The development of the legislation in the field of protection of personal information in the Kyrgyz Republic has started relatively recently.
On April 14, 2008, the Kyrgyz Republic adopted Law No. 58 “On Personal Information” (hereinafter the “Law 2008”), aimed to strengthen the state policy in the field of personal data management, as well as to protect the rights and freedoms of people whose personal data are being collected, processed and used. The Law 2008 determines the terms and conditions for handling personal information, the procedure for creation of the arrays of personal information by public authorities, local governments, and legal entities, as well as determines the rights and obligations of personal data subjects, holders (possessors) and recipients of such information.
At the same time, the Law 2008 contained a number of deficiencies. Thus, for example, it did not establish the right of the Government to approve the requirements for ensuring the safety of personal data when processing them in information systems. Also, there were no requirements on the procedure and form of consent of a personal data subject to processing his/her personal data, etc.
In this regard, on July 20, 2017 the President of the Kyrgyz Republic signed the Law “On Amendments to the Law of the Kyrgyz Republic “On Personal Information” (hereinafter the “Law 2017”).
Moreover, on November 17, 2014 the Government of the Kyrgyz Republic adopted the Government Decree No. 651 “On the Program of the Kyrgyz Government on introduction of electronic government (“e-government”) in state executive bodies and local government authorities of the Kyrgyz Republic for 2014-2017”, as well as a relevant Action Plan for its implementation.
As noted by authors, the Law 2017 focuses on the elimination of gaps in the current Law 2008, establishing more effective mechanisms for protecting the rights of personal data subjects, including when processing the data by various holders in personal data information systems.
The introduced Law 2017 provides for the right of the Kyrgyz Government to approve the requirements for ensuring the security of personal data during their processing; the procedure and form of consent of the personal data subjects to processing their personal data and the procedure of notification on the transfer of personal data. In this regard, an amendment is being made that the subject’s consent should be expressed in writing (on paper), or in the form of electronic document signed by electronic signature in accordance with the legislation of the Kyrgyz Republic (Article 9 of the Law 2017).
In order to implement the state and municipal services in electronic form that require personification/authentication of its recipient, the Law 2017 is supplemented with the provision according to which the procedure for obtaining the consent of personal data subject to process his/her personal data for the purpose of providing state and municipal services in the form of electronic document is established by the Government of the Kyrgyz Republic (Article 9.6 of the Law 2017).
Also, an amendment is being introduced that the Law 2017 applies not only to public authorities, local governments and legal entities, but also to individuals, such as private notaries, private lawyers, etc., who may deal with personal data, and are obliged to comply with the legal requirements. In addition, any actions with personal data must meet the requirements of the Law, regardless of whether the information is being collected for transmission to third parties or not.
A provision is being introduced under which a personal data subject has the right to obtain information from the holder (owner) of the array of personal data regarding processing of his/her personal data (Article 10.1.1 of the Law 2017).
Due to the absence of separate articles on the status and specific powers of an authorized body in the previous Law 2008, the Law 2017 has been supplemented with a new article on the status, functions and powers of that authorized body (Article 29.1 of the Law 2017).
Furthermore, according to the developers, taking into account the commitments undertaken by the Kyrgyz Republic within the framework of its membership in the EAEU , the amendments and additions to the Law 2008 are aimed at improving the legal regulation of this sphere, bringing in line with international standards in the protection of personal data and harmonization of Kyrgyz legislation with the legislation of the member countries of the Eurasian Economic Union. These changes in the legislation are important from the perspective of the forthcoming electronic interaction of state bodies and legal entities/individuals, the exchange of personal data within the framework of the EAEU.
It will also help to foster citizens’ trust in the activities of state bodies, private companies (for instance, telecommunication operators, banks) and individuals (notaries, teachers, doctors) when processing personal data of subjects.
The entry into force of the Law 2017 will entail the need to develop and adopt a number of bylaws and regulatory acts aimed at implementing the provisions stated in this Law.
Thus, the proposed Law 2017 with all its amendments will not only reach international standards in this sphere, but will also become one of the basic laws necessary for introduction of e-government, provision of state and municipal services in electronic (interactive) format, which in turn, will allow more effective organization of the activities of the state and society.
This Article has been prepared by Saara Kabaeva, a lawyer of Lorenz Law Firm, on August 10, 2017.
The Eurasian Economic Union is an international organization for regional economic integration. It has international legal personality and is established by the Treaty on the Eurasian Economic Union.