Kazakhstan, the main regulatory act related to artificial intelligence (AI) is the Law of the Republic of Kazakhstan, 'On Informatisation', dated November 24, 2015. This Law provides for many concepts related to the use of information and communication technologies, systems and programs, the process of collecting, processing, and analysing data, enshrines the concept of 'intelligent robot', the rights and obligations of its owner and proprietor, the concept of 'national artificial intelligence platform', establishes the functions of the national operator of the national AI platform. The law does not provide detailed rules on regulating AI, its creation, use, monitoring, regulations and control over its use, restrictions, and liability.
At the beginning of 2025, the Kazakhstani Parliament announced the draft Law of the Republic of Kazakhstan, 'On Artificial Intelligence' and the Law of the Republic of Kazakhstan, 'On Amendments to Certain Legislative Acts on Artificial Intelligence'.1,2 The primary Law in artificial intelligence will be a special law. In connection with its adoption, the necessary changes will be made to the laws 'On Personal Data and Their Protection', 'On Informatisation', 'On the Protection of Consumer Rights', and 'On Mass Media'.
The draft Law 'On Artificial Intelligence' mainly transfers the provisions of the current Law 'On Informatisation' on the automated processing of electronic information resources, the national platform of artificial intelligence, its operator and its competence, the rights and obligations of the owner of an intelligent robot. The Kazakh draft law consists of 28 articles, and its text at the initial stage can be called 'meagre' compared to the European Artificial Intelligence Act, which includes 113 articles and 13 Annexes.3
At this stage of the development of the Kazakh draft law, we want to identify some problems with the concepts, goals and objectives of the law, principles, and protection of personal data.
1. Concepts.
The Kazakh draft law outlines three key terms related to artificial intelligence: artificial intelligence, artificial intelligence system, and generative artificial intelligence. However, the definitions provided for these terms are overly general and vague compared to the more precise definition of 'AI System' found in the European AI Act. The European definition offers a detailed description of artificial intelligence characteristics, specifically highlighting features such as autonomy, adaptability, and the ability to make conclusions.
The Kazakh draft law acknowledges various characteristics of AI systems and incorporates them as factors for classifying these systems and assessing their risk level. However, the interpretation and enforcement of AI system types depend on the role of the parties involved —specifically, the owner, possessor, and/or user. While the draft law does not provide definitions for 'owner' and 'holder', it defines the term 'user' in relation to the AI system or the outputs of its actions. Therefore, when applying this law on AI, reference to the terminology used in the Kazakh Law 'On Informatisation' will be necessary.
Compared to the Kazakh draft law, the European AI Act in Article 3 introduces several terms relevant to the parties involved in AI systems: provider, downstream provider, deployer, importer, distributor, authorised representative, and operator. Additionally, the European Act includes more concepts related to the regulation of artificial intelligence, such as intended purpose, reasonably foreseeable misuse, training data, validation data, testing data, input data, sensitive operational data, biometric data, biometric identification, biometric verification, biometric categorisation system, remote biometric identification systems, emotion recognition systems, publicly accessible space, risk, serious incident, AI regulatory sandbox, deepfakes, widespread violations, and other definitionas.
It is important to note that the European AI Act outlines the responsibilities of various stakeholders, including operators, providers, authorised representatives, importers, distributors, deployers, and authorised bodies. The Act mandates that providers and deployers ensure AI literacy for personnel involved with AI systems. Failure to meet specific obligations can result in different levels of accountability among stakeholders. For instance, violations of established prohibitions or non-compliance with particular duties may incur fines ranging from €7.5 million to €35 million, or from 1% to 7% of the company's annual turnover. The penalties depend on the type of violator, the size of the business, and the severity of the violation. All provisions of the European AI Act are codified in the for of the statute, which eliminates the arbitrary interpretation and implementation by state authorities.
In contrast, the proposed Kazakh draft law adopts the notion 'user of the AI system', which encompasses any individual or organisation, thereby holding them accountable for using the AI system beyond their granted access rights and for failing to comply with relevant rules and security measures. According to 'responsibility and controllability' principle, the AI system must remain under the user's control, along with that of the owner and operator of the system. While this framing can be justified, as each person does have some control over the AI system's operation, it raises concerns. Many ordinary individuals—regardless of age or social status—might lack the necessary knowledge, information literacy, and competencies to safely manage the operation of the AI system and its outcomes. Given the rapid advancement of information technology and its integration into nearly all aspects of life, the failure to enhance information literacy among the population poses risks. Any unforeseen consequences beyond a user's control could lead to the user being held liable. Although the Kazakh draft law includes extensive provisions on liability, the potential consequences could be severe. With such wording in the laws, those affected by these regulations may face significant challenges in proving a causal relationship and damage in order to be held accountable or, conversely, to prove their innocence and seek exemption from liability.
2. Objectives, tasks, and principles of the law.
The objectives and tasks outlined in the Kazakh draft law differ significantly from those established in the European AI Act. Kazakhstan aims to promote the development and implementation of artificial intelligence. At the same time, the EU AI Act focuses on regulating the use of human-centred and trustworthy AI, ensuring a high level of protection for health, safety, and fundamental rights, including democracy, the rule of law, and environmental protection.
The European Act emphasises human-centeredness and digital constitutionalism, prioritising these principles over mere innovation support. In contrast, the Kazakh draft law does not align with Article 1 of the Constitution of the Republic of Kazakhstan and lacks such prioritisation.
While the Kazakh draft law principles mention human rights, they do so only weakly in relation to innovation. For instance, 'fairness and equality' refer to the right to non-discrimination, while 'transparency and explainability' pertains to the right to information. These principles are transparent and easily interpretable since they are fundamental legal concepts applicable across all areas of law and regulation. However, the principles of 'responsibility and controllability', 'priority of human well-being and freedom of will in decision-making', 'protection of confidentiality and data', and 'security and safety' are more regulatory-special and are not well integrated into the draft law's subsequent provisions. Moreover, the detailed normative regulations are designated for the authorised body, meaning that implementation is relegated to a level of subordinate legislation. This raises concerns about the potential for arbitrary decision-making by the authorised body regarding rulemaking, regulation, enforcement of the law, and prosecutions.
3. Protection of personal data.
The draft law on artificial intelligence includes the principle of 'protection of confidentiality and data'. However, as with many Kazakh laws, the draft law provides a general statement indicating that the collection and processing of personal data must comply with legal requirements. It also states that measures should be taken to protect personal data and prevent unauthorised access. Unfortunately, the draft law does not provide detailed guidelines for implementing this principle in subsequent provisions.
The draft law's adoption includes amendments to the Law of the Republic of Kazakhstan "On Personal Data and Their Protection," dated May 21, 2013. One key change is introducing the concept of automated processing of personal data and modifying the conditions for collecting and processing such data. The amended law adds an article regarding the requirements for automated processing of personal data, which primarily reflects existing provisions found in Articles 18-1 and 36.6 of the Kazakh Law 'On Informatisation'. This maintains the obligation for owners and holders of electronic information resources, as well as intelligent robots, to inform data subjects about any automated decision-making that affects their rights and interests unless there is consent from the data subject or a legal requirement. The provisions of this law prohibit solely automated decision-making that results in significant consequences for the data subject. One notable change in the draft law is the requirement to explain (rather than inform) the procedures for the automated processing of personal data and the potential implications for the data subject. Also, new provision grants individuals the right to object to the automated processing of their data, and establishes a procedure for addressing such objections.
Additionally, the bill includes a ban on creating and releasing fully autonomous AI systems that can exploit an individual's moral and physical vulnerabilities, as well as their behavioural and personal characteristics. Although this information about a person can be indirectly associated with their data, the draft law does not explicitly state this. The current Kazakh Law 'On Personal Data and Their Protection' provides physiological and biological characteristics as biometric data. However, Kazakh law interprets this differently from European legislation. Furthermore, the Kazakh Data Protection Authority does not categorise behavioural characteristics as biometric or personal data.4
identification systems, emotion recognition systems. Additionally, the AI Act establishes numerous specific obligations for providers of high-risk AI systems that utilise biometric data and identification, along with requirements for assessing impacts on fundamental rights. The AI Act specifically references the General Data Protection Regulation (GDPR) and Directive (EU) 2016/680 concerning biometric data.
Generally, the draft law on AI submitted by the Kazakh Parliament requires further revision and careful consideration of the right to privacy and personal data protection. While the current draft represents a significant step by the Kazakh legislator to regulate AI-related matters, it adopts a generalised approach that aims to simplify the legal text despite the complexity of the technology involved, mainly concerning personal data protection.
In the global use of information technologies in public and economic relations, it is essential to define the concept of artificial intelligence (AI), the terminology involved, and the roles of parties related to AI more clearly and accurately. The development and implementation of AI technologies at the national level, particularly in economic and social sectors and occasionally in public services, often rely on foreign innovations and the transfer of technologies. Therefore, national legislation should align closely with international standards concerning terminology, roles, rights and obligations of parties engaged in AI-related legal relations. This alignment fosters consistency between national and international standards, promoting uniform interpretation and enforcement of laws, which facilitates the export of Kazakhstani technologies to the global market, making the implementation and utilisation of local developments more accessible and comprehensible.
The European AI Act imposes stricter regulations on collecting and processing biometric data through AI systems. It defines several key terms, including biometric data, biometric identification, biometric verification, biometric categorisation system, remote biometric identification systems, emotion recognition systems. Additionally, the AI Act establishes numerous specific obligations for providers of high-risk AI systems that utilise biometric data and identification, along with requirements for assessing impacts on fundamental rights. The AI Act specifically references the General Data Protection Regulation (GDPR) and Directive (EU) 2016/680 concerning biometric data.
Generally, the draft law on AI submitted by the Kazakh Parliament requires further revision and careful consideration of the right to privacy and personal data protection. While the current draft represents a significant step by the Kazakh legislator to regulate AI-related matters, it adopts a generalised approach that aims to simplify the legal text despite the complexity of the technology involved, mainly concerning personal data protection.
In the global use of information technologies in public and economic relations, it is essential to define the concept of artificial intelligence (AI), the terminology involved, and the roles of parties related to AI more clearly and accurately. The development and implementation of AI technologies at the national level, particularly in economic and social sectors and occasionally in public services, often rely on foreign innovations and the transfer of technologies. Therefore, national legislation should align closely with international standards concerning terminology, roles, rights and obligations of parties engaged in AI-related legal relations. This alignment fosters consistency between national and international standards, promoting uniform interpretation and enforcement of laws, which facilitates the export of Kazakhstani technologies to the global market, making the implementation and utilisation of local developments more accessible and comprehensible.
Footnotes
1. Dossier on the draft Law of the Republic of Kazakhstan "On Artificial Intelligence" (January 2025), https://online.zakon.kz/Document/?doc_id=34868071, accessed 02 February 2025, in Russian.
2. Dossier on the draft Law of the Republic of Kazakhstan "On Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Artificial Intelligence" (January 2025), https://online.zakon.kz/Document/? doc_id=32933085&pos=6;-106#pos=6;-106, accessed 02 February 2025, in Russian.
3. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act), OJ L, 2024/1689, 12.7.2024 - [электрон.ресурс] – URL: https://eur-lex.europa.eu/legal-content/EN/TXT/? uri=CELEX%3A32024R1689&qid=1725729176314.
4. Letter of the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan dated May 6, 2024 No. ZhT-2023-03797512.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
