January 24, 2022. This article is Part 3 of a series of posts providing an overview of some key legal and regulatory developments that happened in the Middle East during 2021 in the field of data protection and privacy.
In 2016, Qatar became the first Gulf Cooperation Council (GCC) country to have a national-level data protection law when it issued Law No. (13) of 2016 on Protecting Personal Data Privacy (“DP Law”).
As is typically the case in most jurisdictions prior to the issuance of comprehensive national-level privacy legislation, prior to the issuance of the DP Law the legal landscape applicable to data protection was relatively fragmented (with the Qatar Financial Centre economic free zone (“QFC”) having a comprehensive privacy law broadly based on the then-current EU Directive 95/46/EC, and a scattering of national laws with provisions touching upon matters of privacy protection).
The DP Law ushered in a new era of more widely applicable privacy compliance considerations for organizations subject to its application, but it also raised a number of questions and concerns. Although it was broadly based on internationally recognized principles of data protection (i.e., “transparency, integrity and respect for human dignity and acceptable practices”), there were some requirements that necessitated a level of compliance action that the DP Law itself had not yet contemplated or facilitated. For example, processing of so-called “special nature” personal data (i.e., sensitive data) required not only heightened processing protections, but also consent from a data protection authority that had not yet been established (amongst other requirements that the DP Law referenced would be addressed in pending Ministerial resolutions).
Fortunately, 2021 marked the introduction of many long-anticipated and highly welcomed developments on this front. On 31 January 2021, the Compliance and Data Protection authority (“CDP,” established as a department of the Ministry of Transport and Communications) made a series of guidelines available addressing various compliance-related facets of the DP Law and its requirements (“Guidelines”).
In terms of the scope of application of the DP Law and Guidelines (collectively, “DP Framework”), the CDP refers to the concept of these being applicable to “Regulated Entities,” although this is not a term used in the DP Law or separately defined in a formal legal context. The CDP does, however, contemplate expressly that the DP Framework “can be applied to entities, whether a multinational company operating globally or a local convenience store sharing personal data only with a local Qatari bank.” On balance, it seems that the scope of the DP Framework is intended to capture the processing of data related to individuals located within the State – although the CDP does convey variously in guidance that it is not intended to be interpreted or enforced in any prescriptive manner, and that organizations subject to it should use reasoned judgement when determining whether (and to what extent) to adopt any of the guidance, templates, or procedures as contemplated under the Guidelines.
The Guidelines themselves are very comprehensive, and provide what ought to be a useful toolkit for organizations seeking to ensure compliance with the DP Law and individuals seeking to understand their respective rights. They are comprised of numerous instruments ranging from best-practice oriented guidance notes (for example, guidance on when compliance exemptions under the DP Law might apply to certain processing activities, guidance on preparing privacy notices, and guidance summarizing individual data subject rights) to various forms and templates that can be used by regulated entities to align their operations with legal requirements (for example, forms for “special nature” data processing requests and data breach notifications, as well as templates for conducting data privacy impact assessments and preparing records of processing activities).
Some of the key elements of the DP Framework are as follows:
- Consent (which may be revoked) of the data subject is the primary basis for justifying processing of personal data, but controllers can also potentially rely on “lawful purpose” grounds (e.g., contractual or legal obligations, legitimate interests).
- Personal data is rather conventionally defined generally as that which relates to an identified or identifiable individual. So-called “special nature” personal data is defined as that related to “ethnic origin, children, health, physical or psychological condition, religious creeds, marital relations, and criminal offenses.” As noted above, processing “special nature” data requires consent of the CDP, who may impose additional processing conditions.
- Individuals are afforded certain rights which must be respected by controllers. These include the rights to protection and lawful processing of their data, to object to processing in certain circumstances, to erasure and correction requests, to be notified of any inaccurate disclosures, and to access their personal data.
- Controllers are required to notify both the CDP and the relevant data subject in the event of a data breach, and failing to do so could attract penalties of up to QAR 1,000,000 per violation (approximately USD $275,000). It may also attract a further penalty of up to QAR 5,000,000 (approximately USD $1,375,000) if it is determined that the controller failed to establish appropriate security measures and precautions relating to the data and its processing activities.
Both the Guidelines and the DP Law are accessible through the CDP Guidance Hub. It has been reported since the issuance of the Guidelines that further practical measures for demonstrating compliance with and enforcing the DP Framework are under discussion amongst key industry stakeholders. As such, we anticipate that there will be further developments that the CDP will be reporting during the course of the new year, and organizations falling under the remit of the DP Framework should therefore monitor the CDP website for these accordingly, in tandem with their ongoing compliance activities.