Uzbekistan: New Requirements for Uzbek Citizens’ Personal Data Localization Enter into Force

(May 7, 2021) On April 16, 2021, Uzbekistan’s Law on Amendments and Additions to Certain Legislative Acts of the Republic of Uzbekistan entered into force. This law, which Uzbek President Shavkat Mirziyoyev signed into law on January 14, 2021, amends the country’s Law on Personal Data and introduces new requirements on personal data localization.

Provisions of the Amendments

The newly added article 27(1) to the Law on Personal Data defines the conditions and requirements for processing personal data for citizens of Uzbekistan. (Law on Amendments and Additions to Certain Legislative Acts art. 13; Law on Personal Data art. 27(1).)

According to the new law, the personal data of Uzbek citizens must be processed “[b]y technical means physically located in the territory of Uzbekistan, and in databases duly registered with the data protection authority in Uzbekistan”—namely, the State Inspectorate for Control in the Field of Informatization and Telecommunications of the Republic of Uzbekistan (UzComNazorat). Furthermore, the data localization requirement applies to the collection, systematization, and storage of data, and to all types of data processing, including operations carried out using information technology and via the internet. (Art. 27(1).)

The compliance obligation rests with the owner and/or operator of the database. The owner is any person who owns the database that includes the personal data. The operator is any person who processes the personal data.

Under this law, infringements of the requirements are punished under provisions of the Administrative Responsibility Code and the Criminal Code of the Republic of Uzbekistan. (Art. 33.)

Fines for the unlawful collection, systematization, storage, modification, addition, use, provision, dissemination, transfer, depersonalization, and destruction of personal data can be as much as three to five base calculated values (equivalent to approximately US$64.60 to $106.00) for individuals, and from five to 10 base calculated values (approximately US$106.00 to $211.00) for officials. (Art. 33 of the Law on Personal Data; art. 46 of the Code of Administrative Responsibility.)

If the unlawful processing is repeated after the imposition of the administrative fine, then the fine must be increased to as much as 50 base calculation values (approximately US$1,057), or an individual must be “deprived of a certain right” (the law does not specify what kind of “right”) for up to three years or sentenced to correctional labor for up to two years. (Art. 33 of the Law on Personal Data; art. 141(2) of the Criminal Code.)

When the same actions are committed by a prior conspiracy of a group of persons; repeatedly or by a dangerous recidivist; out of mercenary or other base motives; and/or using official position; and/or if the actions entail grave consequences, the law provides for higher fines (the equivalent of approximately US$1,057–$2,115) or stricter criminal punishments in the form of correctional labor for up to three years, or restriction of freedom for up to three years, or imprisonment for up to three years. (Art. 33 of the Law on Personal Data; art. 141(2) of the Criminal Code.)


On February 12, 2020, the Cabinet of Ministers of Uzbekistan published a draft regulation—“How Databases on Personal Data Should Be Registered”—that aimed to further regulate the data localization requirements. This draft regulation sets out the mechanics of monitoring compliance with data protection requirements on the internet, and in particular, compliance with the data localization requirement.

The draft regulation proposes using restrictions on access to online resources as a remedy for noncompliance and establishing a special registry to list violators of personal data storage and processing rules.

According to the draft regulation, it should be possible for the government to completely block access to the online resources of the violators or limit such access by reducing the internet speed for accessing these resources. The draft regulation would require UzComNazorat to include the violator’s online resources in the personal data database registry and restrict access to these resources within 12 hours of a violation being reported.

Uzbek officials have stated that the placement of servers in the territory of Uzbekistan would help “to increase the Internet speed 10 times.” However, critics of the amendments claim that such measures are aimed at increasing control over internet users and the content posted on social networks.

Join Our Team

Subscribe Now

Get updates by subscribing to our newsletter