The State of Qatar will be the first in the GCC to enact a national level regime that specifically addresses data protection and privacy matters. Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data (“Data Privacy Law”), aims to set minimum levels of protection for personal data within the country. Issued in November 2016, the Data Privacy Law takes effect from the date of publication in the Official Gazette which is expected to be next year. The Data Privacy Law primarily applies to electronically processed information setting out guidelines for the tech sector on issues relating to marketing communications and the protection of the personal data of individuals and minors.
Regarding individual privacy, Article 22 of the Data Privacy Law prohibits certain forms of direct electronic marketing. The use of ‘spam’ messaging without obtaining an individual’s prior consent or failing to offer an opt-out feature from future communications could result in fines of up to Qatari Riyals (“QR”) 1 million for violators. Specific restrictions also safeguard the information of minors by requiring certain policies for websites directed at children. Article 17 requires parent or guardian consent where a minor’s personal data is to be collected. Moreover, individuals have the right to give or withdraw consent at any time in relation to the processing of their personal data. Certain types of sensitive personal data such as criminal or medical records may also only be processed with the permission of the Ministry of Transport and Communications.
Not surprisingly with cyber related hacking incidents increasing around the MENA region, Qatar’s Data Privacy Law also places restrictions on businesses, requiring them to ensure that sufficient action is taken to protect the privacy of personal data. For example, the law stipulates that companies should train their data processing staff to a high standard, take measures to protect personal data from being illegally accessed or damaged, and periodically conduct audits. Companies failing to adhere to the requirements of the Data Protection Law could be subject to fines of up to QR 5 million. Subject to any extensions, businesses will have a grace period of six months from the effective date of the Data Protection Law to ensure that they comply with its requirements.
Interestingly, Article 18 of the law includes exemptions from such obligations in circumstances involving the protection of national security, or matters relating to the economic or financial state of the country, and (perhaps controversially) in the prevention or investigation of a crime.
Having been in the works since 2011, the Data Privacy Law is a step toward ensuring that personal data is protected from unauthorized access and/or hacking. As a relatively new and untested piece of legislation, businesses are already considering the changes in business practices that will be required in order to comply with the law’s requirements.