Digital Compliance 2026: Conflicts Among the Digital Code, Artificial Intelligence, and Personal Data Laws in Kazakhstan
In recent months, Kazakhstan’s digital legislation has undergone a comprehensive overhaul. The January enactment of the Law of the Republic of Kazakhstan ‘On Artificial Intelligence’ (the ‘AI Law’), amendments to the Law of the Republic of Kazakhstan ‘On Personal Data and Its Protection’ (the ‘Personal Data Law’), and the extensive codification of the sector through the Digital Code of the Republic of Kazakhstan have fundamentally changed the regulatory landscape.
An analysis of the new regulatory framework has revealed systemic inconsistencies in certain provisions. In attempting to address a wide array of issues, legislators have created several ‘grey areas’ in legal regulation. Below are some of the legal provisions that may pose risks to businesses.
1. Recommender Systems: Classification Issues and the Autonomy Trap
An analysis of the new legislation's provisions has identified a methodological gap that poses a risk to content and commerce platforms, including marketplaces, online stores, and media outlets. The issue arises from the implementation of the AI Law regarding the classification of algorithms.
Platform owners may categorise their recommendation feeds—such as smart product suggestions or news selections—as low-autonomy systems, as outlined in Article 17.2 of the AI Law. Businesses might interpret this classification to mean that the algorithm only generates recommendations, while the final action—such as clicking on a card or making a purchase—always rests with the end user. Following this reasoning, companies believe they are in a safe position. After all, the strict prohibitions outlined in Article 17.3 of the AI Law (including bans on hidden profiling and subconscious manipulation) are primarily aimed at high-autonomy systems.
This approach, however, contains a fundamental legal error. By defining low-autonomy systems as those in which ‘a human always performs the final choice and actions’, the legislator relies on the international concept of control known as human-in-the-loop. In this context, the ‘human’ refers not to the end user reacting to advertising, but rather to an operator associated with the owner of the AI system.
The recommendation algorithm’s role is not to make purchases, but to select and display products algorithmically. Since the marketplace’s smart feed is generated and presented to users in real time, within milliseconds, no employee can pre-check or approve each display. This means the system operates and makes decisions autonomously.
