WELCOME TO CHARLES RUSSELL SPEECHLYS.
We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
Otherwise, we'll assume you are OK to continue. Please close this message
Unlike the European Union, there is no harmonised legal framework to specifically address privacy and data protection in the states of the Gulf Cooperation Council (GCC). The absence of specific legislation does not mean, however, that privacy is not protected but such protection will emanate from general legal provisions rather than from a particular piece of legislation.
This article provides for a whistle-stop tour of the various relevant legal provisions in each of the six GCC jurisdictions (Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates (UAE)) in terms of data protection.
In Bahrain, there are industry-specific laws and certain provisions in general laws that cover data protection and confidential information.
In Kuwait, the constitution mentions that: “Freedom of communication by post, telegraph and telephone and the secrecy thereof shall be guaranteed; accordingly, censorship of communications and disclosure of their contents shall not be permitted except in the circumstances and manner specified by law”.
Likewise, in Oman the constitutional law recognises the individual’s right to a private life and guarantees citizens’ confidentiality in all forms of communication.
The protection of privacy and personal data in Qatar is addressed in various provisions of some of Qatar’s laws. For example:
Although no specific DP legislation exist in Saudi Arabia, a right to privacy is established in a number of different laws of the Kingdom, starting with the Saudi Constitution which mentions the right to privacy and sets out the overriding principle that all correspondence and communications between parties should be kept strictly confidential and should not be disclosed.
This principle is supported by provisions contained in the Saudi Telecommunications Act and the Anti-Cyber Crime Law.
–the interception of data transmitted through an information network without legitimate
–the illegal access of bank data, credit information or information regarding ownership of
–unlawfully accessing computers to modify, delete, damage or redistribute personal information.
When no relevant legislation applies to protect privacy and personal information, Shariah will apply. Shariah (or Islamic law) is a compilation of principles mostly derived from the Holy Quran. Shariah principles protect the individual’s right to his own privacy and prohibit the disclosure of secrets (unless the owner of the secrets agrees to the disclosure or the public interest requires such disclosure). If Shariah does not provide for any penalty, the penalty will be left at the court’s discretion.
In the UAE, certain provisions in various federal laws can impact data processing activities, for example:
Both the Penal Code and the Cyber Crimes Law set out criminal offences and do not directly confer rights upon individuals in relation to the misuse of their data. However, Federal Law No. 35 of 1992, as amended (the Criminal Procedures Law) permits a person who sustains a direct personal injury from a crime to pursue their civil rights before the criminal courts during the criminal proceedings.
There are also provisions in certain sector specific laws and regulations that address privacy rights in particular areas, such as the Labour Law, the Credit Information Law and the Medical Liability Law.
Besides the absence of specific legal frameworks addressing the protection of personal data, the economic “freezones” areas of Dubai International Financial Centre (DIFC) and Dubai Healthcare City (DHCC) and the Qatar Financial Centre (QFC) each have their own data protection regime applicable to companies established in those zones.
The legal provisions in the DIFC and the QFC are based, if not entirely on the principles set out by the European Data Protection Directive, on European best practice and require personal data to be processed fairly, lawfully, securely and for a specified legitimate purpose.
Freezone data protection regimes will only be applicable to activities undertaken within the relevant free zones. This means that, if an entity is operating in one of the free zones in Dubai or Qatar, it will need to ensure compliance with the QFC Data Protection Regulations or the DIFC Data Protection Law or the Health Data Protection Regulation, depending on which set of rules applies to that entity.