Дата публикации
The Eurasian Digital Foundation has been a co-organizer of the Eurasian Congress on Data Protection for many years. Recently, within the framework of the congress, an online conference took place where our experts discussed how personal data collection, use, and protection—especially biometric data—is regulated in the Republic of Kazakhstan.
(Translated text, machine translation may contain errors or inaccuracies)
Participants:
Moderator: Dana Utegen, Teaching Professor at the Maqsut Narikbayev University School of Law, and Advisor on Academic Affairs at the Eurasian Digital Foundation. Topic: Privacy Compliance when Using Machine Algorithms and Artificial Intelligence.
Yelzhan Kabyshev: Head of the Legal Practice at the Eurasian Digital Foundation. Topic: State Control Over Personal Data Protection in Kazakhstan.
Danila Bekturganov: Sociologist, political scientist, president of the Public Fund 'Civil Expertise'. Topic: How Legislative Regulation of Biometric Personal Data Collection Lags Behind Technological Developments.
The speakers highlighted the risks faced by the state, businesses, and citizens, and discussed possible solutions to these issues.
Dana Utegen, the moderator, spoke about the impact of digital technologies, including Artificial Intelligence (AI), on data privacy. Kazakhstan aims to adopt the best international practices from the EU and the USA to become a leader in Central Asia in digital technology. Special attention is given to the development of the "Digital Code" and the concept of using AI, which takes into account issues related to data storage, anonymization, information security, and international data flows.
The use of AI for criminal purposes, including deepfakes, was also discussed. To prevent such risks, it is essential to involve the academic community and government in the development of ethical and legal standards.
The expert emphasized:
"Kazakhstan, aiming to adopt practices already in use in the EU, USA, and other countries with advanced digitalization, is working towards implementing AI technologies and regulating them within the country in the near future. The state's goal is to become a leader in the Central Asian digital space."
Furthermore, the development of AI must address personal data protection. There needs to be a clear division of responsibility among AI developers, owners, and users, as well as the development of tools for data storage, anonymization, and cybersecurity. I also consider it a good practice that the Concept for AI Development in Kazakhstan is being formulated with the involvement of the academic community."
Yelzhan Kabyshev discussed the topic of state control in this area. Since December of last year, the authorized government body has had the right to conduct checks on compliance with personal data legislation (previously only upon request). The expert also explained that the inspection process has a lifecycle, and they can be both scheduled and unscheduled:
"The issue of personal data protection became particularly relevant after the adoption of the law in December 2023, which granted the authorized body the right to conduct checks on compliance, including both scheduled and unscheduled ones. The first wave of such checks is expected on December 1, which is especially important in light of the recent increase in data breaches."
A joint order by the Minister of Digital Development and the Minister of National Economy regarding the approval of an inspection checklist has been posted on the Ministry of Justice portal. Companies are encouraged to review it to always have guidelines on their rights, responsibilities, and actions during inspections.
Danila Bekturganov discussed the gap between technology and regulation. He also noted that the use of biometrics is rapidly increasing, from unlocking smartphones to accessing government and banking services. However, national legislation, including laws on personal data and informatization, has not yet fully aligned with international standards. The speaker proposed solutions based on a human-centric approach. Among them: clear definitions and minimizing excessive data collection, as well as international harmonization of norms to protect citizens' rights, including those of foreign residents:
"While biometric data usage is rapidly expanding, it remains in contradiction with regulation. Technology always outpaces the law, creating risks, particularly in data security. Biometric systems are used in smartphones, government services, banks, and at border crossings, but even sophisticated protection systems do not guarantee complete security."
In Kazakhstan, there is also regulation in this sector, and in my opinion, a human-centric approach is necessary, harmonization with international standards, and clear norms to minimize leak risks, ensure transparency, and limit excessive data collection."
The conference emphasized the need to create a comprehensive personal data regulation system in Kazakhstan. Participants agreed that the "Digital Code" could be an important step forward if it incorporates international experience and ensures a balance between the interests of the state, businesses, and citizens.
Congress participants believe that the use of biometrics, big data, and AI is indeed crucial for the development of services, including public ones, but it is equally important to strengthen data protection, training tools, and clear norms to treat personal data as a valuable resource requiring strict regulation.
Events such as the Eurasian Congress on Data Protection are important for the exchange of expertise from various countries, as many processes in the digital world are cross-border. Positive international experience helps optimally formulate tasks and minimize risks related to the use and regulation of personal data.
The full conference can be viewed here:
