GCC data laws: One size doesn’t fit all
Justin Whelan of HFW discusses the evolving personal data protection legislation across GCC jurisdictions and how companies must adopt a tailored approach to navigate the complexities and ensure compliance in each unique jurisdiction.
In recent years, the politically and economically allied states of the Gulf Cooperation Council (GCC) have introduced and/or updated personal data protection laws.
There are currently specific personal data protection laws in force in Bahrain[1]; KSA[2]; Oman[3]; Qatar[4]; the Qatar Financial Centre (QFC)[5]; the UAE[6]; the Abu Dhabi Global Market (ADGM)[7]; and the Dubai International Financial Centre (DIFC)[8]. Each jurisdiction has, of course, its own regulator.
Although there is as yet no specific personal data protection law in Kuwait, there is the Data Privacy Protection Regulation[9] (applying to certain telecommunications service providers), and a future personal data protection law is anticipated.
These personal data protection laws sit alongside numerous data privacy and data security provisions in other legislation such as: constitutional laws; civil codes; anti-cybercrime laws; electronic commerce and transactions laws; and cyber security frameworks. Certain sectors also often have specific data privacy and protection provisions, for instance regarding consumer protection, health and financial services.
Like other international laws, personal data protection legislation in the GCC largely provides for the key principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
There are distinct similarities within different specific GCC laws. It may therefore be tempting for organisations, particularly those with a presence in various territories, to consider a general overarching regime as intended to apply as one across the GCC.
However, data protection legislation can be complex. Not uncommonly, organisations face compliance challenges arising from issues such as: time-consuming manual processes; inaccurate or redundant data on discordant systems; and tracking control inadequacies. In such circumstances, correctly applying data protection law is not straightforward.
There is also the fundamental difference between data privacy and data security. The former is the realm of personal data protection law that is focussed on protecting data subject rights and the management and compliance of policies and procedures. The latter, on the other hand, primarily deals with technical safeguarding and protection from unauthorised access, and it is more concerned with laws on data security.
There are key idiosyncratic differences from jurisdiction to jurisdiction within the GCC laws. This means that, when developing governance procedures, organisations should be cautious of adopting a homogenised methodology, and instead consider a jurisdiction-specific approach. Seeking to develop a ‘one size fits all’ strategy for data protection in the GCC heightens the risk of non-compliance in a particular dominion.
Categories of Personal Data
As with international data protection laws, the GCC states distinguish between ordinary personal data and special category personal data. However, differences arise when examining the individual GCC laws regarding special category personal data.
In KSA there is no express definition of special category personal data. The definition of sensitive data does include data ordinarily considered to be special (e.g. health, genetics, ethnic origin, sexuality, religious or political beliefs, criminal convictions etc.), and explicit consent from the data subject is required to process such sensitive personal data.
The Omani and Qatari laws do not contain a specific definition of special/sensitive data at all, and permission from the competent authority is required for processing types of personal data that are usually considered to be sensitive. In Qatar personal data regarding marital status is also to be considered of a ‘special nature.’
In Bahrain, the QFC, the DIFC and the ADGM, consent from the data subject is just one of several permitted purposes allowed as legal bases for processing special/sensitive data, and no permission from the regulatory authority is required.
In the UAE, the current personal data protection law does not apply to personal health data or to personal banking/credit data that have separate legislation regulating protection and processing. If the processing of sensitive personal data involves systematic and comprehensive assessment, including profiling or automated processing, or if it is large volume processing, then the controller or processor must appoint a Data Protection Officer (DPO).
Controller and Processor
It is essential to establish whether an organisation is a data controller i.e. if it specifies the purpose and manner of processing personal data (whether that data is then processed by the controller or by a processor); or whether it is a data processor, i.e. if it manually or electronically performs any personal data processing (such as, for example, collecting, recording, organising, formatting, storing, modifying, updating, using, disclosing, transferring, erasing or destroying). Determining whether an organisation is a controller or a processor or both can become complicated, particularly where an organisation acts as both a controller and a processor over the same dataset but for different purposes and activities.
The laws in onshore UAE, and in the offshore ADGM, DIFC and QFC, set out numerous general obligations on both controllers and processors. In short, controllers must take the appropriate technical and organisational measures to protect and secure personal data and thereby preserve confidentiality, privacy and security. This is inclusive of ensuring that appointed processors have sufficient guarantees to implement the required technical and organisational measures. Processors must carry out processing in accordance with the instructions of the controller and the contracts concluded between them.
In contrast, whereas the laws in Bahrain, KSA and onshore Qatar impose numerous obligations on the controller, they do not impose the same on the processor. In Oman, the law primarily imposes obligations on the controller, but provides that the processor is to abide by those obligations too.
Legal Basis for Processing
The starting point across the GCC is that consent of the data subject is required to process personal data, unless there is a valid alternative legal basis. Consent is however likely to be the most burdensome legal basis to obtain, and an alternative legal basis is often used where viable, such as: contractual performance; legal obligation; vital interests; public interest; and legitimate interest.
In KSA consent is necessary as the legal basis when processing sensitive data, credit data or where decisions are made solely on automated processing. There is also an additional legal basis of ‘actual interest’ which means that the controller must retain evidence that such an interest exists and that it is not possible to contact or communicate with the data subject.
Unlike the other GCC jurisdictions, the UAE's current legislation does not include legitimate interest as a lawful basis for processing personal data (although the anticipated Implementing Regulations may do so).
Records of Processing Activities (‘RPA’)
The GCC laws each contain specific provisions regarding what must be contained within Records of Processing Activities. However, there are GCC idiosyncrasies on the content.
The Bahrain law applies only to controllers or the data protection guardian (i.e. the person appointed by the Personal Data Protection Authority or by the controller). The laws in Oman, the QFC, the UAE, ADGM and DIFC apply to both controllers and processors. In Qatar, the law does not contain any direct RPA provisions (although various other articles impose obligations on controllers to have a comprehensive and accurate description of processing activities). The KSA law applies to controllers only, and there are online templates for use provided by the Saudi Data & Artificial Intelligence Authority (‘SDAIA’).
Transfers of Personal Data
The issue of cross-border transfer differs from GCC jurisdiction to jurisdiction. In Bahrain, the controller may, without prior authorisation from the authority, transfer personal data directly to countries/territories that are deemed to have adequate protection. The controller may transfer personal data to other than those countries/territories deemed to have adequate protection, and within a regional or international group, upon authorisation from the authority on a case-by-case basis. The controller may also transfer personal data to another controller, or to a third party outside of Bahrain, according to a contract that must include specific criteria. The law in Bahrain is otherwise silent on the specific purposes of transfer.
In KSA a controller is permitted to transfer personal data outside of the Kingdom for one of the following specific purposes: a) if it relates to performing an obligation under an agreement, to which KSA is a party; b) if it is to serve the interests of KSA; c) if it is for the performance of an obligation to which the data subject is a party; d) if it is to fulfil other purposes as set out in the KSA Transfer Regulations.
For a) and d) there must also be an adequate level of protection for personal data outside of KSA; for b) and c) controllers are exempt from the requirements to comply with the appropriate level of protection but they must implement appropriate safeguards such as via binding common rules (applying to the parties involved in entities engaged in joint economic activity); standard contractual clauses (that guarantee an adequate level of protection of personal data when transferred outside of KSA, and as published by SDAIA); or a certificate of accreditation (as issued by an entity licensed by SDAIA).
The KSA Transfer Regulations, updated on September 1, 2024, further permit transfer outside of KSA when: performing necessary operations for central processing to enable the controller to conduct its activities; providing a service or benefit to the subject of the personal data; and conducting scientific research and studies.
In Oman, the controller must obtain the express consent of the owner of the personal data before transferring personal data outside of the Sultanate. The only cases in which such consent is not required are: where the transfer is in implementation of an international obligation under an agreement to which Oman is a party; or where the transfer conceals the identity of the data subject. Before transferring personal data outside of Oman, the controller must assess the level of protection provided by the external processor and the risks of transfer, inclusive of the purpose of processing personal data. The law is otherwise silent on the permitted purposes for transfer.
In Qatar, the controller must conform to legitimate purposes and it cannot take any decision or action that would limit the cross-border flow of personal data, unless the processing of such data is contrary to the provisions of the law, or would cause serious harm to the privacy of the individual.
In the UAE, cross-border transfer is permitted if a proper protection level is available in the receiving state, or if the recipient state joins a bilateral or multilateral agreement related to the protection of personal data. Transfer out of the UAE is also permitted where a proper protection level is not available, provided certain criteria are met, such as: under a contract; explicit consent from the data subject; legal obligation; public interest. The awaited Implementing Regulations are expected to develop UAE law.
In offshore QFC, ADGM and DIFC, controllers and processors are permitted to transfer out of the jurisdiction without authorisation from their authority, if the authority has deemed the receiving jurisdiction to have an adequate level of protection. In the absence of deemed adequate protection, the transfer may take place subject to certain criteria, such as the controller/processor providing appropriate safeguards, including enforceable rights and effective legal remedies for data subjects. Where a transfer cannot be based on the aforementioned, it is still generally permissible if the transfer is not repetitive; concerns only a limited number of data subjects; does not contain any sensitive personal data; or is for a legitimate interest.
Conclusion
This article seeks to draw out just some (and by no means all) of the areas where there are key and significant differences in GCC data protection laws. Although, at first blush, it may appear manageable and more cost effective for an organisation to implement a general GCC-wide personal data governance regime, this is likely to heighten the risk of non-compliance in a particular jurisdiction.
Whilst there is much political and economic co-operation in many areas between the GCC states, there is no one overarching pan-country data protection law. Rather, each GCC jurisdiction has its own law containing certain idiosyncrasies. To ensure data protection compliance within a particular GCC jurisdiction, a full and proper analysis of the data protection legislation of that jurisdiction is necessary.
Text by:
Justin Whelan, partner, HFW
—
Footnotes:
[1] Personal Data Protection Law No. 30 of 2018 in force 1 August 2019. The Bahrain Personal Data Protection Law supersedes any law with contradictory provisions. The Bahrain Personal Data Protection Authority issued ten ministerial supplementing resolutions on 17 March 2022.
[2] Personal Data Protection Law enacted 16 September 2021 as amended 27 March 2023 and in force 14 September 2023; as supplemented by the Implementing Regulation issued 7 September 2023, as amended September 2024.
[3] Royal Decree 6/2022 Promulgating the Personal Data Protection Law, in force 13 February 2023; as supported by Executive Regulations in force 5 February 2024.
[4] Law No. 13 of 2016 Concerning Personal Data Protection.
[5] Regulation No. 6 of 2005 on QFC Data Protection Regulations, as updated 17 December 2021.
[6] Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, issued 26 September 2021, in force 2 January 2022. Supporting Executive Regulations are yet to be published and, when they are, organisations will have a further six months from the date of issuance to comply with the UAE personal data protection law. In the UAE there are also data protection/privacy provisions within laws regarding health data, banking and credit data, and within regulations regarding Dubai Health Care City. There is also Dubai Law No. 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai, which provides for designated private sector entities to provide information held by the company in relation to the city to the government.
[7] Data Protection Regulations 2021 enacted 14 February 2021 (repealing 2015 Regulations) and as amended 2022, 2023, 2024.
[8] Law No. 5 of 2020, enacted 21 May 2020 and as amended by Law No. 2 of 2022. Also, Data Protection Regulations, in force 1 September 2023.
[9] Decision No. 42 of 2021 on Data Privacy Protection Regulation as issued by the Communications and Telecommunications Regulatory Authority (CITRA).