g. a cloud computing service or an electronic information resource).

‘Storage’ means actions taken to ensure the integrity, confidentiality and accessibility of personal data.

The practical effect of the requirement is that any tangible media containing personal data must be physically present in the territory of Kazakhstan.

Matters are more complicated for internet resources containing personal data. In this case, the territory of Kazakhstan can be understood as the Kazakhstan segment of the Internet (as defined in the ‘Rules for the Registration, Use and Allocation of Domain Names in the Space of the Kazakhstan Segment of the Internet’ approved by Order No. 118 of 28 January 2016). For these resources, the related hardware and software must be physically present in the territory of Kazakhstan.

Who falls within the localisation requirement?

The Personal Data Law contains no provisions governing the scope of its application and therefore can be assumed to be generally applicable to all.

The impact of the localisation requirement may be particularly high for foreign companies because they often process personal data centrally at their head office. For example, in a situation involving multiple parties, only one of whom is in Kazakhstan (specifically, a database operator or owner), Kazakh data protection law still applies but it is not clear how the localisation requirement fits in.

Consider, for example, a Kazakh representative office of a foreign company that is storing data about a foreign employee from the company's head office. In this case, the representative office may be regarded as a database owner or operator. If the localisation requirement generally applies to foreign companies, then the representative office may be required to store the personal data of a foreign person in Kazakhstan, even if the data are collected in the course of their activities outside Kazakhstan.

When does the localisation requirement apply?

New legal obligations apply from the date they come into force unless the law expressly provides otherwise. The localisation requirement does not apply retrospectively. However, this creates some confusion, because the localisation requirement could apply to:

  • data collected on or after 1 January 2016; or
  • data processed on or after 1 January 2016 (in which case, it would apply to data collected before 1 January 2016).

The rationale for the requirement applying to data processed on or after 1 January 2016 is that personal data storage is a process, not a one-time action.

The Kazakh public authorities (i.e. the Minister of Investments and Development and the Minister of Internal Affairs) differ on this issue, and the question will need to be resolved.

Sanctions for breach

Breaching data protection law can incur substantial liability, both administrative and criminal, but there are no specific sanctions for breaching the localisation requirement. This means the authorities will look to the Administrative Code or the Criminal Code for guidance. However, at the time of writing, there is no case law dealing with this issue, so it is currently unclear which penalties the authorised agency will use to enforce the localisation requirement.

Conclusion

The 2016 changes have been problematic both legally and for businesses, but this does not release businesses from the need to comply. We recommend you take advice if you have operations in Kazakhstan and want to understand how best to process data in light of the changes.