On November 26, 2013, Kazakhstan’s new data privacy law, On Personal Data and Their Protection, will come into effect. The law was passed on May 21, 2013. Kazakhstan is the second country in Central Asia to enact a data privacy law, joining the Kyrgyz Republic, which passed the Law on Personal Data in 2008.

The stated purpose of the Kazakhstan law is the protection of human rights in the collection and processing of personal data. Currently, the protection of personal data in Kazakhstan is regulated by sector and the new law will work alongside the existing regulatory framework. Although an official English version of the law has not yet been released, available analyses indicate that the law applies in both the public and private sectors. The law imposes requirements on database operators and other information collectors relating to purpose limitation, notice, consent, access and correction, destruction of data, security and onward transfer restrictions, including export limitations.

The law does not establish a data protection authority. Each state agency is required to develop and supervise data protection within the industry or government sectors for which it is responsible.