Uzbekistan, Reinforcing The Privacy Rights of Citizens

The Law of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data, also known as the Law on Personal Data, is a data protection law that was recently passed in Uzbekistan in 2019. Prior to the passing of the Law on Personal Data, the primary law pertaining to the protection of personal data and privacy had been the Law of Uzbekistan of 24 April 1994 No 400-I on Guarantees and Freedom of Access to Information. As such, the Law on Personal Data was passed to update data protection and privacy legislation within Uzbekistan to more current standards. To this point, the law establishes the legislative framework that data controllers and processors within the country must follow at all times.

How are data controllers and processors defined under the Law on Personal Data?

In contrast to many other privacy policies around the world, Uzbekistan’s Law on Personal Data does not provide a specific definition for the term “data controller”. Instead, the law uses the term “owner of a database”, with the term owner being defined as “a State body, an individual, and/or legal entity that has the right to own, use, and dispose of the personal database”. Conversely, the Law on Personal Data also does not provide a specific definition for the term “data processor”, and instead uses the term “operator”. As such, the term operator is defined as “a State body, an individual and/or a legal entity that processes personal data”. Moreover, the law defines personal data as “Information recorded on electronic, paper, or other tangible medium of expression relating to a specific individual or enabling the identification thereof”.

In terms of the scope and application of the Law on Personal Data, the personal scope of the law applies to “relations arising from the processing and protection of personal data”, including the collection and processing of personal data by owners of databases and operators respectively. Alternatively, the Law on Personal Data does not specifically outline any territorial scope of the law, as the law only explicitly states the requirements and responsibilities of owners of databases and operators who engage in data processing activities within Uzbekistan. Furthermore, the material scope of the law covers the following data processing activities:

• The collection of personal data.
• The systemization of personal data.
• The storage of personal data.
• The modification of personal data.
• The supplementation of personal data.
• The use of personal data.
• The provision of personal data.
• The distribution of personal data.
• The transfer of personal data.
• The depersonalization of personal data.
• The erasure of personal data.

What are the requirements of databases owners and operators under the Law on Personal Data?

Under Uzbekistan’s Law on Personal Data, databases owners and operators are required to adhere to the following principles in relation to the collection and processing of personal data:

• The legality of processing.
• Accuracy.
• Reliability.
• Confidentiality.
• Security.

What’s more, database owners and operators are also responsible for abiding by the following obligations as it related to data protection:

• Complying with all personal data legislation.
• Providing information pertaining to the processing of a data subject’s personal data at their request.
• Ensuring that the content of personal data is both necessary and sufficient to perform the tasks for which it is was collected or processed.
• Taking measures to erase the personal data of data subjects at their request.
• Providing evidence of data subjects consent to the processing of their personal data at their request.
• Temporarily suspending the processing of personal data, or erasing said data altogether, if the information is revealed proving that a violation occurred under the law in regards to data processing.
• Providing data subjects with the opportunity to submit their documents in an electronic form in order to temporarily suspend the processing of their personal data, or to erase said personal data.
• Notifying data subjects in writing, as well as other participants involved in the data processing process, in the event that personal data is changed, erased, or if access has been restricted.
• Notifying data subjects in writing in the event that their personal data is also shared with a third party.
• Taking the necessary organizational, technical, and legal measures to ensure that personal data is protected at all times.

What are the rights of data subjects under the Law on Personal Data?

Under Uzbekistan’s Law on Personal Data, data subjects are guaranteed the following rights as it pertains to the protection of their personal data:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right to erasure.
• The right to object/opt-out.
• The right not to be subject to automated decision-making.

In terms of penalties for non-compliance with the law, the Law on Personal Data is enforced through the Administrative Responsibility Code of Uzbekistan of 22 September 1994 No. 2015-XII. As such, database owners and operators who fail to comply with the law are subject to a monetary penalty ranging from 10 BCA to 100 BCA ($231-$2,273), a punishment of correctional labor of up to three years, and a term of imprisonment of up to three years. To this end, the following actions are considered violations of the law:

• Actions committed by a prior conspiracy on behalf of a group of persons.
• Actions committed repeatedly or by a “dangerous recidivist”.
• Actions committed as a result of “mercenary or other base motives”
• Actions committed using an individual’s official position.
• Actions committed that would entail grave consequences.

Through the passing of the Law of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data, the country of Uzbekistan was able to significantly modernize its data protection and privacy legislation. While the law defines the collection and processing of personal data using different terms than many other data privacy laws, the provisions of the law are nevertheless largely on par with other privacy laws that have been passed in recent years. As such, Uzbekistan has joined the list of various other countries in Asia that have passed comprehensive data protection laws in recent years, such as South Korea’s Personal Information Protection Act and India’s Personal Data Protection Bill.