Comparison between recent legislation regarding Personal Data Protection in Bahrain, Saudi Arabia and the United Arab Emirates
EMME Advisory Services
Supporting business in emerging markets and the middle east
By Matthew Chance
Introduction
When the General Data Protection Regulation, better known by its acronym of GDPR, was passed into EU law in 2016, it became an example to follow for many countries around the world, and economies in the GCC were quick to notice. The Kingdom of Bahrain issued Law Number 30 of 2018 concerning the use of personal data, to be followed by the Federal UAE Law No. 45 of 2021, which was written into law alongside legislation creating a new UAE data office, and by the Kingdom of Saudi Arabia issuing their own Personal Data Protection Law in the same year. It’s become clear that more and more countries in the GCC and the Middle East more widely are taking the issue of the protection of personal data seriously, and as such an examination of these three laws, the way they mirror one another and the few but important key differences between them is likely to be illustrative of what to expect in the future legal landscape of the region, and more importantly how to best deal with these new laws specifically when doing business in Bahrain, the UAE and Saudi Arabia.
Section 1 – Important definitions and the scope of the law
To begin with, it is most important to know what exactly these laws concern. On the face of it, they all make it clear that all three are about Personal Data and the protection thereof – however, while most will have a broad idea about what this might be, it’s important to take a closer look at the exact definitions to appreciate what kind of scenarios exactly will fall under the remit of the law in each of the three countries. However, even just in the definitions there can be subtle differences that have larger ramifications for how the law is applied as a whole – these differences can make a great degree of difference to the kinds of scenarios in which the law is engaged, and to whom they apply.
Key Similarity – Definition of Personal Data
All three laws are explicit in what they concern – the use of Personal Data, which at the broadest level receives a near-identical definition in each law. In all three, Personal Data is defined as any set of information that could identify any person (any such person is defined as a Data Subject), whether by reference to a name, address, ID number, or any other kind of information that might identify a person, whether directly or indirectly. The non-exclusive nature of the kinds of information that might come under the umbrella of these definitions, together with the stipulation that information which can be used to identify a person either directly or indirectly is included, casts an extremely wide net over the kind of information that can be considered Personal Data – indeed, it seems extremely easy to interpret almost any supply or receipt of information by one person to another as falling within it.
Key Difference – Special Classes of Personal Data
A closer look at all three laws will make it clear, however, that certain classes of personal data are treated as special classes in their own right. All three include a definition for Sensitive Personal Data. However, while the definitions of Personal Data in all three pieces of legislation are so broadly drawn that they can be considered the same, the classification of Sensitive Personal Data in each instance not only concerns much more narrowly defined classes of data, but each is subtly different from the others. For instance, the Bahraini law includes in this category information that reveals any individual’s race, ethnicity, political or philosophical viewpoints, religion, union membership, criminal record, or any information concerning health or sexual status. The Saudi law, on the other hand, refers to Sensitive Personal Data as any personal statement which includes, as in the Bahraini law, reference to a person’s ethnic or tribal origins, religious and political views, or their criminal or security records, but also reference to a person’s membership in any private associations or institutions, biometric data that can determine identity, and three other separately defined special classes of personal data, these being Genetic, Health, and Credit data. The UAE legislation goes on to define Sensitive Personal Data as data that can identify any person’s family, racial origin, political or philosophical opinions, criminal records, biometric data (defined separately as data obtained via a specific technique that allows for facial identification of a person) or any data that relates to health concerns, such as his or her physical, mental, genetic or sexual condition.
While there is quite a lot of overlap between the categories included in each definition, it is important to be aware of the important differences under each statute – for instance, the Bahraini law is the only one of the three to make a specific allowance for union membership, whereas the Saudi law makes a broad allowance for membership of any private group, while the UAE law makes no allowance for affiliation with private groups at all. These differences, however small, are important to pay attention to – the difference between how each law treats regular Personal Data and Sensitive Personal Data can have severe ramifications, as we will examine later.
Key Similarity – Processing, Controllers and Processors
Now that the definitions of Personal Data and Sensitive Personal Data have been established, the next important matter to determine is what can be done with it that falls under each piece of legislation. In all three laws, this falls under the definition of “Processing.” As with the definition of Personal Data, all three laws converge on a highly similar and extremely broad definition of the term, declaring Processing to be any operation performed upon the data whatsoever, including recording, storing, adapting, using the data for any person or transferring it elsewhere. This definition makes it near impossible to come into contact with any kind of Personal Data and not fall under the broad umbrella of one of these laws – because all three include merely storing data within the definition of Processing, merely possessing any kind of Personal Data can be considered Processing; likewise, destroying or erasing the data is also considered Processing under all three statutes.
Likewise, under all three pieces of legislation there are near-identical definitions for Controllers and Processors – the former is any person (whether an individual or a legal personality) who determines how data is processed and for what purpose, whereas a Processor is anyone who processes data on behalf of a Controller.
Key Difference – Scope of the law and exceptions
The Bahraini law’s second article concerning the scope of the law has two key elements regarding what manner of data processing counts for the purposes of the law and who these laws apply to. Firstly, the law applies to the processing of data by partial or total automatic means, or by any non-automatic means that forms part of a filing system, or is intended to function as such.
Secondly, the law applies to every natural person who either resides in the Kingdom of Bahrain or maintains a place of business there, every legal personality with a place of business in Bahrain, or any natural person or legal personality that does not meet either of these definitions but nevertheless processes data using means that are situated in the Kingdom, unless those means are only intended to be used for the transit of data through the Kingdom’s territory.
Under these rules, any citizen or resident of the Kingdom of Bahrain can be considered either a Data Subject, Controller or Processor for the purposes of the law, and any data that’s either kept in a filing system or dealt with any digital means whatsoever will be considered to be Processed.
The same article does provide some exceptions to this rule, however – processing of data by an individual for the purpose of their own personal or family affairs is excepted, as is any processing that concerns public security as carried out by any public or national security organ operating under the auspices of the Bahraini government – furthermore, any measure of the Bahraini PDPL is stated as not prejudicing any duty of confidentiality relating to the Bahraini Defense Force. While national and public security concerns aren’t likely to relate to the average person residing or seeking to do business in Bahrain, the exception relating to personal affairs seems to give at least some umbrella of protection to regular people simply carrying on with their normal lives, though it should be noted that this protection is only provided to individuals and not legal personalities including companies – as such individuals should take care when mixing business with personal matters when it comes to identifying data to avoid potentially breaching the terms of this law.
By contrast, the Saudi law is more straightforward but also more wide-reaching in terms of scope – article 2 of the Saudi law bluntly states that all Processing of Personal Data that takes place inside the Kingdom of Saudi Arabia by any means falls under the aegis of the law, in addition to any processing of the Personal Data of Saudi Arabia’s residents by any entity outside the country. This is an extremely wide-reaching definition, so much so that it has an essentially unlimited international element – any person or entity who receives information relating to any Saudi citizen or even a Saudi resident may become liable under this law no matter where they may be in the world. It should also be noted that unlike the Bahraini law, which does not concern non-automated Processing of data that isn’t considered to be part of a filing system, the Saudi law concerns any Processing of data no matter what – as a reminder, under all three laws Processing can be construed extremely broadly, to the point that merely receiving it can be considered Processing for the purposes of the law. As such, all need to be extremely wary when handling any identifying data concerning any Saudi national or resident – the likelihood of this law and its obligations being engaged are extremely high, regardless of whether any entity receiving the data is doing business in Saudi Arabia or not at the time.
Even the exceptions are more limited in the case of the Saudi law – while it provides the same exception for personal and family use as in the Bahraini law, the exception includes the additional stipulation that data must not be disclosed or disseminated to a third party for the exception to continue to apply – therefore, even when dealing with more mundane matters, individuals need to take care to avoid engaging this law when transmitting Personal Data.
There is, however, an additional stipulation under Article 3 that states that the provisions or procedures of the law shall not prejudice any provision that grants rights to Data Subjects, or any law or international agreement to which Saudi Arabia is a party that grants “better” protection of Personal Data. That said, which relevant laws and agreements can be considered “better” is likely to be subjective, as neither the law itself nor the published regulations concerning the law offer any guidance on this matter.
The UAE law’s scope is once again defined by article 2, which states that the law concerns any processing of data, whether total or partial, by automatic or any other means, conducted in respect of any Data Subject who resides or has a place of residence in the UAE; by any Controller or Processor located in the UAE who carries out Processing of the data of Data Subjects located either within or outside the UAE; or by any Controller or Processor located outside the UAE who Processes the Personal Data of any Data Subject within the UAE.
One should note that the UAE law not only raises the same concern as the Saudi law, under which any person located outside the country who receives or processes Personal Data concerning its citizens and residents becomes liable under the law, but also introduces the inverse consideration: data processors operating within the country must be aware that the law is still engaged even if they are handling the data of Subjects who reside outside the UAE and are not UAE citizens. This requirement is also mirrored somewhat in the Bahraini law’s stipulation that any processing of data inside Bahrain may engage the law, though the UAE law omits the Bahraini exception for the mere transit of data through its territory.
As such, while the scope of the UAE law can be considered the widest-ranging and most robust of the three, it also features the longest list of exceptions to the rules. In order, it excludes from the remit of the law any government data, any government authorities that process Personal Data, processing of data by a Subject for personal purposes, personal health data and financial and banking data subject to separate protections under other legislation, and, perhaps most notably, companies and institutions located in the UAE’s Free Zones that are subject to their own equivalent legislation. For reference, the three Free Zones that meet these criteria are the Dubai International Finance Centre, the Abu Dhabi Global Market, and the Dubai Healthcare City, each of which has enacted its own data protection law independently of the UAE Federal law. While these will not be explored in detail here, note that each of them was modelled in broad terms to be compatible with the EU’s GDPR, and as such won’t be drastically different from the Federal law or the Saudi or Bahraini laws, though it should go without saying that anyone planning on doing business in these free zones should familiarize themselves with the relevant law more closely.
As with the special classes of personal data, the difference in the scope of the rules may be significant depending on which jurisdiction one plans to engage with, and care should be taken before assumptions are made as to whether the law is engaged or not.
Section 2 – Key rights and obligations
There are several key common threads between the three pieces of legislation in regards to the main obligations that they impose on Data Controllers and Processors, and the primary rights that Data Subjects enjoy. However, there are noticeable differences between the three as well that should be paid heed to.
Key difference – Basic conditions for processing
All three laws lay out a basic set of conditions under which data is allowed to be processed, though each is slightly different and expressed in a different way.
The Bahraini law under Article 3 sets out a list of basic criteria which have to be met in order for data to be considered legitimately processed. In addition to being processed in a fair and lawful manner, personal data must be collected for one clear and specific reason, and cannot be processed for any reason that’s not compatible with this original intended purpose, save for long-term storage for historical or scientific reasons, and then only under the condition that the data is either anonymized or encrypted in such a way that renders it impossible to identify the relevant Data Subject. Further to this, the data collected should not exceed that which is required for the data’s stated purpose and be correct, accurate and kept up to date when this is a relevant factor.
Under the Saudi law, articles 10 to 13 dictate how Personal Data can be collected and processed. Article 10 confirms, similarly to the Bahraini law, that data can only be used for the purpose for which it is collected, but additionally adds the stipulation that any such data must be gathered directly from the Data Subject only. However, it also sets out a series of exceptions to both of these rules – for instance, if the Data Subject agrees otherwise, if the Personal Data in question is already publicly available, when the Controller in question is a public body, if the data is required for security or judicial purposes, if complying with the rules may harm the Data Subject or their vital interests, if collection is necessary to protect public health and safety or the life or health of an individual or a group of individuals, or if it is recorded or stored in such a way that does not allow for Data Subjects to be identified. Article 14 of the separately published draft Data Regulation that governs part of the Saudi law issues some guidance on this last point, stating that a Controller must adopt means of assessing the risk of processing anonymized data, including the risk that the Data Subject be identified, and that the rapid advance of relevant technologies in this area be taken into account.
Article 11 of the law states that the method of collection of data must be directly related to the stated purpose of the Controller, and be conducted clearly, without deception and in a manner compatible with all existing laws. Furthermore, the data collected shall be limited only to what is necessary in order to fulfil the purpose for which it is collected under Article 10. It mirrors the Bahraini law in this regard, though article 11 also adds the requirement that where collection of data is no longer necessary to achieve the stated purpose, collection must immediately cease and what exists should be destroyed. Article 12 also adds the requirement that Controllers must adopt a Personal Data privacy policy and make this available to Data Subjects to review and agree to before collection of data can begin.
When data is collected directly from a Data Subject, article 13 additionally goes on to require a Controller to inform the Data Subject of the specific legal or practical reason for gathering the information, which parts of the information are optional or mandatory to provide, that the data will not be processed in a manner incompatible with article 10 or the purpose of its collection, the identity of the person collecting the data (unless the collection is for security reasons) and who the data will be disclosed to and whether the data will leave Saudi Arabia.
The UAE law sets out a set of general rules for data processing under Article 5, which are mostly similar to the other two laws with some slight differences. In addition to the basic requirement that all processing is fair and lawful, the stipulation that data is used only for its prescribed purpose also recurs here – though it comes with the qualifier that personal data may also be used for purposes similar to the prescribed reason for which it was collected - however, the requirement that any data collected be limited to only that which is necessary to fulfil this purpose remains in place. Similarly to the other laws, data must be kept accurate and up to date, and any data that is kept once the original purpose for data collection is complete must be anonymized in order to protect the identity of the relevant Data Subjects.
In addition to these, articles 7 and 8 of the UAE law divide the general obligations between those unique to the Controller and those unique to the Processor – when the Controller and Processor are one and the same, it is implicit that both sets of obligations apply at once. In addition to a basic requirement to take the necessary measures to keep data safe and comply with the other measures of the law, Controllers are required to keep a special record of all Personal Data kept, including a description of its category, the methods by which it is processed and the purpose for doing so, any data relating to its transfer and processing outside the UAE, and the security measures applicable to it, with all this information to be kept available to be supplied upon request by the UAE Data Office.
Under Article 8, the Processor is obliged to carry out processing according to the Controller’s instructions, apply appropriate techniques to process the data, comply with the established rules regarding adhering to the set purpose of the data, not disclose it unless permitted, and likewise keep a special record of the data. It also supplies an additional requirement where more than one Processor is involved in the processing of data – in such a case, a contract must be drafted which clearly defines the subdivision of processing work; otherwise, all parties will be held jointly liable for any breach of the law incurred.
Key Similarity – Consent
Under all three pieces of legislation, another basic requirement for the processing of personal data is that the Data Subject must give their consent to it. Under the Bahraini law this basic requirement is set out in articles 4 and 5; in the Saudi law it is set out by Article 5; and the UAE law states that processing without consent is forbidden under Article 4.
However, all three laws indicate that there are exceptions and other conditions attached to the requirement for consent, and here each law starts to diverge once again.
Key Differences – Exceptions and special conditions regarding Consent
The Bahraini law has two sets of exceptions regarding consent – the first, under article 4, concerns Personal Data in general, whereas article 5 concerns Sensitive Personal Data specifically. Under article 4, a Data Subject’s consent is not required when the processing in question is necessary for the performance of a contract to which the subject is a party or when steps are being taken at the subject’s request to enter into a contract, or when the processing is necessary in order to meet a non-contractual legal or judicial requirement. Additionally, consent is not required if the vital interests of the subject are at stake or if the processor is pursuing the subject’s legitimate interests, or those of a third party to whom their data has been disclosed, provided that this is not in conflict with the subject’s rights and interests.
Under Article 5, the list of exceptions to consent in regards to Sensitive Personal Data is more extensive. Consent is not required when processing is required for the Controller’s obligations under the law, where it is necessary for the protection of an individual where the Data Subject is not capable of giving their consent, when the Data Subject has made the data in question publicly available, or when processing is necessary for reasons of legal claims or defenses, or for healthcare. Consent is also not required for processing relating to the activities of associations or unions, provided that it is necessary only for reasons relating to the association in question, that the data relates solely to members of the body or people with close relations to the body, and that the data is not disclosed to any other person without the subject’s consent. The final exceptions are saved for public bodies carrying out their duties as prescribed by law, and for data relating to racial, religious or ethnic status when such data is being used to determine the need for equality of opportunity and treatment, but only if such processing is carried out with appropriate safeguards in place.
Article 6 also makes it clear that articles 4 and 5 don’t apply to the processing of personal data if the data in question is being used for purposes relating to the press, arts or literature, provided that the information is accurate, is safeguarded against being used for other reasons and is otherwise consistent with other Bahraini laws covering these areas.
The clauses in the Saudi law governing the same principles are much shorter and, as such, more restrictive compared to the Bahraini law. Under Article 6, the only exceptions to the requirement of consent for either processing data or changing the purpose for which data is processed are when the Data Subject’s best interests are being worked towards and they cannot be contacted, when the processing is necessary to fulfil either a law or a separate agreement to which the subject is party, or for security purposes when the Controller is a public entity. Article 7 also inserts an additional stipulation that consent to processing cannot be made a precondition for the provision of a service or benefit, unless the processing in question is necessary for that same service or benefit. An additional exception is listed under article 27, which allows for the use of data without consent for scientific, statistical or research purposes, so long as the data does not contain any identifying information, is destroyed after processing if it does, or the processing in question is required under another law or to perform a contract to which the Subject is a party.
The UAE law is less restrictive than the Saudi law in regards to consent though not quite as permissive as the Bahraini law. Both the general rule of consent and the exceptions thereof are contained in Article 4. The requirement for consent is disapplied when the processing is necessary to protect the public interest or public health, where the information is already publicly known, in cases involving legal proceedings or security matters, when the processing is for healthcare reasons, if the processing is necessary to protect the subject’s interests, if the processing is required to perform a contract, or amending or terminating one by the subject’s request, plus any processing necessary to fulfil any other UAE laws.
Key similarity – Special PD Officers
While each piece of legislation approaches it in a different way, each touches on the potential for Controllers to employ a special officer to oversee matters pertaining to Personal Data security. The Bahraini legislation refers to this person as a Data Protection Guardian, whereas the UAE law refers to them as a Data Protection Officer. Under Saudi law, this person is referred to as a Personal Data Protection Officer, though notably there is no clause in the Saudi PDPL itself – this is instead prescribed in the attendant regulations to the law, published separately. However, despite the differences in nomenclature and their positioning within the legislation, it should be noted that in all three cases the role prescribed for this individual is, broadly speaking, very similar – to ensure compliance with the terms of the relevant law, to maintain a high degree of knowledge and expertise in the area of data protection, to liaise between Controllers and the relevant data authority in each territory, and to protect the rights of the relevant Data Subjects.
Key difference – requirement to appoint a data officer
While the duties of this special officer are very similar under each of the laws, the requirement for a Data Controller to actually appoint one varies according to which legislation applies. In Bahrain, the phrasing under Article 10, which governs the duties and need for a Guardian, seems to imply that appointing one is optional, stating that a Controller “may” choose to appoint one. However, the same clause states that the board of the Personal Data Protection Authority has the power to make it mandatory for certain classes of Data Controllers to appoint a Guardian in the future – attention must be paid to the decisions of the Authority to determine if this becomes the case.
Under the phrasing of Article 32 of the Saudi law’s regulations, which states that a Controller “shall” appoint one or more of its employees to a PDPO position, it is implied that appointing an officer is mandatory, though the same clause also states that the Saudi Data and Artificial Intelligence Authority shall assess the need to appoint such an officer based on certain factors, seeming to imply that this requirement may be relaxed in the future. Again, attention to the decisions of the Saudi data authorities will be required, though it seems that during the early days of the Saudi PDPL being in effect, it will be best practice for all corporate Data Controllers to appoint a PDPO.
The UAE legislation has the clearest-cut requirements for a Data Protection Officer, flatly stating that one is required when Processing would cause a high degree of risk to confidentiality, if any comprehensive assessment or analysis on any amount of Sensitive Personal Data is to be carried out, or if a large amount of Sensitive Personal Data is to be processed. What counts as a large amount may be difficult to define, as is what might count as “comprehensive” processing, but it would seem to be wise to have a Data Protection Officer in place if a Controller in the UAE is to deal with Sensitive Personal Data at all.
Key similarity – rights of objection and request
Under all three versions of the law, Data Subjects are allocated various rights to the use and treatment of their data, though it should be noted that under the Saudi law this is once again primarily governed by the Regulations rather than the law itself.
The main parallels between all three laws are that a Data Subject typically has a right to object to certain types of processing, in particular uses involving direct marketing – these are covered by articles 19 and 20 of the Bahraini law, while the Saudi law requires the destruction of data if the Subject requests it when that data is to be used for direct marketing purposes, and article 17 of the UAE law requires Processing to cease if the data is for direct marketing and the Subject requests it. Furthermore, all three laws have a basic requirement to allow Data Subjects to access their data or copies thereof upon request, and to correct or erase information when requested under certain circumstances, particularly when that data is not being processed in accordance with the relevant law. Data Subjects also have the right to request information on Data Controllers, the parties to which they intend to distribute the information, and the methods of processing.
The Saudi Regulations make a special case for when new and emerging technologies are used, such as artificial intelligence. In such a case, the Subject also has a right to request more specific details of the mechanisms used in clear-cut language, the periods for which the data is to be kept and the contact details of the Personal Data Protection Officer, if applicable.
Key difference - duty of confidentiality
The rules regarding disclosure under the Bahraini law are rigidly defined under article 9 – without the consent of the Data Subject or a judicial order, personal data cannot be disclosed to third parties. Additionally, any data kept in breach of this law must not be processed, and, in addition to the disclosure of data being subject to the consent of the Subject, any data disclosed by a third party cannot be processed without the further consent of the original Data Controller. Third parties in receipt of a disclosure also cannot use the data for the benefit of themselves or others, with this prohibition remaining in place in perpetuity, even beyond the end of any employment or contractual relationship that might have led to them possessing the data.
While the Saudi law maintains this general rule of non-disclosure under article 15, it is more permissive in terms of the exceptions it provides. In addition to allowing disclosure if the Subject consents to it, or to fulfil judicial requirements as in the Bahraini law, disclosure is also allowed if the data was obtained from publicly available sources, if it is required to protect public health or safety or the lives of other individuals, or if the data disclosed does not contain any identifying data.
However, under article 16, there are exceptions to these exceptions – even if the requirements for an exception are met and complied with, disclosure is expressly forbidden if it poses a security threat, threatens to damage Saudi Arabia’s standing with another country, prevents the detection of a crime or otherwise impacts the integrity of judicial proceedings or the rights of an accused in a judicial case, endangers the safety of one or more individuals, violates the privacy of a party other than the Data Subject, conflicts with the interests of a legally incompetent or deficient person, if disclosure amounts to a breach of a professional or contractual obligation, or discloses a confidential information source against the public interest.
The effect of these counter-exceptions is to bring this part of the Saudi law back round to being quite restrictive, especially when it comes to material that could be considered politically or socially sensitive, and as such extra care must be taken in these scenarios.
The UAE law is somewhat unusual in that it does not contain any dedicated clause addressing disclosure, but this is not necessarily to say that the law is any more lax than the other two. If one returns to the definitions section of the legislation, it can be seen that the definition of the word “Consent” is given as the consent that is given by Data Subjects to allow third parties to process their personal data. As a reminder, under the UAE law “Processing” is defined as any operation performed on the data by any electronic means whatsoever. In that regard, digitally disclosing information still meets the definition of Processing under the UAE law, and as such all the general rules with regard to consent and the exceptions to that requirement under Article 4 of the law still apply, as detailed previously in this document.
Key similarity – rules regarding transfer to other territories in the UAE and Bahrain
As a matter of course when dealing with personal data in a modern environment that includes the internet and other forms of digital transfer of information, the transfer of data to overseas territories is a distinct likelihood. All three laws contend with this situation.
The Bahraini and UAE laws deal with the matter in much the same way, with two classes of such scenarios – those where the recipient territory has roughly equivalent data protection laws to those of Bahrain or the UAE, and those where it does not.
Under the Bahraini law, the general rule under article 12 is that data may not be transferred outside of the country, except in two specific cases. The first of these circumstances is when the country or territory that is to receive the data is one of those considered by the Personal Data Protection Authority to have sufficient legal safeguards, kept in a list maintained and updated by the Authority itself. This list is likely to include other GCC states with broadly equivalent legislation such as the Kingdom of Saudi Arabia and the UAE, the member states of the European Union subject to the GDPR (in addition to the United Kingdom, which has retained it post-Brexit) and other states with GDPR-influenced data laws. Other territories which have not recently enacted new laws or reform in regard to Personal Data, such as the United States, are likely to be left off the list, though it will be important to consult the Authority’s list frequently in order to check for updates.
There are two broad classes of exception to this rule – firstly, the Authority may authorize a transfer by a Controller to a territory not on the list on a case-by-case basis so long as it is satisfied that the data will be subject to adequate protection, having regard to the nature of the data being sent, the territory to which the data is being sent and the protection measures that will be in place there, and whether relevant international laws, treaties and other agreements are in place. Note that this approval may come with special conditions attached, including timing conditions.
The second class of exceptions to the rule comes under Article 13 of the law, in which a transfer to a non-listed territory is permitted when the Data Subject consents to the transfer, when the data has been compiled from a register created by law for the purpose of giving information to the public, or if the transfer is necessary for the creation or performance of a contract between the Controller and Subject, the performance of a contract between the Controller and a third party in the interests of the Subject, complying with a law or judicial instruction, or preparing or pursuing a legal claim or defense.
The UAE law adopts much the same approach as Bahrain. Under article 22, it is stated that where the UAE Data Office is satisfied that the target country has sufficient data protection laws in place, transfers to that territory are authorized – the countries likely to be considered sufficient in this regard are most likely extremely similar to those of Bahrain, but it should go without saying that it would be prudent to consult UAE Data Office sources first. Under the same article, it is also permitted to transfer data to territories where the UAE has relevant bilateral or multilateral agreements in place with the country or countries to which the transfer takes place – again, consulting Data Office sources as to which countries enjoy the benefit of such treaties is prudent.
To all other territories, the rules under article 23 apply – this article provides a series of scenarios in which transfers to other countries may be made, with the strong implication that all other transfers are prohibited. These scenarios include when a contract or agreement is established which obligates the recipient in the recipient territory to implement protections consistent with the rules of the PDPL, if express consent to the transfer is given by the Data Subject, if the transfer is necessary to fulfil judicial obligations or a contract (similar to the exceptions under Bahraini law), or if the transfer is necessary for international judicial cooperation or to protect the public interest.
Key Difference – transfers of data outside of Saudi Arabia
The approach to the transfer of data outside of the host territory is different in the Saudi law, under article 29 – it introduces the primary unrestricted exceptions to the rule up front and follows them with a hard ultimatum: unless the transfer protects the life or vital interests of the Data Subject, or is needed to examine or treat an infection, the general rule is that transfer of Personal Data outside of the Kingdom is strictly prohibited.
The few extra exceptions to this are much more heavily restricted than they are under the Bahraini and UAE laws. Transfers outside of Saudi Arabia must meet an obligation under an international agreement or serve the Kingdom’s interests, and even in this restricted case the transfer must not harm Saudi Arabia’s national or security interests, sufficient guarantees as to the data’s security must be given, the transfer of personal data shall be restricted to the bare minimum necessary, and the Saudi Data and Artificial Intelligence Authority must authorize each transfer.
The article does also make an exception, similar to the Bahraini and UAE laws, which states that transfers to states that have sufficient data protection legislation in place may be permitted, but even this is considerably more restrictive than the other two laws in that even these transfers must be approved on a case-by-case basis by the Authority, and in any case must not include any sensitive data. No allowance whatsoever is made for territories that are not considered to have adequate protections. It must be emphasized that this additional level of restrictiveness with regard to international data transfers goes above and beyond what is normal for this kind of legislation and could betray serious security concerns on the part of the Saudi government – as such, anyone handling personal data in Saudi Arabia should exercise extreme caution when it comes to the transfer of such data outside of the country.
Liability
With the key obligations and duties imposed by the law established, it is important to establish the potential penalties for breach of each law.
Under the Bahraini law, civil and criminal liability may be established separately. Civil liability is simple – under article 57, any party who suffers damage as a result of a breach of the law by a Data Controller or Data Guardian may seek fitting compensation in civil proceedings.
Of course, this is not likely to have any impact on the additional criminal penalties relevant to Data Controllers, which do not prejudice any other criminal penalties involved if the commission of a breach of the PDPL accompanies a breach of any other law. In all cases, a fine of a minimum of 1000 Bahraini Dinars and a maximum of 20,000 Dinars may be imposed, as well as a jail sentence of up to a year. Note that when offenses are committed by a legal personality like a company instead of by a specific individual, any total fine issued may be doubled if the offense was committed through the acts or omissions of any member of the relevant board of directors for the legal personality’s benefit.
Penalties in Saudi Arabia are potentially more severe. In addition to any civil liability incurred under article 40 for physical or moral damages suffered by any party as a result of a breach, several harsh criminal penalties are prescribed for breaches. Under article 35, anyone who discloses or publishes Sensitive Personal Data in breach of the law and with the intent to harm the Data Subject or achieve any personal benefit is subject to one or both of a fine of up to 3 million Saudi Riyals or a jail sentence of up to two years. Anyone who transfers data outside of Saudi Arabia in breach of article 29 is subject to a fine of up to 1 million riyals and/or a jail sentence of up to 1 year.
Under the terms of Article 36, any other offenses are dealt with either by the issuing of a warning, or a fine of up to 5 million riyals. Note that fines for repeat offenses may be doubled, up to an absolute maximum of 10 million riyals.
The UAE law, as of now, has declined to include any concrete penalties in the law itself, instead deferring to the UAE Data Office to establish the specific penalties for breaches in future published regulations under article 26 – however, it would be prudent to expect penalties for breach to be steep, in keeping with the other two laws. The fact that this new law was created in the first place indicates that the UAE is willing to take data security seriously, and as such it should be expected that it will also take violations of the law seriously.
Conclusion
While each of these laws represents a solid degree of normalization of data protection rules across the GCC and Middle East region, there is a good degree of difference between each law – some differences are very striking, while others are more subtle, but even some of the subtle differences, such as the differences between what is considered Sensitive Personal Data in each jurisdiction, could have profound consequences for the potential liability of anyone dealing with Personal Data, and as such it is important for such companies and individuals to tread very carefully and take their obligations very seriously. Note also, however, that while all three of these laws have now been passed, the legal lay of the land should still be considered to be in a state of flux, as much of it is dependent on additional regulation that is still potentially subject to change. This legislation is a new frontier for those who have been resident in each jurisdiction until now, but even those familiar with other similar legislation such as the GDPR should watch their step in the near future, as it is just as likely that these laws will pose as much of a challenge for the governments that created them and the new authorities they have created to enforce them as they will to the people and companies that will be subject to them.