Data Protection update: Qatar introduces a law on personal data protection
This article provides a synopsis of the key implications of the new legislation for businesses operating in Qatar.
The Qatari Government has enacted Law No. 13 of 2016 relating to the protection of personal data. The new law represents the first attempt by a GCC member state to introduce “European-style” legislation at the federal level governing the collection, use and disclosure of personal data.
The law will enter into force when published in the Official Gazette, which is expected to take place by the end of 2016. After publication, there will be a period of six months during which those subject to the law will have to ensure compliance.
The law will impose obligations on natural and legal persons processing data relating to identifiable individuals using electronic means. It includes a number of provisions which will be familiar to privacy law practitioners in Europe and other jurisdictions with established privacy law frameworks, including:
- principles of fair and lawful processing of personal data, including requirements to disclose to individuals the manner and purposes for which personal data will be processed before processing starts
- obligations to implement appropriate administrative and technical measures for the security of personal data, and
- a reiteration of the principle, already established in Qatar under separate regulations, that electronic marketing to individuals may only be carried out on the basis of the individual’s prior consent.
The following areas of the law are particularly notable, as they represent a step-change in regional compliance standards and replicate (and even exceed) standards seen in Europe and other jurisdictions with established data protection frameworks:
- Individual rights: The law introduces specific rights which sit outside the frameworks previously seen in the GCC, for example, specific provisions around withdrawal of consent and requests to correct or delete personal information, amongst other rights.
- “Special” categories of personal data: The law recognises that personal data relating to ethnic origin, children, health, religious belief, marital status or criminal offences have a “special nature” and, crucially, may only be processed after obtaining a permit from the Ministry of Transport and Communications. This is more restrictive than data protection laws in Europe and a potential legal and administrative obstacle to both internal (HR) and external (customer) data processing initiatives, in particular “big data” projects. This is an issue for any company involved in the use of data to carry out profiling of individuals.
- “Privacy by design”: The law appears to introduce a requirement for organisations to consider privacy issues when designing and developing products, systems and services. This type of “privacy by design” obligation is a key feature of the new EU General Data Protection Regulation and demonstrates an effort to incorporate the latest thinking around privacy issues at an international level. This is relevant to anyone leading legal and regulatory compliance initiatives in Qatar.
- Websites for children: The law requires the operators of websites targeting children to post specific notifications and obtain the explicit consent of a child’s guardian. The scope of these requirements, in particular what types of website will be deemed to “target” children, is unclear. If interpreted widely, the requirements could capture broad categories of digital media, including social media services.
- Cross-border transfers: The law establishes a general principle that there must be no restriction on the ability to access personal data collected in Qatar from, or store such data in, other jurisdictions. However, the law also reserves the right for governmental bodies to determine that this principle, amongst others, does not apply to certain categories of data they process on the grounds of national security, international relations, the economic or financial interests of the State, or the prevention or investigation of criminal offences. The result is that ministries, regulators and, potentially, “semi-government” organisations such as banks will have the right to mandate that their data be hosted in Qatar and that different rules will apply to personal data controlled by different entities of government. This is potentially an issue for hosting service providers operating in Qatar.
Our international Data Protection & Privacy group has developed a range of tools that enable clients to assess data compliance risks and address “gaps” in their organisation; these will be useful to clients seeking to comply with the new law in Qatar. Fines for non-compliance with the law can be up to QAR 5m, but businesses should also pursue compliance to mitigate the significant reputational harm that can arise from violations.
Relevant communications from the Ministry of Transport and Communications and other governmental bodies will need to be actively monitored to understand the effect of the law and how to comply, in particular in relation to the potential restriction on exports of personal data from Qatar. We have recently provided specific advice to a number of businesses with operations across the Middle East and Africa on mitigating data transfer and data sovereignty risks in the context of cloud services.







