Data Protection Regulations in the Middle East
The EU’s General Data Protection Regulation has sparked a global legislative movement that aims to vouchsafe individuals’ privacy and curb data vulnerability. While some of these new regulations were years in the making, many were directly influenced by the GDPR. Countries with strong economic ties to the EU have taken a proactive approach to compliance. By enshrining similar laws within their own legislation, they ensure that local companies are GDPR compliant and can thus continue doing business in the EU without running fowl of its strict data protection requirements.
In the Gulf Cooperation Council (GCC), consisting of Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates, there is no overreaching federal law that addresses data protection, but each country has addressed these concerns at national level.
Here is an overview of existing legislation:
United Arab Emirates
The UAE as a whole does not have specific data protection regulations, although the freedom of communication by post, telegraph or other means and its secrecy are guaranteed by the constitution. Federal laws further strengthen this right under both civil and penal codes, by allowing individuals to pursue civil actions for privacy breaches or, in case of personal data being disclosed or made public, being charged for breaking the law. An Electronic Transactions and Commerce Law and a Cyber Crimes Law are also in place.
As a Free Zone, the Abu Dhabi Global Market (ADGM), the international financial centre established in the UAE capital, has had a data protection regulation since 2015. A number of amendments were added to it in the Data Protection (Amendment) Regulations 2018, which aimed to align its definitions to international standards and provide clarity on a number of points such as timings and jurisdictions. The ADGM also established an Office of Data Protection (ODP) in December 2017 which was tasked with the enforcement of the regulations.
Another Free Zone within the UAE, the Dubai International Financial Centre (DIFC), has had a Data Protection Law since 2007, which was brought in line with international standards in January 2018. It has its own Office of the Data Protection Commissioner which was tasked with the protection of all personal information in the DIFC.
The Personal Data Protection Law No. 30 of 2018 (PDPL) was issued on 12 July 2018 in the Kingdom of Bahrain and will come into force on 1 August 2019. The legislation was directly influenced by the country’s ambitious plans to become a hub for data centers, with Amazon Web Services (AWS) planning on opening massive data centers there by 2019.
The requirements of the new law bear striking similarities to the EU’s GDPR. It includes the protection of individuals’ privacy, specific consent requirements for data processing as well as the creation of a Personal Data Protection Authority.
The PDPL, however, brings several additions to its European counterpart. One of the most notable is its application not only to its residents and companies processing their data, but also individuals not normally residing or working in Bahrain and companies without a place of business in the country, that process personal data by using means available in Bahrain. Processing solely used for data transfers is excluded from this third category.
Kuwait and Oman
Neither Kuwait nor Oman currently have any data protection laws in effect. Privacy of communications is vouchsafed through their respective constitutions and both have passed laws regarding electronic transfers in recent years.
Kuwait Law No. 20 of 2014 (Regarding Electronic Transactions) protects electronic records, information, messages, documents and signatures related to civil, commercial and administrative transactions as well as any disputes that arise from their use.
Oman meanwhile has both an Electronic Transactions Law issued in 2008, which aimed to create a safe digital environment for e-transfers as well as to protect data integrity and digital signatures, and a Cyber Crime Law, published in 2011, which addresses crimes that both target a computer device or network or are facilitated by them. While these laws aim to protect data, neither addresses individuals’ right to privacy nor regulates data processing. Oman has plans for a data protection law, but it has remained for now at draft stage.
Qatar was the first GCC country to enact a law specific to data protection in the wake of the GDPR adoption in Europe. Issued at the end of 2016, the Law Concerning Personal Data Protection (DPL), established individuals’ rights to have their personal data protected. According to the law, any entity processing such data must respect the principles of transparency, fairness and human dignity or face hefty fines of up to US$1.35 million.
The oversight and administrative processes connected to the implementation of the new law fall under the responsibility of the Ministry of Transport and Communications which established a new supervisory unit for this purpose.
The Kingdom of Saudi Arabia’s legislation is based on Islamic Sharia law. It does not have any specific regulation addressing the protection of personal data. Its constitution broadly protects individual privacy, stating that property, capital, and labor are basic constituents of the economic and social structure of the kingdom and thus constitute private rights.
Like in the case of Kuwait and Oman, there are a number of laws that regulate data in Saudi Arabia. The Anti-Cyber Crime Law punishes those responsible for illegally accessing computers and intercepting data transmitted on information networks. The Electronic Transactions Law regulates electronic communications. The Healthcare Practice Code protects health data while the Telecommunications Law prohibits telephone tracking of customers and third-party information sharing and outlines sanctions for breaches.
The GDPR has brought data protection concerns to the international stage, highlighting the interconnectivity of our digital world. The GCC has, especially in its financial hubs, enacted laws to ensure compliance with the GDPR and other international data protection laws. While some countries have yet to address individuals’ rights to privacy, any company wishing to do business in Europe must take matters into their own hands both to avoid fines and ensure they don’t lose opportunities offered by the European market.