The Taza Koom Project and recent changes to Kyrgyz data protection law
As part of the Taza Koom project - a national, high-tech programme focusing on the use of information technology for public services and businesses - the Government of Kyrgyzstan has taken steps to introduce substantial amendments to the regulation of personal data. The amendments breathe new life into the data protection framework, now nearly ten years old, in line with the pattern of digital modernisation in the country. Asel Momoshova, Senior Associate at Kalikova & Associates, examines how the amendments will contribute to the strengthening of data subjects’ rights and the enforcement of data protection requirements in Kyrgyzstan.
Introduction
The Law of the Kyrgyz Republic No. 58 on the Information of Personal Nature (‘the Personal Data Law’) was adopted on 14 April 2008. Nevertheless, since its introduction, the Personal Data Law has remained rather theoretical, lacking a commensurate enforcement practice. On 21 August 2012, there was an attempt to enforce the Personal Data Law through the judicial system when the Bishkek Inter-District Court decided in favour of a claimant who requested that the Government introduce an authorised state body charged with the supervision of the registration of data holders (effectively, data controllers) and databases containing personal information, within six months from the date of the court’s decision. However, the decision has never been enforced and the data protection authority has never been appointed. A number of amendments to the Personal Data Law, however, were adopted by the Parliament in July 2017, pursuant to the Law of the Kyrgyz Republic of 20 July 2017 No. 129 (‘the Amendments’). The Amendments entered into force on 8 August 2017. Comprehensive reforms of the data protection framework are also expected to be implemented pursuant to the national high-tech Taza Koom project (Transparent Society) (‘the Taza Koom Project’), initiated in April 2017, with the aim of introducing a technology-based, publically accessible governance system and supporting the digitisation of business processes.
Amendments to the Personal Data Law
One of the main changes introduced into the Personal Data Law is the reinforcement of the consent requirement. Prior to the Amendments, consent to data processing needed only be the freely given, specific and conscious expression of a will, including the written confirmation by which the data subject notifies the data holder of their consent to data processing. However, the Amendments require that consent be expressed in written form, or in an electronic document bearing an electronic signature, in line with electronic signature legislation. The recent reforms also establish that the Government shall adopt a specific form for obtaining consent for data processing. The recent Amendments also expand the right of the data subject to access their personal data, so as to include a right to receive information, including a confirmation of the data processing, the grounds, purpose and means of the processing, the name and location of the data holder, information on persons having access to personal databases and the timeline of data processing and data storage. Additionally, the data holder must provide the subject with information on the procedure for the enforcement of the data subject’s rights set forth by the Personal Data Law and information on cross-border data transfers; either those initiated or planned. Further, the Amendments impose additional obligations on the data holder, such as the obligation to take legal, organisational and technical measures to protect personal data from unauthorised access, copying, alteration, blocking distribution and other unauthorised actions. The Amendments also require that the data holder ensure the application of requirements approved by the Government related to processing of personal data and ensure the recovery of personal data deleted or modified, following unauthorised access to the database system. Further to this, the Government will approve the appropriate security level for data processing in information systems, and will adopt an order on notification of data transfers to data subjects.
Conclusion
The Amendments introduce several changes to the Personal Data Law, which provide further detail on the rights of data subjects and the prerogatives of the data protection authority related to control of data processing, in connection with implementation of the Taza Koom Project. Nevertheless, it appears that more reforms will occur as the project gets implemented further, including the appointment of an empowered and proactive data protection authority and the adoption of comprehensive sub-legal acts, particularly because the supervision of the compliance of data processing requires thorough and consistent state control and monitoring.