The government of the Republic of Kazakhstan has announced that Kazakhstan’s framework data protection law, Law No. 94-V (unofficial English version), has been enacted and will be effective as of November 25, 2013. Kazakhstan is now the second country in Central Asia to enact a data privacy law.

The new statute governs the protection of human rights in the collection and processing of personal data in Kazakhstan. Law No. 94-V will operate in conjunction with existing regulatory rules for data processing, in contrast with the old version of the law, which regulated personal data protection on a sector-specific basis. Law No. 94-V does not appoint a central data protection authority; instead, each state agency is expected to supervise data protection practices within the industry or government sector for which it is responsible.

The key provisions to note from Law 94.V are as follows:

  • Personal data is defined as any information that identifies an individual, including biometric data
  • A database operator (data controller) is defined to include any government agency, business or individual
  • Consent must be obtained prior to the collection of any personal data, except when in accordance with international treaties, by law enforcement agencies and courts, or for the purposes of government statistics
  • Collection, use and storage of personal data must be limited to that which is strictly necessary for the relevant purpose notified to the individual
  • Individuals must be notified prior to any transfer of personal data to any third parties
  • Cross-border transfers of personal data are permitted, provided the country to which data is transferred is deemed to have adequate protection laws in place
  • Data processing does not include personal data collected for personal family circumstances or government national security purposes

The State Prosecutors Office will supervise compliance with Law 94.V, including enforcement in accordance with the fines set out under Article 84-1 of the Code of Administrative Offences (the Code). The Code sets out a scale of fines measured in monthly calculation indexes (MCIs). For illegal data collection and processing, individuals and small to medium-sized businesses could face a fine of 50 MCIs ($556), whilst large businesses can be fined up to 100 MCIs ($1,130). Failure to take technical measures to secure personal data can result in fines of up to 100 MCIs ($1,130) for individuals, 200 MCIs ($2,260) for small to medium businesses, and 300 MCIs ($3,390) for large businesses. Article 142 of the Criminal Code further stipulates that any serious violation of the new privacy law can result in fines of between 400-700 MCIs ($4,520-$7,910). Any substantial harm caused to an individual as a result of a failure to implement adequate security measures can cause a fine of up to 1000 MCIs ($11,300) and prison terms of up to three years, increasing to 2000 MCIs ($22,600) and five years’ imprisonment if committed by a government official or business executive.

To help database operators avoid facing these hefty penalties, a short set of guiding regulations (unofficial English version) have been drafted to implement the new privacy law. Database operators will have three months from the date of enactment (25 November 2013) to ensure they are in compliance with the new privacy law.