The privacy landscape in the Middle East has been flourishing over the last ten years, with privacy laws and regulations emerging across the region. Today we have a colourful and promising scene, extremely exciting for privacy professionals to be a part of. While the purpose of this article is to give you a flavour of what to expect of it, I have to admit, even after five years spent in the midst of the excitement, it is still not an easy job to do.
To start with, Shari’a principles have been protecting certain aspects of privacy and rights of individuals. Criminal laws and laws regulating cyber-crimes and cyber security, where enacted, usually mandate obtaining consent before collecting or disclosing personal data. In addition, some heavily regulated sectors such as health, banking and telecommunications have introduced certain provisions related to the protection of the privacy of individuals.
Talking about “pure” privacy laws, a number of countries and free zones in the region have dedicated privacy laws in place. Here is an overview of these laws:
- Israel – Protection of Privacy Law, 5741-1981 of 1981 (PPL)
- Qatar Financial Centre – Regulation No. 6 of 2005 (QFC Data Protection Regulations) with Data Protection Rules of 2005 (collectively DPR)
- The United Arab Emirates do not have a federal privacy law, but two of its financial centres have enacted theirs:
  - Dubai International Financial Centre – Data Protection Law of 2007 amended by DIFC Law No. 1 of 2018 (DPL)
  - Abu Dhabi Global Market – Data Protection Regulations of 2015, amended by Data Protection Regulations of 2018 and 2020 (DPR)
- Qatar – Law No. 13 concerning Personal Data Protection of 2016 (PDP)
- Turkey – Personal Data Protection Law, No. 6698 of 2016 (PDPL)
- Bahrain – Law No. 30 with respect to Personal Data Protection of 2018 (PDP)
- Lebanon – Law No. 81 Relating to Electronic Transactions and Personal Data of 2018 (ETPD)
- Egypt – Data Protection Law (DPL) has been approved by the Parliament
Although most of these laws are based on either Directive 95/46/EC or General Data Protection Regulation 2016/679, the legislators have also introduced some specifics. For example, the Bahraini PDP prescribes criminal penalties for non-compliance and a deadline of 15 days to respond to data subject requests. Also, which is not so common for privacy laws, the Qatari DPL and Lebanese ETPD prescribe consent as a legal basis for electronic marketing; the ETPD allows relying on its version of “soft opt-in” as well. Organisations which suffer a personal data breach and fall under the scope of the Turkish PDPL must notify the personal data breach to both affected individuals and the Turkish regulator at the earliest (Decision No. 2019/10 further clarifies that the notification should be made within 72 hours after becoming aware of the breach). Moreover, where the Turkish regulator deems it appropriate, it may publish details of the breach on its website or through other means. Similar to a requirement of appointing a DPO, the Israeli PPL mandates appointing a security supervisor to be in charge of information security. The current version of the Egyptian DPL prescribes consent as the only legal basis.
This quick run through the Middle East privacy laws shows some of their peculiarities. On the other hand, they also have traits in common. For each of these laws, be on the lookout for the following:
- Principles related to processing of personal data
- Appropriate legal basis
- Requirements to appoint Data Protection Officer
- Requirements to notify personal data breach to individuals and regulators
- Registration requirements with relevant authorities
- Requirements for transfers of personal data
- Data subject rights
Going through the above list, you will have noticed that some countries in the region do not have dedicated privacy laws. Let us have a look at how some sectorial laws protect the privacy of individuals in these countries:
United Arab Emirates (UAE)
The Federal Law No. 2 of 2019 on the Use of Information Technology in Healthcare Sector defines health data, prescribes retention periods, contains data localisation requirements, regulates sharing and disclosing of health data and mandates putting appropriate security in place to protect health data.
Under the Telecommunications Regulatory Authority Consumer Protection Regulations of 2017, in certain cases consent is required before sharing subscribers’ information, i.e. when sharing personal data with affiliates and/or other third parties not directly involved in the provision of telecommunication services. Also, subscribers’ personal information must be safeguarded properly.
Not to forget, the aforementioned financial free zones have dedicated privacy laws in place. These laws are based on the Directive 95/46/EC, but are not applicable to the rest of the UAE.
Kingdom of Saudi Arabia (KSA)
The KSA E-Commerce Law of 2019 and its Implementing Rules enacted in 2020 require service providers to protect individuals’ personal data by putting appropriate safeguards in place, to keep data no longer than necessary, to obtain prior express consent for marketing and advertising purposes, and not to disclose personal data to third parties unless the individual has consented or disclosure is required by law. The law has an extraterritorial effect as well.
The Cloud Computing Regulatory Framework v2 of 2019 is one of the few such regulations in the world. The framework imposes information security requirements, requires content stored on clouds to be kept within KSA in certain cases, and sets breach reporting requirements to authorities and cloud customers.
Kuwait and Oman
These countries also do not have dedicated privacy laws. However, certain provisions related to privacy are contained in Kuwaiti E-Transactions Law, Law No. 20 of 2014 and Omani Electronic Transactions Law, Royal Decree No. 69 of 2008. Kuwaiti E-Transactions Law prescribes consent as the legal basis, while the Omani law forbids processing if it is going to cause harm to individuals or prejudice their rights.
The Iranian Electronic Commerce Law prescribes consent as a legal basis, explicit consent for certain categories of data (for example, data which may reveal ethnicity, religious beliefs and similar), and certain transparency requirements. There are a number of other sectorial laws which touch on privacy as well.
To conclude, the privacy landscape in the Middle East is quite complex. I hope this brief summary will help you navigate through it. My piece of advice is – be on the lookout for any news, as changes in the region tend to happen quickly.
By Stevan Stanojevic, Group Data Privacy Manager, Etihad Aviation Group
This article reflects my personal opinions and it is based on personal research. The content in this article is for information purposes only. Nothing in this article should be considered as legal advice on any matter.