The draft Law “On Personal Data” is actively discussed in the Parliament. On April 16, 2019, the Draft Law has passed its third and final reading in the Legislative Chamber of the Parliament. Now, it shall be forwarded to the Senate for further debate, after which the Draft Law shall be presented for presidential assent and become a law. Allegedly, the Law “On Personal Data” (the “Law”) shall be adopted before 5 October 2019.
The Law shall alter how businesses and public sector organizations can handle the information of their customers. It shall also boost rights of individuals and give them more control over their personal information. The State Center for Personalization under the Cabinet of Ministers (the “Center”) is appointed as the authorized body in the area of personal data. This review explains what the proposed developments shall mean for entrepreneurs. Information presented herein is prepared based on the current Draft Law. All or some provisions of the Draft Law may be changed and redrafted prior to its adoption.
SCOPE OF THE LAW
The Law shall not be applicable to personal data processing performed by individuals for their personal use and not related to professional or commercial activities.
Both personal data and sensitive personal data are going to be covered by the Law. As per the Draft Law, personal data shall mean any information relating to a specific or identifiable individual. Sensitive type of data, among others, shall include genetic data.
Individuals, organizations, and companies that are either 'controllers’ (possessors) or 'processors' (operators) of personal data are going to be covered by the Law. Operators are the ones who are processing the personal data, whereas the possessors are the ones who own the databases.
The issues concerning the cross - border transfers of personal data are also covered by the Law. Thus, it shall apply to all Uzbekistan-based companies, irrespective of whether personal data is processed inside or outside of the Uzbekistan.
There is a clear responsibility for organizations to obtain a consent from people they collect information about. The request for a consent must be given in an easily accessible form and shall clearly indicate the purpose of such processing. In cases, when the initial purpose for data processing changes, an additional consent shall be obtained.
The consent must be clear and distinguishable from other matters. The validity period of the consent shall also be expressly indicated. The Law allows for the electronic form of the consent. The processing of depersonalized data does not trigger the application of data protection law.
Companies covered by the Law are accountable for their handling of people's personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed. Additionally, the Law shall impose an obligation on companies to register their personal data databases with the Center. Notably, the databases containing the information only on a surname, first name and patronymic of individuals as well as personal data, which is publicly available, shall not be subject to registration.
There are also provisions that resembles the well - known ‘right to be forgotten’. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right may require controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
Companies shall be conducting data mapping to identify all cross-border transfers of personal data, so that they can determine the best way to comply with the Law. Any transfer of personal data to a third country can take place, only if certain conditions are met by the data exporter and the data importer. Cross-border transfers may take place without a need to obtain authorization, if the third country’s national law ensures an adequate level of protection for personal data. In the absence of an adequacy determination, a cross-border transfer can still take place provided that the data subject explicitly consents to such transfer.
The adoption of the Law shall be along with the introduction of amendments to the Code on Administrative Liability that means that particular obligations shall be enforceable right away.
One of the elements of the Law is the possibility for businesses that do not comply with it to be subject to certain liabilities. If an organization does not process individual's data in a correct manner (e.g. not having sufficient customer consent to process data or violating the core of the Law concepts), it can be fined. If a company does not have its databases registered, it can be fined. Penalties may also be imposed for not notifying the supervising authority and/or data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from the Law enforcement.
In addition to imposing new obligations on the companies and organization’s collecting personal data, the Law also gives individuals a lot more power to access the information that is held about them. Everyone shall have a right to get confirmation that an organization has information about them, access to this information and any other supplementary information. Furthermore, individuals are also entitled no to provide explanations and reasons for their refuse to disclose their personal information.
As a result, companies shall have to give users more control over their data. There are certain exceptions, but generally, people must be provided with an explanation of a decision made about their personal data. This includes the notification of the data subject of company’s actions during processing (e.g. transfer of the data to third parties).
 Processing of personal data obtained during investigations relating to potentially illegal activity/ violation of third party’s rights and/or interests.