Kazakhstan has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Kazakhstan has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Kazakhstan has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

In accordance with Art. 12.2 of Law No. 94-V, personal data must be stored in a database situated within the territory of Kazakhstan by the owner and/or operator, as well as by third parties. Pursuant to Art. 27-1, the Rules for the Implementation of Measures to Protect Personal Data by the Owner, Operator, and Third Parties were approved. According to Paragraph 8 of these Rules, the collection and processing of personal data with restricted access must be conducted via information facilities located within the Republic of Kazakhstan. The storage and transfer of such data should be carried out using cryptographic protection tools that meet at least the third level of security, as defined by the standard established in Kazakhstan. Personal data of restricted access includes all personal data, except for that which the data subject has made publicly available or that which is publicly accessible by explicit provision of the law. A similar provision was already in effect since 2021 in Rules bearing the same name, repealed in 2023, under its Paragraph 10.

According to Art. 7.6 of the Informatization Law, the central executive body carrying out state regulation in the field of electronic industry is tasked with establishing a unified register of trusted software and electronic products. According to Art. 54.3.1, for the purposes of state security, only approved software may be used for public procurement and for critical information and communication infrastructure, whether state-owned or private, including telecommunication infrastructure. In addition, it is reported that the local content for this software must not be less than 70%.

Art. 21 of the Law of the Republic of Kazakhstan on Communications stipulates that operators of communication networks of all categories included in the unified telecommunications network of the Republic of Kazakhstan shall be obliged to create at their own expense a system of centralised management of their networks, which must be located on the territory of the Republic of Kazakhstan.

In addition to the legal requirement of local processing of personal data in Kazakhstan introduced in 2015 in the Personal Data Law (Art. 12.2), pursuant to Art. 16.2 of the Law, a copy of personal data may only be transferred from Kazakhstan to a foreign country (including for purposes of processing) without prior permission from the personal data subject only if the recipient of the personal data is located in a country that protects personal data (at either the national level (by adopting national laws and regulations) or the international level (through international treaties). Pursuant to Art. 16.3 of the Personal Data Law, if no such protection is available, cross-border transfers of personal data are only possible if:
- The subject gives specific consent;
- In cases specified by international treaties ratified by Kazakhstan;
- In cases stipulated in the laws of Kazakhstan in order to protect the constitutional order, public order, rights and freedoms of an individual and a citizen, and public health and morality; and
- In the case of the protection of the constitutional rights of an individual and citizen, where getting the consent of the subject or their legal representative is impossible.
It is reported that national legislation does not specify a list of countries to which the transfer of data is prohibited, nor are there any criteria listed for determining the countries that provide a proper level of protection of personal data.

Kazakhstan has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. No. 94-V provides a comprehensive regime of data protection in Kazakhstan. The Personal Data Law provides general regulations on the collection and processing of personal data and notably includes broad requirements for data localisation. In addition, the Amendment Law was introduced in July 2020, significantly extending data protection obligations for organisations. The Amendment Law introduces, among other things, further requirements for data collection and processing, obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority, including its powers and role.

As per the requirements of the Law on Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information and Communications (2017), users have been required to identify themselves using government-issued digital signature technology or SMS verification in order to comment on domestic websites.
The law requires website operators to make it mandatory for users to enter into a formal agreement before they are permitted to post comments on local websites. The information provided in the agreement needs to be retained by the website and handed over to the authorities whenever asked.

According to Art. 25.2(10) of Law No. 94-V, an owner and/or operator of a personal data database, which is a legal entity, should appoint a person responsible for organising the processing of personal data (this requirement does not apply to the activities of courts). According to Art. 25.3, such a person is entrusted with the following duties:
- Exercise internal control over observance by the owner and/or operator of a personal data database and its employees of Kazakh law requirements in relation to personal data and its protection;
- Inform the employees of an owner and/or operator of the provisions of Kazakh law with respect to processing and protection of personal data;
- Exercise control over receipt and processing of applications from personal data subjects or their legal representatives.

In July 2019, the government introduced the Qaznet Trust Certificate under the Law on Communications, a machine-in-the-middle (MITM) technology that enables it to monitor users’ online activities. The certificate requires every internet user in the country to install a backdoor, allowing the government to conduct surveillance. This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and see web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
KazakhTelecom, the country’s largest telecommunications company, has said that citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices.
It is reported that the commentators and experts inside the country and abroad almost unanimously consider the certificate a government-initiated technology for the interception of encrypted user traffic via MITM attacks. Some of the 37 websites that University of Michigan researchers identified as targets of the certificate included Facebook, Gmail, Instagram, Mail.ru, OK, Twitter, VK, and YouTube, suggesting that its purpose was to “surveil users on social networking and communication sites.”
On 21 August 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users. Later, Apple announced that it would make similar changes to its Safari browser and that the certificate would not be installed. After this, the requirement for the installation of the certificate was postponed.
While required, the certificate appeared to affect a fraction of connections passing through the country’s largest ISP, Kazakhtelecom. This means that some, but not all, of the Kazakh Internet population was affected.
In December 2020, Kazakhstan once again tried to enforce the installation of the certificate. However, the enforcement once again halted after the protest of the major internet browsers. Although not enforced, the provisions for mandatory installation of the certificate remain in Kazakhstan's regulations.

A basic legal framework on intermediary liability for copyright infringement is absent in Kazakhstan's law and jurisprudence. However, the Agreement on Enhanced Partnership between the EU and the Republic of Kazakhstan, signed in March 2016, provides a safe harbour to European companies under several conditions. According to the agreement, an information intermediary is not liable, for example, if it does not initiate the transfer, if the end-user always takes the initiative, if it does not choose the recipient of the transfer if it does not choose or change the information contained in the transfer if it complies with the conditions of access to information, observes rules for updating information, does not interfere with the lawful use of generally recognised technologies, immediately deletes information or stops access to it, after receiving a notice.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Kazakhstan's law and jurisprudence. However, the Agreement on Enhanced Partnership between the EU and the Republic of Kazakhstan, signed in March 2016, provides a safe harbour to European companies under several conditions. According to the agreement, an information intermediary is not liable, for example, if it does not initiate the transfer, if the end-user always takes the initiative, if it does not choose the recipient of the transfer, if it does not choose or change the information contained in the transfer if it complies with the conditions of access to information, observes rules for updating information, does not interfere with the lawful use of generally recognised technologies, immediately deletes information or stops access to it, after receiving a notice.

As per the requirements of the Law on Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information and Communications (2017), users have been required to identify themselves using government-issued digital signature technology or SMS verification in order to comment on domestic websites. Failure to enforce the rule after April 2018 can lead to fines. The law requires website operators to make it mandatory for users to enter into a formal agreement before they are permitted to post comments on local websites. The information provided in the agreement needs to be retained by the website and handed over to the authorities whenever asked.