In November 2015, Kazakhstan passed the so-called Informatization Law, effective January 2016. This law is similar to a law recently enacted in Russia, in that both laws require that databases and record systems containing personal data about citizens of that country be maintained within the boundaries of the country.
These laws are distinct from data protection laws. Kazakhstan already had a law governing personal data protection on the books dating from 2013 that was similar to EU privacy law with respect to data transfers outside of country. Likewise, the Russian data localization law is separate and distinct from data privacy laws on the books in Russia.
In the specific case of Kazakhstan, the data privacy law already protected data stored on systems outside of Kazakhstan. The new law takes a different approach to this topic, or is arguably on the books for a different reason. After all, if data on Kazakh citizens is maintained within the country, it is much more available to the Kazakh authorities. Therefore, at least one possible reason for the detailed localization law is to make sure that data is more readily available to Kazakh authorities given the inherent problems of forcing access to data located outside of a country. Such a motivation is also possible in the case of Russia.
In neither case to the drafters of the legislation site the specific reason for requiring the localization, so any speculation as to motive is of course, just that, speculation. And since both laws are very new, it’s difficult to know yet what will actually be required in practice, and the ways that the authorities will actually utilize the provisions of the law.
Equally uncertain is exactly who both of these laws apply to. Facially, both appear to apply to businesses and other entities conducting operations physically within the boundaries of the country, but data is often collected over the Internet but organizations that have no physical presence in a country. And if Europe is a comparable example, is highly likely that authorities will attempt to enforce these laws on entities that have no physical presence in the countries, but instead have a virtual presence via the Internet. European authorities have in some cases already taken this approach with respect to data privacy issues, so it appears that we’re witnessing the beginning of a trend that could have very significant outcomes for businesses and other entities that conduct operations worldwide, even when that business is entirely virtual. But exactly how, we’ll have to wait and see.