Abstract
The study was dedicated to analysing the current legal framework regulating profiling and targeted advertising in Kazakhstan, considering the European experience. The study involved a review of the regulations of Kazakhstan governing the use of personal data and a comparative analysis with the provisions of the General Data Protection Regulation. The analysis demonstrated that while Kazakhstan has established basic standards for the protection of personal data, the level of transparency and control over data processing remains noticeably lower compared to European norms. The main issues included the lack of explicit user consent for the use of their data for targeted advertising, limited opportunities for managing personal information, insufficient financial resources for employing advanced technologies, and certain legal restrictions caused by stringent state policies. An examination of Kazakhstani online platforms, including examples such as Kaspi, Tengrinews, and Krisha, demonstrated that data processing procedures on these platforms do not comply with the standards of the General Data Protection Regulation. This creates legal risks for businesses, particularly in relation to potential entry into the European market. The findings of the study highlighted the necessity of improving national legislation in the field of personal data protection. It was recommended to introduce mechanisms ensuring explicit user consent for data processing, enhance the transparency of privacy policies, and expand user rights, including the ability to delete stored data and transfer it. Aligning the legislation of Kazakhstan with European standards will not only strengthen the protection of citizens' rights but also increase the competitiveness of Kazakhstani companies in the international arena.
Keywords: personal data processing; international standards; privacy policy; digital market; user rights protection