Presentation on theme: "AN OVERVIEW OF DATA PROTECTION LAW IN THE GCC NICK OCONNELL, Senior Associate – TMT JUNE 2013."— Presentation transcript:
AN OVERVIEW OF DATA PROTECTION LAW IN THE GCC NICK OCONNELL, Senior Associate – TMT JUNE 2013
1 DATA PROTECTION QUERIES: TYPICAL SCENARIOS General compliance with global corporate policies Transfer of employee data to centralised HR/pension function located abroad Disclosure of employee information in M&A context Collection and use of client information for marketing Release of information in response to requests from authorities (including foreign authorities)
2 DATA PROTECTION LANDSCAPE IN THE GCC No pan-GCC laws governing data protection No national laws specifically focussing on data protection
3 DATA PROTECTION LANDSCAPE IN THE GCC Broad provisions protecting privacy generally: – eg. Constitutional protection – eg. Criminal law protection UAE Penal Code, Article 379: "… any individual who by reason of his profession, craft, situation or art is entrusted with a secret and who discloses it in cases other than those permitted by the law, who uses it for his own advantage or another person's advantage … Shall be punishable by confinement for a minimum period of one year and by a fine of at least twenty thousand dirhams or by one of these two penalties … all this unless the individual to whom the secret pertains has consented that it be disclosed or used. All the GCC countries have provisions of this nature.
4 DATA PROTECTION QUERIES: TYPICAL SCENARIOS General compliance with global corporate policies Transfer of employee data to centralised HR/pension function located abroad Disclosure of employee information in M&A context Collection and use of client information for marketing Release of information in response to requests from authorities (including foreign authorities)
5 DATA PROTECTION LANDSCAPE IN THE GCC Specific provisions protecting personal data (or privacy) in certain contexts: – eg. patient data; health insurance information – eg. credit information – eg. telecommunications; spam – eg. hacking; defamation; breach of privacy Specific data protection laws/regulations applicable in specific local jurisdictions: – eg. DIFC, DHCC, QFC
6 Oman: Electronic Transactions Law (Royal Decree 69/2008) Article 45: – Any person who controls any personal data by virtue of his job in electronic transactions shall, before processing such data, notify the person from whom it is collected by a designated notice of the procedure he is following to protect that data. These procedures shall include an identification of the person responsible for processing the data, the nature of the data, and the purpose, methods and locations of processing and all information necessary to ensure secured data processing Subsequent provisions of the law provide for: – the data subject to access and update personal information, – a restriction on a data controllers ability to process personal information if such processing will cause damage to the data subject, – the requirement to consider the security of personal data being transferred outside Oman.
7 Qatar: Electronic Commerce and Transactions Law (No. 16 of 2010) Article 59: The service provider shall: – Shall identify, at or before collection of such information, the purposes for which personal information about the customer is collected; – Shall not (except as permitted or required by law, or with the consent of the data subject) collect, use, retain or disclose customer personal information for undisclosed or unauthorised purposes; – Shall be responsible for any records of customer personal information or any records of customer electronic communications, in the custody or control of the service provider or its agents; – Shall take reasonable steps to ensure that the personal information of the customer and related records are protected by security safeguards that are appropriate to their importance.
8 DATA PROTECTION IN THE GCC: WHAT NEXT? Qatar – draft Personal Information Privacy Protection Law? UAE? Elsewhere in the GCC?