Countries in the Middle East have bold plans for economic growth, new technologies, innovation and urban development in the next ten to twenty years. The United Arab Emirates (UAE) is at the forefront of this high ambition. Bahrain, Qatar and Oman are smaller still, but are resource-rich and intend to diversify to meet a changing world. Saudi Arabia is a sleeping giant with confident plans for urbanisation and diversification of its economy. Israel stands slightly apart with its efforts to update its long existing data protection laws. The nation is highly regarded for technology, security, unicorn companies and start-ups, with a successful history of technology exports. All of these countries are adopting new data protection laws, maturing existing rules or expanding the scope of technology regulation. These policy shifts seek to protect individual rights, build trust in new technologies and increase international and regional data flows. Data protection is trending in the Middle East, because the region is investing heavily in data, technology, automation, smart cities and scientific innovation. Turkey is a notable regional neighbour; most fully aligned to international data protection and EU standards. Turkey serves as a reference point for the wider region. The overall regional picture is not uniform. There are different approaches, differing levels of data protection maturity, variable enforcement, many timelines and a range of expectations.
United Arab Emirates (UAE)
The UAE is made up of seven emirates. These are Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. The country has three international-facing data protection regulatory systems. The most recent is UAE Data Protection Law of 2021. It is wide-ranging but does not apply to the UAE government or government organisations. The UAE Data Office, the data protection regulator, is still being fully set up. Rules, regulations and guidance will be published soon to clarify and expand the law. These updates and clarification could be announced at relatively short notice, so companies and organisation must watch developments closely.
The other two laws relate to the UAE’s Free Zones that focus on international financial services, fintech, cryptocurrencies and sectors adjacent to these services. Abu Dhabi Global Market (ADGM) data protection laws were updated in 2021, adding elements that mirror the EU’s General Data Protection Regulation (GDPR). Dubai International Financial Centre (DIFC) data protection rules were updated in 2020 and adopted several matching principles and elements of the GDPR. The DIFC law is now more interoperable with the GDPR. DIFC has been taking steps to grant data protection adequacy to the EU, UK and Singapore. There is an ongoing appetite to establish data flows with other trusted countries and regions.
Bahrain’s Personal Data Protection Law (PDPL) came into force in August 2019. The key definitions largely mirror the definitions in the EU’s GDPR. Independent Data Protection Guardians, who are like GDPR Data Protection Officers, are to be appointed. Penalties range from 100 to 20, 00 dinars and could also include a year in prison. The regulator is the Ministry of Justice and Islamic Affairs (MOJ), who carry out the duties of the Bahrain Personal Data Protection Authority.
Qatar’s Protecting Personal Data Privacy Law (PPDP) was enacted in 2016. The definitions in the law are similar to those in the EU’s GDPR and incorporate key international data protection principles. The Qatar Financial Centre (QFC), a Free Zone in Doha, also has its own data protection rules for businesses and organisations that are registered and licensed by the Centre. The Qatar Financial Centre Authority updated the QFC’s 2005 data protection regulations in December 2021 with new regulations and rules aligned with GDPR.
The Kingdom of Saudi Arabia introduced its first Personal Data Protection Law (PDPL) by royal decree in September 2021. This was followed by a draft Executive Regulation in March 2022 to interpret and extend the PDPL. The regulator is the Saudi Data & Artificial Intelligence Authority (SDAIA). The PDPL comes into force on 17 March 2023 (postponed from 22 March 2022). The law reflects key elements of international data protection principles, EU GDPR and mirrors various data protection laws in the Middle East.
Israel’s data protection law was introduced 1981. Data Security Regulations followed in 2017. These include the concepts of personal data, sensitive data, database, database owner, database holder and database manager. The main law is the Protection of Privacy Law and the regulator is the Privacy Protection Authority (PPA), which is part of the Ministry of Justice. Israel’s data protection landscape is a mix of law, regulations and formal guidelines issued by the PPA. The European Commission granted Israel data protection adequacy in 2011, under the EU Data Protection Directive 1995, and remains the only country in the Middle East to have received an EU adequacy decision. Further legal alignment with the EU’s GDPR may be required going forward. In 2021, the Ministry of Justice announced proposals to update its data protection laws to improve the regulatory scope, key definitions and increase the PPA’s enforcement powers.
Other Countries in the Middle East
Turkey, a near neighbour to the Middle East with enduring historical and trade links, introduced a comprehensive data protection law, the Protection of Personal Data Law of 2016. Turkey also ratified the Council of Europe Convention 108 in 2016. The Turkish Personal Data Protection Authority, Kişisel Verileri Koruma Kurumu (KVKK), is the regulator. Turkey’s data protection regulatory landscape reflects international data protection principles and is substantially similar to the EU’s GDPR.
Egypt introduced a Law on the Protection of Personal Data in 2020. The law includes principles, definitions, rights and duties that mirror EU GDPR. The Minister of Communications and Technology is tasked with publishing Executive Regulations for the law. The regulator is the Data Protection Centre, but this organisation has not been fully established. Lebanon has a basic data protection law in the form of the Electronic Transactions and Personal Data Law of October 2018. There is no independent data protection regulator. Oman published a Personal Data Protection Law in February 2022, with plans to bring it into force in February 2023.
Jordan published a draft data protection law in 2021. Iraq, Iran, Kuwait, Palestine, Syria and Yemen do not have a comprehensive national or international facing data protection laws.
Other Future Trends to Watch
The UAE and Saudi Arabia are moving quickly to expand their national artificial intelligence capabilities and introduce regulatory frameworks for new technologies. Fintech will continue to grow and mature in most countries. The emergence of Middle Eastern data protection regulators with distinct voices, regulatory approaches and ways of operating is a noticeable trend. The Turkish Personal Data Protection Authority (KVKK), ADGM Office of Data Protection (Commissioner for Data Protection) and the DIFC Commissioner of Data Protection are creating notable blueprints. In the longer term, Chinese investment in the Middle East coupled with the strengthening of historic ties with India, will impact the regulatory environment in the Middle East. China’s recent data protection and data security laws, as well as India’s impending comprehensive data protection law will also shape data protection, cybersecurity, data flows, trade and the market adoption of new technologies and innovation.
For help, support and advice with data protection, data breach response, cybersecurity strategy, new technology projects and artificial intelligence data risks in the Middle East, especially the UAE, Turkey, Israel, Saudi Arabia, Bahrain and Qatar, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370