• Insights

Kazakhstan – The impact of the GDPR outside the EU

Written by
AEQUITAS Law Firm, the top labour and employment practice in Kazakhstan.
Since August 2019 Kazakhstan has been preparing a draft law that includes amendments to the data protection regime in the country based on the GDPR and the introduction of a specialised agency responsible for personal data protection.

The Enhanced Partnership and Cooperation Agreement (the ‘Agreement’) between the European Union and its member states and the Republic of Kazakhstan was signed on 21 December 2015. The Agreement was ratified by Kazakhstan on 25 March 2016 and it has been temporarily applied since 1 May 2016 according to a verbal statement from the European Union. Pursuant to Article 237 of the Agreement:

‘The Parties shall cooperate in order to ensure a high level of protection of personal data, through the exchange of best practices and experience, taking into account European and international legal instruments and standards. This may include, where appropriate and subject to applicable procedures, accession to, and implementation of, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional Protocol by the Republic of Kazakhstan’ (‘Convention 108’).

As of September 2019, Kazakhstan has not yet acceded to Convention 108.

In 2018 and 2019, the issues around implementing GDPR standards were actively discussed by legal advisors, representatives of business, governmental authorities and the media at various conferences and seminars and huge number of articles were prepared on this issue.

During discussions, representatives of governmental authorities, including the Deputy Chairman of the Information Security Committee of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan, often mentioned the problems of enforcing violations of personal data legislation and the great number of gaps in Kazakhstan’s Law on Personal Data and Protection Thereof (‘Data Protection Law’), as well as the absence of a single authorised governmental agency on personal data protection (the role of which could include studying international best practice on personal data protection and the introduction of these practices in Kazakhstan).

Kazakhstan’s legal databases contain a file with a draft Law on ‘the Introduction of Amendments into Certain Legislative Acts of the Republic of Kazakhstan on the Issues of Digital Technologies Regulation’ (the ‘Draft Law File’).  As of August 2019, the Draft Law File provides for the introduction of amendments into a great number of laws and codes of Kazakhstan, including into the Data Protection Law. The Draft Law File contains references to the GDPR as the examined international practice. According to the Draft Law File, an authorised governmental agency dealing with personal data issues has been proposed.

In view of the above, we believe that in the years to come, Kazakhstan will gradually work on harmonisation of the national rules on personal data protection with GDPR standards.

To date, no Kazakhstan companies have faced GDPR enforcement.

Yekaterina Khamidullina
Partner - Kazakhstan