Central Asia Discusses Cybersecurity and Data Protection: EDF Experts Present Legal Analysis

A regional meeting on data and cybersecurity was held on April 8–9, 2026 in Almaty. It was organized by the U.S. Department of Commerce through the CLDP program, with participation from Mastercard and the Institute of Cyber Literacy.

Representatives of government agencies and the private sector from Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, and Uzbekistan attended. Topics included data localization and protection, the launch of the Cyber Champions Network, and the “Cyber Coach” and “Cyber Leader” programs.

Head of the legal practice at Eurasian Digital Foundation, Yelzhan Kabyshev, presented “Comparative Legal Analysis of Personal Data Legislation in Central Asia.”

He emphasized that the rapid growth of the internet audience makes data protection critically important for the region.

Legal map of the region

• Kazakhstan: Law “On Personal Data and Their Protection” (2013, updated 2024). Regulator — Committee on Information Security. Reforms 2020–2026: breach notification, expanded regulator powers, fines up to 2000 MCI.
• Kyrgyzstan: Old law repealed, new law since 2025 strengthens rights of subjects and duties of operators.
• Uzbekistan: Law of 2019, mandatory localization since 2021, active blocking practice (TikTok, VK, Twitter).
• Tajikistan: Law “On Personal Data Protection” since 2018, regulator — Communications Service.
• Turkmenistan: Law of 2017, strict localization, oversight by the Prosecutor’s Office.

Localization and cross‑border transfer
All states require data storage within national territory. Transfers abroad need either subject consent or adequate protection in the recipient country.

Rights and obligations
Subjects have rights to informed consent, access, and correction. Operators must ensure lawful processing and protection. Consent forms vary: written (Turkmenistan) vs. free and informed (Kyrgyzstan, Uzbekistan, Kazakhstan).

Liability
Administrative and criminal liability applies. Kazakhstan and Uzbekistan impose large fines; Uzbekistan adds criminal liability for repeated localization violations. Tajikistan criminalizes unlawful collection of private life data.

Future regulation
Experts noted trends toward rules for profiling and AI, plus risk assessment mechanisms (DPIA) for high‑risk systems.

The meeting showed that Central Asia is moving toward its own Data Privacy model, though approaches differ. Kazakhstan and Uzbekistan lead development, while Tajikistan and Turkmenistan retain gaps.