Uzbekistan's personal data reform is a positive signal but the real test is still ahead

29 March 2026

Uzbekistan's amendments to the Personal Data Law, signed into force on 26 March 2026, represent more than a technical regulatory adjustment. The reform was driven by sustained pressure from international businesses, fast tracked through parliament with unusual speed and confidentiality, and signals a broader shift in how Uzbekistan approaches digital economy governance. With the law now enacted, the real test lies in the implementing regulations that will determine whether the new framework delivers on its promise.

How we got here

The origins of this reform go back to mid 2025. On 14 July, Presidential Decree No. 111 restructured the Presidential Administration with an explicit mandate to improve dialogue between government officials and the private sector. Just four days later, a meeting was convened in Tashkent bringing together government bodies and international companies to discuss a specific pain point that had been growing for years. The focus was Article 27-1 of the 2019 Personal Data Law, which required all personal data of Uzbek citizens processed using information technologies to be stored on servers physically located in Uzbekistan. For international companies running global cloud infrastructure, this was a fundamental obstacle to doing business in the country.

An interagency working group was formed in August 2025 to prepare legislative amendments. Given the sensitivity of the topic and the push from the Presidential Administration, the process moved quickly and with unusual confidentiality. The draft text was finalized by November 2025 without going through the standard public discussion process, which is rare but not unprecedented when there is high level political backing. The Legislative Chamber reviewed the draft in three readings between December 2025 and January 2026, with the first two readings not publicly announced. The chamber approved on 20 January, the Senate followed on 5 February, and the President signed the law on 26 March 2026.

The speed and the level of confidentiality throughout this process tell their own story. This was a reform that had political support at the highest level, and one that the government wanted to deliver without inviting the kind of public debate that could slow it down or water it down.

The institutional landscape has shifted

Understanding who is now responsible for personal data regulation in Uzbekistan is essential for any company planning compliance or engagement. The regulatory landscape has changed significantly over the past two years.

The original 2019 Law designated the State Center for Personalization under the Cabinet of Ministers as the main regulatory body. That center was later reorganized into a Personalization Agency under the Ministry of Justice. However, as part of broader cybersecurity and informatization reforms, the Personalization Agency under the Ministry of Justice has been phased out entirely. Staff and functions have been transferred to the Ministry of Internal Affairs, specifically to the Department of Migration and Personalization.

This institutional shift carries important implications. The Ministry of Internal Affairs is a security focused institution. The culture is hierarchical, enforcement oriented, and significantly different from economic development or digital technology ministries. Companies accustomed to engaging with more business friendly government bodies should adjust their expectations accordingly.

The Department of Migration and Personalization under the Ministry of Internal Affairs is now the primary regulator for personal data matters. Other bodies with potential oversight roles include:

• The Inspection for Control in the Sphere of Informatization and Telecommunications under the Ministry of Digital Technologies, which handles compliance inspections for digital services
• The Ministry of Justice, which may retain certain legal registration or oversight functions
• The National Agency of Perspective Projects, which is involved in major technology initiatives

Companies planning compliance or engagement need to understand that the primary point of contact sits within a security focused ministry, but that practical implementation will likely involve coordination across several of these bodies.

Enforcement powers are on the horizon

Presidential Decree No. 14, signed on 19 January 2026, significantly expanded the Department's authority and established an ambitious digitalization roadmap.

A draft amendment to the Administrative Liability Code must be submitted to the Cabinet of Ministers by May 2026. From there, the draft will go through the full legislative cycle, moving through the Presidential Administration, the Legislative Chamber, the Senate and finally requiring the President's signature. Realistically, this means formal enforcement powers for the Department could be in place sometime in 2027, though it remains unclear whether there will be a transition period or whether the penalties will apply immediately upon enactment.

By the end of 2026, the Personalization Center's databases and software will be fully integrated into the Ministry's automated information system, creating a centralized Digital Migration Platform launching from 1 January 2027. This consolidation will give the regulator a far more complete picture of data processing activities across the country.

The three implementing regulations that will define the real impact

The law creates three pathways for lawful cross border data storage and processing. But none of them can be used in practice until the government adopts the necessary secondary legislation.

The first is the list of countries recognized as providing an equivalent level of personal data protection, to be determined by the Cabinet of Ministers. This is the most important piece. For companies operating on global cloud infrastructure, everything depends on whether the countries where their data centers are located make this list. The criteria for assessment and the timeline for adoption are not yet known.

The second is the approved standard contractual terms and mandatory corporate rules. These must be developed and approved by the authorized state body. Companies familiar with the EU model of Standard Contractual Clauses will recognize the concept, but the Uzbek version will need to be tailored to local requirements and the final text could differ significantly.

The third is the approved list of international standards for personal data management and storage. This could potentially allow companies already certified under frameworks like ISO 27001 or ISO 27701 to qualify, but again, it depends entirely on what the authorized state body includes in the approved list.

Until all three are adopted, the cross border pathways exist in legislation but cannot be relied upon in practice. Companies should not assume compliance simply because their data does not fall into the three mandatory localization categories. They need an active legal basis, and that requires at least one of these three mechanisms to be operational.

What to expect in practice

Based on Uzbekistan's regulatory culture, companies should expect a period of several months between the law's enactment and the publication of draft implementing regulations. When the drafts appear, there will typically be a 5 to 15 day public comment window. This is a narrow but critical opportunity to shape the final text.

The regulatory culture in Uzbekistan is generally reactive rather than proactive. Most companies wait for laws and implementing regulations to be enacted, conduct internal compliance reviews, and either interpret ambiguities conservatively or wait to see how enforcement develops. Approaching regulators directly for advance compliance consultations or seeking formal written opinions on whether specific business practices comply is not standard practice. Government officials are often reluctant to provide written interpretations because they do not want to commit before all implementing regulations are finalized, and individual officials do not want personal liability if their interpretation later proves incorrect.

For international companies, the practical recommendation is to:

• Complete internal technical compliance assessments now
• Prepare documentation of data processing practices
• Monitor the development of the three sets of implementing regulations closely
• Plan to participate actively in the public comment process when draft bylaws are published

The window will be short, and the stakes are high.

The bigger picture

These amendments should be read alongside Uzbekistan's broader digital governance trajectory. The country has adopted a new cybersecurity strategy to 2030, introduced a legal framework for artificial intelligence, and established an ethics code for AI. Personal data reform is part of a larger effort to modernize the country's digital regulatory environment in ways that can support both international business engagement and national security objectives.

The reform is a positive signal. It shows that the government is listening to international business concerns and is willing to act. But the transition from a blanket localization requirement to a functioning cross border transfer framework is not automatic. It requires implementing regulations that are workable, timelines that are realistic, and an institutional culture that can balance enforcement with facilitation. The coming months will show whether the promise of this reform translates into practice.