In Kazakhstan, personal data protection has become critical in responding to the outbreak of COVID-19. On one hand, facial recognition, artificial intelligence, and biometrics have been chaotically introduced across different sectors of public life under ‘Digital Kazakhstan’ the national digitisation strategy, including healthcare.[1] On the other, despite all optimism and success of technology-based solutions, they result in disturbing and far-reaching consequences with regard to privacy, confidentiality, and data protection.
The Kazakh Government’s large-scale digitalisation efforts expose the manipulation of technology for the purpose of digital surveillance of citizens (particularly activists) and excessive collection of personal data during a state of emergency and quarantine to stop the spread of COVID-19.[2] While these violate fundamental rights and freedoms, including privacy, the Kazakh digital endeavour is not in line with its Privacy Law.[3] It reveals the poor application of law enforcement with an omnipresent threat of the violation of the rule of law, pervasive corruption, and opaque public administration, challenging state ability and credibility to respect and ensure safe collection, processing, and storage of Kazakhstanis personal data and meet international standards and protocols in data protection and cyber resilience.[4]
The conflict between the apparent benefits of biometric tools, including applications such as SmartAstana and Ashyq, designed explicitly as a health instrument to combat COVID-19, and capturing our physical characteristics will likely stay for years on end.[5] Technological solutions, caused by the need to curtail country’s epidemiological situation in biggest cities and nationwide, will continue to transform into long-term mechanisms for collecting, processing, and storing the personal data of millions of Kazakhstanis. While containing the COVID-19 outbreak is vital, and the health of many might outweigh the privacy of one, will this push us three steps further towards a fully-fledged surveillance society in Kazakhstan?[6] How experienced are Kazakhstanis in matters of personal data protection? How anxious are they about controlling access to their personal data and how do they perceive the role of the state in these matters?
This paper explores the nexus between the Kazakh statecraft of data protection, technology-driven digitisation efforts and the culture and awareness of data protection. It builds on the need and the pitfalls of a GDPR – like regime to be designed and implemented in one of the Central Asian countries with an emphasis on evidence-based policy recommendations to protect personal data, introduce crisis management toolkits and adopt long-term strategic cyber resilience in a post-COVID authoritarian system.[7]
Data protection and Kazakh Digitalisation Agenda
The outbreak of coronavirus in Kazakhstan has adversely impacted the protection of personal data despite the construction of a specialised agency. The entire routine of life has switched to an online format: citizens began to consume online services such as trading, online banking, and shopping day-to-day. While COVID-19 has generated rapid and quite shocking digital and technological shift anticipated so long by the Kazakh Government’s large-scale digitalisation efforts, universally protected human rights and freedoms, such as the right to privacy, freedom of movement, the right to access information of those infected have been severely violated.
One can easily recall ridiculous examples of human rights abuse reported by local media about how the doors were welded and the entrances closed when an infected individual was identified; or how information about a person was disseminated in chat rooms for the purpose of further bullying, humiliation and discrimination; or the use of medical secrecy to not disclose information on sick Parliament members and other authorities; or used as obstacles for election observers and activists to hold peaceful assemblies.[8] All these matters underpin the essence of the usual violation of human rights and freedoms in regular times in Kazakhstan, something which turns out to be even worse during a COVID-19 outbreak.
In addition, leaks of personal data continue to happen, and private IT specialists are staying alert on those cases. For instance, the Centre for Analysis and Investigation of Cyber Attacks ‘TSARKA’ announced another medical leak in their Telegram channel in 2020. Their system found “245,000 audio recordings of telephone conversations and tens of gigabytes of personal data from the integrated state database, which has been available to any unauthorised user for more than six months.”[9] Interestingly, the Kazakh Ministry of Healthcare denied the fact of a data breach and any further resolution of the situation, while no public information has even been available. A similar outcome can be traced in the DAMUMED case, with data leaks and postscripts of non-existent family members or fake visits to doctors since 2018 without proper solution until nowadays.[10] Another example was in 2019 when several leaks of personal data from Central Election Commission and General Prosecutor’s Office were also publicly reported by TSARKA without proper and transparent investigation from the Ministry of Interior.[11] All these cases highlight the negligence of rule of law and respect for human rights guaranteed by privacy legislation, constitution, and international human rights norms.
There is no doubt that digitalisation comes with risks. In Kazakhstan, digital transformation is subject to the predominant role of the state, excessive attention to the ICT sector and the need to obtain quick quantitative results (most often these are the country’s positions in the UN global e-government development index, ranking of smart cities and cybersecurity) through the creation of new jobs and receiving potential financial profit from the introduction of new technologies.[12] In addition, the Kazakh ability to achieve its strategic digitalisation goals is fairly limited and contingent on foreign aid and support in technology, investment, and skills.[13]
An excessive emphasis on ICT perhaps could lead to a more rapidly digital transformation, which has been repetitively indicated in national programmes and addresses of the President to the people. However, such an aggressive and opaque approach to digitisation of public services ignores knowledge and strategic culture in understanding the long-term benefits, repercussions and side effects for people, their freedoms and trust in Government. These far-reaching implications of quick solutions in bringing and introducing technologies for the modernisation agenda have led to the choice of the Russian and Chinese software, technologies, and digital securitisation practices by under-regulating data protection and expanding digital surveillance. As of now, it still remains unclear how and whether government agencies, particularly security services, will respect the rights of citizens to protect personal data and how the Government will balance between the right to privacy and maintaining public order and ensuring national security.
Public opinion and digital whataboutism
To understand what the Kazakh people think about digital rights and freedoms two rounds of research were conducted by Anna Gussarova and Serik Jaksylykov in 2019 and 2020 for the first time in the country.[14] Almost half (48 per cent) of those who became more concerned over security of their personal information during the quarantine are afraid of becoming a victim of fraud. Those respondents who noted that they began to care more and think about data protection were asked about types of threats they are worried the most. Almost half (48 per cent) also fear being scammed. Most of all people are concerned about the safety of their bank accounts, savings, and property. Next goes the threat of violating the secrecy of personal information (29 per cent) and unwanted advertising, such as spam (16 per cent).
When it comes to bridging the gap between the state and the people, at least every third respondent expressed their negative attitude to the Government’s plans to implement the ‘National Monitoring System’.[15] The National Security Committee intends to use this tool to ensure national and public security, identify threats, emergencies, violations of public order and terrorist acts, as well as provide exchange of information with external information systems.[16] The desire of state bodies to collect more personal and biometric information about its citizens concerns 53 per cent of the respondents. However, almost two thirds of the respondents seem to be supportive of the collection and use of their personal information, including through outdoor CCTV for facial recognition in order to improve security in the country. These quite contradictive polling results also correspond to ongoing debates over so called ‘security certificate’.[17] There is both criticism of and support for this initiative. While the former group are outraged by the violation of the right to privacy, the latter are ready to sacrifice this right for the sake of national security. However, big tech companies have blocked this certificate as it allows the state to spy on its citizens and intercept their Internet traffic.[18]
One of the noteworthy observations when comparing the results of focus group discussions in 2019 and the national survey in 2020 was the attitude towards the role of the state. Whereas in 2019 there was a deep belief in conspiracy theories and an explanation of what is happening by surveillance and wiretapping by law enforcement agencies, in 2020 the public opinion poll recorded certain desperateness. This showed through sentiments that “people have no choice and authorities will still do what they want anyway,” despite inconsistent support for national digital initiatives, vigilance, and a risk of being scammed.[19]
Another major finding from the 2020 national poll is a critically low level of digital awareness and understanding of their rights. One of the key characteristics of digital culture in the country is the level of knowledge among Internet users about their rights in the field of data protection. Focus group discussions held in 2019 strongly suggested that only a small part of Kazakhstanis who use the Internet know their rights both in national law and international best practices. The results of the 2020 survey fully endorsed the observations collected a year ago. Only 12 per cent of respondents were able to say that they are well aware of their rights in the field of data protection. 55 per cent of respondents either do not know their rights (26 per cent), or their knowledge is very limited (29 per cent). And more importantly the majority (60 per cent) of the respondents expressed their need to learn more about their digital rights.
Finally, the most attractive example to be guided by in choosing a policy in data protection and digital rights is the European Union, which collected 13 per cent of answers while China was mentioned by almost every fifth respondent as the least desirable trajectory for the Kazakh society.
While the research findings seem quite cynical and pessimistic and civil society is telling the truth to state authorities, there is still no dialogue between the two and what matters to the latter is to maintain power and insult minorities and activists. The transformation of the well-known Soviet practice of whataboutism has continued to result in human rights violation, including in the digital domain, supported by censorship, and spying to preserve the authoritarian status quo. This is truly rigid to guarantee in a digitalised world when the entire state apparatus can hardly fully control or securitise.[20]
New trends and loops
One of the key trends in the Kazakh digitalisation efforts is massive and chaotic introduction of artificial intelligence and facial recognition systems. While these emerging technologies could lead to long-term economic benefits, the authorities should consider risks associated with the provision, collection, analysis, and storage of personal data.[21] Making these processes more transparent will significantly curtail potential vulnerabilities, adequately respond to crisis situations, and enhance the cyber resilience of the Kazakhstani ecosystem. Besides, these developments could add more transparency ‘by default’ and state’s failure to manage them, as ‘security by design’ has not been introduced.
Considering the recent large-scale cases of personal data leaks, it is essential to draft and develop a national strategy for the use and implementation of artificial intelligence algorithms in various spheres of public life with the focus on ethical norms and human rights as well as legal framework that still does not exist. What is needed is to develop a two-pillar policy: i) long-term vision for AI (an inclusive approach which supports evidence-based research and multi-stakeholder cooperation); and ii) ethical principles and values for AI, as human rights, such as confidentiality and privacy, protection of personal data, human dignity, non-discrimination, and consumer protection, are at stake. And here exploring European and British partners’ capacity and expertise will become more useful and vital than the rapid introduction and copy-pasting of the Chinese abusing experience in the implementation of AI and facial recognition technologies.[22] In addition to convenience of collecting, analysing, and processing big data, it is crucial to ensure its security and prevent leaks, hacks, and unauthorised access to personal data of citizens, while respecting their rights and freedoms.
Another thing refers to inability to apply privacy and data protection legislation against state agencies and government officials (and state-affiliated companies). The law on personal data and its protection does not work, and the state does not fulfil its obligations to protect the personal data of its citizens. Recent attempts to cooperate with civil society organisations to introduce amendments to the law could seem encouraging, while many controversial articles remain unaddressed (i. e the right to be forgotten).[23] Fines and liability for violation of the law should apply to everyone, including government agencies and their representatives. Dismissal cannot remain a punishment for violation of the law because it defines clear mechanisms for bringing to justice. Since personal data is subject to protection and its guarantor is the state, this means that everyone, without exception, must comply with the developed technical and legal parameters.
Development and introduction of transparent risk management protocols are essential in balancing between national security and people’s freedoms and rights. The National Data Protection Agency needs to develop regulations on data leakage incidents and unauthorised access to personal data. Incidents of data leakage, unauthorised access to personal data should be timely reported by organisations where such crisis situations occur to national data protection agency. This is a normal standard protocol; a set of tools and practices not only present in the European GDPR but across the world. Besides, this step will not only strengthen the component for protecting systems and personal data, but also reduce the existing grey areas that can be used for corruption purposes. More importantly, these practices should be massively implemented in all government agencies working with databases.
Finally, any speculations or suggestions about the state of surveillance mostly lack empirical evidence and research findings. However, Kazakhstan is still trying to find its place in the digital space, exploring Shoshana Zuboff’s Surveillance Capitalism and Jack Balkin’s National Surveillance State.[24] On the one hand, the Kazakh Government uses surveillance tools, data collection to detect problems, control the population and provide social services. On the other hand, it is a long way from solving management problems by analysing received information due to lack of knowledge, expertise, and qualified manpower. While coronavirus will probably stay with us longer than anticipated, there is no longer any excuse to exploit fear, curtail human rights and enact emergency legislation with long-term repercussions beyond health crisis.
Hence, it is vital to have a working privacy law with enough expertise and power of the Data Protection Agency (the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry) to make sure legislation is properly applied without violation of separation of power and intrusion from security services to ‘control the situation and public order’. The Kazakh DPA should become the guardian of digital rights and data protection in the country. Besides, it should have coordinating functions to gather all government bodies to resolve digital issues, including on a regular basis, and form a digital agenda in the country, considering the risks to the architecture of privacy and personal data.
The Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry should strengthen bilateral and multilateral cooperation with similar foreign departments and agencies across the EU to develop national “cyber diplomats” in all government bodies.
The Kazakh Data Protection Agency should develop regulations on data leakage incidents and unauthorised access to personal data. These cases should be reported by organisations in which similar crises occur within certain timeframe and communicate with the clients. This is a normal standard protocol, a set of tools and practices not only present in the European GDPR, but also in many companies across the world. The introduction of transparent risk management protocols will not only strengthen the component for protecting systems and personal data, but also reduce the existing grey areas that can be used for corruption and espionage purposes. These practices should be massively implemented in all government agencies working with databases.
Anna Gussarova is Director of the Central Asia Institute for Strategic Studies. She is a Chevening Scholar and alumni of King’s College London War Studies. She has served as adjunct professor at the George C. Marshall Center and the OSCE Academy in Bishkek. She has extensive research, policy and facilitation experience and expertise in counterterrorism, cybersecurity, and information environment. Anna is a contributing author to the Eurasia Daily Monitor by the Jamestown Foundation (USA) and European Eye on Radicalisation (Brussels).
[1] ‘Digital Kazakhstan’ State Program, Zerde Holding, “Digital Kazakhstan” state program (zerde.gov.kz); Petrenko E.S., Shevyakova A.L. (2019) Features and Perspectives of Digitisation in Kazakhstan. In: Popkova E. (eds) Ubiquitous Computing and the Internet of Things: Prerequisites for the Development of ICT. Studies in Computational Intelligence, vol 826. Springer, Cham. https://doi.org/10.1007/978-3-030-13397-9_91.
[2] Anceschi, Luca. “The Persistence of Media Control under Consolidated Authoritarianism: Containing Kazakhstan’s Digital Media.” 23, no. 3 (2015): 277-295.
[3] Law of the Republic of Kazakhstan on Personal Data and Its Protection, Zakon.kz, Закон Республики Казахстан от 21 мая 2013 года № 94-V «О персональных данных и их защите» (с изменениями и дополнениями по состоянию на 01.07.2021 г.) – ПАРАГРАФ-WWW (zakon.kz).
[4] Anna Gussarova, Beyond the GovTech: The Pitfalls of Kazakhstan’s Digitalisation Agenda, in Digital Silk Road in Central Asia: Present and Future ed. By Nargis Kassenova and Brendan Duprey, DAVIS Center, Harvard, June 2021, https://daviscenter.fas.harvard.edu/sites/default/files/files/2021-06/Digital_Silk_Road_Report.pdf
[5] Dana Zhaik, Virusny monitoring: Kak koronavirus rasprostranil mirovuyu slezhku [Monitoring of Virus: How COVID-19 spread global surveillance], The Steppe, April 2020, https://the-steppe.com/tehnologii/virusnyy-monitoring-kak-koronavirus-rasprostranil-mirovuyu-slezhku
[6] Natalie Ram and David Gray, Mass surveillance in the age of COVID-19, Journal of Law and the Biosciences 7, no. 1, May 2020, https://academic.oup.com/jlb/article/7/1/lsaa023/5834621; Moran Amit, Heli Kimhi, Tarif Bader, Jacob Chen, Elon Glassberg, and Avi Benov, “Mass-surveillance Technologies to Fight Coronavirus Spread: The Case of Israel, Nature Medicine 26, no. 8, May 2020, https://www.nature.com/articles/s41591-020-0927-z
[7] EU General Data Protection Regulation on law in privacy and data protection, implemented in 2018. Full document can be found here General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
[8] Aisha Kutubaeva, Minzdarv ne rekomendoval zavarivat’ dveri i zakryvat’ tselye pod’ezdy na karantin [Healthcare Ministry does not recommend to weld doors and shut down entrances to houses], Liter, May 2020, https://liter.kz/eto-ne-my-mizdrav-ne-rekomenduet-zavarivat-dver-i-zakryvat-czelyj-podezd-na-karantin/ ; “Karagandintsev zakryli v pod’ezde na zamok [People from Karaganda were denied and locked entrance],” March 20, 2020, Карагандинцев закрыли в подъезде на замок (liter.kz)
[9] Rabiga Dyussenkulova, MinYust vysskazalsya ob utechke dannykh kazakhstantsev [Ministry of Justice commented over leaks of personal data], Tengrinews, July 2020, https://tengrinews.kz/kazakhstan_news/minyust-vyiskazalsya-ob-utechke-dannyih-kazahstantsev-408386/
[10] Also reported by TSARKA and citizens from different parts of Kazakhstan.
[11] TSARKA Official account on Facebook, https://m.facebook.com/story.php?story_fbid=2636221533272242&id=1674347306126341; Rathel, Utechka dannykh iz bazy Genprokuratury: schet idet na mesyatsy [Data leak from General Prosecutor’s Office Database: It goes for months], Ratel, February 2020, http://www.ratel.kz/kaz/utechka_dannyh_iz_bazy_genprokuratury_rk_schet_idet_na_mesjatsy?fbclid=IwAR2Rvr0DA GyJGUIGLBCDuic-sGpyWH9IBlCn2tUoP34XfREbMXOWjoI-t5s
[12] Kazakhstan has ranked 29th in the UN e-Government Development Index, 26th in e-Participation Index, 31st in ITU Global Cybersecurity Index out of 182 countries significantly improving its positions for the past ten years.
[13] Anna Gussarova and Serik Jaksylykov, Zaschita personal’nykh dannykh v Kazakhstane 2.0. Tsyfrovoy sled COVID-19 [Data Protection in Kazakhstan 2.0. COVID-19 Digital Footprint], Soros Foundation Kazakhstan, March 2021, http://files.caiss.expert/Personal%20Data_Covid%20Implications.pdf
[14] 12 focus groups in biggest cities of Kazakhstan in 2019 and a national poll of 1,500 respondents in 2020 were conducted to understand data protection issues in Kazakhstan by the author. Anna Gussarova and Serik Jaksylykov, Zashchita personal nykh dannykh v Kazakhstane: status, riski i vozmozhnosti [Data Protection in Kazakhstan: Status, Risks and Opportunities], Public Policy Initiative, Soros Foundation Kazakhstan, April 2020, https://www.soros.kz/wp-content/uploads/2020/04/Personal_data_report.pdf; Anna Gussarova and Serik Jaksylykov, Zaschita personal’nykh dannykh v Kazakhstane 2.0. Tsyfrovoy sled COVID-19 [Data Protection in Kazakhstan 2.0. COVID-19 Digital Footprint], Soros Foundation Kazakhstan, March 2021, http://files.caiss.expert/Personal%20Data_Covid%20Implications.pdf
[15] On the approval of the Rules for the functioning of the National video monitoring system, November 30, 2020, On the approval of the Rules for the functioning of the National video monitoring system – “Adilet” ILS (zan.kz)
[16] “Bol’shoy Brat: Kak Budet Rabotat’ Sistema Videomonitoringa v Kazakhstane [Big Brother: how the national video monitoring system will work in Kazakhstan],” Forbes, February 2020, Большой брат: как будет работать национальная система видеомониторинга в Казахстане — Forbes Kazakhstan
[17] This has been the third attempt to implement a security certificate in Kazakhstan: the first time in January 2016, the second time in 2019 and in 2020 again when the initiative triggered a negative response from civil society and IT companies, including Apple, Google, and Mozilla. “O sertifikate bezopasnosti [About Security Certificate], Digital Rights and Freedoms Landscape, December 17, 2020, О сертификате безопасности (drfl.kz).
[18] “Certificate cannot be trusted” warning in Kazakhstan, https://support.mozilla.org/en-US/kb/certificate-cannot-be-trusted-warning-kazakhstan; Catalin Cimpanu, Kazakhstan government is intercepting HTTPS traffic in its capital, ZDNet, December 2020, https://www.zdnet.com/article/kazakhstan-government-is-intercepting-https-traffic-in-its-capital/
[19] Ibid.
[20] Mordechai Gordon, Opinion: The problem with ‘whataboutism’, CT Post, February 2021, https://www.ctpost.com/opinion/article/Opinion-The-problem-with-whataboutism-15964005.php
[21] Damir Serikpaev, Askar Mamin: U iskisstvennogo intellekta v Kazakhstane est’ potentsial [Askar Mamin: AI Has Potential in Kazakhstan], Forbes, January 2020, https://forbes.kz/process/technologies/askar_mamin_ekonomicheskiy_effekt_ot_primeneniya_ii_mojet_sostavit_okolo_25_mlrd/
[22] For instance, drafting a Strategy for AI and Ethics in using digital technologies is one of the examples to learn from the UK or the EU. Or exploring the concept of digital rights and freedoms for economic welfare could be another option. Besides, Cyber Security Awareness Month could be something to begin with to involve civil society and business to build public-private partnerships and introduce cyber hygiene. Other bilateral efforts in capacity building for the Kazakh civil servants would definitely strengthen local ecosystem and invest in manpower.
[23] Tamara Vaal, “V Kazakhstane usovershenstvuyut zakon o zaschite personal’nykh dannykh [Kazakhstan Will Ament the Law on Data Protection and Its Protection],” Vlast, April 13, 2021, В Казахстане усовершенствуют закон о защите персональных данных – Аналитический интернет-журнал Vласть (vlast.kz)
[24] Shoshana Zuboff, Surveillance Capitalism, Project Syndicate, January 2020, https://www.project-syndicate.org/onpoint/surveillance-capitalism-exploiting-behavioral-data-by-shoshana-zuboff-2020-01/russian?barrier=accesspaylog; Jack M. Balkin, The Constitution in the National Surveillance State, Minnesota Law Review 93, 2008, https://digitalcommons.law.yale.edu/fss_papers/225/