Data Privacy: The GCC Landscape !

/
Content updates

In a world where technology is immensely evolving at a fast pace, concerns about the ability of States and governments to succeed in protecting the privacy of their citizens have increased. It is not a trend. It is an actual threat that may be used to harm others, especially with the rise of Artificial Intelligence (AI) and Internet of Things (IoT) and the integration of such technologies in machines that people use in their day-to-day life.

As a consequence, governments have been vigilant in addressing the topic of data privacy in general and the privacy of personal data in particular. Governments have been building the proper legal infrastructure to ensure effective protection is provided for personal data, especially when exchanged or transferred.

Looking at the Gulf region, 5 (Bahrain, Oman, Qatar, Saudi Arabia and United Arab Emirates) out of the 6 countries comprising the Gulf Cooperative Council (GCC) have enacted independent Personal Data Protection Laws (PDPL). Kuwait is only gulf country that does not have an independent Personal Data Protection Law yet.

Below is a quick guide into the current status of these 5 countries, listed in chronological order of enacting its own PDPL:

Jurisdiction Law Year Enact Date Enforce Date Overview
Qatar Law No. 13 of 2016 2016 03 Nov 2016 29 Dec 2016
  • The first GCC State to introduce an independent Personal Data Protection Law.
  • The provisions of the law apply to personal data, whether it was processed electronically and/or through traditional processing methods.
Bahrain Law No. 30 of 2018 2018 12 Jul 2018 1 Aug 2019
  • The second GCC State to introduce an independent Personal Data Protection Law.
  • The law applies to very individual and business living and operating in the Kingdom of Bahrain.
  • The law imposes strict obligations in relation to how, when and why personal data is collected, stored and used.
  • The key principles the law founded for the processing of Personal data data are:
  1. Legitimate and fair processing.
  2. Legitimate, specific and clear purposes.
  3. Sufficient, relevant and not excessive.
  4. Correct, accurate and updated.
  5. Retention is for limited periods.
  6. Security and confidentiality.
  7. Authorization.
Saudi Arabia Royal Decree No. M/19 of 1443H 2021 16 Sep 2021 24 Mar 2022
  • The law applies to all entities, whether inside or outside the Kingdom, that process Personal Data - wholly or partially - related to individuals residing in the Kingdom using any means.
  • Data Controllers or processors are required comply with the provisions of the Law within 1 year from enforcement date. The timeframe may be extended by the government if needed.
United Arab Emirates Decree-Law No. 45 of 2021 2021 20 Sep 2021 02 Jan 2022
  • The law adopts well-known data protection regimes, including the GDPR.
  • The law introduces rights for individuals to access, rectify, correct, delete, restrict processing, request cessation of processing or transfer of data, and object to automated processing.
  • Certain businesses may need to adjust certain rules or procedures to comply with the provisions of the law and avoid any breach.

Additional resources for data privacy in UAE:
Oman Royal Decree No. 6 of 2022 2022 09 Feb 2022 09 Feb 2023
  • The most recent Law enacted, in the region, concerning the protection of personal data.
  • The law urges businesses and entities to process personal data within the framework of transparency, honesty, and respect for human dignity.
  • The law requires explicit and documented consent of data subjects to any processing of their personal data, unlike most international data protection laws that allows a flexibility in processing certain data types without prior consent or authorization. 
  • The enforcement date will be in February 2023.
Tags
Cybersecurity
Information Technology
Privacy & Data Protection
Nadim Al Jisr
By Nadim Al Jisr
Editorial Lead

Nadim Al Jisr joined Thomson Reuters in 2014 as a Content Specialist, then moved to oversee the Westlaw Middle East platform and manage its growth. Nadim holds a Bachelor’s Degree in Law and has more than 10 years of experience as a legal consultant and litigator in Lebanon, Saudi Arabia and UAE. Nadim is native Arabic speaker and proficient in English and French. Nadim is currently completing his Master’s Degree in Law. Nadim is currently the Editorial Lead heading the MENA Content Team.

Speak to a consultant

Can't find an answer to your question?
Contact our support team.

Contact us

Request training

Contact our team to arrange training.

Request training

Tell us what you think

We'd love to hear what you think
of our products and support.

Give feedback