The State of Qatar has announced that it has issued Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data (the “Law”). Once gazetted, the Law will officially be the first national level legal regime specifically governing data protection in the GCC. As such, it is expected to herald a new era of privacy-related compliance considerations for data controllers and processors in Qatar and the wider Middle East region, with neighbouring nations anticipated to follow suit in short order with their own national level privacy and data protection regimes.
Data protection in Qatar: Background and existing legal landscape
In 2011, Qatar’s Supreme Council of Information and Communication Technology (ictQATAR, as it was then known) released a draft privacy law – the Personal Information Privacy Protection Law – for public consultation. This was to eventually become the new Law – a first of its kind in the GCC.
Prior to the enactment of the Law, the legal landscape applicable to privacy and data protection in Qatar was relatively fragmented on a national level. Although the Qatar Financial Centre has a comprehensive specific framework governing data protection (which is broadly modelled on the EU Directive 95/46/EC), there was nothing comparable on a national level. Instead, national laws provided some privacy-related protections for individuals, but these tended to be either quite generic (e.g. a general right of privacy for individuals set out in the Constitution, and offences for privacy violations in the Penal Code and Cybercrime Prevention Law) or quite sector-specific (e.g. data protection obligations applicable to telecommunications operators in connection with safeguarding the privacy of their customer information). However, with the enactment of the Law, there is now a specific data protection and privacy regime that applies on a much wider national level.
The new Qatar privacy law
Application of the Law – Processing Personal Data, Rights of Controllers & Individuals
At a fundamental level, the Law sets out a number of new rules and requirements applicable to the processing of Personal Data of an identifiable individual, whether the processing is conducted by electronic or other means.
The general rule under the Law is that the personal data of an individual is to be processed in accordance with principles including those of transparency, integrity and respect for human dignity and acceptable practices. The Law contains a number of provisions which seek to establish appropriate information disclosure obligations on data controllers toward data subjects (e.g. purposes for collection, parties to be involved in processing activities, manner of processing) and also requires data controllers to limit their collection and retention of personal data to that which is relevant and necessary to achieve the purposes for which it was collected, and ensure that it is accurate, complete and current.
Furthermore, data controllers must obtain the consent of the individual prior to conducting any such processing of personal data. It is worth noting, however, that there are a number of exempting circumstances where the consent requirement (and in some instances, other much wider obligations under the Law generally) does not apply. These include, for example, where processing occurs for the purpose of discharging a legal obligation, where interests of national security require or where the processing is happening pursuant to a court order or other direction of relevant authorities. Furthermore, the Law does not apply to the processing of personal data by individuals in connection with personal or family matters, or for official statistical purposes.
The Law also establishes a separate category of personal data (referred to as “special personal data”), which is defined to include data related to ethnic origin, children, health, physical or psychological condition, religious beliefs, marital relations or criminal actions. However, instead of merely imposing heightened processing-related obligations on controllers / processors in connection with such data, the Law prohibits any processing of this type of data altogether unless advance consent has been obtained from the relevant administrative unit at the Qatar Ministry of Information and Communications Technology (“Ministry”), subject to further rules to be set out by way of pending resolution and otherwise as set out in the Law. Therefore, when exactly this approval requirement will arise and how it will be administered (for example, whether it is triggered for each individual whose special personal data is to be processed, or whether a blanket company-wide approval may be obtained in connection with specified purposes, such as employment visa processing) remains to be determined, and is certain to raise a number of compliance-related questions.
Both controllers and processors are also required to implement appropriate security safeguards and precautions (taking into account the nature and importance of the data at issue) to protect personal data from unauthorised disclosure, use and loss. Controllers may also need to factor in any security / safeguarding requirements or policies that may be stipulated by the Ministry when determining the nature of such precautions. Where a security breach occurs, processors are expressly obligated to notify controllers, who in turn must notify the data subject and the Ministry if the breach is likely to cause serious damage to the personal data or to the privacy of individuals generally.
Much like many other data protection regimes internationally, the Law also establishes certain rights of individuals in connection with the personal data that is being processed about them. This includes the right of individuals (subject to restrictions or exemptions otherwise set out in the Law) to:
- withdraw consent to the processing of their personal data;
- object to certain processing activities;
- issue requests for the deletion or correction of their personal data; and
- request access to their personal data and related information about how and why it is being processed.
The Law further stipulates that controllers must establish internal rules for receiving such data access, deletion and correction requests and make these available to data subjects.
Websites targeting children
Interestingly, the Law also contains provisions that pertain specifically to owners or administrators of websites directed at children. Whilst the Law does not define what would be captured as such a website (nor does it indicate a specific age of minority or majority), the provisions are likely to apply generally to any websites that target, collect personal data from or would otherwise be of interest to children.
Some of the additional obligations and requirements that the Law purports to apply to owners and administrators of children’s websites include, for example:
- to post notices on the website specifying the type of children’s data that is being processed and how it is being used (including disclosure policies);
- to obtain explicit approval for the processing from the child data subject’s parent; and
- to stop processing and delete data about the child if so requested by parents.
At this time, it is not clear what particular nexus the site must have with Qatar in order for application of the Law to be triggered (e.g. a server based in the State, or the express targeting of a Qatar-based audience, etc.). As such, and further on account of the reasons set out above, the intended scope of application of these provisions of the Law is somewhat uncertain at this stage.
Electronic communications for direct marketing
The Law also contains a Chapter aimed at imposing conditions and restrictions on the use of electronic communications for direct marketing purposes, where direct marketing is defined as “[s]ending any advertising or marketing materials via any means to individuals”. The operative provision states that it is “prohibited to make any direct electronic communication with the individual for the purpose of marketing without securing a prior consent”. The Law further provides that any such message that is sent must clearly identify the sender and set out the sender’s contact information via which individuals can request that the communications be stopped and/or withdraw their consent to receiving them.
Unfortunately, it is not clear at this stage whether the restrictions are meant to apply to electronic direct marketing practices generally, or whether they are intended specifically to restrict this type of use by controllers of the personal data they hold about individually identifiable data subjects under the Law. The difference matters: under the latter interpretation, for example, the Law may not be read as prohibiting electronic direct marketing where messages are sent to bulk distribution lists using information that is not considered to be connected with an identifiable person (such as a machine-generated list of mobile numbers that does not connect the numbers with the actual subscribers). Indeed, it will be interesting to monitor how these provisions come to be interpreted and enforced in practice in the coming months.
Enforcement and coming into force
The Law sets out a number of potential monetary penalties for violations of certain of its terms, up to a maximum amount of QAR 5,000,000 (approximately $1.4M). Individuals may file complaints with the Ministry for investigation of alleged violations of the Law; the Ministry in turn may issue rectification orders as appropriate to controllers or processors and / or seize materials and otherwise document any such violations.
Perhaps most noteworthy, however, from an enforcement and potential repercussions standpoint, is that the Law stipulates that any contract or agreement entered into in violation of its provisions shall be deemed null and void. Again, how this may be interpreted or enforced from a practical standpoint (for example, whether it would invalidate an arrangement in its entirety or only to the extent of the offending aspects of it, and whether or not it would apply retroactively) remains to be determined.
The Law will come into effect six months from its upcoming date of publication in the Official Gazette, meaning that there will be a temporary grace period for entities doing business in Qatar to audit their data processing operations and take the necessary steps to ensure compliance.
The new Qatar Privacy Law – What to do next?
Without a doubt, the promulgation of the Law marks the beginning of a new legal era in Qatar, where privacy and data protection compliance concerns will formally become key legal considerations of doing business. It is also likely that similar legal changes will soon be effected across the wider Middle East, meaning that now more than ever this is a hot regional topic to watch.
As discussed above, the Law seeks to impose a number of detailed data processing obligations on both controllers and processors alike, some of which many multi-national companies doing business in Qatar will already be generally familiar with (seeing as some of these are broadly aligned with EU data protection standards). The Law also touches upon some further areas that are not traditionally addressed in data protection regimes (for example, the regulation of so-called children’s websites and direct electronic marketing), but with which entities doing business in Qatar will nonetheless need to ensure compliance moving forward.
On this point, and as discussed above, it is also evident that a number of areas of the Law will be the subject of further regulatory clarification (whether by way of formal Ministerial resolution or otherwise) in the months and years that follow its enactment. These clarifications should provide further practical and legal certainty about how entities doing business in Qatar can best ensure compliance with the regime now and in the future.
In the interim, and indeed moving forward, your local legal advisors should be able to assist by way of helping to assess and navigate the changes that this new legal regime will herald, and to help ensure that your business activities and processes are cognisant of its requirements.