As the use of the Internet and online activities has grown to be a major part of our lives, personal data protection has become fundamental. Data protection legislation, therefore, must evolve along with technical developments to address emerging issues.
Currently, the use of online means in Tajikistan is in its infancy, and its development is relatively slow.
Setting the Ground
Prior to the adoption of the Personal Data Law in 2018, there was no law dedicated to personal data protection. Before the new Law, there were legal acts at various levels of the legal hierarchy that in some way regulate the protection of personal data, such as:
- The Constitution – establishes that collection, storage, use, and dissemination of information about a person’s personal life without consent is not allowed.
- The Civil Code – establishes that citizens have the right to protect the confidentiality of personal life, including secrecy of correspondence, telephone conversations, diaries, notes, intimate life, information on adoption or birth, medical secrecy, attorney-client privilege, and the confidentiality of deposits.
- The Information Law – establishes general legal standards for the receipt, use, distribution, and storage of information.
- The Informatization Law – establishes that the rights to maintain personal secrets and confidentiality of personal data in information systems are subject to protection.
In 2018, the Personal Data Law was adopted, becoming the first law dedicated exclusively to the regulation of issues related to the protection of personal data.
In accordance with the newly adopted Law, personal data can be collected if the data subject gives consent. However, the Law does not stipulate how such consent should be obtained, except for biometric data, which requires written consent. Presumably, such consent can be obtained in any suitable way (e.g. written, tick box).
The Law also addresses the issue of cross-border data transfer for the first time; such transfer is allowed provided that consent is obtained.
To this day, there is no requirement for data localization, so data can be stored abroad.
There are no specific (technical) requirements in relation to means of ensuring the protection of personal data, only that they should be adequate.
Currently, a regulatory body for the personal data protection realm is yet to be determined.
As the issue of personal data protection in the modern world becomes increasingly prominent, lawmakers have to do their best to keep up with the developments and emerging issues. Lawmakers are expected to revise and amend the laws in a timely manner (or introduce new regulations) to make sure that legislation covers all aspects of personal data protection and ensures that individual rights are protected.
Author: Bahodur Nurov, Lawyer of GRATA International Tajikistan