On Aligning Kazakhstan’s Data Protection Legislation with GDPR to Enhance Digital Trade
Introduction
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in 2016 and has applied since 25 May 2018. Its purpose is to strike a balance between the right to the protection of personal data, which the EU treats as a fundamental right, and the freest possible flow of data [1]. The GDPR's global significance lies in its extraterritorial scope: it applies to organisations that process the personal data of individuals located in the EU, regardless of where the organisation is established, whenever they offer goods or services to those individuals or monitor their behaviour. This has prompted many non-EU states and companies to align their data protection practices with GDPR standards.
As of January 2024, 11 jurisdictions had passed the European Commission's (EC) 'adequacy assessment' [2], meaning they are recognised as providing a level of data protection adequate under the GDPR and can receive the personal data of individuals located in the EU without further safeguards. Kazakhstan, a growing digital trade hub with good prospects for cooperation with the EU, was not among the jurisdictions assessed; even if it had been, its data protection legislation would not meet the GDPR's adequacy standard. That shortfall is a significant barrier to Kazakhstan's digital trade ambitions with the EU. By aligning its data protection framework with the GDPR, Kazakhstan can unlock new economic opportunities and enhance its international standing.
EU’s GDPR and Data Protection in Kazakhstan
The GDPR allows unrestricted data flow within the European Economic Area (EEA). Transfers of personal data outside the EEA are restricted by Chapter V of the GDPR: the simplest route is an EC adequacy decision for the receiving country [3], and in its absence the exporter must rely on appropriate safeguards such as standard contractual clauses or binding corporate rules, or on narrow derogations. Adequacy is assessed by comparing the level of data protection in the receiving country with that of the EU. The Court of Justice of the European Union (CJEU) clarified in its Schrems II judgment that adequacy does not require legislation identical to the GDPR, but legislation that guarantees a level of protection "essentially equivalent" to that of the EU [4].
Data protection in Kazakhstan is primarily governed by the Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Its Protection" of 21 May 2013 (PDP Law) [5]. It falls short of the GDPR's adequacy standard in five areas: principles of data processing, consent requirements, data transfer restrictions, intelligence activities, and enforcement and sanctions.
1. Principles of data processing
Article 5 of the GDPR sets out six principles relating to the processing of personal data: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality. Article 5 of Kazakhstan's PDP Law, by contrast, lists five principles: (1) observance of the constitutional rights and freedoms of the person and citizen; (2) legality; (3) confidentiality of personal data of limited access; (4) equality of the rights of subjects, owners and operators; (5) "ensuring the safety of the individual, society and the state" [6].
When assessed for essential equivalence, the Kazakhstani principles of (1) observance of constitutional rights and freedoms, (2) legality and (4) equality of the rights of subjects, owners and operators together match the GDPR's principle of (1) lawfulness, fairness and transparency. The principles of (3) confidentiality of personal data of limited access and (5) ensuring the safety of the individual, society and the state partly match the GDPR's (6) integrity and confidentiality principle, although "safety" would need to be defined in terms of data security to reach equivalence with integrity. The GDPR's principles of (2) purpose limitation, (3) data minimisation, (4) accuracy and (5) storage limitation are not stated as principles anywhere in Kazakhstan's PDP Law.
Articles 7(8), 7(9) and 12(1) of the PDP Law and Government Resolution No. 1214 of 12 November 2013 [7] do cover purpose limitation and data minimisation in substance, but owing to low legal literacy these provisions are not enforced in practice [8]. The PDP Law states that the content of personal data must not be excessive relative to the objectives of processing, so processing must correspond to the purposes for which the data were collected, and the Resolution clarifies that such purposes must be "unambiguous, legal and correspond to the objectives of the owner and (or) operator" [9]. On paper, then, purpose limitation and data minimisation are met. Practice differs. Saule Akhmetova, Director of the Almaty branch of GRATA International, gives one of many examples: educational institutions routinely sign educational services contracts with students or their guardians that collect "the child's full name, date of birth, address, maybe birth certificate, parents' names, numbers of their ID cards, contacts, including contacts at their place of work", and often the parent's individual identification number (IIN) [10]. The IIN clearly exceeds what the purpose of the contract requires, yet such contracts are common precisely because of the lack of legal literacy.
Enforcement compounds the problem. The Ministry for Digital Development, Innovations and Aerospace Industry of Kazakhstan (MDD), which is responsible for enforcing the PDP Law, does not proactively audit entities' personal data protection; it acts only on complaints. Because very few people in Kazakhstan are aware of their data privacy rights, cases of misconduct rarely reach the authorities. In January 2021 the State Technical Service of the National Security Committee was tasked with inspecting personal data security [11], but the effectiveness of that measure has yet to be demonstrated.
All of this is to say that even where the GDPR's principles are present in local legislation without being named as principles, their enforcement is far from meeting the GDPR's expectations.
2. Consent requirements
The GDPR requires consent to be freely given and informed for it to be lawful. Art. 4(11) of the GDPR defines the 'consent' of the data subject as "any freely given, specific, informed and unambiguous indication of the data subject's wishes". Art. 8 of the PDP Law requires consent to be unambiguous and specific, but says nothing about consent being given free of external pressure or on an informed basis, and in practice data subjects are not told the purposes for which their data are collected. It is common for businesses to operate without requesting consent to the collection and processing of personal data, without explaining what data are actually needed to provide their services, and without disclosing the terms and security of data storage [12]. The slim consent requirements of Kazakhstan's PDP Law would not meet those of the GDPR.
3. Data transfer restrictions
Like the GDPR's restrictions on transferring the personal data of individuals located in the EU outside the EEA, Article 16 of the PDP Law requires that a cross-border transfer of personal data to a foreign state be made only where that state ensures protection of personal data in accordance with the PDP Law, essentially the GDPR's adequacy requirement. However, the PDP Law also permits transfers to countries without adequate protection in certain cases, such as to protect Kazakhstan's constitutional order or public health. This creates a risk for personal data transferred from the EU to Kazakhstan: the local government could decide that an onward, unprotected cross-border transfer of that data is needed to protect the constitutional order of Kazakhstan. The GDPR aims to protect the personal data of individuals located in the EU wherever it goes; since Kazakhstan cannot guarantee that protection for onward transfers, its data transfer rules would not meet the GDPR's adequacy standard.
4. Intelligence activities
In Schrems II, one of the main grounds on which the CJEU invalidated the EU-US Privacy Shield was US surveillance [13]. US surveillance programmes such as PRISM and UPSTREAM go beyond what is strictly necessary and proportionate, leading to a disproportionate interference with the rights to data protection and privacy [14]. Kazakhstan's PDP Law does not apply to "the collection, processing, and protection of personal data for intelligence, counterintelligence, operational and investigative activities". Given the reasoning behind the invalidation of the Privacy Shield, this carve-out is a likely area of non-compliance with the GDPR's standards.
5. Enforcement and sanctions
Beyond the requirement that intelligence activities be necessary and proportionate, foreign legislation must provide sufficient guarantees for the protection of personal data, including sanctions for non-compliance comparable in effect to those in the EU. Under the GDPR, data protection authorities (DPAs) may impose fines of up to €20 million or 4% of the business's total annual worldwide turnover, whichever is higher [15]. In contrast, criminal liability for improper collection and processing of personal data in Kazakhstan includes fines of up to 2,000 Monthly Calculation Indices (approximately €15,000 in 2024) [16]. While that fine is high by Kazakhstani standards, it is nowhere near as dissuasive as a GDPR fine.
Economic and Trade Implications
Digital trade is the sale of goods and services over digital networks. Kazakhstan has made strong moves to improve its digital trade. E-commerce is projected to account for 20% of total retail by 2030, so the government is developing infrastructure to support the growth of domestic online stores and to enable Kazakh products to reach foreign e-commerce platforms [17]. Significant investments have been made in blockchain technologies and digital currencies, alongside the passing of digital asset regulations [18]. Even so, Kazakhstan stands to benefit greatly from cooperation and digital trade with the EU.
Kazakhstan is working with the EU and the International Trade Centre (ITC) on the Ready4Trade Central Asia project to help micro, small and medium enterprises (MSMEs) digitise [19]. This will allow more MSMEs to establish an online presence and expand into overseas markets. The same project is also partnering with the United Nations Conference on Trade and Development (UNCTAD) to review and enhance existing e-commerce legislation [20]. Ready4Trade has promising potential, but for the economy to take full advantage of it, Kazakhstan must revisit and reform its personal data protection legislation.
International data transfer is an essential part of digital trade and is necessary for the provision of digital services. Falling short of the GDPR's adequacy standard could limit Kazakhstan's digital trade with foreign nations, especially EU member states. It may result in restrictions on the transfer of personal data from the EU to Kazakhstan, hindering the data flows on which e-commerce transactions, digital services and other online activities between businesses in the EU and Kazakhstan depend. Furthermore, businesses in the EU and worldwide may be reluctant to engage in digital transactions with Kazakhstan if they have concerns about the protection of personal data.
Navigating towards Compliance
Amendments to the principles of data processing, the consent requirements and the cross-border transfer restrictions should not meet resistance from the authorities and are likely to be welcomed, given the interest the government has shown in digitalising business and expanding trade. Enforcement of legislation and the limited scale of sanctions, unfortunately, are national problems on which predictions are difficult. There have been efforts to reduce corruption, and sanctions have been tightened in some cases, but much more work is needed as a society to address these persistent problems.
The GDPR's requirement that intelligence activities be necessary and proportionate is likely to be the area of greatest contention. The US has twice had its adequacy arrangements (Safe Harbour and the Privacy Shield) invalidated by the CJEU over its intelligence activities, and although the EC adopted an adequacy decision for the EU-US Data Privacy Framework in July 2023, Sergi Batlle's and Arnaud van Waeyenberge's legal assessment in the European Journal of Risk Regulation [21] casts doubt on whether it will withstand the same challenge. Kazakhstan would fail an adequacy assessment on similar grounds. It is also important to note that while the right to personal data protection is a fundamental right in the EU, it is not in the US [22], nor in Kazakhstan. Geopolitical and cultural attitudes towards personal data privacy are markedly different, complicating Kazakhstan's path to meeting GDPR standards.
Conclusion
Personal data privacy law is still a young field and is likely to see many developments as globalisation and digital trade grow, but the GDPR is widely respected for protecting privacy while enabling the smooth exchange of data. Kazakhstan shows considerable potential to become an important player in digital trade, but it will continue to face barriers until its personal data privacy legislation lives up to GDPR standards. Kazakhstani legal scholars and professionals at international law firms such as GRATA International and Dentons, and at consulting firms such as Deloitte, are aware of the discrepancies, as shown by the publications of Saule Akhmetova, Aliya Seitova and Victoria Simonova assessing the existing legislation. The government, legislators, economists and legal professionals should therefore act in the interest of Kazakhstan's economy.
Bibliography
[1] Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), full text accessed May 25, 2024, https://gdpr-info.eu/.
[2] ActiveMind, “Adequacy Decision,” accessed May 25, 2024, https://www.activemind.legal/guides/adequacy-decision/.
[3] Data Protection Network, “International Data Transfers Guide,” accessed May 25, 2024, https://dpnetwork.org.uk/international-data-transfers-guide/.
[4] Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18, Court of Justice of the European Union (2020).
[5] Morgan Lewis, “Data Protection in Kazakhstan: Overview,” accessed May 25, 2024, https://www.morganlewis.com/-/media/files/publication/outside-publication/article/2023/data-protection-in-kazakhstan-overview.pdf.
[6] Republic of Kazakhstan, “On Personal Data and their Protection,” accessed May 25, 2024, https://adilet.zan.kz/eng/docs/Z1300000094.
[7] Republic of Kazakhstan, “On Approval of the Rules for Determining the List of Personal Data by Owner and (or) Operator Necessary and Sufficient for Fulfillment of Their Tasks,” accessed May 25, 2024, https://adilet.zan.kz/eng/docs/P1300001214.
[8] Dechert LLP, “Some Aspects of the Personal Data Protection Law in Kazakhstan,” Mondaq, May 17, 2023, https://www.mondaq.com/data-protection/1332632/some-aspects-of-the-personal-data-protection-law-in-kazakhstan.
[9] Republic of Kazakhstan, “On Approval of the Rules for Determining the List of Personal Data by Owner and (or) Operator Necessary and Sufficient for Fulfillment of Their Tasks,” accessed May 25, 2024, https://adilet.zan.kz/eng/docs/P1300001214.
[10] Dechert LLP, “Some Aspects of the Personal Data Protection Law in Kazakhstan,” Mondaq, May 17, 2023, https://www.mondaq.com/data-protection/1332632/some-aspects-of-the-personal-data-protection-law-in-kazakhstan.
[11] Dentons, “Kazakhstan Strengthens Personal Data Protection by Gradually Moving Toward GDPR Standards,” last modified January 28, 2021, https://www.dentons.com/en/insights/alerts/2021/january/28/kazakhstan-strengthens-personal-data-protection-by-gradually-moving-toward-gdpr-standards.
[12] Dechert LLP, “Some Aspects of the Personal Data Protection Law in Kazakhstan,” Mondaq, May 17, 2023, https://www.mondaq.com/data-protection/1332632/some-aspects-of-the-personal-data-protection-law-in-kazakhstan.
[13] Sergi Batlle and Arnaud van Waeyenberge, “EU–US Data Privacy Framework: A First Legal Assessment,” European Journal of Risk Regulation 15, no. 1 (March 2024): 191-200, https://doi.org/10.1017/err.2023.67.
[14] European Parliamentary Research Service, “The CJEU Judgement in the Schrems II Case,” European Parliament, last modified September 15, 2020, https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.
[15] Ben Wolford, “What are the GDPR Fines?,” GDPR.eu, last modified August 6, 2018, https://gdpr.eu/fines/.
[16] Morgan Lewis, “Kazakhstan Adopts Personal Data Protection Law,” Morgan Lewis Publications, July 3, 2013, https://www.morganlewis.com/pubs/2013/07/ip_lf_kazakhstanadoptspersonaldataprotectionlaw_03july13.
[17] Government of Kazakhstan, “Kazakhstan Plans to Increase Share of E-Commerce to 20% by 2030,” PrimeMinister.kz, May 17, 2023, https://primeminister.kz/en/news/kazakhstan-plans-to-increase-share-of-e-commerce-to-20-by-2030-26975.
[18] The Astana Times, “Future of Digital Assets: Is Kazakhstan Ready for Web 3.0 Business?” The Astana Times, May 10, 2023, https://astanatimes.com/2023/05/future-of-digital-assets-is-kazakhstan-ready-for-web-3-0-business/.
[19] European External Action Service, “Supporting Inclusive Development through Trade and Digitalization: Kazakhstan − Ready4Trade Central Asia,” last modified July 12, 2020, https://www.eeas.europa.eu/delegations/kazakhstan/supporting-inclusive-development-through-trade-and-digitalization-kazakhstan-%E2%88%92-ready4trade-central_en.
[20] Ibid.
[21] Batlle and van Waeyenberge, “EU–US Data Privacy.”
[22] Ibid.