Data Residency in Central Asia:
Uzbekistan, Kyrgyzstan, and Kazakhstan Compared
Businesses operating across Central Asia face data residency requirements in each of the three largest economies: Uzbekistan, Kyrgyzstan, and Kazakhstan. The requirements are similar in concept but different in specifics — and Kazakhstan's enforcement history makes this more than a theoretical compliance risk. This article compares the three frameworks and their practical implications for architecture decisions.
Uzbekistan: Law No. 213-II (2019)
Uzbekistan's Law on Personal Data (No. 213-II) was adopted in 2019 and has been amended several times since. The core requirement is direct: personal data of Uzbek citizens must be processed and stored in databases physically located in Uzbekistan. "Personal data" is defined broadly to include name, contact information, passport number, biometric data, and location data. The enforcing body is the Agency for Personal Data Protection (Shaxsiy ma'lumotlar bo'yicha agentlik).
Penalties focus on suspension of data processing activities — effectively an injunction against operating the non-compliant system in the Uzbek market. For a company whose product depends on Uzbek user data, this is an existential penalty, not a financial one. Cross-border data transfer requires either the recipient country to provide "adequate protection" for personal data or explicit, informed consent from each data subject.
Kyrgyzstan: Law on Personal Data (2008, Amended)
Kyrgyzstan's personal data framework is older and has evolved through amendments rather than comprehensive replacement. The localisation requirement — personal data of Kyrgyz citizens stored on servers physically in Kyrgyzstan — mirrors the Uzbek model. However, enforcement maturity is lower than Uzbekistan's. The relevant authority has less operational capacity, and systematic enforcement actions against foreign companies are less common.
This does not mean the risk is zero. As Kyrgyzstan's digital economy grows and regulatory capacity improves, enforcement is expected to intensify. Companies architecting for long-term compliance in the Kyrgyz market should treat the localisation requirement as binding today, not as a future concern.
Kazakhstan: Law on Personal Data and Its Protection (2013)
Kazakhstan has the strictest and most actively enforced data localisation framework in the region. The 2013 law includes the localisation requirement for personal data of Kazakhstani citizens, a requirement to notify the relevant authority before cross-border transfers, and actual enforcement history that makes non-compliance a genuine business risk.
The most cited enforcement example is the LinkedIn blockage in 2016, where Roskomnadzor (Russia's regulator) blocks were echoed by Kazakhstani regulators — though that case involved multiple compliance issues. More recently, Kazakhstan's telecom regulator (AREP) has pursued systematic reviews of major digital platforms' compliance with localisation requirements. Unlike Uzbekistan and Kyrgyzstan, Kazakhstan has the regulatory capacity to actively investigate and act.
Shared Requirements (All Three)
- • Personal data of citizens stored in-country
- • Cross-border transfers require adequate protection or consent
- • Broad definition of personal data (name, contact, ID, biometrics)
- • Designated national enforcement authority
Key Differences
- • Kazakhstan: notification required before cross-border transfer
- • Kazakhstan: active enforcement history (service blocks)
- • Uzbekistan: most recent and frequently amended framework
- • Kyrgyzstan: lowest current enforcement maturity
The Architecture Challenge: Three Jurisdictions, One Platform
A business serving all three markets correctly cannot use a shared database that stores personal data from all three countries in one location — unless that location happens to be in all three countries simultaneously, which is not possible. The correct architecture requires data to be isolated per jurisdiction: Uzbek user data in Uzbekistan, Kyrgyz user data in Kyrgyzstan, Kazakhstani user data in Kazakhstan.
This is architecturally achievable but requires deliberate database design. The typical approach is jurisdiction-aware storage routing in the application layer: the application identifies the jurisdiction of the data subject (from registration data or IP geolocation) and writes to the appropriate regional database cluster. Operational data that does not contain personal identifiers — aggregate metrics, anonymised analytics — can be centralised.
"The practical solution is sovereign cloud nodes in each country, with cross-region replication used only for operational data that does not contain personal identifiers. The architecture is not complicated once you decide to build for compliance from the start — retrofitting it later is what causes headaches."
Hyper App currently operates nodes in Uzbekistan (Tashkent) and Kyrgyzstan (Bishkek), with Kazakhstan capacity in planning. For businesses operating regionally, the combination of local nodes and jurisdiction-aware routing on a single platform removes most of the compliance complexity — the infrastructure layer handles the residency, and the application layer handles the routing logic.