Privacy in the Middle East: A Practical Approach

July 25, 2023

The Gulf Cooperation Council (GCC) region’s heavy focus on technology and innovation is dictating how privacy laws are administered, placing emphasis on protecting and supporting the rights of consumers, employees, and other types of data subjects.

Regional Trends: A Practical Approach

Although the GCC’s data privacy legislation was enacted relatively recently, one major benefit of this late start is that the governments have been able to observe guidance, frameworks, and legislation from around the world and to incorporate the best practices and most recent developments into their own laws. Looking at the GCC region’s approach to data protection laws collectively, some common emerging themes include:

  • Data protection laws and enforcement practices are rapidly developing and based on best international practices, such as the European Union’s General Data Protection Regulation (GDPR).
  • Enforcement is taken very seriously. Liability exists in every jurisdiction and is very severe, with penalties for violations ranging from fines to criminal charges to imprisonment. That said, the enforcement practice is still uneven.
  • Integration of new technologies into law. New technologies, such as artificial intelligence and facial recognition, are either captured in new laws being issued or captured in existing laws that are being amended to address these new advancements.
  • Control over cross-border data transfers and extraterritorial reach are highly regulated. In practically every country of the GCC region, cross-border data transfers require additional consideration and, in certain cases, approval from the local authorities.

The United Arab Emirates

Some commonalities among the general framework include the general allowance of cross-border data transfers to adequate and non-adequate countries, the appointment of a data protection officer (DPO) in certain cases, and taking a risk-based approach when implementing appropriate technical and organizational measures for data protection.

Federal Decree Law No. 45 of 2021 on the Personal Data Protection

  • While it formally came into force in January 2022, the Executive Regulations have yet to be released. Once issued, there will be a six-month grace period for compliance. The law has extraterritorial reach, except in instances of government data and government authorities (companies) that process data and data held with security and judicial authorities.
  • Processing of health data, banking, and credit data is exempted from the privacy law and is regulated by other UAE laws.
  • Other notable features include the mandatory maintenance of records of processing activities and the immediate reporting of data breaches to the UAE Data Office.

Privacy Legislation of Free Economic Zones

  • Dubai International Financial Centre (DIFC): Applies to companies registered in the DIFC and those registered elsewhere if they process data in the DIFC as part of the so-called “stable arrangements.” It could potentially be amended soon to address data use in artificial intelligence, digital, and communications services and apps. Violators could face warnings, public reprimands, and fines up to $100,000.
  • Abu Dhabi Global Market (ADGM): Applies to data processing in the context of activities of an establishment of a controller or a processor in ADGM, regardless of where the processing takes place. Data controllers must register with the Office of Data Protection at the Registration Authority and pay a data protection fee, plus renew on an annual basis. Violators could face significant fines for non-compliance of up to $28 million.

The Kingdom of Saudi Arabia (KSA)

The Personal Data Protection Law was recently amended and will be effective as of September 14, 2023. It includes a one-year grace period for compliance. The law has extraterritorial reach: it applies to all personal data processing in the KSA and to all personal data processing undertaken outside the KSA in respect of data subjects in the KSA. Violators will face significant fines of up to $1.3 million for non-compliance.

Notably, the strict prohibition on transfers of personal data outside Saudi Arabia has been amended, and international transfers may no longer require exceptional approval from the Saudi Authority for Data and Artificial Intelligence (SDAIA). While no registration is required, the SDAIA will issue the requirements for practicing activities related to data protection and will license auditors and accreditation entities, as well as maintain a national register.

The Sultanate of Oman

The Personal Data Protection Law has been in force since February 13, 2023. The law does not include the concept of legitimate interest, and express consent is usually required for data processing. Notably, there is an obligation to appoint both a DPO and an external auditor; cross-border transfers are generally allowed. As a general rule, it is prohibited to process genetic, biometric, or health data, or data relating to ethnic origin, sexuality, political or religious opinions, beliefs, criminal convictions, or security measures, without a permit from the authority. Violators will face fines of up to $1.3 million for non-compliance.

The Kingdom of Bahrain

The Personal Data Protection Law has been in force since August 1, 2019, and includes a variety of liabilities for violations, including the withdrawal of the DPA’s authorization, publication of a statement of violation, suspension of data processing, fines (of up to $53,000), or imprisonment. The law has extraterritorial reach, applying to individuals or entities located in Bahrain and to those processing personal data using means in Bahrain, regardless of their place of residence.

By default, the appointment of a DPO is not required. Additionally, a data breach must be notified within 72 hours, and cross-border data transfers are generally prohibited unless expressly allowed by law or when the transfer is necessary for the execution of a contract with a first party for the benefit of a data subject.

The State of Qatar

The State of Qatar has its own regulations that are separate and distinct from those of the Qatar Financial Centre (QFC). The State of Qatar’s Data Protection Law came into force in 2016, making Qatar the first GCC member state to issue a generally applicable data protection law. The Data Protection Office, an independent institution of the QFC, administers the QFC Data Protection Regulations, which came into force on June 19, 2022. Both laws carry significant fines and restrictions, with enforcement actions continuing to be developed. Other issues of note: the appointment of a DPO is not mandatory, and processing of data related to children, criminal activities, health, ethnicity, religion, and marital relations requires the DPA’s permit.

According to the general data protection framework, it is a data controller’s obligation to provide information on processing before it starts. Data controllers must create a personal data management system and are subject to data breach notification requirements within 72 hours.

The State of Kuwait

The Data Privacy Protection Regulation has been in force since April 4, 2021, and its extraterritorial reach applies to persons providing communication and information technology services and operating websites, smart applications, or cloud computing services targeting users in Kuwait (service providers). A service provider must notify the user of all information and service conditions in both English and Arabic, including any cross-border transfer of the data. Cross-border data transfers are subject to a four-tier classification system, with data categorized in tier 3 and tier 4 unable to be transferred outside of Kuwait.

Learn More

If you are interested in Privacy in the Middle East, as part of our Technology Marathon 2023, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.