This article discusses specific issues of legal regulation and application of Law of RK No.94-V, dated 21 May 2013, 'On Personal Data and Their Protection' compared to the European General Data Protection Regulation (GDPR) provisions. The findings and opinions set out in the article do not purport to be authoritative due to the need for more in-depth and extensive research.

For several years, personal data protection issues have attracted increasing attention from governments, businesses and the public. However, it is hard to say that in Kazakhstan, the governmental and private sectors and the population are entirely 'mature' or fully aware of the importance of paying due attention to personal data and its collection and processing.

The European experience shows how the European Union, its data protection regulators, the private sector and, most importantly, the population commit to data protection. Since the 1970s, Europe has systematically and progressively improved personal data protection legislation and its enforcement. Unharmonised national laws and difficulties in enforcement, particularly with international data transfers, led to the development of international instruments such as the OECD Guidelines[1] and Convention 108[2], which were among the first to set the basic principles and standards of personal data protection in the European Union. Based on the principles of these international documents, the Directive[3] on the protection of personal data of 1995 (the Data Protection Directive 1995) was adopted in Europe.

More than 20 years of the Data Protection Directive's enforcement practice and the decisions of the European Court of Justice formed the global "gold standard" in the legal regulation of personal data protection, namely the EU General Data Protection Regulation (GDPR)[4]. It is no secret that the EU Data Protection Directive 1995, and now the GDPR, have forced non-European states to adopt or amend their data protection legislation to meet the adequacy requirements for protecting the personal data of European Union residents outside Europe. Incidentally, it is hard to say that Kazakhstan's regime fully meets those requirements, which may mean that there are risks to the collection and processing of personal data of European Union individuals in Kazakhstan.

Nevertheless, Kazakhstan strives to keep in step with the times and global trends. Kazakh Law No. 94-V dated 21 May 2013, 'On Personal Data and Their Protection' (the 'Personal Data Law'), continues to evolve and improve. However, we still need to catch up with world standards in the exhaustive interpretation and implementation of legal norms.

Principles of Personal Data Collection and Processing

The GDPR (Article 5) defines six basic principles for personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. Most practitioners and legal scholars also regard the accountability of data controllers and operators as the seventh principle.

The Kazakhstani Personal Data Law lists five principles (Article 5), which, apart from the principle of legality, differ from those provided by the European Regulation. Some similarities with the remaining GDPR principles can be found in the provisions of Articles 7 and 11-14 of the Kazakh Law. At the same time, the interpretation and enforcement practice of European and Kazakh law may not coincide because, unlike the Kazakh Law, the GDPR provisions concerning all actions of controllers, operators and third parties with personal data, and their obligations, are permeated by the above principles.

Principle of Lawfulness, Fairness and Transparency. Data Subject's Consent

Here we consider some European and Kazakhstani requirements for the data subject's consent to the personal data collection and processing.

In European data protection legislation, consent has been and remains one of the key concepts and essential conditions of the fundamental data protection principle of lawfulness. Article 2 of the Data Protection Directive 1995 defines consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". The current GDPR (Article 4(11)), in its definition of consent, establishes mandatory conditions for collecting and processing personal data: consent must be freely given, specific, informed and unambiguous to be recognised as lawful. Accordingly, in the absence of these mandatory elements of consent, the collection and processing of data in Europe will be unlawful, subject to certain exceptions.

The Kazakh Personal Data Law (Article 8.4) and the Order[5] of the data protection authority establish what the consent shall contain, how it can be given and even the term of the consent (which seems absurd; the more relevant information is the period of storage and use of personal data). Moreover, Kazakhstani law allows database owners and operators to request, with the subject's consent, other information about him. However, the data protection authority clarified[6] that operators are not entitled to adopt and use wording on the possibility of collecting and processing other personal data; the list must be exhaustive.

Thus, the Kazakh norms do not provide for the mandatory features that allow consent to be considered obtained and legitimate, for example, freely given (i.e. without any pressure or 'compulsion' to give consent) and informed. Note that a mandatory requirement of informed consent of a person (patient) is stipulated by Code of the Republic of Kazakhstan No. 360-VI, dated 7 July 2020, 'On Public Health and the Healthcare System' (as amended on 26 February 2023).

As to informed consent, consider an example of personal data collection and processing faced by a Kazakhstani resident who applied for a fitness centre membership and services. An officer processed the membership by entering the person's name, date of birth and phone number into the database. The officer then asked the person to look into the camera and issued an electronic bracelet, saying that it keeps all the personal data and gives the citizen access to the fitness centre services according to the membership terms. Another example involves concluding a contract for educational services for a school student, where the educational institution collects information about the child, his parents, their education, social status, place of residence and work, and contact details.

Neither the fitness centre officers nor the educational institution employees requested consent to the collection and processing of personal data, explained which data were sufficient for providing the fitness centre or educational services, or described the terms and security of data storage. This happens everywhere because of the absence of fundamental principles for owners of personal databases and operators and the lack of awareness and legal culture among the population and businesses.

Unlike the Kazakh regulations, Articles 13 and 14 of the GDPR set out precise requirements for the information that the data controller must provide to the data subject at the time of collection of personal data. Such mandatory information includes the contact details of the person responsible for the protection of personal data, the purposes of the processing, the conditions of transfer of data to third parties with an indication of the presence or absence of measures to protect personal data by those third parties, the period or criteria for determining the duration of data storage, an indication of the existence of automated data processing[7], including profiling, etc. Furthermore, the GDPR obliges the data controller, at the time of collecting personal data, to inform the data subjects of their rights, in particular the right to withdraw consent at any time[8], the right to protection by the personal data protection authority, the right to access and rectify personal data, the right to erase (delete) personal data, etc.

The Kazakh Personal Data Law contains neither such a range of information to be provided by the owners of personal databases and their operators, nor such obligations of database owners and operators prior to collecting personal data, i.e. before obtaining the data subject's consent to the collection and processing of personal data. Besides, Kazakhstani law does not contain an obligation of the database owner and operator, like that provided for by Article 12 of the GDPR, to provide information on data processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

As is evident from the above provisions, the European rules on personal data protection establish more specific obligations for data controllers, operators, and third parties. Individuals can control any actions with their personal data and have more information on how their data is used and protected. In turn, information awareness increases legal awareness and culture in society and contributes to effective law enforcement.

Principle of Data Minimisation, Purpose Limitation, and Storage Limitation

In practice, we often, without thinking, send photos of personal and other documents, not to mention bank cards and additional information, via messengers and mobile apps to people we know and to people we do not know at all, at the request of government officials and businesses. We do not think about what is necessary for a particular situation and what is superfluous, to whom the information will be further transferred and who may have access to it. Of course, to get a public service, product or business service quickly, people do not think about the consequences. Most often, this is due to illiteracy and lack of information, not only among citizens but also among state officials and businesses. Businesses only consider it once an inspection occurs and an administrative case is initiated.

At the same time, any business entity, organisation and public authority may be classified as an owner or operator of a personal database, and is therefore required to comply with the conditions for collecting, processing and storing personal data. In particular, Articles 7.8 and 7.9 of the Personal Data Law state that personal data processing must meet the purposes of data collection, and the content and extent of the data to be processed must not be excessive in relation to the processing purposes. The provisions of these Articles allow obtaining (collecting) more personal data than is necessary for processing, but only those that meet the purpose of processing should be processed. Article 12(1) of the Personal Data Law, however, does not allow the excessive collection of personal data, limiting it to data necessary and sufficient for the tasks performed by the owner and/or operator and a third party. Article 12 itself, however, raises several questions.

First, the legislator uses the wording 'accumulation via collection'. At the same time, Article 1 of the Personal Data Law defines both accumulation and collection of personal data, which could confuse the average person with insufficient computer or information literacy.

Second, data collection is limited not to the purposes of the processing but 'to the fulfilment of tasks performed by the owner and/or operator as well as by a third party'. This provision is clarified by Government Resolution No. 1214, dated 12 November 2013, 'On Approval of the Rules for Determining by the Owner and(or) Operator the List of Personal Data Necessary and Sufficient to Perform the Tasks Carried Out by Them'. The Resolution provides that the purposes must be unambiguous, lawful and compatible with the tasks carried out by the owner and(or) operator. However, the interpretation of this wording still needs to be clarified.

Third, given that Article 7.8 of the Personal Data Law allows personal data processing that meets the purposes of collection, the owner and the operator, as the persons determining compatibility with the purposes of the processing, may form a broad list of personal data.

Government Resolution No. 1214 provides for the obligation of database owners and operators to analyse the tasks they perform with regard to the use of personal data. In other words, owners and operators shall analyse their activities and actions with personal data: why and for what purpose they perform them (whether there is a legitimate reason), and what kind of personal data they need for this purpose. Following the analysis, the owners and operators shall approve a list[9] of personal data required and sufficient for the performance of the tasks and adjust it annually. Accordingly, on the basis of this list, consent must be obtained from the data subject with an indication of the specific personal data (Article 8.4.7 of the Personal Data Law).

Before seeking consent, the Personal Data Law requires database owners and operators to clearly define what kind of personal data, in what minimum scope, are necessary, and for what purposes and tasks they are required. However, the practice differs. For instance, in the above-mentioned example with a contract for educational services, it is sufficient to provide only the child's full name, date of birth, address, perhaps the birth certificate, the parents' names and the numbers of their ID cards, and contacts, including contacts at their place of work. But educational institutions (and many other companies) often require the parents' individual identification number (IIN). How is the parents' IIN related to providing educational services to the child? Does it meet the data processing purposes in this case? It is sufficient for the education provider to check the parents' details on the birth certificate and their names on the ID cards. Would collecting and storing the parents' IIN by the educational institution violate Articles 7.8 and 7.9 of the Personal Data Law? The average citizen cannot be expected to understand the intricacies of legislation on personal data protection and the laws on information and communication technology.

Kazakh citizens are concerned about these issues and seek more information to improve their legal literacy. In the eGov Open Dialog, there are many appeals from citizens regarding the collection and processing of personal data under the conditions of sufficiency and compliance with the purposes of the processing. Some of them are given below.

A woman applied[10] to the Minister of Labour and Social Protection regarding the lawfulness of the employer's introduction of a pass system with identification through fingerprinting, pointing out that fingerprints are personal data. In reply, the Ministry referred to the need to comply with the Personal Data Law's requirements and to obtain the employee's consent. The Ministry's response should have provided complete information that fingerprints are biometric personal data and that designated authorities may collect fingerprint information. Moreover, depending on the employer's activity, collecting fingerprints for admission and identification of employees may still violate the condition that only personal data necessary and sufficient for processing can be collected and processed.

Several appeals to ministries concerned video surveillance and video recording[11] in employment and commercial relationships between individuals and business entities. The state authorities' responses were limited to general wording on the need to bring the collection and processing of personal data into compliance with the legal requirements to notify of, and obtain consent to, video surveillance. There may be a hidden message in these responses about the legality of collecting and processing personal data through video surveillance, provided that the person's image is necessary and sufficient information for processing (in particular, for the tasks of the employer and the business entity). State authorities, however, should emphasise and give due consideration to the extent of the necessity and sufficiency of the collection and processing of personal data. As mentioned above, proper awareness among the public and businesses forms the legal culture and effective law enforcement in the country.

The GDPR has similar provisions on the limits of collection, processing and storage. It enshrines the fundamental principles of personal data protection: purpose limitation (Article 5.1(b)), data minimisation (Article 5.1(c)) and storage limitation (Article 5.1(e)).

The principle of purpose limitation means that personal data shall be collected for defined, explicit, and legitimate purposes and shall not be further processed in a way that does not meet those purposes.

Data minimisation requires that personal data is adequate (sufficient), relevant and limited to what is necessary for the purposes of the processing.

The principle of storage limitation means that personal data shall be stored in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. However, subsequent storage of personal data for a more extended period is permitted solely for archiving in the public interest, scientific or historical research, or statistics, provided that appropriate technical and organisational measures are taken to protect the rights and freedoms of the data subject.

These principles are essential, even paramount, for protecting personal data. These provisions, named in the European Regulation precisely as principles (guiding principles), act as a 'guide' for all persons involved in the legal relations concerning collecting, processing and protecting personal data. These fundamental ideas can be found in other GDPR provisions concerning the rights and obligations of controllers, operators, third parties, public authorities and data subjects. The principles lay the groundwork for all legislation and enforcement and serve as the basis for any future law, legal relationship, the rights and obligations of its parties, and their actions.

It is worth agreeing with A. Gussarova and S. Dzhaksylykov that in Kazakhstan, "despite the existence of the Personal Data Law, many of its elements are stuck in practice, and there is no strategic vision for moving towards the adoption of the key principles of the European GDPR"[12].

Citizens' Awareness of the Rights on Personal Data Protection

It is important to note that the population and personal data protection authorities in Europe have played a significant role in forming the legal framework and law enforcement practice. One famous example is the Google Spain case[13] (known not only in Europe), which first established the right to be forgotten, defined the role of search engines in the processing of personal data, and addressed the issue of compatibility and excessiveness of personal data processing in relation to the purposes of collection and processing. In recent years, several appeals by Mr Maximilian Schrems to the European Court of Justice have impacted the adequacy requirement for personal data protection.

As elsewhere in the world, the issue of personal data protection is essential for the people of Kazakhstan. The security of personal information has been a significant concern among citizens during the pandemic, especially concerning the ASHYQ app. The eGov Open Dialog has many questions about the collection and processing of personal data, in particular an Individual Identification Number (IIN), by the ASHYQ platform. In its answers[14], the data protection authority indicated that the IIN and the person's status in the ASHYQ app are not personal data since they are used separately from other additional information about the person and do not allow the person to be identified. In other words, depending on the situation, the IIN itself, without additional personal information, does not make the person identified or identifiable.

The significant increase in internet use and the provision of personal data during the COVID-19 pandemic has affected the culture of handling personal information in Kazakhstan. For instance, in 2019, a public opinion survey conducted within the research[15] showed a lack of knowledge or superficial knowledge[16] on protecting personal information and ignorance[17] of their rights as personal data subjects. The study by A. Gussarova and S. Dzhaksylykov in September 2020 showed that 20% of respondents were already well aware of protecting personal data[18]. In other words, there is a slight positive trend. However, the oldest Internet users and rural inhabitants had the lowest knowledge of personal data protection[19]. Yet in the same year, 2020, according to the Official Information Resource of the Prime Minister of the Republic of Kazakhstan, 78% of the population was aware of cybersecurity threats[20]. It may not be entirely correct to compare the results of the study on personal data protection with official governmental information on cybersecurity. Still, they are interrelated phenomena, and the official data likely does not reflect the actual situation.

Undoubtedly, we should increase the citizens' awareness of their rights to personal data protection, mainly by the public authorities regulating this area via the provision and dissemination of simple and understandable printed and video materials. Perhaps Kazakhstan should adopt the European experience, which, at the level of a high-level regulatory act, consolidated the obligations of controllers and data operators to provide complete information about the list of personal data collected and the rights of an individual before obtaining consent to the collection and processing of data.

Some Aspects of the Personal Data Destruction and Depersonalisation

The growth of online shopping and the active use of the Internet during the pandemic made most citizens concerned about the security of personal data because of the fear of becoming fraud victims. For instance, according to a data protection authority's representative[21], "Kazakhstanis have become more active in exercising the right to demand that their personal data posted on various publicly accessible websites be deleted."

In the eGov Open Dialog, there are many requests for personal data deletion (destruction). However, the implementation of this right of citizens, especially by state bodies, raises some questions. Thus, in most cases, public authorities noted[22] that by submitting a request to the blog platform, the user agrees to "the conditions of use, which provide that the personal data (full name) and the text of the request, including all the information contained in it, will be available to the public".

Although the right to delete personal data is exercised, names and, in some cases, telephone numbers and individual identification numbers (IIN) remain available. Some appeals to the eGov Open Dialog may be of meaningful value to other citizens and the public: they could be used in court proceedings, help to find solutions in various life situations and even improve legal literacy. A suitable solution to protect personal data in many requests in eGov would be data 'pseudonymisation' as provided for in the GDPR (Article 4(5)). 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.

The Kazakh Personal Data Law does not provide for the 'pseudonymisation' of personal data, while enshrining depersonalisation and the right to destroy (or delete) data. According to Article 17 of the Personal Data Law, data depersonalisation is only used for statistical, sociological, scientific and marketing research purposes and for data analytics when public authorities carry out their activities. The Personal Data Law defines depersonalisation as actions resulting in the impossibility of identifying the personal data subject (Article 1.7), and the Order of the data protection authority excludes the possibility of restoring the original personal information[23]. The obligations of controllers, data operators and third parties to protect personal data do not apply to depersonalised data.

The European Regulation contains similar provisions on depersonalised data and its release from the GDPR requirements (Recital 26). However, unlike Kazakhstani law, the GDPR contains broader provisions on processing personal data for statistical purposes. In particular, the GDPR provides for the following:

  • processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered lawful processing operations compatible with the purposes for which the individual's consent was originally obtained. In other words, if a subject has registered a news subscription, the subscription service provider may process the subject's data for statistical purposes without the separate consent of the subject (Recital 50). In so doing, however, the controller or data operator shall take technical and organisational data protection measures;
  • if necessary, the data may be retained by the controller or data operator after their deletion for archiving purposes in the public interest, for scientific or historical research purposes, for statistical purposes, or for the establishment, exercise or defence of legal claims (Recital 65);
  • data processing for the aforementioned purposes shall be carried out in a way that protects the rights and freedoms of the individual and respects the principle of data minimisation (Recital 156);
  • unlike Kazakh law, the European Regulation states that its requirements (and thus the obligations of controllers, operators and third parties) apply to the processing of data for statistical purposes because such data is not depersonalised (Recital 26).

Lastly, in comparison to the Kazakh Personal Data Law, the GDPR specifies at the level of law what statistical purposes are, and requires national laws to determine statistical content, access control, specifications for processing personal data for statistical purposes, and measures to protect the rights of the data subject and ensure statistical confidentiality.

Thus, the GDPR, unlike the Kazakh Personal Data Law, provides for a type of personal data processing known as 'pseudonymisation'. Compared to the Kazakhstani regulations on the depersonalisation of personal data, the European Regulation allows a person to be identified from pseudonymised data, but only with the use of additional information. Pseudonymised data is therefore considered information about an identifiable individual, i.e. personal data subject to protection and to the principles of personal data protection. At the same time, to determine whether an individual is identifiable, account should be taken of all the means reasonably likely to be used to identify the individual directly or indirectly (Recital 26).

It is important to note that the European Regulation provides for a general obligation for any data controllers and operators to apply data 'pseudonymisation' as a technical and organisational measure to protect individuals' rights and freedoms in relation to the processing of personal data. This obligation is not limited to any purpose of the processing.

Pseudonymisation as a personal data protection measure should also be provided for in Kazakhstani legislation. As stated above, valuable and helpful responses to citizens' requests in the eGov Open Dialog could be subject to pseudonymisation, thus striking a balance between access to information and protection of personal data.
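The pseudonymisation defined above (GDPR Article 4(5)) and its contrast with irreversible depersonalisation, as an added example that is not code from the article: a constructed eGov-style request record is prepared for publication with keyed tokens in place of the name, IIN and phone number, while the key and the token lookup are the separately kept 'additional information'. The record contents, the key and the depersonalise helper are assumptions made for illustration.

```python
"""Pseudonymisation vs depersonalisation of a citizen's request record.

Added illustration (not code from the article): direct identifiers in a request
are replaced by keyed pseudonyms; the key and the token->value lookup are the
'additional information' that GDPR Article 4(5) requires to be kept separately.
Discarding both gives an irreversible, depersonalised record.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample in the style of a public-blog request (fictional person and IIN).
SAMPLE_REQUEST: Dict[str, str] = {
    "full_name": "Aigerim Bekova",
    "iin": "900101400123",            # constructed 12-digit value, not a real IIN
    "phone": "+7 701 000 00 00",
    "text": ("I, Aigerim Bekova, IIN 900101400123, tel. +7 701 000 00 00, "
             "ask to delete my personal data from the portal."),
}

# Fields the request form treats as direct identifiers of the applicant.
DIRECT_IDENTIFIERS = ("full_name", "iin", "phone")


class Pseudonymiser:
    """Replaces identifier values with HMAC-derived tokens, keeping the key and
    the token->value lookup apart from the published record."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}   # the separately stored 'additional information'

    def token(self, value: str) -> str:
        # Keyed hash: the same value always maps to the same token (so several
        # requests by one person stay linkable), but without the key nobody can
        # recompute tokens from candidate names or IINs.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        tok = f"SUBJ-{digest[:16]}"
        self._lookup[tok] = value
        return tok

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        out = dict(record)
        mapping = {record[f]: self.token(record[f]) for f in DIRECT_IDENTIFIERS}
        for f in DIRECT_IDENTIFIERS:
            out[f] = mapping[record[f]]
        # The free-text body usually repeats the identifiers, so substitute them there
        # too, longest value first so one identifier cannot clobber part of another.
        # Only exact values are replaced; a surname on its own would need a dedicated
        # name detector, which is beyond this example.
        text = record["text"]
        for value, tok in sorted(mapping.items(), key=lambda kv: len(kv[0]), reverse=True):
            text = text.replace(value, tok)
        out["text"] = text
        return out

    def reidentify(self, tok: str) -> Optional[str]:
        """Only the holder of the separately kept lookup can attribute a token."""
        return self._lookup.get(tok)


def depersonalise(record: Dict[str, str]) -> Dict[str, str]:
    """Irreversible variant matching the Kazakh notion of depersonalisation:
    a one-off random key is used and neither it nor the lookup is retained,
    so the original values cannot be restored and records are not linkable."""
    throwaway = Pseudonymiser(secrets.token_bytes(32))
    return throwaway.pseudonymise(record)   # 'throwaway' and its lookup are dropped here


def contains_identifiers(text: str, record: Dict[str, str]) -> bool:
    """Publication check: does the text still carry any direct identifier?"""
    return any(record[f] in text for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    keeper = Pseudonymiser(b"demo-key-held-by-the-portal-operator")   # assumed key
    public = keeper.pseudonymise(SAMPLE_REQUEST)
    print(public["text"])
    print("identifiers left in text:", contains_identifiers(public["text"], SAMPLE_REQUEST))
    print("re-identified IIN with lookup:", keeper.reidentify(public["iin"]))
    print("depersonalised IIN token:", depersonalise(SAMPLE_REQUEST)["iin"])
```

The published record keeps its informational value (the request text stays readable and repeat requests by the same person remain linkable), while attribution is possible only for whoever holds the key and lookup.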

Footnotes

1. OECD Council Recommendation on the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, dated 23 September 1980, as amended on 11 July 2013.

2. Council of Europe Convention No. 108, dated 28 January 1981, On the Protection of Individuals with regard to Automatic Personal Data Processing.

3. Directive 95/46/EC of the European Parliament and of the EU Council, dated 24 October 1995, On the Protection of Individuals with regard to the Personal Data Processing and On the Free Circulation of such data.

4. Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, On the Protection of Individuals with regard to the Personal Data Processing and on the Free Circulation of such data, and On the Repeal of Directive 95/46/EC (General Data Protection Regulation).

5. Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan, dated 21 October 2020, No. 395/?? 'On Approval of the Rules for the Collection, Processing of Personal Data'

6. https://dialog.egov.kz/blogs/all-questions/700318

7. Please note that Article 36.6 of the Law of the Republic of Kazakhstan 'On Informatisation' provides for the obligation of owners of electronic information resources containing personal data not to use automated data processing only in decision-making without the consent of the data subject, as well as the obligation to inform about the use of automated processing. At the same time, unlike the GDPR requirements, the legislation does not specify when such an obligation is performed.

8. The Kazakh Law on Personal Data and Protection Thereof (Article 8.2) establishes that consent may be withdrawn by the data subject if this is contrary to the law or there is an unfulfilled obligation of the data subject. On one hand, such a wording contains restrictive conditions, and on the other hand, it can have a broad interpretation, because the law does not specify what kind of unfulfilled obligation we are talking about, thereby allowing the database owner to refuse to withdraw the consent due to any unfulfilled obligations, for instance, to maintain the confidentiality of the terms of the contract after its expiration.

9. The respective form is approved as an Appendix to Government Resolution No. 1214, dated 12 November 2013, 'On Approval of the Rules for Determining by the Owner and(or) Operator the List of Personal Data Necessary and Sufficient to Perform the Tasks Carried Out by Them'.

10. https://dialog.egov.kz/blogs/all-questions/727791

11. https://dialog.egov.kz/blogs/all-questions/724888, https://dialog.egov.kz/blogs/all-questions/724882, https://dialog.egov.kz/blogs/all-questions/691916

12. A. Gussarova, S. Dzhaksylykov 'Protection of Personal Data in Kazakhstan 2.0: Digital Footprint of Covid-19', 2021, p.5, https://www.soros.kz/wp-content/uploads/2021/03/Personal-Data_Covid-Implications.pdf

13. Google Spain v Agencia Española de Protección de Datos (AEPD) and González, Case C-131/12, 13 May 2014, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0131. In the GDPR, the 'right to be forgotten' is renamed the 'right to erasure'. However, the right under Articles 17 and 18 of the GDPR is actually much broader than the right set out in Google Spain, as it applies to all data controllers, including social media, news sites and cloud service providers.

14. https://dialog.egov.kz/blogs/all-questions/715842, https://dialog.egov.kz/blogs/all-questions/719761, https://dialog.egov.kz/blogs/all-questions/684120

15. A. Gussarova, S. Dzhaksylykov, 'Personal Data Protection in Kazakhstan: Status, Risks and Opportunities', 2020, p.33, https://www.soros.kz/wp-content/uploads/2020/04/Personal_data_report.pdf

16. ibid, pp. 35, 37.

17. ibid, pp. 36, 51.

18. A. Gussarova, S. Dzhaksylykov 'Protection of Personal Data in Kazakhstan 2.0: Digital Footprint of Covid-19', 2021, p.61, https://www.soros.kz/wp-content/uploads/2021/03/Personal-Data_Covid-Implications.pdf

19. ibid.

20. https://primeminister.kz/ru/news/reviews/fishingovye-sayty-spear-phishing-whaling-kibershchit-kazahstana-sovershenstvuet-sistemu-bezopasnosti-2675856

21. Zhanbolat Mamyshev, 'Kazakhstanis are more likely to delete personal data from the public domain', 29.10.2021, Kursiv, https://kz.kursiv.media/2021-10-29/kazakhstancy-stali-chasche-trebovat-udalit-personalnye-dannye-iz-otkrytogo/

22. https://dialog.egov.kz/blogs/all-questions/755230, https://dialog.egov.kz/blogs/all-questions/751245, https://dialog.egov.kz/blogs/all-questions/750232, https://dialog.egov.kz/blogs/all-questions/750162

23. Paragraph 21 of the Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan dated 21 October 2020, No. 395/?? 'On Approval of the Rules for the Collection, Processing of Personal Data'. Article 25.2 of the Law obliges the database owner and the operator to approve policies for the collection, processing and protection of personal data, including a document on personal data depersonalisation.
