Criminal liability for large-scale data leaks may be introduced in Kazakhstan

Tengrinews.kz — Kazakhstan is considering introducing criminal liability for the large-scale leakage of personal data. Details were provided by the Ministry of Artificial Intelligence and Digital Development.

What happened

In March, at one of the government meetings, Deputy Prime Minister and Minister of Artificial Intelligence and Digital Development Zhaslan Madiyev said that Kazakhstan plans to introduce modern data protection tools, including masking and hashing. The ministry also intends to restrict the downloading of data from state databases.

According to Madiyev, the plans also include:

• introducing criminal liability for the mass dissemination of personal data;
• increasing administrative fines to 5,000 MCI (21.6 million tenge in 2026).

The editors of Tengrinews.kz contacted the ministry for further details.

What the ministry said

Criminal liability for large-scale data leaks may indeed be introduced. The relevant provision is planned to be added to Article 147 of the Criminal Code, which provides punishment for violations of privacy and personal data protection laws.

“The introduction of criminal liability for large-scale personal data leaks is under consideration. This concerns supplementing the current provisions of Article 147 of the Criminal Code, which establish liability for the unlawful collection and dissemination of personal data, with sanctions for the large-scale nature of such violations. The specific parameters of the sanctions will be determined as part of legislative amendments,” the ministry said in response to an official request from the editors of Tengrinews.kz.

In other words, Article 147 currently does not mention the large-scale nature of leaks, and this is the detail the drafters of the amendments want to add. What exactly the criminal punishment will be is still unclear.

As for fines, they will also be increased. Potential violators of personal data protection requirements may indeed face fines of more than 21 million tenge. However, as the ministry clarified, the issue will still be worked out jointly with interested government bodies.

At present, the maximum fine for violating the personal data law under the Code of Administrative Offenses (Article 79) is 2,000 MCI (8.6 million tenge). This sanction applies to large businesses; fines for other categories are lower.

The ministry did not specify which data from state databases will no longer be allowed to be downloaded. It is only known that the export of personal data is planned to be restricted.

“Priority will be given to the integration of information systems, and data exports will be prohibited, except in specific cases strictly defined by law,” the response says.

The amendments are currently at the stage of drafting and coordination. According to the digital ministry, some of them were developed as a logical continuation of the constitutional norm on personal data protection, while another part of the amendments (it was not specified which exactly) was prepared as part of a parliamentary initiative.