
Results of public discussion of amendments on issues of rapid response to personal data leakage

Publication date: 21.12.2023 15:53:00
Introduction

Until recently, the provision of many organizational and technical measures aimed at minimizing the risk of harm to citizens in the event of a leak of their personal data was left to the discretion of the operators themselves.

On December 11, 2023, the President of the Republic of Kazakhstan signed Law No. 44-VIII ZRK “On introducing amendments and additions to certain legislative acts of the Republic of Kazakhstan on information security, informatization and digital assets.” The Law “On Personal Data and Their Protection” now contains provisions regulating the procedure for prompt response to a leak of personal data. With the adoption of this law, the legislation of Kazakhstan introduced requirements for operators and owners of personal data, as well as for the authorized government body, to take measures to respond promptly to a leak of personal data. These measures are essential to minimize the harm caused to citizens and to establish liability for companies that leak personal data. The owner and (or) operator is now obliged to notify the authorized body. It should also be noted that granting the authorized body the power of state control over compliance with legislation on personal data and its protection will allow citizens to learn about leaks of their data.

This material contains a general analysis and results of public discussion of the above amendments on issues of rapid response to personal data leakage by independent experts on digital rights and the Office for Personal Data Protection of the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (CIB MTsRIAP RK). In addition, the document includes the results of discussions within the working groups of the Mazhilis of the Parliament of Kazakhstan and online discussions on the above amendments.

This work draws on the objective assessments and professional recommendations of the experts Ruslan Dayyrbekov and Elzhan Kabyshev (hereinafter: “Experts”), and also reflects the official position of the public foundation “Eurasian Digital Foundation” (hereinafter: “Eurasian Digital Foundation”) on certain legal norms and procedures of the law. In addition, the work contains recommendations from the Eurasian Digital Foundation for the further development of the institution of personal data in Kazakhstan.

Results of public discussion of amendments on issues of rapid response to personal data leakage

The following legal procedures and norms have been adopted:

The conceptual apparatus of the law was supplemented by the definition of “personal data security violation”, which, in essence, is a legislative attempt to define the concept of personal data leakage, with the following content:

“a violation of the security of personal data is a violation of the protection of personal data, resulting in illegal distribution, modification and destruction, unauthorized distribution of transmitted, stored or otherwise processed personal data or unauthorized access to it.”

The following owner and/or operator responsibility has been added:

“from the moment a violation of the security of personal data is detected, notify the authorized body of such a violation, indicating the contact details of the person responsible for organizing the processing of personal data (if any) [Note: Subclause 4 of clause 11 comes into effect from July 1, 2024].”

In addition, new competencies of the Authorized Body were added:

“exercises state control over compliance with the legislation of the Republic of Kazakhstan on personal data and their protection”;

“sends to the operator of the information and communication infrastructure of the “electronic government” information about a violation of the security of personal data, entailing a risk of violation of the rights and legitimate interests of subjects, for the purposes provided for by this Law and other regulatory legal acts of the Republic of Kazakhstan.”

Of course, the work done has improved the quality and efficiency of the development of the law and formed an effective partnership between government agencies and civil society institutions, the media, academic and other organizations in solving the problem of personal data protection.

2022: amendments to stimulate innovation, develop digitalization and information security

Experts took part in several working meetings as invited experts in the field of privacy.

On April 22 and 28, 2022, chaired by member of the Majilis of Parliament E. V. Smyshlyaeva, meetings of the working group on the draft law “On introducing amendments and additions to certain legislative acts of the Republic of Kazakhstan on issues of stimulating innovation, developing digitalization and information security” were held.

Because at that time the issues of prompt response to a leak of personal data, necessary to minimize the consequences of such a leak, were not regulated by law, and understanding the importance of comprehensive work in such cases, the authors of the draft law proposed establishing an obligation for the owner and (or) operator to notify the authorized body.

As part of the discussion of the draft law, the Office for the Protection of Personal Data of the CIB MCRIAP initiated an addition to Article 25 of the Law of the Republic of Kazakhstan “On Personal Data Protection”, in the following wording:

“11) within two working days, notify the authorized body about the leak of personal data, indicating the contact details of the person responsible for organizing the processing of personal data.”

In turn, the Experts, while conceptually supporting the above innovation, drew the attention of legislators to Article 33 of the General Data Protection Regulation (GDPR), “Notification of a personal data breach to the supervisory authority,” regarding the need to enshrine a requirement for the owner and operator processing personal data “to document any violations of the security of personal data, including their circumstances, consequences and measures taken to correct the situation.”

Because the national conceptual apparatus does not have a definition of “leakage,” deputies returned this norm for revision. At a subsequent meeting of the working group, after agreement with the relevant government bodies, a revised version of the amendment to Article 25 was presented to the deputies for discussion, in which the word “leak” was replaced with “violations of personal data protection”, in the following wording:

“11) within two working days, notify the authorized body of identified violations of personal data protection, indicating the contact details of the person responsible for organizing the processing of personal data.”

However, the Experts drew attention to paragraph 11) of Article 1 of the Law “On Personal Data and Their Protection” of May 21, 2013, which defines “the protection of personal data as a set of measures, including legal, organizational and technical, carried out for the purposes established by this Law.” Thus, under the proposed wording, any violation of any of the above measures would require notification of the authorized body, which is a burdensome and excessive requirement.

In this regard, the Experts supported the definition of “leak” proposed by the Office for the Protection of Personal Data of the CIB ICRIAP, namely:

“leakage of personal data is a violation of the security of personal data leading to accidental or illegal distribution, modification, addition, use, depersonalization, blocking and destruction or access to personal data.”

Ultimately, the corresponding changes to the procedure for notifying the regulator about a leak of personal data were not included in the law, which was adopted on July 14, 2022.

  • Online discussion “Personal data leaks: global and Kazakhstani aspects”

On October 27, 2022, an online discussion “Personal data leaks: global and Kazakhstani aspects” was held, organized by the Eurasian Digital Foundation with the support of the Eurasia Foundation within the framework of the Social Innovation in Central Asia program, funded by the United States Agency for International Development (USAID).

The basis for the discussion was the presentation of a comparative legal analysis of Kazakh legislation with the European GDPR and Georgian legislation on issues of personal data leakage, which was carried out by experts from the project “Development of the Institute for the Protection of Personal Data in Kazakhstan.”

The experts presented part of a comparative legal analysis on liability in the legislation of the Republic of Kazakhstan in the field of personal data and a comparison with the legislation of Georgia.

The Republic of Kazakhstan provides for administrative and criminal liability for violation of legislation on personal data and its protection. Article 79 “Violation of the legislation of the Republic of Kazakhstan on personal data and their protection” of the Code of Administrative Offenses of the Republic of Kazakhstan establishes the liability of persons who have violated the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” dated May 21, 2013 N 94-V.

Under the European GDPR, the fines are noticeably higher. For example, the fine for violating paragraph 4 of Article 84 of the GDPR (information security, risk assessment, data breach notification and other less serious violations) can be up to 10 million euros or up to 2% of the total annual global turnover for the previous financial year, whichever is higher. The fine for violating paragraph 5 of the same article (violation of processing principles, data subject rights, cross-border transfer and other serious violations) can reach 20 million euros or up to 4% of the total annual global turnover.

The main differences between Georgian and Kazakh legislative initiatives on personal data leaks were also presented.

The Georgian Legislative Initiative planned:

1. Notifying the regulator within 72 hours;

2. The notification to the regulator must contain:
  • circumstances, type and time of the incident;
  • categories and volume of personal data, number of personal data subjects;
  • expected damage, measures taken;
  • subject notification plan;
  • Contact details.

3. Notification of personal data subjects.

2023: amendments on information security, informatization and digital assets

  • Online discussion of the regulatory instrument

On January 5, 2023, the Experts took part in an online discussion of the regulatory impact analysis of the procedure for notifying the authorized body about leaks of citizens' personal data.

The event was attended by more than 60 representatives of various stakeholders, chaired by the head of the Office for Personal Data Protection of the Information Security Committee of the ICRIAP RK Kabdesh Adiletkhan. Among the participants in the online discussion were representatives of the Atameken National Chamber of Entrepreneurs, banking and financial organizations, non-governmental organizations and experts.

Kabdesh Adiletkhan informed the participants that the Government's draft conclusion on the bill had been agreed upon with all interested government bodies and was under consideration by the Presidential Administration. The head of the Office also noted that data leak notification will serve as an effective measure to curb the growth of unlawful behavior by owners and (or) operators of databases containing personal data and to prompt measures to protect personal data, since the analysis of law enforcement practice in the Republic of Kazakhstan confirms the presence of such problems and indicates that the current model of legal regulation in this area is ineffective.

Ruslan Dayyrbekov conceptually supported the initiative to legislate the procedure for the operator to notify the authorized body in the event of a leak of personal data, and drew the attention of legislators to Article 33 “Notification of a personal data breach to the supervisory authority” of the GDPR (General Data Protection Regulation of the European Union) regarding the need to establish a requirement for the owner and operator processing personal data “to document any violations of the security of personal data, including their circumstances, consequences and measures taken to correct the situation.”

Participants in the online discussion expressed concerns about the proposed wording of the definition of “personal data security breach,” since a broad definition of this concept creates risks for business entities: personal data operators who collect and process personal data could be held liable for leaks of data with which they had nothing to do.

Elzhan Kabyshev gave an example of the definition of this concept in the GDPR:

“(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Separate GDPR guidelines describe in more detail the cases in which a personal data operator must notify of a personal data breach, for example the Guidelines on Personal data breach notification under Regulation 2016/679. Unfortunately, given the specifics of Kazakhstan’s legislation on personal data and its protection, the proposed expanded interpretation may negatively affect business activities.

Notification is an important procedure that provides the opportunity to at least minimize the consequences of violation of the law, properly notify subjects of personal data about the leak, and also instill in operators the responsibility for careful handling of personal data and the safety of their storage.

Notification of personal data subjects about a breach of personal data security

To date, cases of leakage of the database of many owners and operators collecting and processing personal data, such as the Central Election Commission, Yandex.Eda, Kazpost, the Sportmaster company, etc., have been identified in the country.

Due to the accumulation of a huge amount of data, including personal data, owners and (or) operators face the risk of their leakage due to any circumstances (violation by unrecognized persons, human factor, etc.).

The consequences of a leak can be very serious or minor. However, it should be understood that the leak of personal data, first of all, causes direct damage to the subject of this data.

The above-mentioned draft Law of the Republic of Kazakhstan “On introducing amendments and additions to some legislative acts of the Republic of Kazakhstan on information security issues” provides for supplementing Article 13 of the Law of the Republic of Kazakhstan dated November 24, 2015 No. 418-V ZRK “On informatization” with subparagraph 13-1) with the following content:

“Based on information received from the authorized body in the field of personal data protection, it notifies personal data subjects about a violation of the security of personal data by sending information about this to the user’s account on the “electronic government” web portal.”

The operator of the information and communication infrastructure of “electronic government” – Joint Stock Company “National Information Technologies” – will be authorized to notify subjects of leaks of their personal data. Thus, the protection of personal data will be strengthened and new interaction mechanisms will be identified when ensuring information security of state bodies’ informatization objects.
  • Empowerment of state control over compliance with legislation on personal data and its protection

Because until now the authorized body for the protection of personal data had no ability to initiate a check of the legality of the collection and processing of personal data, deputy E. V. Smyshlyaeva initiated an amendment giving the ICRIAP of the Republic of Kazakhstan the authority to exercise state control over compliance with the legislation of the Republic of Kazakhstan on personal data and their protection in accordance with the Entrepreneurial Code of the Republic of Kazakhstan.

The CIB MCRIAP RK has the right to take measures only in response to requests and complaints and only for offenses already committed: when personal data has been illegally obtained by third parties, distributed to an indefinite number of persons, etc.

Previously, it was the prosecutor's office that brought offenders to justice under Article 79 of the Code of Administrative Offenses of the Republic of Kazakhstan for violation of the legislation of the Republic of Kazakhstan on personal data and their protection, and it still exercises supervision in this area.

At the same time, the Prosecutor's Office does not need a state control function under the Entrepreneurial Code of the Republic of Kazakhstan in order to conduct unscheduled inspections; the authorized body (CIB MCRIAP), in turn, does need such a state control function.

This measure is necessary to prevent the illegal collection of personal data of citizens, their use for undeclared and commercial purposes, as well as to suppress violations provided for by the legislation on informatization, on personal data and their protection.

Thanks to the bill, according to the Minister of Digital Development, Innovation and Aerospace Industry Bagdat Musin:

“there will be an opportunity to conduct a comprehensive analysis of supervised industries, update data in government databases, and make informed and effective management decisions online. At the same time, to ensure the protection of personal data, requirements for the use of information and communication technologies will be tightened. To this end, the bill proposes to recognize information systems that collect, process and store personal data as critical objects of information and communication infrastructure and to increase the requirements for their security.”

The author of this addition, E. V. Smyshlyaeva, justified the need for the amendment in the comparative table by the fact that, before the authorized body in the field of personal data protection was designated, the prosecutor's office under Article 79 of the Code of Administrative Offenses of the Republic of Kazakhstan considered 0 administrative cases from 2016 to 2018 and 3 administrative cases in 2019. By contrast, since the ICRIAP was designated as the authorized body in the field of personal data protection (June 2020), more than 210 complaints from personal data subjects, that is, citizens, have been received (publication of personal data by public Internet resources such as adata.kz, fa-fa.kz, kompra.kz; illegal distribution of personal data in various messenger groups and social networks; use of personal data without the consent of their subjects and for purposes incompatible with those of their collection, etc.), 157 of which were satisfied.

However, due to the presence of contradictions in the legislation and the lack of state control functions in the field of personal data protection, more than 50 complaints remained unsatisfied.

Recommendations for further improvement of legislation on personal data

Despite the above positive changes in legislation on issues of rapid response to personal data leakage, for the fair and effective use of digital technologies, society must have modern and effective legal tools for independent monitoring of compliance with the human right to privacy and confidentiality of personal data by the state and business.

Introduce a legal mechanism for assessing risks when processing personal data: a Data Protection Impact Assessment (DPIA)

The development of the digital economy, however good its goals, should not result in abandoning the protection of human rights and freedoms. Any current or proposed business practice should include an assessment of its privacy implications, so that information on how policies and technologies mitigate privacy risks can be reviewed and reported. By analogy with European law on the protection of personal data, domestic legislators should consider introducing a legal risk assessment mechanism modeled on the Data Protection Impact Assessment (DPIA) of the General Data Protection Regulation (GDPR). It should be noted that the DPIA procedure is not applied to all processing, but only in cases where data processing involves a high risk of violating the rights and legitimate interests of citizens.

Provide for the obligation of owners and (or) operators to notify personal data subjects whose data has been illegally distributed.

Establish the obligation of the owner and operator of personal data processing to document any violations of the security of personal data, including their circumstances, consequences and measures taken to correct the situation.

Article 33 “Notification of a personal data breach to the supervisory authority” of the GDPR (General Data Protection Regulation of the European Union), as regards the need to enshrine a requirement for the owner and operator processing personal data, states that it is necessary to “document any breaches of the security of personal data, including their circumstances, consequences and measures taken to remedy the situation.”

In accordance with the above article of the GDPR, notification to the competent authority must at least:

  1. describe the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
  2. contain the name and contact details of the personal data protection officer or other contact person from whom more detailed information can be obtained;
  3. describe the possible consequences of a breach of personal data security;
  4. describe the measures taken or proposed by the controller to address the breach of personal data security, including, where appropriate, measures aimed at minimizing its possible negative consequences.

Set out the definition of the concept of a subject of personal data in the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” in the new edition:

“The subject of personal data is a person who can be directly or indirectly identified, based on information or a set of information containing the last name, first name and patronymic (if available) and (or) individual identification number and (or) image of the face of the subject of personal data and (or) one or more factors specific to the biological, physical, biometric, physiological, mental, economic, cultural or social aspects of the personality of that natural person”;

In order to specify the application of the norms of the legislation of the Republic of Kazakhstan on personal data and their protection, as well as to eliminate errors in law enforcement practice, we propose to present the concept of the subject of personal data in a new edition.

By analogy with:

the AIFC Data Protection Regulations (AIFC Regulations No. 10 of 2017, hereinafter referred to as “DPR”), under which an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the biological, physical, biometric, physiological, mental, economic, cultural or social aspects of the individual;

Article 4 of the GDPR, “Definitions”: 1) “personal data” means any information relating to a “data subject”, that is, an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Conclusion

Indeed, ensuring real opportunities for conducting an independent public examination of draft regulatory legal acts developed by executive authorities is an important condition for ensuring the quality of legal regulation.

When the developer takes into account the opinions and proposals expressed by representatives of civil society in making legislative decisions, this should strengthen public trust in and support for the activities of the authorized body for the protection of personal data.

We express our gratitude for how the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan and deputies of the Mazhilis of the Parliament of the Republic of Kazakhstan, as part of the public discussion of the draft law, took into account in their rule-making activities the objective assessments and professional recommendations of independent experts of the Eurasian Digital Foundation.

You can read and save this report in a convenient PDF format here: https://drive.google.com/file/d/1nNF0sL3cX8qAJC0q6xEblH0-3ZQYCxvH/view?usp=sharing

(text translation is carried out automatically)