Introduction

The desire of the Republic of Kazakhstan to establish itself as a state of law should be based on the constitutional regulation of fundamental rights and freedoms of man and citizen. The Constitution of the Republic of Kazakhstan stipulates that human rights and freedoms are natural and absolute, belong to everyone from birth and cannot be alienated. Article 18 of the Constitution of the Republic of Kazakhstan establishes the inviolability of private life, personal and family secrets, the secrets of individual deposits and savings, correspondence, telephone conversations, postal, telegraph and other messages. According to experts, this provision of the Constitution of the Republic of Kazakhstan fully complies with international legal standards.

Article 3 of the Universal Declaration of Human Rights states that everyone has the right to the security of a person. Article 12 of the Universal Declaration of Human Rights clarifies the concept of personal integrity. It states that no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

The norms of constitutional, criminal, administrative, civil legislation, and special legislative acts regulate the inviolability of private life in our country. The need for special legislation is due to new socio-economic relations, new information and communication technologies, globalization, and the widespread introduction of the Internet and digital tools in all spheres of society. Among the special acts, the following laws should be noted: the Law of the Republic of Kazakhstan dated May 21, 2013, "On personal data and their protection", the Law of the Republic of Kazakhstan dated November 24, 2015, "On informatization", the Law of the Republic of Kazakhstan dated November 16, 2015, "On access to information", the Law of the Republic of Kazakhstan dated December 30, 2016, "On fingerprint and genomic registration", the Law of the Republic of Kazakhstan dated July 5, 2004, "On Communications", the Law of the Republic of Kazakhstan dated September 15, 1994, "On operational-search activity", the Law of the Republic of Kazakhstan dated August 31, 1995, "On banks and banking activities in the Republic of Kazakhstan" and others.

Nowadays, it isn't easy to imagine reality without digital and Internet technologies. Telecommunications and electronic communication networks have become an integral part of modern life, providing access to information and services, including the Internet, through which numerous product and service providers offer customers and end users access to goods, information or content.

Modern technologies make it possible to collect information about each citizen, linking all his documents and data to his account and profile, tracking his actions, getting an idea of a person's habits and preferences, and using the information received for various purposes. The Republic of Kazakhstan occupies one of the top places in the world in the implementation and use of digital technologies in the public and political life of the country. Regarding citizens' electronic participation level, Kazakhstan ranks 15th in the world and 28th in the development of e-Government (Sputnik-Kazakhstan 2022a). According to the statement of President K. Tokayev, Kazakhstan is among the thirty most digitized UN member states (Sputnik-Kazakhstan 2022b). Such phenomena as e-government, public service centres (PSCs), electronic services in the public and private sectors, remote work, distance learning, digital interaction between the state and the population, online stores, etc., have firmly entered our lives.

At the same time, there is a specific risk that unscrupulous persons can use personal information about an individual to the detriment of a person, his interests and property.

The Internet and information and communication technologies have made life and interaction with the outside world of each person broad and multifaceted. In current conditions, the systematization and classification of personal data can have several options. For example, public authorities collect and process the following personal information: demographic, personal identification information, medical, financial, judicial and law enforcement data (Saglam R.B., Nurse J.R.C., Hodges D. 2022 : 8). If we consider the healthcare sector, personal information may relate to physiological parameters (height, weight, and others), diet and type of diet, physical and sports activities, reproductive health information, medical records, heart rate monitoring, respiratory rate, and other information (Saglam R.B., Nurse J.R.C., Hodges D. 2022 : 10). In the financial sector, the range of personal information collected and used, in addition to personal identification and biometric data, may include information about ongoing financial transactions. However, other personal data can be indirectly derived from such information. For example, by analyzing the payments made from a bank card, the owner's preferences and economic status can be identified from the purchases made.

The use of new technologies makes it possible to single out other personal data, for example, data related to security (surveillance cameras, audio recording devices). A separate class of data is biometric data (fingerprints and palm prints, contours of the face and its parts, height, weight, eye colour), including psychological and behavioural biometrics, gestures, and others (Saglam R.B., Nurse J.R.C., Hodges D. 2022 : 10).

The attitude of Kazakhstani people to the confidentiality of personal data is contradictory. Some are overly secretive and provide limited information about themselves, do not have a social network account, do not give their data on social networks, refuse online subscriptions, and do not make online payments for fear of data leakage, especially banking information. Others, on the contrary, actively maintain online channels, maintain personal pages on social networks and various blogs, participate in public group accounts, track and use various promotions, willingly post their photos and videos, accept various online invitations, and do not think about who and how could use personal information, about data leakage or misuse.

If we compare how people relate to the safety of and access to information about their private lives outside the Internet, in an offline environment, certain social norms are observed. For example, it is considered unethical to open an envelope and read other people's letters, enter a house without an invitation, eavesdrop on someone's conversation, reveal someone's secret, and so on. These rules against undesirable behaviour have been formed in society over many decades. Since social ethics in the online mode has yet to be formed, it is necessary to legislate the observance of privacy and the rules of conduct in the Internet environment, backed by state coercion and sanctions.

Under these conditions, the state, as the primary institution for the protection of human rights, must adopt a precise legal regulation, clearly and accurately enshrine legal actions in legislation, and provide for the necessary measures and restrictions for the state and civil servants, for organizations of all forms of ownership, business entities and private persons so that personal data does not become the object of offences.

The right to privacy is protected by the Constitution of Kazakhstan, along with other fundamental human rights and freedoms. Implementing the constitutional right to privacy includes protecting personal data, which a special law ensures. With the adoption of the Law of the Republic of Kazakhstan dated May 21, 2013, “On personal data and their protection”, Kazakhstani legislation introduced a legal framework for the protection of human rights in the processing of personal data, including to protect the rights to privacy, personal and family secrets.

The Constitution of Kazakhstan allows legislative acts to reveal the content of the right to privacy. Article 18 of the Constitution of the Republic of Kazakhstan prohibits interference in private life, and its wording is incomplete and open to interpretation (non-exhaustive) (Constitutional Council 2018 : 149). The special Law of the Republic of Kazakhstan “On Personal Data and their Protection” (subparagraph 2 of Article 1) gives the following definition:

‘personal data - information relating to an identified or identifiable on their basis the subject of personal data, recorded on electronic, paper and (or) other tangible media’

As far as possible, the Constitution and the Law contain a comprehensive formulation of personal data as any information relating to a specific person. Foreign legislation has a similar non-exhaustive definition of personal data.

Although the Law “On personal data and their protection” is changing, following global trends, the problems of legal regulation in Kazakhstan still exist and need to be addressed, considering foreign practices and standards. One of the problems is the legal consolidation of the principles for collecting and processing personal data in Kazakhstani Law “On Personal Data and their Protection”, which differ from the principles enshrined in foreign sources of legislation.

Kazakhstan cannot avoid the processes of globalization of political, economic and social relations. Our state is “step by step approaching the highest standards in the field of democratization and human rights” (Strategy Kazakhstan 2050 : section I). Following global trends, the state is amending national legislation protecting personal data. Thus, recent amendments to the Law of the Republic of Kazakhstan “On Personal Data and their Protection” gave citizens the ‘right to be forgotten’ on the Internet and the right to withdraw consent to use personal data. In addition, administrative and criminal sanctions are provided for violations of the legislation on the protection of personal data (Ministry of Justice 2022 : 40).

However, the new amendments prescribe how to handle personal data, what actions must be taken and how. Although the new wordings of the law correspond to the general meaning and are similar to international standards, they mainly relate to rights, obligations, and permissible actions with personal data.

The state ensures the implementation of the right to personal data protection through laws. Moreover, at the level of the law, the central role is given to principles. The principles determine how rights will be realized and obligations fulfilled. The principles are of paramount importance, as they are the starting points; they express the fundamental, “cross-cutting and general” ideas, which convey the general “spirit” and direction of legal regulation (Voplenko 2013 : 5). They are either derived from the general meaning of laws or are directly formulated in the law and designed to fill gaps in the regulation of legal relations. Given the pace of technological development and digitalization, it is impossible to predict how quickly the law will become obsolete, or how fully and adequately it will provide for and regulate new elements of personal data, new social relations and actions with personal data, and new threats to the security of personal data. In this regard, the question arises whether the principles of personal data protection are formulated in Kazakhstani legislation in such a way as to ensure their proper protection and to resolve possible gaps in legal relations regarding the use and security of personal data.

Regulatory consolidation of personal data protection principles in the Republic of Kazakhstan.

Article 5 of the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” expressly formulates the following five principles for the collection and processing of personal data:

  1. Observance of constitutional rights and freedoms of man and citizen
  2. Legality
  3. Confidentiality of personal data of limited access
  4. Equality of rights of subjects, owners and operators
  5. Ensuring the security of the individual, society and the state

The first three principles are general legal principles since they are characteristic of all branches of law and law in general. The confidentiality of personal data of limited access and the equality of rights of subjects, owners and operators are specific principles for regulating relations in the field of personal data protection.

The law does not describe the principles specified in it, and their interpretation raises the following problems.

Firstly, the principle of confidentiality of personal data of restricted access creates difficulties in law enforcement since, at the legislative level, there is no clear list of personal data of restricted access.

The law defines publicly available personal data as those that are not confidential under the law, access to which is permitted with the subject's consent. If the subject has not consented to access his personal data and information, access to them is limited. Does this mean that the absence of the person's consent entails limited access to his personal data and that the consent determines the availability of personal information?

However, in addition to the consent of the data subject, personal data of limited access are classified as such by other laws. It is necessary to consider what other sources of law of Kazakhstan provide in this regard.

The Law of the Republic of Kazakhstan dated November 24, 2015, “On Informatization” classifies electronic information resources according to the type of personal data they contain as electronic information resources (1) containing publicly available personal data and (2) containing personal data of limited access. According to the Law, the owner or possessor of an electronic information resource determines the type of access to it. At the same time, the Law of the Republic of Kazakhstan “On Informatization” also does not provide a clear list of electronic information resources with personal data of limited access, referring to the Law of the Republic of Kazakhstan “On Personal Data and their Protection”. Furthermore, following the latter Law, personal data of limited access are those to which access is limited by legislation or by the individual himself. Thus, when defining personal data of restricted access, the Law “On Informatization”, like the Law “On Personal Data and their Protection”, does not indicate a list of such data and refers to other legislative acts.

Next, other laws should be considered. The Law of the Republic of Kazakhstan, dated December 30, 2016, "On fingerprint and genomic registration", clearly indicates that fingerprint and genomic information refers to personal data of limited access. Another law, the Law of the Republic of Kazakhstan, dated March 19, 2010, "On State Statistics", specifies that primary statistical data are confidential, except those listed in this Law. In other words, the Law "On State Statistics" outlines the range of non-confidential statistical data. Therefore, any other data is classified as confidential statistical data, which indicates a broad interpretation of the concept. Another legislative act, the Law of the Republic of Kazakhstan dated December 22, 2003, "On State Legal Statistics and Special Accounts", regulates the collection, storage, and processing of personal data for special records, which usually relate to law enforcement functions. Under this Law, any information about an individual can be entered into special records, while his consent is not required. However, access to and use of information and data about an individual is strictly regulated and must be carried out in compliance with confidentiality and the requirements of the Law "On Personal Data and their Protection". Such a confidentiality regime, established in the Law "On State Legal Statistics and Special Accounts", in effect classifies the state legal statistical system's electronic information resources as containing personal data of limited access. However, the Law itself does not directly indicate this. Next, the Criminal Procedure and Civil Procedure Codes limit the principle of publicity in connection with the protected secret of private life, referring to the requirements of the laws and a person's demand for a closed trial.
That is, the person himself determines the access to and use of personal information and the nature of restricted access, and the court and law enforcement agencies are obliged to observe and ensure the implementation of the right to privacy.

In connection with the unclear normative consolidation of the concepts of personal data of limited access, the positions of regulatory authorities diverge in practice. For example, following the position of the Ministry of Justice of the Republic of Kazakhstan (Open Dialog eGov 2022a), an individual entrepreneur's identification number is publicly available information about a business entity per Article 28 of the Entrepreneurial Code of the Republic of Kazakhstan. On the other hand, the same Ministry of Justice of the Republic of Kazakhstan agreed with the opinion of the Ministry of Internal Affairs of the Republic of Kazakhstan (Open dialog eGov 2022b) that the individual identification number refers to personal data of limited access. In the explanations of these two Ministries, a conflict can be traced: an individual entrepreneur acts in two forms - as an ordinary person and an entrepreneur, a business entity. Accordingly, by distributing in the public domain information about his contact details, individual identification number (IIN), and place of business, which is often also his place of residence, the state did not ensure the individual's right to privacy and protection of personal data. The legislator should have thought over which data should still be carefully protected without exposing the subject to the risk of unlawful encroachment on his interests, property and even life. As for the personal data protection authority, the Ministry of Digital Development and Aerospace Industry of the Republic of Kazakhstan (Open dialog eGov 2022c) still needs to answer what the list of personal data with limited access includes.

Thus, the legislator needed to give a more precise and more understandable interpretation and enforcement of the principle of confidentiality of personal data of limited access both for the individual and for any persons and subjects of legal relations with whom this individual will have to interact.

Secondly, the principle of equality of rights of subjects, owners and operators cannot be implemented in a special law on personal data, given the legal relations to which it applies and the legal status and position of the parties to those legal relations. Subjects, owners, and operators of personal databases always oppose each other in legal relations. The object of the legal relationship is information about the subject, who controls the fate of this information and determines the limits of its distribution and use by the owners and operators of databases. Personal freedom and autonomy presuppose the independence of the person, the subject of personal data, and require freedom "from coercion and manipulation by others" (Sætra H.S. 2022 : 5). The subject of personal data is always the weaker party and is in an unequal position since his counterparty in legal relations, on the side of the owner or operator of the database, is either a state body as an institution of public authority or a business entity that has an economic and technological advantage over an individual. These counterparties collect excessive data and have access to the personal data of a person, despite his consent, and may carry out non-transparent and uncontrolled processing of the subject's personal data. American scholar Daniel Solove (Solove, D.J. 2023 : 22, 40) notes that people are very gullible and can be manipulated. Organizations will find ways to manipulate users to agree to data collection and processing. Most often, a person agrees to the collection and processing of data here and now, as he sees immediate satisfaction and specific benefits: getting a discount, using products and services, getting wider (premium, elite) access to news, information, entertainment, games, music and many other advantages and benefits. People have no or only a vague idea of what will happen to their data in the distant future.
It follows from the preceding that the principle of equality of rights of subjects, owners, and operators, enshrined in the Law of the Republic of Kazakhstan "On Personal Data and Their Protection", is not reflected in practice due to the unequal position of subjects of legal relations in the field of personal data protection.

Regulatory consolidation of personal data protection principles in the Republic of Kazakhstan.

As discussed in the previous section, the Kazakhstani Law “On Personal Data and Their Protection” enshrines general and special legal principles for protecting personal data. However, their interpretation and enforcement are problematic.

What principles do the European laws governing the protection of personal data have? Some of them will be considered below.

First of all, the European Union has the EU General Data Protection Regulation (GDPR), which establishes the minimum legal requirements for personal data protection. These requirements can be detailed and “strengthened” by national legislation of each Union member state. Article 5 of the GDPR establishes six basic principles for the processing of personal data and defines their meaning:

  • Lawfulness, fairness and transparency - personal data shall be processed lawfully, fairly and transparently in relation to the data subject;
  • Purpose limitation - personal data shall be collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with these purposes;
  • Data minimisation – personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
  • Accuracy - personal data must be accurate and, where necessary, updated; all reasonable steps must be taken to ensure that personal data which is inaccurate, taking into account the purposes for which it is processed, is deleted or corrected without delay;
  • Storage limitation – personal data shall be kept in a form that allows the identification of the data subject for no longer than is necessary for the purposes for which personal data are processed; data may be stored for longer periods where allowed by the requirements of the law concerning purposes and subject to the implementation of appropriate technical and organisational measures;
  • Integrity and confidentiality - personal data shall be processed to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.

Compared to the Kazakhstani principle of lawfulness, the GDPR's principle of lawfulness, fairness and transparency is more definite. It concerns more than compliance with the law in the collection and processing of data. Moreover, it is one of the key concepts and essential conditions for protecting personal data. The legality of the processing of personal data is reinforced in the GDPR by the requirement for an individual's consent (Articles 4(11) and 6). The consent must be freely given, specific, informed (conscious) and unambiguous for the collection and processing to be recognised as legitimate. Accordingly, in the absence of these attributes of consent, the collection and processing of data will be unlawful, with certain exceptions established by law.

In addition, Articles 13 and 14 of the GDPR set out precise requirements for the information that the data controller is obliged to provide to the subject at the time of collection of personal data. Among such mandatory information, upon obtaining consent from the subject, are the contacts of the person responsible for the protection of personal data, the purposes of the processing, the condition for transferring data to third parties indicating the presence or absence of measures to protect personal data from third parties, the period or criteria for determining the storage period of the data, an indication of the presence of automated data processing, including profiling, and others. In addition, at the time of collecting personal data, the GDPR obliges the data controller to inform the data subject of his rights, in particular, the right to withdraw consent at any time, the right to protection in a public authority for the protection of personal data, the right to access their data, to make corrections to them, the right to their deletion, and others. Moreover, Article 12 of the GDPR obliges the controller and operator to provide the subject with any information regarding data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Compared to the GDPR, the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" does not have such a range of mandatory information to be provided by the owners of personal databases and their operators prior to obtaining the consent of the data subject to collect and process personal data, nor such obligations of the owners of databases and operators when collecting personal data, nor the mandatory attributes in which consent is considered obtained and legitimate, for example, freely given (that is, without any pressure or "being forced" to give consent) and informed (consciously).

The Kazakhstan Law (clause 4, article 8) and the data protection authority (Order of MDDaAI №395) establish what information the consent should contain, how it can be provided, and even the validity period of the consent, which seems odd, since the period should instead refer to the storage and use of personal data. The law allows the owners and operators of databases to request other personal information from the individual subject to his consent. That means database owners and operators can have a broader list of collected personal data. However, the data protection authority clarified (Open dialog eGov 2022d) that the operators are not entitled to approve and use the wording on the possibility of collecting and processing other personal data; the list of collected and processed data must be exhaustive.

Consider two examples of collecting and processing personal data that an individual has encountered in practice - applying for a fitness centre membership and a child's admission to an educational institution. In the first case, a fitness centre employee registered the membership by entering the person's full name, date of birth, and phone number into the database. Further, the fitness centre employee asked the person to look into the camera and issued an electronic bracelet, saying it stores all personal data that provides access to fitness centre services. Another example is the conclusion of an agreement for educational services for a student, when the educational institution collects information about the child, his parents, their education, social status, place of residence and work, and contact information.

Not a single action of the employees of the fitness centre and the educational institution was accompanied by either a request for the data subject's consent or the provision of explanations about the information sufficient to provide the services of the fitness centre or educational services, the timing and security of storing personal data. Moreover, this happens everywhere due to the need for special and fundamental principles for collecting and processing personal data, obligations for the owners of personal databases and operators, and the lack of awareness and legal culture among the population and entrepreneurship.

Next, we consider the GDPR's principles of data minimization, purpose limitation and personal data storage limitation (Articles 5.1(b),(c),(e)). At the level of the primary fundamental principles, the European Regulation stipulates that personal data is collected to the strictly necessary minimum for definite, explicit, and legitimate purposes, processed in a manner compatible with these purposes, and not stored for longer than necessary to achieve the purpose of their processing.

The Kazakh Law "On Personal Data and their Protection" does not contain these principles but does contain similar obligations for database owners and operators. In particular, paragraphs 8 and 9 of Article 7 of the Law establish that the processing of personal data must be compatible with the purposes of data collection, and the content and volume of data to be processed must not be excessive in relation to the processing purposes. According to paragraph 1 of Article 12 of the Law, the collection of personal data is limited only to those necessary and sufficient to perform the tasks carried out by the owner and (or) operator, as well as by a third party. At the same time, Article 12 raises several questions. Firstly, the terms and formulations used can confuse anyone who lacks a sufficient level of computer or information literacy. Secondly, the collection is not limited to processing purposes but to "the performance of tasks carried out by the owner and (or) operator, as well as by a third party." Thirdly, the Law allows the processing of personal data compatible with the purposes of collection. However, the owner and operator of the database determine such compatibility; therefore, these actors can manipulate the data subject and form an unreasonably broad list of personal data.

It is difficult for an ordinary citizen to understand the intricacies of legislation concerning personal data protection and information and communication technologies. In the eGov Open Dialogue, there are many inquiries from citizens regarding collecting and processing personal data following the conditions of sufficiency and compliance with the purposes of the processing. For example, the response of the Ministry of Labor and Social Protection of the Population (Open dialog eGov 2022e) regarding the lawfulness of the introduction by the employer of the access system and identification by fingerprinting within the framework of labour relations does not provide complete information regarding the attribution of fingerprints to biometric personal data and persons authorized to collect fingerprint information. In addition, depending on the type of activity of the employer, the collection of fingerprints to pass and identify employees may still violate the conditions for personal data necessary and sufficient for processing because an employee is identifiable at the entrance to the premises simply by photo and identification card. In their responses (Open dialog eGov 2022f) regarding video surveillance and video filming in the course of employment and commercial relations between individuals and business entities, state bodies respond to citizens with general wording from the law, not emphasizing or paying due attention to the degree of necessity and sufficiency of collecting and processing personal data.

The Estonian Personal Data Protection Act 2007 establishes the following principles:

  1. principle of legality - personal data shall be collected only in an honest and legal manner;
  2. the principle of purposefulness - personal data shall be collected only for the achievement of determined and lawful objectives, and they shall not be processed in a manner not conforming to the objectives of data processing;
  3. principle of minimalism - personal data shall be collected only to the extent necessary for the achievement of determined purposes;
  4. principle of restricted use - personal data shall be used for other purposes only with the consent of the data subject or with the permission of a competent authority;
  5. principle of data quality - personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing;
  6. principle of security - security measures shall be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction;
  7. principle of individual participation - the data subject shall be notified of data collected concerning him or her, the data subject shall be granted access to the data concerning him or her and the data subject has the right to demand the correction of inaccurate or misleading data.

The UK Data Protection Act 2018 regulates the processing of personal data to the extent not regulated by the GDPR, including the processing of personal data by competent authorities for law enforcement purposes and by the intelligence services. For instance, the Data Protection Act 2018 sets out six principles for personal data processing for law enforcement purposes:

  1. lawfulness and fairness of processing - the processing of personal data for any law enforcement purposes is lawful only if and to the extent that it is based on law, if there is the consent of the subject to processing for this purpose or if the processing is necessary for the performance of a task, performed for a law enforcement purpose by a competent authority;
  2. specific, explicit, and legitimate purposes of processing - the purposes of processing must be specific, explicit and legitimate. The data collected must not be processed in a manner incompatible with the purposes of the processing;
  3. adequate, relevant and not excessive personal data - the processing of data must be adequate, related to the purposes of processing and not excessive in relation to the purpose for which they are processed;
  4. accurate and up-to-date personal data - personal data must be accurate and up-to-date, corrected, clarified and deleted in a timely manner in accordance with the purposes of processing;
  5. restriction of the storage of personal data - not to be stored longer than necessary for processing, subject to regular review of the need for storage for any law enforcement purposes;
  6. adequate security of the processing of personal data - processing is carried out subject to the appropriate protection of personal data using appropriate technical or organizational measures (and in this principle, "appropriate security" includes protection against unauthorized or unlawful processing, as well as against accidental loss, destruction or damage).

The intelligence services - the Security Service, the Secret Intelligence Service, and the Government Communications Headquarters - shall process personal data following six similar principles. Each principle also has a description.

As seen from the above provisions, European legislation establishes more specific principles for regulating relations in personal data protection. These principles are essential and even paramount for the protection of personal data. Drawn up in legislative acts precisely as principles, fundamental provisions, and not conditions for the performance of individual duties, they play the role of a "conductor" for any persons involved in legal relations for collecting, processing, and protecting personal data.

Conclusion

Because the principles of collecting, processing, storing, and transferring personal data by owners and operators of databases, both private and public, are insufficiently specified at the legislative level, third parties are able to access the personal information of data subjects and use it for advertising, user profiling, location tracking and other purposes.

In current conditions of globalization and the real-virtual convergence of a technological society, new technologies will profoundly interfere with the personal life of every person (Althabhawi N.M., Zainol Z.A., Bagherib P. 2022 : 44). The ongoing development of technology will make the exchange of personal information inevitable and necessary for participation in the life of modern society (Saglam R.B., Nurse J.R.C., Hodges D. 2022 : 15). Considering the constant development of information and communication technologies, smart homes, smart cities (Smart City) and other smart objects, the Internet of Things, Artificial Intelligence, and robotization of socio-economic and public-power processes, society may face new legal problems. Singaporean authors (Araz T., Si Min Lim H. 2019 : 119), having analyzed the risks associated with the processing of personal data when using autonomous vehicles (for example, electric vehicles), noted that the risks could be eliminated by adopting new laws on the protection of personal data and developing recommendations on the principles of confidentiality. The foundations of many legal principles and theories should be revised following the new realities created by the new era (Althabhawi N.M., Zainol Z.A., Bagherib P. 2022 : 52). Modern foreign laws have already enshrined new principles applicable to protecting personal data, such as Privacy by Default and Privacy by Design.

The widespread use of advanced information and communication technologies and intensive and extensive data analysis in the commercial and public spheres require a revision of ethical and legal principles (Raab Ch. 2020 : 6). Effective personal data protection requires regulatory principles “that can remain resilient to rapid change, simple in the face of often unfathomable complexity, and uniform across a range of individual innovations” (Raab Ch. 2020 : 14).

The legal structure of fixing the principles of law in a normative legal act plays an important role in practice (Demichev 2014 : 5). The personal data protection principles, formulated in European legislative acts as principles-norms, have become the product of “legal consolidation of an objectively established or desirable practice for the implementation of legal norms”, “have universality, supreme imperativeness and general validity” (Voplenko 2013 : 6). As H. Vrabec points out (Vrabec H. 2021 : 33), these principles establish “boundaries for data processing and provide instructions for controllers and data processors to process personal data lawfully and responsibly.” The law should establish these principles precisely as the main provisions or principles of the law on the protection of personal data since personal data is an integral element of the constitutional right to inviolability of the person and private life, and “each independent right has its principles of restrictions” (Romanovskii 2001 : 34).

Considering the principles of personal data protection reflected in national and foreign legislation, we can draw the following conclusions.

Unlike Kazakhstani legislation, European provisions regarding all actions of controllers, operators and third parties with personal data, as well as their obligations, are based on regulatory principles.

Despite the successful digitalization of Kazakhstani society and the adoption of a special Law “On Personal Data and their Protection”, many of its elements do not meet international standards. The national legislation on personal data protection has no strategic vision of movement towards the adoption of the critical principles of the European General Data Protection Regulation (GDPR) (Gusarova A., Dzhaksylykov S. 2021 : 5).

The principles of law are the basis for legislation. Principles are guiding ideas not only for fixing them in law but also for implementation. The principles of law set the direction and vector of law enforcement and observance of the right to personal data protection. The principles lay the foundation for all legislation and law enforcement and serve as the basis for any legal relationship, the rights and obligations of its parties, and actions enshrined in legislation now or in the future. In other words, the principles provide "the unity of lawmaking, interpretation and implementation of legal norms; they are the value guidelines for the creation and implementation of the law" (Voplenko 2013 : 7). Therefore, for uniform law enforcement and ensuring the realization of the right to protection of personal data and privacy, it is crucial to consider the regulatory principles of European legislation as much as possible and enshrine them in Kazakhstani legislation.

References

Constitutional Council of the Republic of Kazakhstan. “The Constitution of the Republic of Kazakhstan. Scientific and practical commentary [Konstituziya Respubliki Kazakhstan. Nauchno-Prakticheskii Kommentarii].” Ed. by I.I. Rogov, Astana (2018): 640 (in Russian). ISBN 978-601-06-4944-6. UDK 342(035.3)

Data Protection Act 2018 - [electronic resource]. - URL: (access date 15.04.2023)

Demichev A. “Positivist classification of the principles of modern Russian law [Pozitivistskaya klassifikaziya prinzipov sovremennogo rossiyskogo prava].” Gosudarstvo i pravo. No. 5. (2014): 5-13 (in Russian).

Gusarova A., Dzhaksylykov S. “Personal Data Protection in Kazakhstan 2.0: Digital Footprint of Covid-19 [Zashchita personalnykh dannykh v Kazakhstane 2.0: Zifrovoi sled Covid-19].” Soros-Kazakhstan Fund (2021) (in Russian) - [electronic resource]. - URL: https://www.soros.kz/wp-content/uploads/2021/03/Personal-Data_Covid-Implications.pdf (access date 15.12.2022)

Ministry of Justice of the Republic of Kazakhstan "Annual review of the human rights situation in the Republic of Kazakhstan" (2022) (in Russian) - [electronic resource] - URL <https://www.gov.kz/uploads/2022/9/12/97dffcf184945d7c14377ac9e7fbb882_original.1469423.pdf> (access date 15.04.2023)

Nabeel Mahdi Althabhawi, Zinatul Ashiqin Zainol, Parviz Bagherib. “Society 5.0: A New Challenge to Legal Norms”. Sriwijaya Law Review Vol. 6, Issue 1. (2022): 41-54 [electronic resource]. - URL: http://journal.fh.unsri.ac.id/index.php/sriwijayalawreview/article/view/1415/pdf (access date 30.01.2023)

Open dialog eGov 2022a (in Russian) - [electronic resource]. - URL: https://dialog.egov.kz/blogs/all-questions/758957 (access date 18.01.2023)

Open dialog eGov 2022b (in Russian) - [electronic resource]. - URL: https://dialog.egov.kz/blogs/all-questions/582584 (access date 18.01.2023)

Open dialog eGov 2022c (in Russian) - [electronic resource]. - URL: https://dialog.egov.kz/blogs/all-questions/702238 (access date 18.01.2023)

Open dialog eGov 2022d (in Russian) - [electronic resource]. - URL: https://dialog.egov.kz/blogs/all-questions/700318 (access date 18.01.2023)

Open dialog eGov 2022e (in Russian) - [electronic resource]. - URL: https://dialog.egov.kz/blogs/all-questions/727791 (access date 18.01.2023)

Open dialog eGov 2022f - [electronic resource]. - URL: https://dialog.egov.kz/blogs/all-questions/724888, https://dialog.egov.kz/blogs/all-questions/724882, https://dialog.egov.kz/blogs/all-questions/691916 (access date 18.01.2023)

Order of the Ministry of Digital Development, Innovation, and Aerospace Industry of the Republic of Kazakhstan dated 21 October 2020 No. 395/NQ “On approval of the Rules on collection, processing of personal data [Ob utverzhdenii Pravil sbora, obrabotki personalnykh dannykh].” (in Russian) - [electronic resource]. - URL: <https://adilet.zan.kz/rus/docs/V2000021498> (access date 17.01.2023).

Personal Data Protection Act of the Republic of Estonia 2007 - [electronic resource]. - URL: https://www.riigiteataja.ee/en/eli/523012019001/consolide (access date 15.04.2023)

Raab, Charles. “Information privacy, impact assessment, and the place of ethics”. Computer Law & Security Review Vol.37. (2020):1-16 - [electronic resource]. - URL: https://doi.org/10.1016/j.clsr.2020.105404 (access date 15.04.2023)

Rahime Belen Saglam, Jason R.C. Nurse, Duncan Hodges. “Personal information: Perceptions, types and evolution”. Journal of Information Security and Applications, Volume 66, 2022, 1-31, [electronic resource]. - URL: https://doi.org/10.1016/j.jisa.2022.103163 (access date 10.02.2023).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 2016 – [electronic resource]. – URL: <https://eur-lex.europa.eu/eli/reg/2016/679/oj> (access date 12.04.2022)

Romanovskiy G. “Right to privacy [Pravo na neprikosnovennost chastnoi zhizni].” Moscow MZ-Press (2001) : 312 (in Russian) ISBN 5-94073-018-3 - [electronic resource]. - URL: https://library.khpg.org/files/docs/1430850257.pdf (access date 15.04.2023)

Sætra, Henrik Skaug. “The ethics of trading privacy for security: The multifaceted effects of privacy on liberty and security”. Technology in Society Volume 68. (2022):1-10, - [electronic resource]. - URL: https://doi.org/10.1016/j.techsoc.2021.101854 (access date 02.03.2023).

Solove, Daniel J. “Murky Consent: An Approach to the Fictions of Consent in Privacy Law”. Boston University Law Review (Forthcoming): 1-51 [electronic resource]. - URL: http://dx.doi.org/10.2139/ssrn.4333743 (access date 24.02.2023)

Sputnik-Kazakhstan 2022a - [electronic resource]. - URL: https://ru.sputnik.kz/20221019/tsifrovoy-kazakhstan-strana-vzletaet-v-reytingakh-razvitiya-digital-sfery-28609363.html (access date 19.01.2023)

Sputnik-Kazakhstan 2022b - [electronic resource]. - URL: https://ru.sputnik.kz/20221014/kazakhstan-vkhodit-v-tridtsatku-samykh-otsifrovannykh-stran-oon--tokaev--28483227.html (access date 19.01.2023)

“Strategy "Kazakhstan-2050": a new political course of an established state.” - [electronic resource]. - URL: <https://adilet.zan.kz/rus/docs/K1200002050> (access date 23.01.2023)

Taeihagh, Araz, Hazel Si Min Lim. “Governing autonomous vehicles: emerging responses for safety, liability, privacy, cybersecurity, and industry risks”. Transport Reviews Vol. 39, Issue 1. (2019):103-128 [electronic resource]. - URL: <https://doi.org/10.1080/01441647.2018.1494640> (access date 12.04.2023)

Voplenko N.N., Rudkovskiy V.A. “Ponyatiye I klassifikaziya prinzipov prava [The concept and classification of the principles of law].” Vestnik Volgogradskogo Gosudarstvennogo Universiteta 5 no 1(18) (2013) : 5-11 (in Russian) - [electronic resource]. - URL: https://cyberleninka.ru/article/n/ponyatie-i-klassifikatsiya-printsipov-prava-1 (access date 18.04.2023).

Vrabec, Helena “Data Subject Rights under the GDPR” Oxford Scholarship Online July (2021). Print ISBN-13: 9780198868422. DOI:10.1093/oso/9780198868422.001.0001
