A new Law On Amendments to Certain Legislative Acts on Informatization in Kazakhstan (hereinafter the Informatization Law) was published on 26 November 2015 and made some amendments to the Law on Personal Data and Protection Thereof dated 2013 (hereinafter the Personal Data Law).

Personal data localization

Under the Informatization Law, owners, operators of databases containing personal data and third parties shall store personal data on the territory of Kazakhstan (personal data localization requirement).

Neither the Personal Data Law, nor the Informatization Law identifies persons to whom the new rule applies. Generally, Kazakhstani laws are effective within the territory of Kazakhstan. It means that the new localization requirement applies to companies established in Kazakhstan, sole proprietors in Kazakhstan as well as representative offices and branches of foreign companies.

So the question then arises does the requirement to store personal data on the territory of Kazakhstan extends to foreign companies without any legal presence in Kazakhstan, whose operations are aimed at Kazakhstan and whose websites are accessible in the territory of Kazakhstan (e.g. Internet companies)? If one considers the issue from a perspective of website accessibility in Kazakhstan, this would mean that Kazakhstani laws apply globally, which would make enforcement of the laws impossible to control.

When drafting the Informatization Law, the Ministry of Transport and Communications of Kazakhstan stated that the localization requirement should not apply to any relations outside Kazakhstan, but should apply to Internet resources supported by hardware located in Kazakhstan.

At the present time, there are a number of issues about the procedure for implementation of the localization requirement that remain unclear. Kazakhstani laws do not identify the segment of the Internet which falls under the state jurisdiction (e.g. hardware located on the territory of Kazakhstan, hosting a website, etc.). Law enforcement authorities may insist that the localization requirement applies also to owners of Internet resources whose supporting hardware is located on the territory of Kazakhstan.

Based on this, we sent an inquiry to the author of the Informatization Law and to the Committee on Communications, Information and Informatization of the Ministry of Investment and Development of Kazakhstan concerning the procedure for implementation of the localization requirement. In addition to the question about businesses to which the requirement applies, we asked the following questions:

  • Is the localization requirement limited to personal data which has been obtained by a company in the course of activities aimed at collecting such data, and not as a result of accidental (unrequested) receipt of personal data (e.g. through providing services as an information intermediary)?
  • Does the localization requirement apply to data collected before the effective date of the Information Law, if such data is amended thereafter?

Cross-border transfer of personal data

The provisions on cross-border transfer of personal data remain unchanged. It is assumed that personal data stored on the territory of Kazakhstan may be further transferred to databases located outside Kazakhstan and operated by third parties in compliance with regulations on cross-border transfer of personal data (receipt of consent from personal data subjects).

Administrative liability for violations of the personal data localization requirement

The newly adopted regulations do not introduce special responsibility for violation of the requirement of localization of personal data. Entrepreneurs may bear general liability for violation of the terms of personal data processing (processing, includes, inter alia, storage of personal data). The responsibility for this violation is provided for in the form of a fine in the amount of about US $195 - US $650. By a decision of the court, confiscation of subjects of the administrative offense is also possible.

Individuals can be held criminally liable for violating the terms of the storage of personal data in the event of substantial harm to the rights and interests of the personal data owner. Substantial harm may include, for example, the emergence of a difficult situation for the affected person, property damage caused to the personal data owner. Criminal liability is provided for in the form of a fine (up to US $12,900), or correctional labor or restriction of liberty, imprisonment for up to two years.

The localization requirement for personal data storage will come into effect on 1 January 2016.

We will update you accordingly when the reply from the governmental authorities of Kazakhstan is received.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.