In 2023, it’s difficult to ignore Kazakhstan’s achievements in digital development. Our country is now among the leaders in this field, ranking 28th according to the UN's e-Government Development Index for 2022. But this comes with the added weight of taking the brunt of arising challenges such as data breaches, and all the other issues of protecting citizens’ personal data.
The Ministry of Digital Development, Innovations and Aerospace Industry has been taking serious steps to improve the safety of user data in collaboration with other government bodies and industry experts. QazMonitor analyzed the latest developments in national law enforcement regarding the ‘digital rights’ and protection of data of Kazakh citizens.
Combatting plausible data breaches, improving cybersecurity
With the increasing concerns surrounding the use of personal data by the government and third parties, as well as the escalating incidents of data breaches, authorities are now actively pursuing legislative avenues to resolve the piling list of security breaches, with the lower chamber of Parliament proposing the draft law on personal data protection.
Yekaterina Smyshlyayeva, one of the deputies behind this proposed law, explained that the bill involves amendments and additions to twelve legislative acts, strengthening state oversight of citizens' personal data security and prohibiting the collection and processing of copies of identity documents. Efforts are in progress to amend the Administrative Offences Code, intending to impose more severe penalties for breaches of personal data security. Deputies hope that tripling the fines will incentivize services handling personal data to implement stronger security measures.
In parallel, the lower chamber approved the first reading of a bill aimed at tightening the responsibility of staff at the Citizen Service Centers (CSC) for breaches of citizens' personal data. This bill equates CSC employees to individuals authorized to perform public functions, with the aim of preventing abuses and offenses against citizens on their part.
Perhaps the most prominent alteration is the new requirement for personal data operators to promptly notify both citizens and the Digital Ministry of data breach occurrences through eGov resources and SMS notifications. As part of this broader context, Kazakhstan has outlined plans to establish a state information security center under the National Security Committee, which will function as the central hub for handling information security matters.
Another issue concerns the handling of personal data of users from Kazakhstan by foreign companies — a discussion sparked by the recent Yandex situation. In one of the most recent examples, the Digital Ministry instructed Yandex to host the hardware and software facilities within the territory of Kazakhstan, providing a notice until December 31 to relocate servers to the country in compliance with national legislation. Nevertheless, the broader issue of foreign companies storing the personal data of Kazakh citizens outside our country remains a pressing issue.
Better safety with biometrics
Rising to the occasion, the Ministry of Internal Affairs will subject all citizens of Kazakhstan and foreigners permanently residing in the country to undergo fingerprint registration starting next January when obtaining new ID documents. The authorities have explained that personal data, including fingerprint information, will be protected by the state, as the database will only store a digital model of fingerprint and its unique identifier, while personal data such as full names and Individual Identification Numbers, which could potentially compromise citizens' security, will be excluded from the database.
White hats in Kazakhstan
Lastly, in the context of the aforementioned issues, legislative bodies are preparing to pass a bill regarding the legality of 'white hats'— ethical security hackers—in our country. Olzhas Satiyev, the CEO of the Center for Analysis and Investigation of Cyber Attacks, explained that the proposed norm on ethical hackers will establish a legal framework for the operation of bug bounty platforms in our country, where customers will be able to request the testing and subsequent assessment of their security measures by professional hackers. Experts are hopeful that the passed bill will significantly enhance the resilience of domestic information systems to hacker attacks.