Соціально-правові студії
ISSN 2617-4162
e-ISSN 2617-4170
Видавець: Львівський державний університет внутрішніх справ
Анотація
Дослідження присвячене аналізу чинної нормативно-правової бази, що регулює профілювання і таргетовану рекламу в Казахстані, з урахуванням європейського досвіду. Дослідження включало огляд нормативно-правових актів Казахстану, що регулюють використання персональних даних, і порівняльний аналіз з положеннями Загального регламенту про захист даних. Аналіз продемонстрував, що хоча в Казахстані встановлені базові стандарти захисту персональних даних, рівень прозорості та контролю за процесом обробки даних залишається помітно нижчим порівняно з європейськими нормами. Основними проблемами є відсутність чіткої згоди користувачів на використання їхніх даних для таргетованої реклами, обмежені можливості для управління особистою інформацією, а також недостатні фінансові ресурси для застосування передових технологій і певні правові обмеження, спричинені жорсткою державною політикою. Аналіз казахстанських онлайн-платформ, зокрема таких, як Kaspi, Tengrinews і Krisha, показав, що процедури обробки даних на цих платформах не відповідають стандартам Загального регламенту про захист даних. Це створює юридичні ризики для бізнесу, особливо у звʼязку з потенційним виходом на європейський ринок. Результати дослідження підкреслили необхідність удосконалення національного законодавства у сфері захисту персональних даних. Рекомендується запровадити механізми, що забезпечують явну згоду користувача на обробку даних, підвищити прозорість політик конфіденційності, розширити права користувачів, зокрема можливість видаляти збережені дані та передавати їх. Приведення законодавства Казахстану у відповідність до європейських стандартів не тільки посилить захист прав громадян, а й підвищить конкурентоспроможність казахстанських компаній на міжнародній арені
Ключові слова: обробка персональних даних; міжнародні стандарти; політика конфіденційності; цифровий ринок; захист прав користувачів
Цитувати
[1] Act of Japan No. 57 “On the Protection of Personal Information”. (2003). Retrieved from https://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf.
[2] Akhmetbek, Y., & Špaček, D. (2021). Opportunities and barriers of using blockchain in public administration: The case of real estate registration in Kazakhstan. NISPAcee Journal of Public Administration and Policy, 14(2), 41-64. doi: 10.2478/ nispa-2021-0014.
[3] Akhmetova, S. (2023). Some aspects of the personal data protection law in Kazakhstan. Retrieved from https://www.mondaq.com/data-protection/1332632/some-aspects-of-the-personal-data-protection-law-in-kazakhstan.
[4] Amanzholova, S., Akhmetova, D., & Sagymbekova, A. (2021). Development of a web-resources testing system for compliance with GDPR regulation. In ICEMISʼ21: The 7th international conference on engineering & MIS 2021 (pp. 1-6). Almaty: ACM Press. doi: 10.1145/3492547.3492661.
[5] Bak, M., Madai, V.I., Fritzsche, M.C., Mayrhofer, M.T., & McLennan, S. (2022). You canʼt have AI both ways: Balancing health data privacy and access fairly. Frontiers in Genetics, 13, article number 929453. doi: 10.3389/fgene.2022.929453.
[6] Brazilian General Data Protection Law. (2018, August). Retrieved from https://surl.li/mybgqw.
[7] Chan, K., Chen, E., Heneghan, M., Soffer, D., & Wachirapornpruet, P. (2022). Against the grain: The data regulatory regimes of Kazakhstan and Uzbekistan vis-à-vis Russia, China, and Big Tech. London: Lse Ideas.
[8] Code of Ethics and Business Conduct of Kaspi Bank JSC. (2025). Retrieved from https://cdn-kaspi.kz/kkz/rese/files/terms/ code_of_ethics_and_business_conduct_of_kaspi_bank_jsc.pdf.
[9] Directive of the European Parliament and of the Council No. 2002/58/EC “Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector” (Directive on Privacy and Electronic Communications). (2002, July). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058.
[10] E-commerce and online banking platform Kaspi. (2024). Retrieved from https://www.Kaspi.kz.
[11] EUʼs top court rules against targeted advertising on Facebook. (2023). Retrieved from https://dig.watch/updates/eus-top-court-rules-against-targeted-advertising-on-facebook.
[12] Gal, M.S., & Aviv, O. (2020). The competitive effects of the GDPR. Journal of Competition Law & Economics, 16(3), 349-391. doi: 10.1093/joclec/nhaa012.
[13] General Data Protection Regulation (GDPR). (2016, May). Retrieved from https://gdpr-info.eu/.
[14] Gentile, G., & Lynskey, O. (2022). Deficient by design? The transnational enforcement of the GDPR. International & Comparative Law Quarterly, 71(4), 799-830. doi: 10.1017/S0020589322000355.
[15] Gulyamov, S., & Raimberdiyev, S. (2023). Personal data protection as a tool to fight cyber corruption. International Journal of Law and Policy, 1(7), 1-32. doi: 10.59022/ijlp.119.
[16] Iskakova, Zh.T., & Kadyrzhanova, T.S. (2022). Analysis of problems and challenges in the legislation of the Republic of Kazakhstan on personal data protection and international legal regulation. Bulletin of L.N Gumilyov Eurasian National University, Law Series, 141(4), 48-60.
[17] Jones, M.L., & Kaminski, M.E. (2020). An Americanʼs guide to the GDPR. Denver Law Review, 98(1), 93-128.
[18] Kajcsa, A., & Dogaru, L. (2022). The challenges brought by GDPR to the use of intelligent systems. In L. Moldovan & A. Gligor (Eds.), 15th International conference interdisciplinarity in engineering: Conference proceedings (pp. 298-306). Cham: Springer. doi: 10.1007/978-3-030-93817-8_29.
[19] Kazakhstan strengthens personal data protection by gradually moving toward GDPR standards. (2021). Retrieved from https://www.dentons.com/en/insights/alerts/2021/january/28/kazakhstan-strengthens-personal-data-protection-by-gradually-moving-toward-gdpr-standards.
[20] Khamidullina, Y. (2019). Kazakhstan – the impact of the GDPR outside the EU. Retrieved from https://iuslaboris.com/insights/kazakhstan-the-impact-of-the-gdpr-outside-the-eu/.
[21] Kive, M., & Grasis, J. (2020). Problems of application of the right to data portability. Acta Prosperitatis, 11, 116-127.
[22] Kocharyan, H., Vardanyan, L., Hamuľák, O., & Kerikmäe, T. (2021). Critical views on the right to be forgotten after the entry into force of the GDPR: Is it able to effectively ensure our privacy? International and Comparative Law Review, 21(2), 96-115. doi: 10.2478/iclr-2021-0015.
[23] Kretschmer, M., Pennekamp, J., & Wehrle, K. (2021). Cookie banners and privacy policies: Measuring the impact of the GDPR on the web. ACM Transactions on the Web (TWEB), 15(4). doi: 10.1145/3466722.
[24] Law of the Republic of Kazakhstan No. 18-8 “On Online Platforms and Online Advertising”. (2023, July). Retrieved from https://adilet.zan.kz/eng/docs/Z2300000018.
[25] Law of the Republic of Kazakhstan No. 347-6 ZRC “On Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan Regarding Regulation of Digital Technologies”. (2020, June). Retrieved from https://adilet.zan.kz/rus/docs/Z2000000347.
[26] Law of the Republic of Kazakhstan No. 399-4 “On Introducing Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Issues of Restoration of Economic Growth”. (2021, January). Retrieved from https://adilet.zan.kz/rus/docs/Z2100000399.
[27] Law of the Republic of Kazakhstan No. 44-VIII “On Amending Certain Legislative Acts of the Republic of Kazakhstan on Information Security, Informatisation and Digital Assets”. (2023, December). Retrieved from https://adilet.zan.kz/rus/docs/Z2300000044.
[28] Law of the Republic of Kazakhstan No. 508-2 “On Advertising”. (2003, December). Retrieved from https://adilet.zan.kz/eng/archive/docs/Z030000508_/09.09.2024.
[29] Law of the Republic of Kazakhstan No. 94-5 “On Personal Data and their Protection”. (2013, May). Retrieved from https://adilet.zan.kz/eng/docs/Z1300000094.
[30] Lawson-Hetchely, C. (2022). The potential impact of the future AI Act on the GDPR. Oslo: University of Oslo.
[31] Luisi, M. (2022). GDPR as a global standards? Brusselsʼ instrument of policy diffusion. Retrieved from https://www.e-ir.info/2022/04/09/gdpr-as-a-global-standards-brussels-instrument-of-policy-diffusion/.
[32] Lukings, M., & Lashkari, A.H. (2022). Comparative legal strategies. In Understanding cybersecurity law in data sovereignty and digital governance: An overview from a legal perspective (pp. 181-204). Cham: Springer. doi: 10.1007/978-3-031-14264-2_5.
[33] Luxembourg DPA fines Amazon EUR 746 million for GDPR violations. (2021). Retrieved from https://www.huntonak.com/ privacy-and-information-security-law/luxembourg-dpa-fines-amazon-756-million-euros-for-gdpr-violations.
[34] Maulenov, K., Kudubayeva, S., Kaziyeva, N., Zharlykassov, B., & Turebayeva, R. (2024). Biometric access system with automatic registration and loyalty check in the system of recognition and database entry. Information Security Journal. doi: 10.1080/19393555.2024.2403458.
[35] Mentukh, N., & Shevchuk, O. (2023). Protection of information in electronic registers: Comparative and legal aspect. Law, Policy and Security, 1(1), 4-17.
[36] News Portal Tengrinews. (2024). https://www.Tengrinews.kz.
[37] Nurbatyrova, R., Japarov, B., Apakhayev, N., Abdulaziz, B., & Khushkeldiyeva, S. (2024). Digital transformation of archives in the context of the introduction of an electronic document management system in Kazakhstan. Preservation, Digital Technology and Culture, 53(3), 147-155. doi: 10.1515/pdtc-2024-0017.
[38] Open Dialog. (2021a). Retrieved from https://dialog.egov.kz/blogs/all-questions/691916.
[39] Open Dialog. (2021b). Retrieved from https://dialog.egov.kz/blogs/all-questions/715842.
[40] Open Dialog. (2022a). Retrieved from https://dialog.egov.kz/blogs/all-questions/724888.
[41] Open Dialog. (2022b). Retrieved from https://dialog.egov.kz/blogs/all-questions/727791.
[42] Penal Code of the Republic of Kazakhstan. (2014, July). Retrieved from https://adilet.zan.kz/eng/docs/K1400000226.
[43] Platform for Selling and Buying Real Estate Krisha. (2024). https://www.Krisha.kz.
[44] Poelman, M., & Iqbal, S. (2021). Investigating the compliance of the GDPR: Processing personal data on a blockchain. In 2021 IEEE 5th International conference on cryptography, security and privacy (CSP) (pp. 38-44). New York: Institute of Electrical and Electronics Engineers. doi: 10.1109/CSP51677.2021.9357590.
[45] Porcelli, L., Mastroianni, M., Ficco, M., & Palmieri, F. (2024). A user-centered privacy policy management system for automatic consent on cookie banners. Computers, 13(2), article number 43. doi: 10.3390/computers13020043.
[46] Prasad, A., & Perez, D.R. (2020). The effects of GDPR on the digital economy: Evidence from the literature. Informatization Policy, 27(3), 3-18. doi: 10.22693/NIAIP.2020.27.3.003
[47] Presthus, W., & Sønslien, K.F. (2021). An analysis of violations and sanctions following the GDPR. International Journal of Information Systems and Project Management, 9(1), 38-53. doi: 10.12821/ijispm090102.
[48] Prinsley, M.A., Yaros, O., Randall, R., & Hajda, O. (2020). British Airways ultimately fined £20m for personal data breach by the UK ICO under the GDPR (reduced from £183.39m). Retrieved from https://surl.li/aszrnc.
[49] Privacy Collective. (2020). Oracle and salesforce taken to court in the Netherlands over GDPR infringement. Retrieved from https://edri.org/our-work/oracle-and-salesforce-taken-to-court-in-the-netherlands-over-gdpr-infringement/.
[50] Privacy Policy. (2025). Retrieved from https://tengrinews.kz/page/confidential/.
[51] Prokk, B.C., & Schneider, I. (2021). The geopolitical relevance of the GDPR. Hamburg: University of Hamburg.
[52] Regulation of the European Parliament and of the Council No. 2016/679 “On the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive No. 95/46/EC (General Data Protection Regulation)”. (2016, April). Retrieved from https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[53] Regulation of the European Parliament and of the Council No. 2024/1689 “Laying Down Harmonised Rules on Artificial Intelligence and Amending Regulations (EC) No. 300/2008, (EU) No. 167/2013, (EU) No. 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)” (2024, June). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689.
[54] Santos, C., Rossi, A., Chamorro, L.S., & Bongard-Blanchy, K. (2021). Cookie banners, whatʼs the purpose?: Analyzing cookie banner text through a legal lens. In WPESʼ21: Proceedings of the 20th workshop on workshop on privacy in the electronic society (pp. 187-194). New York: Association for Computing Machinery. doi: 10.1145/3463676.3485611.
[55] Shtovba, О. (2024). Multi-armed bandit-based adaptive control of advertising in social networks. Innovation and Sustainability, 4(1), 83-92. doi: 10.31649/ins.2024.1.83.92.
[56] The BE DPA to restore order to the online advertising industry: IAB Europe held responsible for a mechanism that infringes the GDPR. (2022). Retrieved from https://www.dataprotectionauthority.be/citizen/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr.
[57] The CNILʼs restricted committee imposes a financial penalty of EUR 50 million against GOOGLE LLC. (2019). Retrieved from https://surl.li/yhwzav.
[58] Top Websites Ranking. (2024). Retrieved from https://www.similarweb.com/top-websites/.
[59] Toqmadi, M., & Zakharchenko, N. (2021). I agree to terms and conditions: Negotiating privacy online in Central Asia. JeDEM- EJournal of EDemocracy and Open Government, 13(1), 71-100. doi: 10.29379/jedem.v13i1.633.
[60] Veit, R.D. (2022). Safeguarding regional data protection rights on the global internet – the European approach under the GDPR. In M. Albers & I.W. Sarlet (Eds.), Personality and data protection rights on the Internet: Brazilian and German approaches (pp. 445-484). Cham: Springer. doi: 10.1007/978-3-030-90331-2_18.
[61] Wiedemann, K. (2022). Profiling and (automated) decision-making under the GDPR: A two-step approach. Computer Law & Security Review, 45, article number 105662. doi: 10.1016/j.clsr.2022.105662.
[62] Wodi, A. (2023). The EU General Data Protection Regulation (GDPR): Five years after and the future of data privacy protection in review. SSRN. doi: 10.2139/ssrn.4601142
[63] Yakymenko, B. (2023). Formation of the institute of personal data protection and experience of its implementation in the countries of the EU. Scientific Journal of the National Academy of Internal Affairs, 28(4), 68-79. doi: 10.56215/naia-herald/4.2023.68.
[64] Yerbolatov, Y.Y., Zhetpisov, S.K., Boretsky, A.V., Alibayeva, G.A., & Kolesnikov, Y.Y. (2022). Personal data protection in Kazakhstan and the EU: Comparative-legal analysis. Journal of Sustainability Studies, 12(1), 69-88. doi: 10.3280/RISS2022-001005.
[65] Younas, A., Umarova, A., Hassan, A., & Usman, Z. (2020). Overview of big data and cloud computing laws, regulations and policies in Central Asia. Lahore: AI Mo Innovation Consultants Ltd. doi: 10.2139/ssrn.3672779.
[66] Zaeem, R.N., & Barber, K.S. (2020). The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems (TMIS), 12(1). doi: 10.1145/3389685.
[67] Zaki, H.O., Kamarulzaman, Y., & Mohtar, M. (2021). Cognition and emotion: Exploration on consumers response to advertisement and brand. Jurnal Pengurusan, 63, 1-14. doi: 10.17576/pengurusan-2021-63-05.
[68] Zhetpissov, S., Mussabekova, N., Alibayeva, G., Dubovitskay, O., & Talipova, Zh. (2024). Vulnerability of personal data of Kazakhstani citizens and the need to implement the European experience. Rivista di Studi sulla Sostenibilita, 2, 305-323. doi: 10.3280/riss2024-002017.