Active use of the Internet—in particular social networks—by users in Kazakhstan, where the information contains personal data (i.e. name, date of birth, residential address, place of work/study, personal photos, etc.); the growing number of cases of leaked personal data; concerns regarding "Internet surveillance" on the part of some states about nationals of other states – all these elements have set the scene for the initiation of a legislative requirement for "localization of personal data" in Kazakhstan.
Such measures have proved controversial when introduced in other countries. Although proponents of these rules say that they are necessary to protect against foreign threats to information security, critics describe them as leading to potential restrictions on freedom of information, loss of privacy and the facilitation of State surveillance and censorship.
It is planned to add to the RK Law dated 21 May 2013 No. 94-V "On Personal Data and Protection Thereof" (hereinafter referred to as "the Law") a rule obliging owners and/or operators to keep personal databases in the territory of Kazakhstan (proposed changes are underlined):
1 Article 12 of the Law: Accumulation and Storage of Personal Data 1. Accumulation of personal data shall be carried out by collecting personal data, necessary and sufficient to accomplish the tasks carried out by the owner and/ or operator, as well as by a third party.
2. Storage of personal data shall be carried out by the owner and/ or operator, as well as by a third party in the database, which is kept in the territory of the Republic of Kazakhstan.
The period of storage of personal data shall be determined by the date of the achieving the objectives of the data collection and processing, unless otherwise provided by the legislation of the Republic of Kazakhstan".
To date, Kazakhstan operators and/or owners of the databases that contain personal data are typically registered abroad and, as a consequence, they maintain the databases outside the jurisdiction of the Republic of Kazakhstan (such operators and owners, for example, are Google, Microsoft, Facebook, Apple, VKontakte, etc.). In such cases, law enforcement agencies are deprived of direct access to the personal data of RK citizens. It is argued that this creates a threat to the informational security of the country. The aim of the planned changes is to prevent the moving and storage of personal data outside of the Republic of Kazakhstan.
The requirement for "localization of personal data" exists in China and India, where the storage of sensitive data (medical data of citizens; information about political, religious and sexual preferences of citizens) outside the country is prohibited. In 2014 in Russia, amendments to the Federal Law on Personal Data dated 27 July 2006 No. 152-FZ were adopted. Thus, starting from 1 September 2015, personal data of Russian citizens may only be stored on servers located on the territory of the Russian Federation.
In Kazakhstan, it is expected that the requirement for localization of personal data will apply to all companies (including subsidiaries), as well as to branches and representative offices of foreign companies. The amendments will materially affect transnational companies working with large amounts of personal data. Such companies include banks; travel agencies; companies engaged in international passenger transportation; companies which use IT-infrastructure-based services outside of Kazakhstan, for example, web hosting, software, which is available online via the Internet; pharmaceutical companies that collect information about medical workers and patients, etc. The amendments would likely create business opportunities of local IT companies, as data storage and encryption services should be in demand.
As can be seen, the current proposed amendment to the Law is very simple, and many questions remain regarding the implementation of the requirement for personal data localization and possible implications for business in the country. Neither is it clear what the penalties for noncompliance will be. It is only known that the Majilis of the RK Parliament approved in the first reading on 22 April 2015, the draft RK Law on Amendments to Some Legislative Acts of the Republic of Kazakhstan on the Issues of Informatization, ,which contains the proposed amendment concerning localization of personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.