Recent Data Protection Developments in the GCC
A re-formatted version of this article first appeared in the Lexis-Nexis Middle East Law Alert in August 2021.
Unlike the pan-national approach taken by the European Union with the General Data Protection Regulation (GDPR), the Gulf Cooperation Council (GCC) is yet to introduce a regional data protection (DP) law. Accordingly, each country has been independently developing their own approach to DP legislation, influenced to varying degrees by international legislation (such as GDPR) and best practice. Over the last 12 months, there has been unprecedented spike of DP legislative activity across the GCC so we called on Joby Beretta from The Bench, a 20 year veteran of advising on DP issues in the region, to provide us with an overview.
Bahrain was an early adopter of a nationwide DP law back in 2018 when it issued Law No. 30 of 2018 with respect to Personal Data Protection Law. In June this year, three draft implementing regulations were released for public consultation:
Draft Order regarding the Data Subject Rights – including obligations of the data controller and processor, decisions based on automated processing, conditions of consent, establishment of consent management procedures, withdrawal of consent, cases where the data subject has no right to object to processing etc.;
Draft Order regarding the duties of the Data Protection Guardian – setting out the role and duties of a data protection officer, including registration, eligibility, application process, fee, renewal, termination etc.;
Draft Order regarding the conditions to be met in the technical and organizational measures that guarantee protection of data - covering the detailed requirements including governance, resources, training, privacy framework, Information Security Officers, general policies and procedures, impact assessment requirements, vulnerability assessments, notification, insurance, transfer, audit, investigations etc.
We understand from the Bahrain News Agency that the Ministry of Justice, Islamic Affairs and Endowments (which was given temporary responsibility of the Authority pursuant to Decree No. 78 of 2019) was inviting comments and suggestions on the draft orders/regulations by the end of June 2021.
The Kuwaiti DP legislators have been very active with the introduction of:
Law No. 12 of 2020 (Information Law) and its Executive Regulations No. 62 of 2021 which provides individuals the right to request information from relevant authorities on the Personal Data (PD) held etc.; and
Law No. 70 of 2020 on the Practice of the Medical and Paramedical Professions, the Rights of Patients and Health Facilities.
In addition, the Communication and Information Technology Regulatory Authority (CITRA) issued Decision No. 42 of 2021 on Data Protection Regulations, which came into effect on 4 April 2021. Key points to note include:
the Regulations apply to all ‘Service Providers’ from both public and private sectors that process Personal Data whether permanently or temporarily through automated means whether the processing takes place inside or outside Kuwait;
the definition of ‘Service Providers’ is extremely wide and arguably covers anyone that operates a website and collects data on individuals in Kuwait – not just providers licensed by CITRA to provide ICT services in Kuwait.
the regulations include a wide range of obligations in relation to collecting and processing personal data before (e.g. to provide all information and terms in both English and Arabic and obtain consent), during and after the service;
there are detailed provisions on data classification, lawful data collection and processing, technical measures, record keeping, notification of breaches etc.; and
A nationwide DP law has been discussed since 2017 and we understand that the draft was reviewed by the Omani State Council in July 2020. Hon. Dr. Rashid bin Salim bin Rashid al Badi, Committee Head of the Legal Committee of the Council, is quoted as stating that the draft law contains provisions relating to (i) definitions and general provisions; (ii) tasks and powers of the Ministry of Technology and Communications; (iii) rights of individuals with regards to their PD; (iv) obligations of the controller and processor handling the processing of PD; and (v) penalties for violating the provisions of the law. We do not have any further details on when this law may be issued.
Qatar was the region’s pioneer in terms of enacting a nationwide DP law with Law No. 13 of 2016 Concerning Personal Data Protection. In November 2020 the Ministry of Transport and Communications issued not 1 but 14 regulatory guidelines, which introduced some new requirements, many of which GDPR-esque, such as:
carrying out DP impact assessments before undertaking any new processing activities;
maintaining processing activity records;
enabling data subject requests;
notifying breaches within 72 hours;
embedding ‘privacy by design’;
ensuring consent for direct marketing is explicit, unambiguous and easily withdrawn;
dealing with third party processors;
implementing a PD management system etc.
obtaining authorisation from the Ministry to process data of a special nature.
Qatar Financial Centre (QFC)
The QFC introduced the Data Protection Regulations and Data Protection Rules way back in 2005 and we are not aware of any recent amendments to these. We expect however that we may see QFC follow the approach taken recently by ADGM and DIFC to closer align their DP law with GDPR.
We understand that the Saudi Government may be considering the introduction of a generic personal DP law but we are not aware of any developments in the last 12 months. Despite that, there has been a recent flurry of legislative changes in KSA that affect DP such as:
the National Data Governance Interim Regulations 2020, which is mainly aimed at Government data but includes some provisions applicable to all PD processors; and
the E-Commerce Implementing Regulations 2020, which touch on the data of e-commerce customers.
Other recent developments in KSA are more specifically aimed at the ITC sector, with the Communications and Information Technology Commission issuing:
the General Principles for Personal Data Protection in April 2020, which sets out very high-level requirements on service providers such as lawful processing, retention, security, developing a privacy program and policy, not transferring PD outside of the KSA without approval, notification of breaches, rights of customers etc.;
Procedures of Launching Services or Products Based on Customers’ Personal Data, or Sharing Personal Data in May 2020, which set requirements on service providers to in relation to Privacy Impact Assessments etc.; and
the Cybersecurity Regulatory Framework for Service Providers in the ICT Sector in June 2020, which sets out a very comprehensive set of cyber-security requirements that must be met by service providers depending on whether they are classified as ‘critical national infrastructure’ or not.
The DP lawyers over at ADGM have had a very busy year culminating with the enactment of the new Data Protection Regulations 2021 in February 2021. In essence, the overhaul was undertaken to align with GDPR but there are a few key points to note:
There is a transition period from 14 Feb 2021 of 12 months for existing ADGM companies and 6 months for new companies;
Many of the concepts, definitions and provisions mirror those in the GDPR but there are some specific departures such as:
territorial scope (whereby if a controller processes data for a controller outside or the ADGM, it only needs to comply with the regulations ‘to the extent possible’ taking into account whether the Controller is subject to similar obligations in its home jurisdiction’);
certain exemptions granted to controllers to restrict certain rights of data subjects (i.e. the right to requests amends/deletion of personal data or to object to processing) in certain circumstances;
the fees, fines (up to US$28m) and penalties; and
exemption from appointing a DP officer (not required if the company employs fewer than 5 employees, unless it carries out High Risk Processing Activities).
Dubai Healthcare City
The DIFC DP lawyers were ahead of the pack with alignment with GDPR with the enactment of their new Data Protection Law No. 5 of 2020 and the Data Protection Regulations, which came into effect on 1 July 2020. Some key points to note are:
The law applies not only to entities in DIFC but also entities which process PD within the DIFC as part of ‘stable arrangements’;
The DIFC law differs from GDPR in quite a few ways:
some definitions (such as Special Category Data, where the DIFC law includes additional categories such as ‘communal original’ but doesn’t include ‘sexual orientation’);
processing of special categories of data (allowing (i) processing that is proportional and necessary to protect data subjects and (ii) protecting the public);
data subject consent (where the controller is required to implement measures to assess the ongoing validity of the consent and re-affirm consent in certain circumstances);
reliance on legitimate interests (where a public authority may not rely on this ground);
appointment and role of a DP officer (where a DPO is required if performing ‘High Risk Processing Activities’ on a regular basis or in the event of adoption of new tech or methods, which materially increase the risk);
other areas such as privacy impact assessments, consultation with the authority, cessation of processing (where the controller has alternatives to deletion), binding agreements for joint controllers, the list of countries with an adequate level of protection (e.g. Israel and ADGM), sharing data with public authorities, transparency obligations, rights of data subject (e.g. an additional right not to be discriminated), notification of breach, fines etc.
There is currently still no nationwide UAE DP law but there have been a few recent developments such as:
the Implementing Regulations (Cabinet Decision No. 32 of 2020) in relation to the Federal Law No. 2 of 2019 Concerning the Use of ICT in Health Fields, which came into force in October 2020 (which covers e.g. the requirement to obtain various consent and approvals prior to disclosing health data, encryption and a restriction on transfer outside of the UAE);
the Ministry of Health and Community Prevention Ministerial Decision No. 51 of 2021 which relaxed some of the previous restrictions on transferring medical data outside of the UAE. The Decision allows the transfer in certain cases (such as further treatment/research, online health services, insurance or national interest purposes etc) provided that certain conditions are fulfilled;
the new Federal Consumer Protection Law (No. 15 of 2020), which contains a very basic right for protection of the privacy and security of PD and it not being used for marketing purposes. Further details are due to be set out in the Implementing Regulations; and
the new UAE Central Bank Consumer Protection Regulation (Circular 8/2020) and Consumer Protection Standardsissued in November 2020, which contain detailed requirements on the banks to ensure a high level of confidentiality and privacy of PD.
There is a certainly a compelling argument for the introduction of a GCC wide DP law to simplify DP compliance and facilitate cross border business (not only across the GCC but globally) with an aligned, rather than fragmented, DP framework.