Uzbekistan is significantly strengthening its personal data protection regime by introducing stricter rules on data storage, cross-border transfers, and scope of application.

The reform reflects a clear shift toward enhanced regulatory control over sensitive data and alignment with global data governance trends.

Mandatory data localization for sensitive categories

 

A key development is the introduction of mandatory localization requirements for certain categories of personal data.

The following data must now be stored within Uzbekistan:

• biometric data of individuals;
• genetic data;
• personal data of individuals using telecommunications services within Uzbekistan.

As clarified in the amended provisions, these categories are explicitly designated as requiring storage on the territory of Uzbekistan, reinforcing data sovereignty over highly sensitive and large-scale datasets.

This represents a significant tightening compared to the previous framework and directly impacts telecom operators, digital platforms, and data-driven businesses.

Conditional cross-border data transfers

 

For other types of personal data, cross-border storage and processing remain permitted, but are now subject to stricter conditions.

Transfer abroad is allowed only if one of the following is met:

• the foreign jurisdiction is recognized as providing adequate data protection;
• the operator implements standard contractual clauses or binding corporate rules approved by the competent authority;
• the operator complies with recognized international data protection standards.

This introduces a structured framework similar to international regimes (e.g., adequacy decisions and contractual safeguards), increasing compliance requirements for companies operating across borders.

Expanded exclusions from the law’s scope

 

The reform also clarifies and expands the categories of data processing activities that fall outside the scope of personal data regulation.

In addition to state secrets, the law now explicitly excludes:

• information related to defense;
• information related to national security.

This aligns data protection rules with national security considerations and creates clearer boundaries between civilian and государственный data regimes.

Regulatory implications for businesses

 

The updated framework introduces several important implications for companies:

• data localization obligations for telecom and sensitive data operators;
• increased compliance burden for cross-border data transfers;
• need to implement contractual and organizational safeguards;
• closer regulatory oversight over data processing activities.

In particular, multinational companies and digital service providers will need to reassess their data storage architectures and transfer mechanisms.

Broader regulatory trend

 

The reform signals a broader move toward:

• strengthening data sovereignty;
• enhancing control over critical datasets;
• aligning with global trends in data localization and digital regulation.

At the same time, the introduction of conditional transfer mechanisms preserves a degree of flexibility for international operations.

Overall, the changes mark a transition toward a more structured and compliance-driven data protection regime, combining stricter localization requirements with regulated cross-border data flows.

For businesses operating in Uzbekistan, this represents a shift from a relatively flexible model to one requiring active data governance, legal structuring, and compliance management.