Is Your Personal Data Secure? EU & KZ: General Data Protection Regulation Assessment, Part I.
The issue of personal data security became of importance throughout the last decade while its topicality is raising daily. According to a recent research, 92% of people surveyed about their data security concerns report that privacy issue is important; meanwhile, confidence in due protection of personal data by companies is decreasing, dropping from 56% in 2019 to 31% in 2024 alone.[1] The data indicates the growing concern on personal information safety in the online domain, and the issue is mainly addressed by creating a solid legally binding regulation and maintaining it on the level corresponding to rapid technological advancement. The article lays out a basis for a series of publications devoted to data protection laws in the European Union and Kazakhstan with a critical assessment of their similarities and differences. Also, the article describes the subject-matter and objectives of General Data Protection Regulation and Kazakhstan Law on Personal Data and its Protection; personal data as a notion under both acts; and territorial application of the legal instruments.
The Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” is a comprehensive legal statute that establishes an extensive framework for interaction with personal data. The extensiveness lies in compilation of previously available protection tools in a single document, imposing severe punishment for violations[2]which are to be discussed further as well as the imminence of vast financial and human resources involvement in due compliance[3]. The structural approach with a strong basis for sanctions imposition was designed to ensure the effectiveness of data protection and to facilitate proper statute enforcement. The effects of GDPR are evident as relevant authorities in European countries revealed more than 200 violations and prescribed fines for more than EUR 459 million as of 2020.[4] Even though the long-term impact of GDPR enactment is yet to be assessed, the sole point that remains unquestionable is that companies falling under GDPR regulation must change their attitude towards their customers’ data protection processes.
GDPR turned to be a flagship of personal data and privacy law refinement for many jurisdictions, being a model for changes introduced in existing statutes and the core of new relevant acts to be passed by legislators[5], and Kazakhstan has not been an exception here. Notwithstanding the enactment of the Law of Kazakhstan dated 21 May 2013 No. 94-V “On Personal Data and its Protection” (KZ DPL), the regulation largely conformed to the GDPR model by adopting the following major regulations:
- introducing a supervisory authority and defining its competence scope (introduced in 2020 and 2023, currently Committee on Information Security by the Ministry of Digital Development; Innovation and Aerospace Industry of Kazakhstan) that replaced rather fragmented responsibility of the Kazakhstan Government put on various ministries depending on their competence;
- categorising personal data into “publicly available” and “with limited access,” as well as identifying the requirements to access publicly available personal data (2020 and 2021);
- introducing requirement to specify purposes of personal data processing when collecting data and requesting relevant consent from personal data subjects (2020);
- introducing the right to access by a data subject (2020);
- introducing the requirement for companies to designate a data protection officer (2020);
- introducing the obligation to obtain preliminary consent from a data subject for personal data transfer (2021);
- expanding the right to erasure for cases of non-obtainment of consent for data processing (2021); and
- introducing the obligation to notify the authority in case of a personal data breach.
The said changes show a clear pattern of the KZ DPL development going towards unification of basic legal framework on personal data regulation with GDPR, at the same time maintaining local specifics and requirements.
Objectives of the Acts and Notion of Privacy
The key objective of GDPR and KZ DLP as legal instruments is to protect the right of citizens to privacy. However, to fully grasp the objective, the knowledge of privacy as a legal concept is required.
According to the Black’s Law Dictionary, privacy is “…[t]he right that determines the non-intervention of secret surveillance and the protection of an individual’s information. It is split into four categories:
- Physical: an imposition whereby another individual is restricted from experiencing an individual or a situation[;]
- Decisional: the imposition of a restriction that is exclusive to an entity[;]
- Informational: the prevention of searching for unknown information[;] and
- Dispositional: the prevention of attempts made to get to know the state of mind of an individual.”[6]
The key aspect from the personal data perspective is the informational dimension of privacy: obtaining personal information leads to infringement of one’s dignity and security.
The right’s international recognition stems from the Universal Declaration of Human Rights (UDHR; soft law and customary law) and the International Covenant on Civil and Political Rights (ICCPR, ratified by Kazakhstan by the law No. 91 enactment on 28 November 2005 and ratified by all EU states as well).[7] It is worth noting that personal data collection was not initially the primary concern of the documents as personally identifiable information had not been gathered electronically on a large-scale basis pertinent to technological development at the time of the UDHR and ICCPR texts adoption. In accordance with the General Comment No. 16, “[T]he gathering and holding of personal information on computers, databanks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States [parties to the Covenant] to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant”[8]. The protection of the right in this case is established by creation of the legal framework for personal data to remain confidential and duly protected while not curtail personal data free movement.[9] That is, the regulations do not prohibit or restrict personal data circulation but provide a set of rules under which such data can be legally obtained, processed, transferred, or used otherwise. Now, as the general understanding of the legal instruments purpose is defined, the material scope, specifically the general data as such, is to be expounded.
Scope of Material Application
According to the GDPR Article 4 (1), personal data is “…any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
In turn, the KZ DPL Article 1.2 states that personal data is information relating to a specific subject of personal data or determined on its basis, recorded on electronic, paper and (or) other tangible media.
Both acts provide a broad definition of personal data without providing an exhaustive list[10], which allows to assume that GDPR and KZ DPL are forward-looking regulations aiming at comprising new types of personal data yet to be defined, discovered, or invented. This was the case with, for instance, personal email, internet protocol addresses, cookies, and other data types.
Examples of common personal data are name, phone number, home or employment address, passport or identification card data, geolocation, and other data.
Additionally, the case-law of the EU states that
(a) personal data relates to an “identifiable person” also if features alphanumeric code and an identification database is applied to re-identify a person based on the data received from a third party and on information in possession by the receiving person; and
(b) personal data should also be considered as a combination of pieces of information that allow to identify a person.[11] For example, if dynamic IP address or any other depersonalised data can be combined with any additional information that allows to identify an individual, such combined information piece is considered personal data.
Hence, it should be considered that depersonalised or pseudonymised data transmitted to a third party retains such status only if that third party does not have any additional information to re-identify that person based on the data combination.
Kazakhstan court practice also supports broad interpretation of personal data by relating apartment numbers, last and first names of apartment owners, personal account numbers, amounts of debt, images of individuals, and voting to personal data. However, the legal practice in relation to IP address, cookies, and other digital data is not yet solidly formed.[12] However, it is assumed that even though the relevant practice is not yet developed, it is likely to follow the approach taken by the EU.
Another point that catches the eye is that the application of statutes does not encompass processing of personal data for activities that are intensely personal or related to household matters.[13] Therefore, if one receives certain personal data from one’s family member or a friend and uses it for non-commercial or professional purposes, one will not fall under the restrictive regulations until the data processing purposes change. For example, if one receives personal data from an individual communication channel and uses it for personal purposes, one should not be found in violation of the data protection laws. If the same person, however, uses the received personal information to make a public post or to send a marketing email, prior consent of the data subject shall be obtained.
Exterritorial Application
GDPR spreads its application for processors that operate both within the EU member states’ territories and outside thereof, provided they process personal data in the territory of the EU for either offering of goods or services or monitoring ones’ behaviour.[14] The approach is not only reinforced by the EU case-law but also by the court practice and interpretation in common law states.[15] The exterritorial application leads global internet trading platforms towards deciding on compliance with the GDPR in its entirety or in part.[16] This approach, on the one hand, creates a solid ground for the protection of personal data within the EU from a theoretical perspective while posing a practical risk of avoiding the regulation as such by circumventing the EU market itself or of having to allocate significant resources on research into GDPR applicability and compliance with its provisions, on the other.
As for Kazakhstan, the effect of regulatory legal acts extends for locals and legal entities, as well as foreigners and stateless persons, legal entities of foreign states, their branches and representative offices located in the territory, except for cases provided for by legislative acts and international treaties ratified by Kazakhstan.[17] Since KZ DPL does not directly establish exterritorial application, and the legal scholars and practitioners lean towards application specifically within Kazakhstan[18], it may be concluded that currently KZ DPL does not have exterritorial effect.
Even though the application practice is not well established yet, it should be considered that Kazakhstan may follow the development paths of its neighbouring countries, which establish exterritorial application without directly mentioning such in the local legislation provisions.[19]
…on to the Part II
Reference:
[1] Bharati, Rahul, Cyber Threats and the Erosion of Privacy: Examining the Delicate Equilibrium (July 22, 2024). Available at https://ssrn.com/abstract=4904673, page 5.
[2] Hoofnagle, C. J., van der Sloot, B., & Borgesius, F. Z. (2019). The European Union general data protection regulation: what it is and what it means*. Information & Communications Technology Law, 28(1), 65–98. https://doi.org/10.1080/13600834.2019.1573501. Available at https://www.tandfonline.com/doi/pdf/10.1080/13600834.2019.1573501, page 66.
[3] Addis, Maria Chiara and Kutar, Maria, “The General Data Protection Regulation (GDPR), Emerging Technologies and UK Organisations: Awareness, Implementation and Readiness” (2018). UK Academy for Information Systems Conference Proceedings 2018. Available at https://aisel.aisnet.org/ukais2018/29, page 3.
[4] Barta, G., Ludvai, N., & Puskás, A. (2020). The analysis of data privacy incidents and sanctions in Europe after GDPR enforcement. In INTERNATIONAL WINTER CONFERENCE OF ECONOMICS PHD STUDENTS AND RESEARCHERS (6.)(2020)(Gödöllő). VI. International Winter Conference of Economics PhD Students and Researchers: Conference Proceedings. Budapest, Association of Hungarian PhD and DLA Students (pp. 35-48). Available at https://oszkdk.oszk.hu/storage/00/03/28/26/dd/1/VI__International_Winter_Conference_of_Economics_PhD_Students_and_Researchers.pdf#page=35, page 40.
[5] Bentotahewa, V., Hewage, C. & Williams, J. The Normative Power of the GDPR: A Case Study of Data Protection Laws of South Asian Countries. SN COMPUT. SCI. 3, 183 (2022). https://doi.org/10.1007/s42979-022-01079-z. Available at https://link.springer.com/article/10.1007/s42979-022-01079-z#citeas, page 2.
[6] Black’s Law Dictionary, 2nd Ed., The Law Dictionary. Available at https://thelawdictionary.org/privacy/.
[7] United Nations General Assembly. Universal Declaration of Human Rights. 10 December 1948, 217 A (III). Article 12. Available at https://www.un.org/en/about-us/universal-declaration-of-human-rights.
United Nations General Assembly. International Covenant on Civil and Political Rights. 16 December 1966, United Nations, Treaty Series, vol. 999, p. 171. Available at https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights.
[8] UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April 1988. Available at https://www.refworld.org/legal/general/hrc/1988/en/27539.
[9] Article 1 of the GDPR and Article
[10] Recitals (14), (15), (26), (27), (29) and (30) of the GDPR. Available at https://gdpr-info.eu/recitals/.
Article 29 Working Party Opinion 4/2007 on the concept of personal data. Available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf.
Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques. Available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
[11] JUDGMENT OF THE GENERAL COURT (Eighth Chamber, Extended Composition), 26 April 2023, Single Resolution Board (SRB) v European Data Protection Supervisor (EDPS). Available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=272910&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=106473.
[12] Civil case No. 7599-23-00-2a/10070. Botagoz Basanova v TPK ISIAI LLP. 11 May 2020.
Civil case No. 7111-21-00-2/4286. Aida Maratovna Aytzhanova and Aliya Tashkenovna Aytzhanova v Andrey Viktorovich Maklakov. 01 October 2021.
Civil case No. 7514-23-00-2/7181. Daria Yurievna Vyazovetskaya v Lyayla Bazarbekkyzy Tutenaeva. 18 September 2023.
[13] Article 2.2 of the GDPR and Article 3.3. of the KZ DPL.
GDPR Recital 18. Not Applicable to Personal or Household Activities. Available at https://gdpr-info.eu/recitals/no-18/.
[14] Article 3 of GDPR.
[15] Case C-18/18: Judgment of the Court (Third Chamber) of 3 October 2019 (request for a preliminary ruling from the Oberster Gerichtshof — Austria) — Eva Glawischnig-Piesczek v Facebook Ireland Limited. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CA0018.
Opinion of Advocate General Szpunar delivered on 4 June 2019. Eva Glawischnig-Piesczek v Facebook Ireland Limited. Request for a preliminary ruling from the Oberster Gerichtshof. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CC0018.
Walter Tzvi Soriano v (1) Forensic News LLC, (2) Scott Stedman, (3) Eric Levai, (4) Jess Coleman, And (5) Robert Denault. Case No: CA 2021-000484 (and 000484 A). [2021] EWCA Civ 1952. Available at https://www.judiciary.uk/wp-content/uploads/2022/07/Soriano-v-Forensic-News-judgment.pdf.
[16] Gstrein, Oskar Josef and Zwitter, Andrej, Extraterritorial Application of the GDPR: Promoting European Values or Power? (September 30, 2021). Internet Policy Review 2021, Volume 10 Issue 3, DOI: 10.14763/2021.3.1576 , Available at https://ssrn.com/abstract=3940596, page 10.
[17] Article 48.1 of the Law of the Republic of Kazakhstan dated 6 April 2016 No. 480-V ZRK On legal acts.
[18] Alexander Chumachenko, Problems of Localization Of Personal Data, “Expert Kazakhstan” Journal – 2016 – No. 11. – p. 18-19. Available at https://www.aequitas.kz/upload/files/2022/Problematic_issues_of_localization_of_personal_data.pdf.
[19] Putz, C. (2022, August 4). Uzbekistan unblocks Twitter, TikTok still restricted. The Diplomat. Available at https://thediplomat.com/2022/08/uzbekistan-unblocks-twitter-tiktok-still-restricted/.
Moscow says Twitter to store user data in Russia. 11 July 2017. Available at https://www.france24.com/en/20171108-moscow-says-twitter-store-user-data-russia.