The issue of proper processing of personal data has become topical for Kazakhstanis and companies operating in Kazakhstan since the special Personal Data Law[1] was adopted in 2013 to establish the key requirements in this area of legal relations. Certain practices have formed over the three years that this Law has been in effect, and all companies keen on complying with the legislation have generally organized their activities in such a manner as to meet the Law's requirements. Meanwhile, effective 1 January 2016, the personal data storage procedure has been amended, specifically by adding a requirement to localize the bases containing personal data (hereinafter, the "bases") in Kazakhstan.
Since the legislative amendments may require companies operating in Kazakhstan not only to verify their compliance, but also potentially to modify their business processes relating to personal data, it seems necessary to clarify a number of key issues relevant to personal data localization and to understand whether they are really problematic.
Where to Store Personal Data?
Verbatim, the amended Personal Data Law requires that the bases be stored in the territory of Kazakhstan.
Pursuant to the legislator-established terminology, a base is an aggregate of organized personal data. Obviously, this concept is defined very broadly; in practice, therefore, a base may be any place (a company office, a responsible person's room, etc.), equipment (a company server, a particular computer, etc.), a piece of furniture (a cabinet, a shelf in a cabinet, etc.), a data medium (a paper sheet, a CD or DVD, etc.), an electronic information resource or any other storage facility.
As mentioned above, the storage (i. e., actions to ensure the integrity, confidentiality and accessibility) of personal data is to be performed in the territory of Kazakhstan. Accordingly, any tangible media with personal data must be physically present here.
As to the Internet resources containing personal data, in this case, the territory of Kazakhstan should most probably be understood as the space of the Kazakhstan segment of the Internet (as it is defined in the Domain Name Usage Rules[2]). In this connection, the hardware-and-software systems (equipment) housing such Internet resources must also be physically present in the territory of Kazakhstan.
Who and to What Extent Falls within the Localization Requirement?
The Personal Data Law contains no specific provisions governing the scope of its application by territory or by groups of persons. Therefore, pursuant to the general rule and subject to the statutory exceptions, its regulations should cover the following: Kazakhstan residents, stateless persons and foreign individuals residing in the territory of Kazakhstan, and foreign legal entities operating in Kazakhstan via their branches and representative offices. Of all the persons mentioned above, the localization requirement primarily affects the interests of foreign companies (since foreign companies normally process the collected personal data on a centralized basis at the location of their head office) and Kazakhstan residents using the services of foreign data centers and cloud storage.
It is necessary to mention that Kazakh personal data regulations may apply to the relevant legal relations even where only one party to such relations (specifically, a base operator or owner) falls within the requirements of the Personal Data Law. In this context, it remains an open issue whether the base operator and/or owner is required to store in Kazakhstan the personal data of a foreign person collected in the framework of the base operator's and/or owner's activities outside Kazakhstan (for example, by a Kazakh representative office of a foreign company in respect of a foreign employee from the company's head office).
Does the Amended Personal Data Law Cover Relations Arising Prior to 1 January 2016?
As a general rule and according to the settled legal principles, regulations aggravating the legal status of persons and establishing new obligations cannot be made retroactive. Exceptions are the cases where retroactivity is expressly provided for by the law, which is not the case in the instance under consideration. Hence, the localization obligation applies to the personal data processing relations arising after 1 January 2016.
However, there exists a different point of view according to which personal data collected before 1 January 2016 are also to be stored at bases in the territory of Kazakhstan. The rationale is that the personal data storage is a process, not a one-time action; hence, starting from the legislative amendments enactment date, storing bases outside Kazakhstan would constitute a breach of legislation.
The opinions of Kazakh authorized agencies (specifically, that of the Minister of Investments and Development[3] and Minister of Internal Affairs[4]) differ on this issue, therefore, the question whether the localization requirement covers personal data collected prior to 1 January 2016 remains open.
Which Actions Relating to Personal Data Storage Constitute a Breach of the Localization Requirement and Entail Liability?
It should be borne in mind that a breach of the personal data protection requirements incurs substantial liability, both administrative and criminal.
The Administrative Code establishes liability for illegal collection and/or processing of personal data (paragraph 1 of Article 79); owner's, operator's or a third party's failure to implement the personal data protection measures and the same acts, but entailing loss, illegal collection and/or processing of personal data (paragraphs 2 and 3 of Article 79); failure to implement or improper implementation of personal data protection measures by the owner or possessor of information systems containing personal data (paragraph 1 of Article 641).
As to the criminal liability, it arises, pursuant to the Kazakhstan Criminal Code, for causing material harm to the rights and legitimate interests of a person as a result of illegal collection and/or processing of personal data (Article 147) and unlawful distribution of electronic information resources containing personal data of individuals or other data the access to which is limited by the laws of the Republic of Kazakhstan or by their owner or possessor (Article 211).
At first glance, a breach of the requirement to localize personal data bases does not fall within the elements of offence described above. However, taking into account that storage of personal data is a component of their processing, and that storage of databases outside the territory of Kazakhstan may well be qualified as illegal storage and, consequently, as illegal processing, the elements of offence are definitely in place. Moreover, since storage includes, among other things, actions to ensure the confidentiality of personal data, and personal data protection is understood as a set of measures (actions) implemented, inter alia, to ensure that same confidentiality in the course of processing, one cannot exclude the possibility that a breach of the localization requirement may be qualified as a failure to implement personal data protection measures. Still, it remains unclear which criteria exactly the authorized agency will use to qualify each of the above elements of offence in the event of a breach of the personal data localization requirement. Only law-application practice, which has not yet formed, can answer this question.
Who and How Will Be Checking the Operators' and Owners' Compliance with the Localization Requirement?
The Personal Data Law implies that Kazakhstan does not have a single dedicated governmental agency controlling compliance with personal data legislation (supervision over the application of legislation is, in turn, performed by the prosecution authorities). Governmental agencies develop and/or approve, within their scope of competence, the regulatory legal acts in the area of personal data and protection thereof; consider applications from individuals and legal entities on the issues of personal data and protection thereof; and take measures to bring to liability persons committing breaches of legislation on personal data and protection thereof.
Thus, the legislator does not introduce any special inspections or, accordingly, inspecting authorities to identify breaches in the area of personal data. To all appearances, the authorized agencies must identify personal data related breaches and bring the offenders to liability based on applications by individuals and legal entities.
_______________
The above list of problematic issues relating to personal data localization is not exhaustive and can be significantly expanded and detailed, including with regard to the specific characteristics of each company's activities. Nevertheless, the existence of problems and unresolved issues does not release stakeholders from the necessity to adjust their activities to meet the new requirement of Kazakh legislation. In this context, absent clear and detailed legal regulation, it might be useful to study the positive experience and mechanisms used both in neighboring jurisdictions with similar legislative regulations and globally, where the institution of personal data protection is at a different, more legislatively regulated and practice-proven, level.