Kazakhstan is planning to adopt amendments to the law “On personal data and protection” before the end of 2021.
In June 2020, the country designated for the first time the authority responsible for personal data protection, Committee for Information Security, and a new kind of insurance activity was adopted, “voluntary cyber-insurance”, whose mechanism is yet to be determined. Moreover, penalties and punitive measures for illegal capture and/or processing of personal data were introduced. Also, the right to be forgotten was introduced meaning that personal data can be removed from open data sources.
In autumn 2021, the parliament discussed the question of expansion of authorities of the Office for personal data protection, including the right to hold violators of the personal data law liable.
According to the government, such measures contribute to protection of private data and control of malicious software. However, according to human rights defenders, it will lead to total censorship and full control over the internet.
Anna Gusarova, director of the Central Asian Institute for Strategic Studies, and Dana Mukhamedzhanova, deputy director of Graduate School of Law of the Narikbayev KAZGUU University, tell us about the changes in personal data protection for Kazakhstanis.
Article 145, “Right to one’s own image”, will be amended. The amendment suggests that the use and distribution of an image of another person (including photos, videos or works of visual art, where such person is depicted) are allowed upon consent of that person or their legal representatives, and after their death – upon consent of their heirs.
Such consent is not required if:
— the image of the person is captured at a location open to the public or at a public event (meetings, congresses, conferences, concerts, performances, sports competitions and similar events), except where such an image is the primary object of use;
— a person was posing for a fee;
— a person committed an administrative or criminal offence;
— a public servant or employee of a quasi-public sector performs official duties during working hours;
— it is required by law.
Moreover, a paragraph was added that dissemination of personal data to public sources, as well as the collection, processing and dissemination of personal data from public sources, is permitted with the consent of the subject or their legal representative. This wording places even greater responsibility on citizens and businesses, since it excludes public bodies and their activities, whereas the recent leaks of personal data in Kazakhstan were from government databases.
For more details on the amendments, please see “Open regulatory legal acts”.
The first package of amendments is rather limited, and the sphere of personal data protection remains unregulated. Therefore, it makes sense to expect that the second package of amendments will not be the last. The new sphere requires new solutions. However, amendments are not always the best strategy as it is important to make the personal data law work. But it is stalled so far.
Most of the amendments will affect small and medium businesses. Business entities will have to “submit information to the authority required to confirm their compliance with the personal data protection measures.” Thus, Ministry of Digital Development will have a legal opportunity to perform audits and preventive checks of all entities involved in the process of personal data collection and processing.
Citizens will have a wider opportunity to withdraw or consent to the use of their personal data, to check where their personal data are kept. Moreover, the last revision includes the obligation to notify the data owner of who requested access to their personal data kept in the e-government system.
Among positive changes related to amendments, Kazakhstan has appointed the authority responsible for personal data protection – the Committee for Information Security.
Citizens can contact the Ministry of Digital Development to ask for a special check if they find any facts of illegal collection and leak of personal data. It can be done by e-mailing at moap@mdai.gov.kz, or via the e-government website (section E-requests), as well as by writing to the minister’s personal blog.
The ministry has the powers to check the violator. Every check is first registered with the Legal Statistics and Special Records Committee of the General Prosecutor’s Office of the Republic of Kazakhstan and is carried out under the Entrepreneurship Code of Kazakhstan and the Administrative Code of Kazakhstan with the purpose of protection the rights of entrepreneurs. If the fact is confirmed, administrative sanction will be imposed.
This being said, the authority may initiate administrative proceedings without checking small business entities despite the moratorium on unscheduled checks of small businesses in force until January 1, 2023. The main thing is to submit all required documents to prove the fact of the offence.
Requests must contain sufficient data indicating the signs of an administrative offence: supporting documents, information about the violator, and date of the violation. Anonymous requests will be disregarded.
The citizens will also have a right to perform public control over public administration via the open laws and regulations website, when Kazakhstanis are involved into the procedure of shaping, discussing and adopting laws and regulations.
This is an electronic information resource containing information about operators, personal data processed by them, and conditions of collection. It is needed by public authorities to ease work and control over compliance with the personal data law. This register will contain absolutely all who work with people, and, consequently, with their personal data.
First, keep in mind that there is no most appropriate way. They will be such as the Committee for Information Security, which is the key authority in the field of personal data protection, sees them. Moreover, it is quite important to speak to and involve the civil society, small and medium businesses into the discussion process.
There is a task force consisting of journalists, lawyers, technical specialists, researchers, who call attention to the relevance of the problem and give their recommendations and suggestions on amendments to personal data protection laws. It’s only through dialogue we can say that amendments will be adopted in a more or less transparent way, which is not making them worse.
Just as before. The focus will be on business, not public authorities who are responsible for violating the personal data protection laws. We should not forget about latest leaks of data of Kazakhstanis from the government databases.
Simple examples of daily violation of personal data protection laws are workers of public utilities, condominiums, housing associations, and property owner associations. They place lists of debtors at entrance halls, distribute them in chats. Often, these lists contain personal data: full name, address, telephones of owners. Two management companies of metropolitan residential compounds were held liable for illegal distribution of personal data of residents via WhatsApp messenger and administrative penalty was imposed on them for 20 minimum penalties, or 134 dollars.
Title photo: newsbel.by