The past couple of years have seen Qatar, Saudi Arabia and the UAE, in particular, continue to take significant steps towards a more globalised and harmonised approach to data protection. International, tech-focused companies operating in these countries may have been burdened by regional and/or sector-specific rules, which recent initiatives have sought to alleviate in order to encourage data flows.
This is a brief snapshot of the state of play in these key Middle East jurisdictions.
Qatar
Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data (PDPPL) provides a comprehensive data protection framework for Qatar at the federal level, with the Ministry of Transport and Communications (MOTC) acting as the federal regulator.
Qatar's global business hub, the Qatar Financial Centre (QFC), operates on a separate regime, outlined by the QFC Data Protection Regulations 2005 (initially brought in to mirror the now-outdated EU Data Protection Directive) and the Data Protection Rules 2005. Compliance is regulated by the Qatar Financial Centre Authority (QFCA).
The MOTC released guidelines on the PDPPL for the Qatari state on 31 January 2021. These apply to both regulated entities and individuals, with the stated aim of helping stakeholders understand their responsibilities and rights under PDPPL.
The Compliance and Data Protection Department (CDP) announced that it will take measures to ensure the PDPPL's implementation and compliance with it (the CDP Guidance Hub can be found here).
On 25 May 2021, the CDP announced that Qatar had participated in the first Arab Regional Forum on the Protection of Personal Data, which was organised online by the Arab Information and Communication Technologies Organisation. The Forum discussed privacy legislation enacted in Arab League countries and comparisons with international rules. The CDP's representative at the Forum mentioned the Emiri Decision No. (1) of 2021, which entails the establishment of the National Cybersecurity Agency. The aim of the National Cybersecurity Agency is to maintain and organise cybersecurity at the national level, as well as protect the Qatari state's vital interests in the face of cybersecurity threats.
On 18 August 2021, the QFCA launched its consultation on proposed amendments to the QFC data protection regime. The aim is to bring it more in line with the GDPR and other international data protection laws, partly to reduce compliance burdens and costs for international businesses operating in the QFC.
Notable proposed changes include providing clarity around applicability of the regime and the meaning of "consent", a broader scope of responsibilities and requirements for data controllers, the introduction of new data subject rights and new powers for the QFC Data Protection Office to impose financial penalties for breaches.
Saudi Arabia
On 24 September 2021, following approval from the Council of Ministers of Saudi Arabia, the Personal Data Protection Law (PDPL) was published in Umm Al-Qura (the official gazette), establishing Saudi Arabia's first data protection law and extending beyond the general principles of privacy and individuals' personal data that are outlined under Shari'a law.
The new law aims to regulate data transfers and ensure the privacy of personal data and, as per Article 2(1) of the PDPL, will be applicable to the processing of personal data by companies or public entities taking place within Saudi Arabia as well as the processing of personal data relating to Saudi residents by companies located outside of the country.
In contrast to the EU GDPR, which functioned as an update to and harmonisation of an existing data protection legal framework, the PDPL marks a brand-new approach and presents challenges to businesses operating within Saudi Arabia.
The PDPL, which can be found here (Arabic language only), provides new rights to data subjects including the right to claim damages for material and non-material loss, rights of access, rectification and erasure, among others.
The PDPL will come into full effect on 23 March 2022 following a 180-day transition period during which supplementary executive regulations may be issued. Having said that, this period may be delayed for up to five years in relation to the processing of personal data by companies located outside of the Kingdom of Saudi Arabia.
The Saudi Data & Artificial Intelligence Authority (SDAIA), the national data protection regulator responsible for the supervision and enforcement of the PDPL's implementation over the next two years, published a set of FAQs (which can be found here (Arabic language only)), providing guidance on key aspects such as how "personal data" is defined, sensitive categories of personal data, the requirement for consent and how personal data may be retained. Regarding sensitive personal data, under Article 35(1)(a) the penalty in relation to its unlawful disclosure or publication may include imprisonment for up to two years and/or a maximum fine of SAR 3,000,000 (roughly £587,000 at the time of writing).
Additionally, during September 2021, the SDAIA signed a "memorandum of understanding" with the King Salman International Complex for Arabic Language, which sets out a cooperative framework to support the applications, capabilities and research into the use of the Arabic language in artificial intelligence.
In relation to cybersecurity, on 29 May 2021 the Communications and Information Technology Commission (CITC) announced that the cybersecurity regulatory framework has now entered into effect. The framework, which is directed towards service providers in the communications, IT and postal sectors, stipulates the requirements for improving cybersecurity risk management (for example, by supporting the adoption of certain risk management methodologies for service providers) in line with international data protection guidelines.
Following this, the Saudi National Cybersecurity Authority launched a public consultation on the draft document outlining cybersecurity controls for operating systems. The cybersecurity controls – categorised under governance, defence, resilience and third-party and cloud computing cybersecurity – aim to reduce risks facing operating systems and enable the relevant regulatory bodies to enforce data protection requirements for/on these systems. Public consultation on the draft document, which can be found here (Arabic language only), ended on 26 September 2021.
UAE
Onshore
Presently, in the UAE there is no comprehensive, consolidated data protection law at the federal level and there is no single national regulator for data privacy issues. In addition to generalised rights to privacy provided within the UAE Constitution and Penal Code, there are multiple sector-specific laws which incorporate data protection and security provisions. These include Federal Law No. 2 of 2019 on the use of information and communications technology in health fields in the UAE and Federal Law by Decree No. 3 of 2003 Regarding the Organisation of the Telecommunication Sector. Federal Law by Decree No. 5 of 2012 on Combating Cybercrimes (13 August 2012) also prescribed an overarching prohibition of the invasion of privacy of another person via technological means without their consent.
In early September 2021, as part of the "Principles of 50" (which comprises a series of initiatives providing the roadmap for the UAE's economic, political and social development over the next half century), the Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications announced that the UAE government will introduce its first ever federal data protection law, with the aim of creating a "global law… [ensuring] a seamless and smooth transfer across borders" and reducing burdens on data-rich, international companies which operate in the UAE but are currently relying on localised rules. The drafting of the new federal law is said to have considered global data protection laws and involved consultations with a number of major technology companies. The proposed law is likely to be issued before the end of November 2021, just ahead of the UAE's 50th anniversary.
Later that month, the Central Bank of the UAE announced new guidance on transaction monitoring and sanctions screening for its "Licensed Financial Institutions" (LFIs), which stipulates that LFIs are required to establish and maintain effective monitoring/screening systems that consist of risk-based frameworks, employee training and awareness and active oversight carried out by their respective boards. The Central Bank's guidance can be found here.
Free-zones
The UAE comprises a number of special economic free-zones which permit 100% foreign ownership, with special tax and customs regimes independent of the civil and commercial federal laws. The Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM) and Dubai Health Care City (DHCC) all have their own specialised data protection legislation, the latter of which focuses on patient health data and recognises restrictions on certain disclosures and transfers.
Last year saw the enactment and enforcement of the Data Protection Law No. 5 of 2020 in the DIFC, which brought the DIFC's data protection regime closer to the EU's as set out in the GDPR, with new obligations to appoint data protection officers and carry out data protection impact assessments, and the introduction of the right to data portability.
During Q3 2021, the ADGM adopted new Standard Contractual Clauses (SCCs) for data exports (which can be found here), which reflect the strengthened requirements outlined in the Data Protection Regulations 2021, which replaced and enhanced the ADGM personal data processing requirements found within the Data Protection Regulations 2015. The DIFC is also looking at SCCs, with a consultation on proposed revisions to its SCCs in relation to DIFC controllers and non-DIFC processors.
On 26 August 2021, the DIFC announced in a press release that it had formally engaged with the UK Department for Digital, Culture, Media & Sport to begin the adequacy process with the aim of enabling data flows and reducing trade barriers between the two jurisdictions.
Demystifying a complex framework
Many international businesses will be operating across more than one of these jurisdictions. Although there are plenty of similarities to the (UK) GDPR, there are also differences, and specialist advice should be taken. Our international Data Protection & Cyber team can help with this, so please contact us if you need assistance.