This Alert summarizes the most significant amendments to digital technology regulations introduced by the Law «On introduction of amendments to certain legislative acts of the Republic of Kazakhstan on digital technology issues» (hereinafter - the "Amendments") entered into force on July 6, 2020.
The Law “On personal data and its protection” (hereinafter - the “PD Law”) has been changed as follows:
• The Ministry of Digital Development, Innovation, and Aerospace Industry of the Republic of Kazakhstan has been designated as the authorized body with the Office for the Protection of Personal Data under the Committee on Information Security of the Ministry.
· The collection, processing of personal data can now be carried out by a third party. We note the need to obtain the prior consent of the subject or his legal representative. Along with this, third parties shall anonymize personal data obtained in the course of scientific, sociological, including marketing research.
· It is worth mentioning that the processing of personal data is to be limited to the achievement of specific, predetermined, and legitimate purposes. The law prohibits the processing of personal data incompatible with the purposes of collecting personal data.
· The Amendments provide for the concept of “voluntary cyber insurance”, the types and procedures of which are determined by the agreement of the parties.
· By analogy with the provisions of the GDPR adopted in the countries of the European Union, the Amendments introduced the concept of “a person responsible for organization of the processing of personal data”. Thus, besides the owner and/or operator of the PD, another person is appointed as responsible for the compliance of the processing of PD with the legislation of the Republic of Kazakhstan. In particular, such a person provides the opportunity to familiarize themselves with personal data related to the subject of the PD; in case the owner and (or) operator is a legal entity, it is entitled to appoint a person responsible for organization of the processing of personal data.
· The competence of the authorized body was put in a separate article, thereby delimiting the competence of state bodies, the Government of the Republic of Kazakhstan, and the authorized body. Moreover, the Amendments provide a requirement of confidentiality with respect to personal data that became known to the authorized body in the course of its activities.
The law-maker introduced the following amendments to the Law “On Informatization”:
· The Amendments introduced the concepts of “blockchain”, “digital mining”, “digital token”, “digital asset”, etc. Blockchain is defined as an information and communication technology that ensures the constancy of information in a distributed data platform based on a chain of interconnected data blocks, given integrity confirmation algorithms and encryption tools.
· Blockchain is a way to store data. Transaction data is stored in blocks, which in turn comprise a chain. The advantage of using this technology is that the risk of break into such a database is reduced since each subsequent block in the chain enhances the verification of the previous one with a hash that links the blocks together and prevents any block from change or insertion between two existing blocks.
· Digital mining - the process of performing computational operations using computer and energy capacities in accordance with the specified encryption and data processing algorithms, which ensures the integrity of data blocks in information objects via blockchain.
· The competence of the authorized body in the field of informatization, namely the Ministry of Information and Social Development of the Republic of Kazakhstan has been expanded. Now, the Ministry:
Ø approves the rules for the collection, processing, storage, transfer of electronic information resources for the implementation of data analytics in order to fulfill the functions of state bodies in coordination with the authorized body in the field of personal data protection;
Ø approves the rules for the formation, verification, and use of electronic documents using the digital document service;
· An authorized body, ensuring information security, namely the Committee on Information Security of the Ministry of Digital Development, Innovation and the Aerospace Industry of the Republic of Kazakhstan, determines the procedure for informing on activities for the implementation of digital mining, and the procedure for the issue and circulation of secured digital assets. These amendments were introduced due to the introduction of new concepts into the Law.
· The competence of the authorized body in the electronic industry - the Department of Electronic Industry Development of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan was set forth in a separate article, thereby clearly delimiting the competence of the authorized bodies in the areas: electronic industry, ensuring information security and informatization.
· The Amendments establish the legal regime of digital assets, as well as their classification. Thus, a digital asset is the result of digital mining and does not serve as a means of payment. The Amendments provide for the classification of digital assets as secured and unsecured. Secured digital assets include a digital token and other digital assets, which are a digital means of certifying property rights to goods and (or) services issued (provided) by a person who issued a secured digital asset. Unsecured digital assets include digital tokens received as a reward for participating in maintaining consensus on the blockchain.
With regard to the formation and use of electronic information resources, the Amendments stipulate a provision in accordance with which third parties' access to electronic documents stored in the digital document service is carried out with the consent of the user in the manner determined by the authorized body. The amendments also affected the Code “On Administrative Violations” (hereinafter referred to as the “Administrative Code”):
· The Amendments provide for liability for improper implementation by a third party of the measures to protect information systems. This measure is necessary to prevent the illegal collection of personal data of citizens, as well as its use for previously undeclared purposes.
The Law “On the electronic document and electronic digital signature”, has been amended as follows:
· Due to difficulties in the technical implementation of the recognition of foreign registration certificates, the provision stipulating this issue was excluded. Thus, a foreign citizen or legal entity shall obtain registration certificates of the National Certification Authority of the Republic of Kazakhstan.