Data Protection and Privacy Laws in the Middle East

Updated: Jan 11, 2021

What is Data Protection?

According to the Data Protection Act 1998 (UK), data protection means securing individuals' personal information, laying down policies for handling that information, and giving individuals the right to access the information that organizations, institutions and governments hold about them.

In today's age of the internet, information sharing is seamless and data is the new oil. Invariably, data protection and privacy become the heart of all information-related policies in any organization.

What are the existing Data protection laws in the Middle East?

There is no general federal data protection law across the GCC (the alliance of the Middle Eastern countries of Saudi Arabia, Kuwait, the UAE, Qatar, Bahrain, and Oman).

Notwithstanding, it would be incorrect to say that Data Protection or Individual Privacy is not regulated.

Aspects of privacy are covered in various general laws, as below:

Qatar Financial Centre (QFC)

The QFC addresses data privacy through the Data Protection Regulations (Regulation 6 of 2005), which are mainly driven by the European Data Protection Directive.

Dubai

The Dubai Healthcare City is regulated by Dubai Healthcare City Regulation No. 7 of 2008, and data protection in the DIFC is regulated by DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012) and by the Data Protection Regulations (Consolidated Version No.2 in force on 23/12/2012).

The DIFC enforces the law and imposes sanctions where the data controller is not compliant.

Kingdom of Saudi Arabia

Shariah law is supreme and contains tenets relating to individuals' privacy. These principles are enacted in various sector-specific laws, such as:

  1. The Anti-Cyber Crime Law punishes (by fine or imprisonment) any person who illegally accesses another person's computer without the owner's knowledge or permission. The Electronic Transactions Law regulates all forms of electronic communications.

  2. The KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations) govern the exchange of information between borrowers and creditors through Articles 3.1 and 3.2.

  3. The Healthcare Practice Code requires that a health practitioner safeguard and observe complete privacy with regard to patients' data.

  4. The Telecommunications Law restricts service providers from sharing customer data with third parties and also prohibits telephone tracking of customers.

Qatar

“The sanctity of human privacy shall be inviolable, and therefore interference into the privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed,” says Article 37 of the Qatari Constitution.

United Arab Emirates

Article 31 of the UAE's constitution speaks of freedom of communication and guarantees its secrecy in accordance with the law. The National Electronic Security Authority (NESA) ensures the electronic security of data storage, processing, and transmission.

Umbrella of the GDPR

Not only Information and Communications Technology (ICT) companies but also banking and financial services institutions, tourism, hospitality, media and telecommunication, and automation and engineering companies fall within the scope of the GDPR.

At a broader level, any company storing, processing or transmitting the data of EU residents, irrespective of its geographical location, must comply with the GDPR.

Impact of GDPR (General Data Protection Regulation) in the Middle East

The GDPR standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information.

It gives control back to EU residents. The GDPR will usher in better accountability and governance, as it is comprehensive and strict, and the penalty can be as high as 4% of a company's total annual turnover.

The law is enforceable from 25 May 2018. The GDPR includes provisions on the appointment of representatives, sanctions, data breach notifications, accountability, data protection officers and individual rights, to name a few.

Under the law, any company in the Middle East that performs operations on the data of Europeans or EU residents, irrespective of its location, will have to upgrade its software and servers to provide enhanced security and control to customers.

This means greater financial implications for the company in terms of software, hardware, and the appointment of human resources for the sake of compliance.

Businesses will have to create internal compliance processes so that all employees fall in line with the GDPR. The designated representatives will be exposed to the legal authorities.

Companies will have to upgrade their offerings and projects to give customers complete control over their data. The impact of the GDPR will be visible in various industry sectors such as travel and tourism, automobiles, hospitals, hotels, offshore development centres and the IT industry in general.

Companies based in the Middle East have to navigate costly, time-consuming and technically challenging obstacles such as facilitating “data portability”, “data storage”, “notifications” and “data control”, to name a few.

Enterprise software solution providers will have to assess the functionality of their applications, since their databases hold large volumes of customer data. Ensuring compliance with the GDPR may therefore require considerable modifications and associated costs.

Technology Approach to GDPR compliance

The core principles of the GDPR are lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These are essential to protecting freedom, the right to privacy and natural justice in all spheres, including personal data.

Companies should assess and audit whether the GDPR applies to them, and products and services need to be enhanced accordingly. For example, solutions like Vaultastic help clients achieve the required compliance in a hassle-free manner. It is a cloud-based email archiving solution that keeps corporate emails secure and easily retrievable when required, adhering to the GDPR's principle of “accountability”.

Cloud-based email solutions bring in world-class, cost-effective email collaboration tools and enable data governance. These are products that set industry standards when it comes to “data location”, “personal data” and “sensitive personal data” as defined in the GDPR.