The Middle East is witnessing a period of significant change in the data privacy landscape.
Influenced by global trends and a growing awareness of citizen rights, governments are enacting new regulations that aim to protect personal information.
These laws share some similarities with established frameworks like the General Data Protection Regulation (GDPR), but also reflect regional priorities, such as special rules on sensitive data processing and cross-border data transfers.
This article will discuss the privacy regulations and developments specifically within the Gulf Cooperation Council (GCC).
Regional trends
Some common themes are emerging in the GCC region’s approach to data protection laws, including:
- The growing importance of cybersecurity and of artificial intelligence (AI) has driven the rapid development of data protection laws and enforcement practices.
- Enforcement is taken very seriously. Liability exists in every jurisdiction and is severe, with penalties for violations ranging from administrative fines to criminal charges and imprisonment.
- New technologies, such as AI and facial recognition, are addressed either in newly issued laws or in existing laws that are being amended to cover them.
- Cross-border data transfers and extraterritorial reach are highly regulated. In practically every GCC country, cross-border transfers require additional consideration and, in certain cases, approval from the local authorities.
United Arab Emirates
Federal Decree Law No. 45 of 2021 on the Protection of Personal Data
Scope
The Federal Decree has extra-territorial reach and applies to:
- The processing of personal data of people residing in the UAE or people who have a business within the UAE;
- Each organisation in the UAE, irrespective of whether the personal data processed is of individuals inside or outside the UAE;
- Organisations located outside the UAE who carry out processing activities of data subjects within the UAE.
Data exempted from the decree includes government data, health data, banking and credit data, and data held by security and judicial authorities. Processing of these types of data is regulated by other UAE laws.
Under UAE law, photos and video images of individuals are treated as sensitive data subject to special regulation. Invading an individual's privacy by taking images and posting them on social networks without consent can result in administrative fines and imprisonment. It is also illegal to monitor an individual's geographical location without consent, or to retain or copy such information. This is an important consideration for companies whose mobile applications include tracking or geo-location capabilities.
Grounds for processing
Unlike the GDPR, the UAE law does not include legitimate interest as a legal basis for processing data. Instead, consent is the primary basis for processing; it must be given in a clear, simple, unambiguous and easily accessible manner, in writing or in electronic form, and can be withdrawn at any time. Consent is not required, however, where processing is necessary to fulfil the obligations of a data controller or data subject under specific UAE laws, or to perform a contract to which the individual is a party.
Other important rules
- Cross-border data transfers are permitted to both adequate and non-adequate countries, but the list specifying which countries are considered adequate has yet to be published.
- It is mandatory to maintain a record of processing activities; a data protection impact assessment may be required in certain cases, as may the appointment of a data protection officer.
- Data breaches must be reported immediately to the UAE Data Office.
Free zones
The financial free zones have their own privacy legislation: the Dubai International Financial Centre (DIFC) data protection law has been in force since 2020 and the Abu Dhabi Global Market (ADGM) data protection regulations since 2021. They are administered by the DIFC Commissioner of Data Protection and the ADGM Office of Data Protection, respectively.
DIFC
The DIFC law applies to companies registered in the DIFC and to companies registered elsewhere that process data in the DIFC. It may be amended to cover the use of data in AI systems and in digital and communications services.
The legal grounds for processing are consent, performance of contracts, compliance with laws, and legitimate interest.
Cross-border data transfers are allowed, and a risk-based approach has been adopted when implementing appropriate technical and organisational measures for data protection.
In terms of liability, the Commissioner can issue warnings and public reprimands, impose fines of up to US$100,000 per violation, and prohibit data processing.
ADGM
The ADGM data protection regulation applies to data processing in the context of activities of an establishment of a controller or a processor in the ADGM regardless of where the processing takes place.
The legal grounds for processing are consent, compliance with laws, performance of a contract to which a data subject is a party and legitimate interest, which is interpreted broadly.
Data controllers must notify the Commissioner and pay a data protection fee, and there are significant fines for non-compliance.
Saudi Arabia
The Personal Data Protection Law came into effect on September 14, 2023, with a one-year grace period for compliance. The law will be enforced by the Saudi Data & Artificial Intelligence Authority (SDAIA) for the first two years, with oversight by the National Data Management Office. It has extra-territorial reach: it covers all processing that physically takes place in Saudi Arabia, and also processing outside the Kingdom that involves the personal data of data subjects within the country. There are significant fines for non-compliance.
Saudi law recognises legitimate interest as a legal basis for processing, but it cannot be relied on for the processing or transfer of sensitive data. The scope of "legitimate interest" appears rather narrow, and it remains to be seen how SDAIA will interpret it in practice.
The strict prohibition on transfers of personal data outside Saudi Arabia has been relaxed, and international transfers no longer require exceptional approval from SDAIA. In certain cases, Saudi law requires data controllers to appoint a data protection officer.
Oman
Nearly one year after the Personal Data Protection Law came into force on February 13, 2023, the Executive Regulations were issued, providing guidance on how personal data must be processed and managed in Oman. There is a one-year grace period to bring processing fully into line with the law and the Executive Regulations.
The law, administered by the Ministry of Transport, Communications, and Information Technology (MTCIT), does not define its territorial scope. It does not apply, however, where processing is required to perform an obligation under the law or to execute an existing contract to which the data subject is a party.
Consent is the primary basis for data processing. Genetic, biometric and health data, and data relating to ethnic origin, sexual life, political or religious opinions, beliefs, criminal convictions or security measures, cannot be processed without a permit from the authority.
There is an obligation to appoint a data protection officer and an external auditor. Data subjects must be properly notified of processing activities before processing begins, and they can contact the data protection officer at any time.
Cross-border transfers are allowed, and transfers can be conducted if data subjects provided their consent.
Kuwait
Kuwait has recently issued a new data privacy regulation, the Data Privacy Protection Regulation No. 26 of 2024, administered by the Communications and Information Technology Regulatory Authority (CITRA). The regulation applies to service providers operating public telecommunications networks and internet services that collect, process and store personal data and user content, whether the processing takes place inside or outside Kuwait.
Service providers must notify users of all relevant information and service conditions in both English and Arabic, including any intended cross-border transfer of their data. CITRA must be notified of major data breaches that pose a high risk to the rights and freedoms of individuals.
Bahrain
The Kingdom of Bahrain was the second country in the GCC region to issue national privacy regulations; its Personal Data Protection Law has been in force since August 1, 2019, and is administered by the Data Protection Authority. The law has been supplemented by ten ministerial resolutions, and sector-specific data protection provisions can be found in other legislation, such as the Central Bank of Bahrain and Financial Institutions Law, the Telecommunications Law, and the Labour Law.
The law has extra-territorial reach and applies to individuals and entities located in Bahrain, and also to entities and individuals processing personal data using means in Bahrain.
Violations of the data protection regulation may lead to civil, administrative and criminal liability, with consequences including the withdrawal of authorisation and imprisonment. As under the GDPR, the authority must be notified of all data breaches within 72 hours.
Processing personal data is prohibited without the written consent of the data subject unless the processing is necessary for the implementation of a contract to which the data subject is a party or for legitimate interests of the data controller or any third party, to whom the data is disclosed.
Appointing a data protection officer is not required; however, companies that do appoint one must notify the authority of the appointment, with the officer's contact details, within three working days.
There is a general prohibition on cross-border data transfers unless expressly allowed by law. A list of 83 adequate countries has been published to which cross-border transfers are permitted.
Qatar
Qatar was the first GCC country to issue a generally applicable data protection law in 2016. The law has been supplemented by guidelines that provide additional information about interpretation and application.
Separate regulations and rules apply only in the Qatar free zones. The Qatar Financial Centre (QFC) Data Protection Regulations and Rules 2021 have extra-territorial effect: they apply to entities registered in the QFC, and to entities not registered there that, as part of ongoing arrangements, process personal data through an entity in the QFC.
Data controllers are obliged to notify individuals of data processing before it starts. There are additional obligations for operators of websites aimed at children, including posting a detailed notice and obtaining express approval from a legal guardian.
Appointing a data protection officer is not mandatory; each data controller decides whether to appoint one. Data controllers must establish a personal data management system to review protection measures before implementing new processing operations.
Processing data relating to children, criminal activities, health, ethnicity, religion and marital relations requires a permit from the data protection authority.
Looking ahead
The countries of the GCC region have all established data protection laws in recent years, which shows a growing focus on data privacy rights. While these developments represent a positive step, challenges remain: balancing the need for privacy with economic growth and national security is a complex task. The continued evolution of these regulations and their implementation will be crucial in determining the effectiveness of the Middle East's data privacy journey.
By Ksenia Andreeva, partner, and Alena Neskoromyuk, associate, at Morgan, Lewis & Bockius, Dubai.
