Privacy Regulations in Central Asia

5 privacy and data protection laws across Central Asia

Kazakhstan LPDP
Kazakhstan
Flag of KZ
Opt-in

Kazakhstan's LPDP requires written consent before collecting personal data with detailed specifications. Data must be stored within Kazakhstan (data localization). A massive 2025 breach affecting 16 million individuals prompted proposals for criminal liability for mass leaks. Breach notification is required within one business day.

Uzbekistan PDL
Uzbekistan
Flag of UZ
Opt-in

Uzbekistan's 2019 law requires explicit consent for data collection, third-party provision, and cross-border transfers. Presidential Decree PP-153 (April 2025) marks a shift toward practical enforcement with compulsory breach notifications in the financial sector. A new AI regulation bill is under parliamentary review.

Kyrgyzstan Law 58
Kyrgyzstan
Flag of KG
Opt-in

Kyrgyzstan's 2008 law provides a basic data protection framework. The May 2025 amendment introducing administrative liability for violations represents a significant step, as previously the law lacked effective penalty mechanisms. Enforcement is still minimal but growing.

Tajikistan Law 1537
Tajikistan
Flag of TJ
Opt-in

Tajikistan's 2018 data protection law provides a framework for personal data processing with consent requirements. Enforcement is in its infancy with very low penalties and minimal practical enforcement activity. The President determines the authorized enforcement body.

Turkmenistan Law 519-V
Turkmenistan
Flag of TM
Opt-in

Turkmenistan has the weakest data protection framework among Central Asian states. No dedicated data protection authority exists, penalties are very low (120-150 EUR for administrative violations), and practical enforcement is essentially non-existent. No Central Asian state has acceded to Council of Europe Convention 108+.