Kazakhstan Improves Its Data Protection Laws
By Nataliya Shapovalova,
Associate, Dentons Kazakhstan
A new law[i] regulating the collection and processing[ii] of personal information[iii], and defining the principles and legal framework for these activities, came into force on 26 November 2013. The Law clarifies issues relating to the collection and processing of personal information, significantly expanding Kazakhstan’s body of law in this area.
The Law remedies a number of deficiencies in legislation covering personal information. In particular, it establishes:
1) definitions of actions to be performed with personal information (collection, processing, dissemination, de-personalization, etc.);
2) definitions of entities involved in collecting and processing personal information (e.g., owner of personal information, owner of the database containing personal information, database operator, third parties);
3) circumstances in which collection and processing of personal information without the owner’s consent is permitted;
4) conditions for the cross-border transfer of personal information;
5) obligations for the de-personalization of data and subsequent destruction of personal information;
6) rights and duties of owners of personal information and owners and operators of databases containing personal information; and
7) the authority of government agencies regarding security and protection of personal information.
The Law has not changed the main principles of collecting and processing personal information that were established earlier by the Law on Informatization, i.e. that:
1) personal information may be collected and processed only with the consent of the owner of such personal information;
2) persons who collect and process personal information must ensure its confidentiality;
3) personal information may be processed only for the purpose stated at the time of its collection;
4) personal information may be disseminated/disclosed to third parties only with the consent of the owner of the personal information.
The above principles should be particularly taken into consideration when drafting a consent for collection of personal information. In addition to a statement of voluntary disclosure of personal information, such a consent should specify the purpose of the use of personal information and, if necessary, include consent to the disclosure of personal information to third parties.
The Law addresses the form that the owner’s consent to collection and processing of personal information should take. It also specifies that the owner (or his/her legal representative) must grant/withdraw this consent either (1) in writing, (2) via an electronic document, or (3) by other means involving security measures that conform to Kazakhstan’s law.[iv]
For 1), as a general rule, a transaction concluded ‘in writing’ must be signed by the parties or their representatives. Kazakhstan’s Civil Code also establishes transaction forms that are deemed to be equal to the written form.
For 2), consent in the form of an electronic document is, in our view, unlikely to be widespread. According to Kazakhstani law, an ‘electronic document’ is a document where information is provided in electronic-digital form and authenticated by means of an ‘electronic digital signature’.[v] The procedure for obtaining and updating electronic digital signatures[vi] in Kazakhstan is complex and transactions authenticated by a digital signature are not particularly popular.
For 3), ‘other means that make use of security measures’, neither the Law nor other Kazakhstani statutory instruments describe these means of obtaining consent or the requisite ‘security measures’. With the burgeoning popularity of e-commerce in Kazakhstan, it is increasingly common for sensitive personal data to be collected via website forms. In our opinion, the ‘other means’ of consent referred to above are drafted broadly enough to permit electronic consent to this form of data collection (for example, by use of a ‘check box’ in a website form), provided the wording of the consent is clear.
From the information owner’s perspective, legislators could have provided more clarity about the nature of the consent required. It is likely that businesses collecting data in this way will adopt practices which are widely used in e-commerce fields (such as the use of privacy policies, and confirmations required before transactions can be concluded). For any business engaging in e-commerce in Kazakhstan (which includes any site permitting electronic transactions from within Kazakhstan) or otherwise collecting personal data, it will be important to review policies and procedures to ensure that they are compliant with the Law.
Our interpretation is that the Law does not contain clear provisions about the period for storing personal information. The Law establishes that personal information must be destroyed upon termination of legal relations between the owner of the personal information and the owner or operator of the database containing personal information. It may be difficult to determine when legal relations between two parties ‘terminate’. For example, when a consumer purchases goods online, do legal relations terminate with delivery and acceptance of the goods, or upon expiry of an explicit or statutory warranty period? Collectors of personal information may also have a legitimate interest in retaining information beyond the termination of legal relations (for example to substantiate sales records for tax purposes).
If legal relations do not terminate, the storage period will be determined based on the date when the purpose for collecting and processing personal information is completed. However, it may often be difficult to determine the precise date of completion. If data is collected for ongoing marketing purposes, the period may be open-ended. We therefore recommend establishing a specific storage period for personal information in the wording of the consent.
In developing the Law, the Government of Kazakhstan adopted the ‘Rules to Protect Personal Data’[vii], which entered into effect on 26 November 2013. The Rules to Protect Personal Data establish general requirements for protecting the confidentiality of personal data and the period over which confidentiality obligations extend, and stipulate organizational, technical and legal measures for ensuring confidentiality. The Rules to Protect Personal Data require that owners, operators and third parties define the place where personal data is stored, the persons who collect and process this data, and the measures preventing unauthorized access to this data.
Owners and/or operators of databases containing personal information are obliged to bring their policies and procedures into compliance with the Law’s requirements within three months from the date of its enactment, i.e. before 27 February 2014.
[i] Law No. 94-V of the Republic of Kazakhstan On Personal Information and Its Protection dated 21 May 2013 (hereinafter the ‘Law’).
[ii] Actions related to the processing of personal information are rather extensively defined in the Law on Personal Information and include actions aimed at acquisition, storage, amendment, use, dissemination, depersonalization, blocking and destruction of personal information.
[iii] Personal information is defined in the Law on Personal Information as information related to a specific owner of personal information or owner of personal information identified on the basis of personal information, recorded in electronic, paper and/or other physical storage media.
[iv] Law on Personal Information, article 8.1.
[v] Law of the Republic of Kazakhstan On Electronic Document and Electronic Digital Signature dated 7 January 2003 No.370-II.
[vi] An electronic digital signature must be renewed annually.
[vii] The Rules on Performance by the Owner and (or) Operator, and the Third Party of Measures for Protection of Personal Data adopted by the Decree of the Government of the Republic of Kazakhstan dated 3 September 2013 No. 909 (hereinafter the ‘Rules on Performance of Measures for Protection of Personal Data’).