Justin Cornish is counsel in the Latham & Watkins Outsourcing and Technology Transactions Practice. He is a frequent speaker on the topic of data protection and privacy laws. With IT spending in the Middle East projected to rise, Cornish provides a comprehensive overview of the complex legal framework governing the processing, storage and transfer of data in the Middle East.
With expenditures on IT infrastructure spending expected to rise in the Middle East, how would you characterize the legal framework governing the processing, storage and transfer of data in the Middle East?
At a symposium held in Dubai in March 2013, Gartner forecast that IT infrastructure spending in the Middle East would increase by 4 percent in 2013 to total US$3.9 billion. Of this spending, a significant proportion is forecast to be on servers and storage, which is underpinned by the construction of Tier 3 and Tier 4 data centers. With this ongoing investment will come an increasing need for organizations in the Middle East to be aware of, and compliant with, the legal framework for the processing, storage and transfer of data. This is true whether data is hosted internally on an organization’s own servers or externally using a third-party data center, which also includes the “cloud.”
There are no pan-GCC or pan-Arabic laws governing data protection and privacy. Nor are there any specific national laws or regulators governing data protection and privacy in Qatar, Saudi Arabia and the UAE of the type found in jurisdictions in the European Union. Notwithstanding that, it would be wrong to say that data protection and privacy remain unregulated in Qatar, Saudi Arabia and the UAE. The constitutions of these countries, together with certain statutes, recognize an individual right to privacy in specific circumstances. In addition, the Dubai Healthcare City and Dubai International Financial Centre (DIFC) free zones in the UAE and the Qatar Financial Centre (QFC) in Qatar have enacted data protection laws that regulate the processing, storage and transfer of personal data by organizations operating within their specific jurisdiction.
What are the characteristics of the data protection legislation in the QFC and in the Dubai Healthcare City and DIFC?
Qatar Financial Centre (QFC)
The QFC is regulated by the Data Protection Regulations (Regulation 6 of 2005) and by the accompanying Data Protection Rules. The QFC Regulations and Rules are based on European best practices and will be familiar to companies with experience of compliance with the European Data Protection Directive. They are applicable only to activities within the QFC or transfers from the QFC. They address the collection, use, disclosure and transfer of personal data and establish the QFC Authority as the regulator responsible for administering the relevant laws and regulations for dealing with complaints under the regulations. The Regulations do not grant the QFC Authority express authority to impose fines for non-compliance. At the time of writing the QFC Authority had not issued a prescribed list of fines nor imposed any fines. The QFC Authority adopts a policy whereby it assists firms to prevent non-compliance with the Regulations. The QFC Regulations and Rules are also the same as or similar to the European Data Protection Directive when it comes to obligations on data controllers and processes and rules regarding when processing is legitimate.
Separate data protection regimes operate for the Dubai Healthcare City and the DIFC. Dubai Healthcare City is regulated by Dubai Healthcare City Regulation No. 7 of 2008, and data protection in the DIFC is regulated by DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012) and by the Data Protection Regulations (Consolidated Version No.2 in force on 23/12/2012). As per the QFC data protection regime, both sets of laws and regulations are based on international best practices and will be familiar to organizations with experience of compliance with the European Data Protection Directive. They address the collection, use, disclosure and transfer of personal data and establish a regulator that is responsible for administering the relevant laws and regulations for dealing with complaints under the regulations and, in the case of the DIFC, enforcing compliance and imposing sanctions where a data controller is non-compliant.
In addition to the Dubai free zones and the QFC, are Qatar, Saudi Arabia or the United Arab Emirates considering introducing national data protection laws or establishing regulatory bodies that would govern data protection?
It is important to note that at this stage, each of these countries takes its own approach to data protection from a national perspective.
Article 37 of the Qatari Constitution states that “the sanctity of human privacy shall be inviolable, and therefore interference into privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed”. The Penal Code also prohibits the disclosure of information and images relating to an individual’s private life and prohibits interception of private correspondence without consent. Organizations operating in Qatar should also be aware of sector-specific laws, including:
- Labour Law, which imposes record-keeping obligations on employers
- Banking Law, which requires QCB-regulated financial institutions to protect confidential information relating to their clients
- E-Commerce and Transactions Law, which puts controls around e-commerce service providers’ collection, use, retention and disclosure of customer information
- Telecommunications Law, which requires telecommunication service providers to protect customer information and also puts controls around the collection, use, retention and disclosure of such information
Qatar's Supreme Council of Information and Communication Technology (ICT) released a draft Personal Information Privacy Protection Law in mid-2011 for public consultation. Although this would establish a data protection regime in Qatar if passed, it is not known if (or if so, when) it may come into force.
Kingdom of Saudi Arabia (KSA)
The paramount body of law in KSA is the Sharīʿah, a collection of fundamental principles derived from a number of different sources, which include the Holy Qu’ran and the Sunnah. Sharīʿah principles protect each individual’s right to privacy and prohibit any invasions thereon. Under Sharīʿah principles, disclosure of secrets is prohibited except, inter alia, where the owner of the relevant secret agrees to such disclosure or if the public interest requires so. While the Holy Qu’ran and the Sunnah do not stipulate a penalty for disclosure of secrets, such disclosure may be punishable by a penalty that a judge, in his discretion, deems appropriate and equitable. Such penalty may include a fine, imprisonment or deprivation of certain rights such as suspension of a practicing license. The principle that correspondence and communications should be kept confidential is further enshrined in the KSA Basic Law of Governance. Over and above Sharīʿah principles, Saudi Arabia has enacted a number of sector-specific laws that impact personal data. These include:
- Anti-Cyber Crime Law, which punishes any person (by fine or imprisonment) who illegally accesses the computer of another for the purpose of deleting, destroying, altering or redistributing its information, accesses the bank or credit information of another or interrupts data that is transmitted through a computer or an information network
- Healthcare Practice Code, which requires that a health practitioner safeguard the secrets of patients that he comes across while carrying out his profession except inter alia where written approval of the relevant patient is obtained
- Telecommunications Law, which restricts the disclosure of information that is intercepted during its transmission and restricts providers of telecom and internet services from disclosing information regarding their subscribers to third parties or from allowing individuals to monitor the communications of their subscribers
- Electronic Transactions Law, which regulates exchanges of electronic communication, electronic contracting or other procedures performed or executed wholly or partially by electronic means
- KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations), which govern the exchange of information between creditors and borrowers:
- Personal data obtained from consumers, guarantors or any other person in connection with the conclusion and management of agreements must be kept confidential (Article 3.1, Credit Regulations).
- Personal data can only be processed for the purpose of assessing the financial situation of the borrowers or guarantors and their ability to repay the agreed credit (Articles 3.1 and 3.2, Credit Regulations).
- Saudi Credit Bureau operates a central database for the purpose of registration and maintenance of credit information on consumers and guarantors. Banks are encouraged to consult the database before any commitment to the consumer or guarantor (Article 3.2, Credit Regulations).
United Arab Emirates
Article 31 of the UAE Constitution states that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”. In addition, the Penal Code establishes criminal offences in relation to the disclosure or use of “secrets”, i.e. personal data, or the interception or disclosure of correspondence or telephone conversations.
Organizations operating within the UAE should also be aware of Federal Laws No.3 and No.5 of 2012, which respectively establish the National Electronic Security Authority (NESA) and combat cybercrimes. NESA has been charged with putting together policies and standards to ensure electronic security as well as suggesting further legislation in support of its goals and such legislation, policies and standards are likely to impact the processing and storage of personal data in the UAE. The cybercrimes law criminalizes a number of activities relating to the unauthorized access, amendment, interception, damage or use of certain types of data.
Specific sectoral laws that organizations should note include:
Labor Law, which imposes record-keeping obligations on employers with five or more employees. The Civil Code (Federal Law 5 of 1985 as amended), includes provisions relating to record-keeping by employers.
In recent months the Emcredit Decree, which regulates the provision of credit data by banks, financial institutions and government departments in Dubai to Emcredit, the official entity responsible for providing credit reporting services in Dubai.
Electronic Transactions and Commerce Law, which seeks to facilitate electronic transactions and correspondence through reliable electronic records and establish unified rules, regulations and standards for authentication and safety of electronic correspondence.
Medical Liability Law, which limits disclosure of patient data by physicians.
Telecommunications Law, which creates criminal offenses in relation to the interception or disclosure of communications over a telecommunication network. The UAE’s Telecommunications Regulatory Authority has issued the Privacy of Consumer Information Policy.
Have recent efforts in Europe to adopt what some describe as the world’s strongest data protection law had any influence/impact in the Middle East?
While there have been calls and some movement in all three jurisdictions in respect of the establishment of a nation-wide data protection regime, it does not appear that any such regime will be enacted in the near future. Were a European Union-style approach to data protection to be implemented, it would present a significant compliance challenge to organizations operating in Qatar, Saudi Arabia and the UAE. That said, the absence of a single unified data protection regime within or across all three countries creates its own compliance challenge due to the need for organizations to be aware of, and compliant with, each item of relevant legislation.
For companies processing data in the region, what types of notification requirements should they be aware of?
Notification obligations apply primarily in the QFC and the DIFC and again these are based on the requirements under the European Data Protection Directive whereby if an entity is a data controller it is required to notify the regulator.
Are there any regulations that prevent the import or export of data (customer data, employee files, financial records or other information) from the region?
Personal data can only be transferred to a recipient located in a jurisdiction outside the QFC if an adequate level of protection for that personal data is ensured by laws and regulations that apply to the recipient. Article 9(2) of the Data Protection Regulations and Article 3.1 of the QFC Regulations and Rules provide that data controllers must assess the adequacy of the level of protection in other jurisdictions considering all the circumstances relating to the transfer, and set out guidelines that data controllers must comply with when making these assessments. Transfers of personal data to a recipient that does not meet these requirements can only be made in certain circumstances (Article 10(1), Data Protection Regulations), for example, if the QFCA has granted a permit for the transfer(s) and the data controller applies adequate safeguards with respect to the protection of the personal data. There are no industry accepted standard form data transfer agreements approved by the QFCA, although at this stage in the law’s development organizations should consider adopting a form of data transfer agreement that is the same as or similar to the model clauses used in Europe.
DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012) and by the Data Protection Regulations (Consolidated Version No.2 in force on December 23, 2012) includes the rules for transferring personal data outside the DIFC. Personal data that originates within the DIFC may only be transferred to jurisdictions outside the DIFC that are considered to have an “adequate level of protection.” Jurisdictions that are considered to have an “adequate level of protection” include all of the member States of the EU. It is noteworthy that neither the United Arab Emirates nor the United States is considered to be a jurisdiction with an “adequate level of protection.” There are certain exceptions to the requirement for an adequate level of protection under Article 12. These include:
- Written consent from the data subject
- Obtaining a permit from the Commissioner (as long as the data controller applies adequate safeguards to the protection of the personal data)
Data transfer agreements are not contemplated by the Data Protection Law and no standard form data transfer agreement has been approved by the Commissioner, although at this stage in the law’s development organizations should consider adopting a form of data transfer agreement that is the same as or similar to the model clauses used in Europe.
Kingdom of Saudi Arabia (KSA)
No specific laws apply to the transfer of personal data outside of the Kingdom of Saudi Arabia although some sector-specific laws are relevant, e.g. the Saudi Arabian Monetary Agency (SAMA), which strictly prohibits data processing of any banking information that was initiated in Saudi Arabia. There are no industry accepted standard form data transfer agreements although at this stage in the law’s development, organizations should consider adopting a form of data transfer agreement that is the same as or similar to the model clauses used in Europe.