A basic legal framework on intermediary liability beyond copyright infringement is absent in Kazakhstan's law and jurisprudence. However, the Agreement on Enhanced Partnership between the EU and the Republic of Kazakhstan signed in March 2016 provides a safe harbour to European companies under several conditions. According to the agreement, an information intermediary is not liable, for example, if it does not initiate the transfer, if the end-user always takes the initiative, if it does not choose the recipient of the transfer if it does not choose or change the information contained in the transfer if it complies with the conditions of access to information, observes rules for updating information, does not interfere with the lawful use of generally recognized technologies, immediately deletes information or stops access to it, after receiving a notice.

In July 2019, the government introduced under the Law on Communications the Qaznet Trust Certificate, a machine-in-the-middle (MITM) technology enabling it to monitor users’ online activities. The certificate requires every internet user in the country to install a backdoor, allowing the government to conduct surveillance. This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and see web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
KazakhTelecom, the country’s largest telecommunications company, has said that citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices.
It is reported that the commentators and experts inside the country and abroad almost unanimously consider the certificate a government-initiated technology for the interception of encrypted user traffic via MITM attacks. Some of the 37 websites that University of Michigan researchers identified as targets of the certificate included Facebook, Gmail, Instagram, Mail.ru, OK, Twitter, VK, and YouTube, suggesting that its purpose was to “surveil users on social networking and communication sites.”
On 21 August 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users. Later, Apple also announced that they would make similar changes to their Safari browser and the certificate would not be installed. After this, the requirement for the installation of the certificate was postponed.
While required, the certificate appeared to affect a fraction of connections passing through the country’s largest ISP, Kazakhtelecom. This means that some, but not all, of the Kazakh Internet population was affected.
In December 2020, Kazakhstan once again tried to enforce the installation of the certificate. However, the enforcement once again halted after the protest of the major internet browsers. Although not enforced, the provisions for mandatory installation of the certificate remain in Kazakhstan's regulations.

As per the requirements of the Law on Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information and Communications (2017), users have been required to identify themselves using government-issued digital signature technology or SMS verification in order to comment on domestic websites.
The law requires website operators to make it mandatory for users to enter into a formal agreement before they are permitted to post comments in local websites. The information provided in the agreement needs to be retained by the website and be handed over to the authorities whenever asked.

According to Art. 25.2(10) of Law No. 94-V, an owner and / or operator of a personal data database, which is a legal entity, should appoint a person responsible for organizing the processing of personal data (this requirement does not apply to the activities of courts). According to Art. 25.3, such a person is entrusted with the following duties:
- Exercise internal control over observance by the owner and / or operator of a personal data database and its employees of Kazakh law requirements in relation to personal data and its protection;
- Inform the employees of an owner and / or operator of the provisions of Kazakh law in respect of processing and protection of personal data;
- Exercise control over receipt and processing of applications from personal data subjects or their legal representatives.

Kazakhstan has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. No. 94-V provides a comprehensive regime of data protection in the Kazakhstan. The Personal Data Law provides general regulations on the collection and processing of personal data, and notably includes broad requirements for data localisation. In addition, the Amendment Law was introduced in July 2020, significantly extending data protection obligations for organisations. The Amendment Law introduces, among other things, further requirements for data collection and processing, obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority including its powers and role.

Art. 21 of the Law of the Republic of Kazakhstan on Communications stipulates that operators of communication networks of all categories included in the unified telecommunications network of the Republic of Kazakhstan shall be obliged to create at their own expense a system of centralized management of their networks, which must be located on the territory of the Republic of Kazakhstan.

In addition to the legal requirement of local processing of personal data in Kazakhstan introduced in 2015 in the Personal Data Law (Art. 12.2), pursuant to Art. 16.2 of the Law, a copy of personal data may only be transferred from Kazakhstan to a foreign country (including for purposes of processing) without prior permission from the personal data subject only if the recipient of the personal data is located in a country that protects personal data (at either the national level (by adopting national laws and regulations) or the international level (through international treaties). Pursuant to Art. 16.3 of the Personal Data Law, if no such protection is available, cross-border transfers of personal data are only possible if:
- The subject gives specific consent;
- In cases specified by international treaties ratified by Kazakhstan;
- In cases stipulated in the laws of Kazakhstan in order to protect the constitutional order, public order, rights and freedoms of an individual and a citizen, and public health and morality; and
- In the case of the protection of the constitutional rights of an individual and citizen, where getting the consent of the subject or their legal representative is impossible.
It is reported that national legislation does not specify a list of countries to which transfer of data is prohibited, nor are there any criteria listed for determining the countries that provide a proper level of protection of personal data.

Pursuant to Art. 12.2 of the Personal Data Law, personal data should be stored in a database located on the territory of Kazakhstan by the owner and/or operator, as well as third parties. In addition, in accordance with Subparagraph 4) of Art. 26 of the Personal Data Law, the Government of Kazakhstan decreed the approval of the Rules for the Implementation by the Owner and/or Operator, and a Third Party of Measures on Protection of Personal Data (Decree No. 909). In 2021, the Rules were supplemented with the provision that the collection and processing of personal data "of limited access" is carried out through informatization objects located on the territory of Kazakhstan. In accordance with paragraph 10 of these Rules, it is necessary not only to store personal data in Kazakhstan, but to collect and process personal data in Kazakhstan. It is reported that there is no clear distinction between publicly accessible data and data "of limited access". It is presumed that all personal data is of restricted access (including last name, first name, patronymic name, year, date of birth, nationality, information about the place of residence, individual identification number ('IIN'), details of identity documents), until the data subject makes them publicly accessible.

Paragraph 6-1 of Resolution No. 246 prohibits the storage of telecommunication subscriber information outside the country.

Kazakhstan has a telecommunications authority: The Telecommunications Committee of the of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan. However, it is reported that the decision making process of this entity is not fully independent from the government.

Art. 56-1 of the Law on Informatization requires that internet resources with ".kz" and ".қaz" domains must be hosted on hardware and software complexes located in Kazakhstan. In other words, an internet resource (website, web application, web service) using a ".kz" or ".қaz" domain must be hosted on a server (owned / rented / cloud hosted / VDS hosted / virtually hosted) in a data center (server / office) located in Kazakhstan. The server must also be connected to a Kazakh internet provider and use a (dedicated or shared) Kazakhstan IP address.
A similar requirement was in place since 2005, as established in Clauses 7 and 8 of the Regulations for the Allocation of Domain Space in the Kazakhstan Segment of the Internet. These clauses provided that an application for domain name registration may be refused, or registration may be cancelled, if the domain servers were not located inside Kazakhstan.

Pursuant of the Law on Licensing and the Law on Permissions and Notifications, the companies providing telecommunications services require an operating license from the Ministry of Digital Development, Innovation, and Aerospace. It is reported that all telecommunications operators are legally obliged, as part of the licensing requirement, to connect their channels to a public network controlled by KazakhTelecom.

Kazakhstan has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the telecommunication companies are required to purchase and install equipment related to the state’s System for Operational Investigative Measures (SORM) and to cover costs related to the database of International Mobile Equipment Identity (IMEI) codes and to pay regular fees to the State Radio Frequency Service, which is the IMEI database operator. These obligations may deter new players from entering the market.