The Qatari government has passed a law requiring a minimum level of protection for personal data within the State of Qatar. It is the first GCC member state to issue a generally applicable data protection law. Law No. 13 of 2016 Concerning Personal Data Protection (the Data Protection Law) was issued on 3 November 2016. It will come into full effect in six months' time (unless this period is extended).
The Data Protection Law gives rights to natural persons whose personal data is processed online, or obtained through any other means in order to be processed online, or processed through a combination of online and more conventional methods. As such, the Data Protection Law is designed to address concerns of individuals on the availability and security of their personal information through technology.
Some of the key points from the new law are:
- Individual rights - the rights given to individuals include the right to consent to any processing of their personal data, and to withdraw consent at any time. An individual will also have a right to review any personal data being stored in relation to him or her, and to ask for it to be corrected where it is inaccurate.
- Data processors - obligations to safe-guard personal data and to process it under certain restrictions are imposed on companies which process personal data.
- Sensitive personal data - certain types of personal data are subject to tighter restrictions. Sensitive personal information such as data relating to race, health, religious beliefs, relationships and criminal records may only be processed with the permission of the relevant unit of the Ministry of Transport and Communications (MOTC).
- Safeguarding children - information related to children is also subject to specific restrictions, including restrictions aimed at the owners and operators of websites which are directed at children. For example, such websites will be required to obtain the consent of the child's parent or guardian before any personal data may be processed.
- "Spam" - communications made electronically (including by wired or wireless communications) are also prohibited under the new law, where their purpose is unsolicited direct marketing.
High financial penalties will be imposed for breach of the Data Protection Law. For example, fines of up to QR1 million may be levied for breach of the ban on unsolicited electronic "spam". The level of fines will be designed to drive compliance and deter irresponsible personal data handling practices. They also highlight how seriously the Qatari government is taking the protection of privacy in a fast changing technological environment.
The Data Protection Law envisages further regulations being issued by the MOTC to assist its implementation. Therefore, the level of regulation in this area is likely to increase rather than decrease.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.