Kazakhstan Joins the Trend of Data Localization Laws

In November 2015, Kazakhstan passed the so-called Informatization Law, effective January 2016. This law is similar to a law recently enacted in Russia, in that both laws require that databases and record systems containing personal data about citizens of that country be maintained within the boundaries of the country.

These laws are distinct from data protection laws. Kazakhstan already had a law governing personal data protection on the books dating from 2013 that was similar to EU privacy law with respect to data transfers outside of the country. Likewise, the Russian data localization law is separate and distinct from data privacy laws on the books in Russia.

In the specific case of Kazakhstan, the data privacy law already protected data stored on systems outside of Kazakhstan. The new law takes a different approach to this topic, or is arguably on the books for a different reason. After all, if data on Kazakh citizens is maintained within the country, it is much more available to the Kazakh authorities. Therefore, at least one possible reason for the detailed localization law is to make sure that data is more readily available to Kazakh authorities given the inherent problems of forcing access to data located outside of a country. Such a motivation is also possible in the case of Russia.

In neither case do the drafters of the legislation cite the specific reason for requiring the localization, so any speculation as to motive is, of course, just that: speculation. And since both laws are very new, it’s difficult to know yet what will actually be required in practice, and the ways that the authorities will actually utilize the provisions of the law.

Equally uncertain is exactly who both of these laws apply to. Facially, both appear to apply to businesses and other entities conducting operations physically within the boundaries of the country, but data is often collected over the Internet by organizations that have no physical presence in a country. And if Europe is a comparable example, it is highly likely that authorities will attempt to enforce these laws on entities that have no physical presence in the countries, but instead have a virtual presence via the Internet. European authorities have in some cases already taken this approach with respect to data privacy issues, so it appears that we’re witnessing the beginning of a trend that could have very significant outcomes for businesses and other entities that conduct operations worldwide, even when that business is entirely virtual. But exactly how, we’ll have to wait and see.

2 replies
  1. Nishith Mohanty
    Nishith Mohanty says:

    Hi John,
    Please give a detailed explanation for the above mentioned Law.
    I have a couple of questions:-
    1. Does the requirement to store personal data on the territory of Kazakhstan extend to foreign companies without any legal presence in Kazakhstan, whose operations are aimed at Kazakhstan and whose websites are accessible in the territory of Kazakhstan (e.g. Internet companies)?
    2. Can a company have their data center or database in Kazakhstan and run business for other countries?

    I would like to get insights from you as I personally don’t have access to the Law document.

    Thanks and Regards
    Nishith Mohanty

  2. John Montana
    John Montana says:

    Excellent questions. And the more so because the scope of this law appears to be very broad, governing pretty much anybody doing business in Kazakhstan. This law has to be viewed in the context of its interaction with Kazakhstan’s Data Privacy Law. And it must also be viewed in the context of Kazakhstan’s political situation. So to your 1st question:

    I think it fair to say that the law applies to any organization that transacts business in Kazakhstan. That means that if you are physically located in another country, but reach into Kazakhstan with an electronic presence and conduct business with and collect data on Kazakh citizens, you would probably be regarded as being subject to this law. Many if not most countries take a position of this sort, and regulate businesses located outside of their boundaries but who transact business into their country via electronic means. That should come as no surprise; if they did not take that position, it would be pretty easy for a business to simply locate itself someplace where there were no laws and controls, and then reach into a country and deal with its citizens with no limitations or protections for them.

    With respect to your 2nd question:

    There is no prohibition in the law on transacting business reaching into other countries from the data center in Kazakhstan. It would, of course, be subject to the law of Kazakhstan, and as I analyzed above, it would no doubt be subject to the laws of the other countries as well. This is a common situation, and one that complicates matters for all multinationals, since they may find themselves subject to not only the data privacy laws of many countries, but also to the tax and accounting laws of those countries, human resources laws of those countries and so on. But solving those problems and making it work can be done and has been done, so that should really be no impediment to doing so should you choose. It then becomes a more or less standard compliance problem that we have certainly seen a number of times, and have helped people solve.
