Electronic Privacy Regulations in the GCC

A closer look at Electronic Privacy Laws in the GCC

The cooperation council for the Arab State of the Gulf is commonly known as Gulf Cooperation Council (GCC). It is a regional, intergovernmental, political and economic union that consists of all Arab states of the Persian Gulf except Iraq. The GCC countries are Kuwait, Bahrain, Qatar, Saudi Arabia, Oman and The UAE.

Nowadays, Electronic privacy is the centre of everybody's attention as the amount of data created today is very high with approximately 2.5 quintillion bytes per day, which is a very huge amount. So the sensitivity of data and its privacy goes up day by day. It's becoming increasingly important we should be focusing on how our data is being used.

Data is collected in various forms like when going out for shopping and swiping up your credit card, getting on a website and registering yourself, sometimes even you don't have to provide any information and you just simply accept the cookies then you have provided some part of your personal information to them which can be knowingly or unknowingly. This article is about the electronic privacy laws in GCC countries individually.

Bahrain:

In Bahrain a Personal Data Protection Law (PDPL) has been created, where the data controller has been given to data subjects that mean the control is given to the general public. The companies should be abiding by the law and to manage electronic privacy, the data protection law was drafted in 2019.

The purpose is to protect the data for the individuals and without the consent of the individual, the data should not be moved around. There is non-compliance and risk is also for companies who are not been able to manage the data they are supposed to manage as per the provision of this law. There is imprisonment for one year and a fine up to BHD 20000. The Ministry of Justice is the body that monitors the PDPL compliance maintain notice and authorisation of the register for data processing.

Consent to the process, personal data unless required by law, legitimate interest or contractual obligation. Appointment of data protection guardian is done by impartiality and independently. Transferring data for processing outside of Bahrain is not going to be a straightforward process now. The person has got a list which is now proposed in the consultation paper but anyone outside the country needs to get permission on a case to case basis.

Rights of data subjects like the right to blocking, object to direct marketing are back to the people, so they can now control the data usage and the framework for the data quality has now been expanded on one of the consultation papers.

Qatar:

In 2016, the Qatar government has introduced Law No. 13 which is related to the protection of personal data. Qatar is one of the first GCC states which have introduced the electronic privacy law, which says about the assembling, usage and release of personal data.

When the law was published in the official gazette, there was six months’ time period in which compliance of law was ensured.

There electronic privacy laws levy restrictions on individuals as well as companies to distinguishable individuals using electronic means. The law provides an individual’s right to give consent to the specific information which has to be published or not. Furthermore, the “specific” category include health status, birth status, religious belief, criminal records, marital status etc. It can only be procured with the permission of the Ministry of Transport and Communications.

Concerning cross border transfers, personal information collected in Qatar from different jurisdictions should be easily accessible. But this rule does not apply when it is a matter related to the national security of the country, international relations or in case of investigation of criminal offences.

Oman:

In the current situation, Oman does not have any electronic privacy law but the right to the individuals' confidential data in all modes of communication is secured as per Oman’ Constitution (Royal Decree No. 101 of 96). For the protection of electronic data privacy, the sultan of Oman established a Cyber Defence Centre (Royal Decree No. 64 of 2020).

The abovementioned Cyber Defence Centre will directly report and help the Internal Security Service (“ISS”) of Oman. All the mandatory laws for cybersecurity will be issued by the head of ISS and anything which goes contrary to the decree will be repealed.

As per the Electronic Transactions Law, data collected from the e-commerce websites like electronic signature contains very fewer provisions for the protection of data but it includes some necessary provisions related to dissemination and retention of data. This law is only applicable to electronic transactions.

The UAE:

The UAE introduced a new comprehensive data law in the country. This new data law is being brought as part of the national programme called “Projects of the 50”. At present, UAE does not have a singular comprehensive data protection law; this would be the UAE’s first comprehensive data protection law to operate across the country’s mainland.  But other existing laws have been used to deal with privacy and data security matters and certain data protection provisions have applied to certain sectors.

The new data law will introduce certain rights for individuals such as the right to information, right to access, right to be forgotten. When the personal information is stored and monetized in some way or used for wrongful marketing purposes, so there will be certain provisions to stop this and it will ensure that the information will be used only with the consent and that it does not harm someone’s privacy.

Kuwait:

Currently, Kuwait does not have any particular electronic privacy law. There are no specific guidelines on how retention and dissemination of data are done.  But the e-commerce law requires that any personal details like marital status, birthplace, health status, financial condition, personal status, and criminal record (if not to be disclosed) should be retained privately. The abovementioned information should not be disclosed without consulting the client and without the client's permission.

Saudi Arabia:

At present in the Kingdom of Saudi Arabia, there is no electronic privacy law related to data protection. Due to no data protection law, businesses in Saudi Arabia are getting affected as there is market awareness about the privacy of data. Currently, all the matters related to privacy in Saudi are governed by sharia law in the absence of any specific legislation.

E-commerce law came into force in 2019, which applies to all the service providers who provide goods and services through an e-commerce platform, even outside of KSA to the people residing there. It is also prohibited in this law to seek a client’s details.