Smart News | Data protection in the Gulf countries and data transfer
[article in English only]
Data protection in the GCC and data transfer
In the last six months, Saudi Arabia (“KSA”) and the United Arab Emirates (“UAE”) have taken major steps with respect to personal data protection, following Qatar, which adopted its data protection law in 2016. These countries have recently adopted laws that are largely inspired by the EU General Data Protection Regulation (“GDPR”) and reflect many of its key concepts, including the seven principles that govern the GDPR and the main rights the GDPR grants to data subjects (a “data subject” being the natural person about whom a Data Controller (the “Controller”) holds personal data and who can be identified, directly or indirectly, by reference to that personal data).
As for the other GCC countries, Bahrain adopted a personal data protection law that came into force on 1 August 2019, while Kuwait and Oman still have no specific personal data protection law.
In an international context where ever more data is transferred, these recent laws set out the conditions under which such transfers may take place and, more generally, how personal data must be processed.
This comparative analysis presents the main points to be taken into consideration by entities that collect, transfer and store personal data.
Saudi Arabia
The Personal Data Protection Law (“PDPL”),[1] which comes into force on March 23, 2022, is the first data protection law established in Saudi Arabia extending beyond the general principles of privacy and individuals’ personal data outlined under Sharia law. The rights granted to data subjects under the PDPL are in line with those granted to data subjects under the GDPR, such as the right to access, to rectification, to erasure, to the restriction of processing, to be informed, to data portability, to object, and not to be subject to automated decision making.
The PDPL is applicable (i) to the processing of personal data by companies or public entities taking place within the KSA, as well as (ii) to the processing of personal data relating to Saudi residents by companies located outside of the country. A company could therefore be subject to the PDPL even if it is not established in KSA through a subsidiary or a branch, if it is selling goods or services to KSA-based customers.
Controllers (when KSA entities) will be required to become compliant with the PDPL within a period of one year from the date of its entry into force. As for entities located outside the KSA, their requirement to appoint a representative in the KSA and to comply with the PDPL shall be delayed for a period of up to five years from the effective date of the PDPL. The Controllers will be required to register on an electronic portal that will form a KSA national record of Controllers, and pay an annual registration fee.[2]
The PDPL defines “personal data” as any information, in whatever form, through which a person may be directly or indirectly identified.[3]
Companies should take into account that the PDPL is more stringent on cross-border personal data transfers: Controllers are not allowed to transfer personal data outside the KSA unless the transfer is made under an agreement to which the KSA is a party, serves Saudi interests, or falls within other purposes to be set out in the executive regulations of the PDPL. Further requirements must also be met, including that the transfer or disclosure to a party outside the Kingdom does not affect national security or Saudi interests, and that the approval of the Saudi Data & Artificial Intelligence Authority (“SDAIA”) is obtained.[4]
Penalties for failure to comply with any aspect of the PDPL include up to two years’ imprisonment and fines of up to SAR 3 million (circa USD 800,000). Higher fines may be imposed in case of repeat offences. Furthermore, parties affected by an offence may be able to claim compensation.
It is expected that the PDPL will continue to evolve during the first five years after its entry into force, with further details expected to be issued with respect to the processing of health and credit data.
United Arab Emirates
The Data Protection Law and its scope
On January 2, 2022, Federal Decree-Law No. 45 of 2021 regarding the protection of personal data (the “PPD”) came into force in the UAE. The PPD will be supplemented by a set of executive regulations to be issued by the UAE Data Office, which will oversee the PPD (the “PPD Executive Regulations”). Controllers will have a further six months from the date of issuance of the PPD Executive Regulations (anticipated to be published in March 2022) to comply with the PPD.
The PPD broadly mirrors the GDPR, with a number of exceptions.
The PPD applies to data subjects, Controllers and processors located in the UAE, and to those located outside the UAE that process the personal data of data subjects residing in the UAE (which covers companies located outside the UAE doing business there); it applies to all automated digital processing of personal data. It is important to note that companies established in certain free zones in the UAE (such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM)) do not have to comply with the PPD, as those free zones have their own data protection legislation.
Two categories are exempted from the PPD: (i) UAE government data, and UAE government entities that control or process personal data; and (ii) specific categories of data, for example health data or personal financial or credit data, that are subject to specific UAE data protection legislation, to the extent that they are already governed by such legislation.
As in the KSA’s PDPL, and contrary to the GDPR, the PPD does not allow the processing of a data subject’s personal data on the basis of the Controller’s legitimate interests.
Companies should take into consideration that personal data may not be transferred outside the UAE to jurisdictions that do not offer an adequate level of protection without obtaining the data subject’s consent. This prohibition is subject to certain derogations, including transfers necessary for the performance of a contract, to fulfil an obligation, to protect the data subject’s vital interests, or to prepare, pursue or defend a legal claim. All data transfers to foreign jurisdictions are subject to the condition that the transfer does not conflict with the public and security interests of the UAE.
At present, the PPD does not expressly provide for sanctions to be applied in case of non-compliance with its provisions. The PPD Executive Regulations are expected to clarify this.
Qatar
The PDPPL and its scope
Law No. 13 of 2016 concerning Personal Data Privacy Protection (the “PDPPL”) provides a comprehensive data protection framework for Qatar. While the PDPPL took effect in 2017, executive regulations further implementing it were issued in 2021.
The PDPPL applies to personal data that is any of the following: processed electronically; obtained, collected or extracted in any other way in preparation for electronic processing; or processed through a combination of electronic and traditional processing.
The PDPPL is aligned with the GDPR in relation to most of the principles, rights and responsibilities it provides for, with some exceptions, cross-border transfers being one of them. While the GDPR authorises cross-border transfers only under specific conditions and where an adequate level of data protection is ensured, the PDPPL takes the opposite starting point: it forbids Controllers from taking any decision or measure that may limit cross-border data transfers, unless the processing of such data is in breach of the PDPPL, or the processing may cause serious damage to the personal data or to the data subject’s privacy.
However, the PDPPL also reserves the right for the Ministry of Transport and Communications (“MoTC”) to determine that this principle, amongst others, does not apply to certain categories of data that Controllers process, on the grounds of national security, international relations, the economic or financial interests of the State, or the prevention or investigation of criminal offences.
The violation of the PDPPL may result in fines up to QAR 5,000,000 (circa USD 800,000).
Conclusion
Over the last few years the GDPR principles have become a gold standard in data privacy with which more and more countries are aligning, the GCC countries included.
Following Qatar, the recent adoption by the KSA and the UAE of privacy laws aligned with the GDPR fills a gap in the protection of data that has affected individuals and companies operating in these countries in recent years.
Controllers operating in the GCC will however need to take into account the particularities of the different jurisdictions, especially where more stringent protection measures are required of them. This is mainly the case where the local jurisdiction prohibits the cross-border transfer of all or certain categories of data.
The Global Data Privacy Practice Group of LPA-CGR avocats, led by Paris Partner Prudence Cadio, supports you in all your domestic and cross-border issues related to the GDPR, thanks to its unique network of 13 offices in Europe, Asia, the Middle East and Africa. We remain at your disposal for any assistance.
[1] Implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021)
[2] Controllers will be required to upload a record of processing activities to a new online portal; the record must include the purpose of the processing, the entities to which the personal data was or will be disclosed, whether the personal data was or will be transferred outside of the KSA, and the expected retention period.
[3] This includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person.
[4] The PDPL appears to imply that Controllers could be required to obtain a permit from the SDAIA for any cross-border personal data transfers, although how this will work in practice is not yet clear, and requires the guidance from the upcoming executive regulations.