Kazakhstan has enacted a new data protection law which is due to come into force at the end of November. Ukraine has enacted amendments to its data protection law which are due to come into force in January 2014.

Kazakhstan’s new data protection law, The Law of Republic of Kazakhstan No. 94-V, “On Personal Data and Its Protection” (May 21, 2013) (PDP), introduces a new regulatory framework governing how personal data is collected, used, disclosed, transferred and destroyed, and applies to the public sector, businesses and to individuals.

The PDP will require “database owners” and “database operators” to create a list of the personal data required for each purposes for which it will be processed, and use of third parties to process data will only be permitted if they are also subject to data protection requirements relevant to the processing they will perform. Individuals must provide consent for the processing of their data, except in certain limited circumstances. Transfers of personal data are permitted to countries that ensure adequate level of protection, including to members of the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Transfers to other countries will require individuals’ consent. Compliance failures/breaches are subject to administrative (civil) penalties as well as criminal penalties and imprisonment of up to five years.

Ukraine enacted fundamental changes to its existing data protection law in July, with the changes coming into force 1 January 2014. The Law of Ukraine “On Amending Certain Legislative Acts of Ukraine Regarding Improving the System of Personal Data Protection” No. 383-VII, dated July 3, 2013 (Amendments) abolishes the Data Protection Office, the current regulatory entity, and transfers regulatory oversight to Ombudsman. The changes aim to bring Ukrainian law into compliance with European Union standards (even though Ukraine is not a member of the European Union) by establishing an independent supervisory authority for data protection.

The Amendments introduce other changes to Ukraine’s data protection regime, including that businesses will no longer have to register their databases, but instead must notify the Ombudsman only where the processing of personal data will result in a “special risk” to a “data subject’s” rights and freedoms. Data controllers will be able to automatically process data where necessary to fulfil legal obligations. In addition, consent will be clarified and biometric and genetic data are recognised as sensitive personal data. The Amendments also introduce new data subjects’ rights, including the right to know the sources collecting data and its location. The Amendments have not changed the provisions relating to transfers of personal data, so transfers are still subject to consent or may only be transferred to adequate protection countries.

The Amendments require the Ombudsman to adopt secondary regulations addressing the types of personal data that will be considered a “special risk” for “data subjects” rights and freedoms, as well as the method and manner of notifying it. The Amendments also require certain business sectors to develop and agree codes of conduct governing the processing of personal data.