
Privacy and data protection legislation in the Arab world

Writer:
Regina El Ahmadieh

According to the United Kingdom's Data Protection Act of 1998, data protection means securing the personal information of individuals, establishing policies for its processing, and giving individuals the right to obtain what organizations, institutions and governments hold about them.

Laws regulating privacy around the world and degrees of penalties

Information privacy laws, or data protection laws, prevent the disclosure or misuse of information about individuals. More than 80 independent countries and territories, including almost every country in Europe and many countries in Latin America, the Caribbean, Asia and Africa, have adopted comprehensive data protection laws.

  1. The EU data protection regulation GDPR, in force since 2018, includes the following main principles:
  • Data should only be collected for a stated purpose
  • Data collected on individuals must not be disclosed to other organizations or individuals unless permitted by law or with the consent of those concerned
  • Records collected about individuals must be accurate and current
  • A mechanism must be designed to review the data collected about individuals and verify its accuracy
  • The data must be deleted when the stated purpose for collecting it has ended
  • It is prohibited to transfer personal data to countries that do not enact personal information protection laws equivalent in strength and strictness to those of the first party
  • The collection of certain highly sensitive data (such as sexual orientation and religious denomination) is prohibited, unless strictly necessary
  2. The Children’s Online Privacy Protection Act (COPPA), which has been in effect since 2000, imposes certain conditions on operators of websites and online services directed to children under the age of 13, as well as on operators of other websites that collect personal information about children under that age.

In 2020, investigations by the US Federal Trade Commission (FTC) resulted in YouTube being fined $170 million and being required to implement the COPPA law, in addition to preventing the publication of any content that exploits children online.

 

Regulating laws in the Arab world

The Arab countries define personal data as “data related to a specific person, or who can be identified directly or indirectly by linking this data to any other data by name, voice, image, identification number, online identifier, or any other data identifying psychological, health, economic, cultural or social identity.”

It also covers the processing of data, which is defined as the technique of writing, collecting, recording, saving, storing, merging, displaying, sending, receiving, circulating, publishing, erasing, changing, modifying, retrieving or analyzing personal data, using any media, electronic or technical device, whether partially or completely.

 

As for the Gulf Cooperation Council countries (the coalition of Middle Eastern countries: Saudi Arabia, Kuwait, the Emirates, Qatar, Bahrain, and Oman), there is no direct general federal law. However, it would be incorrect to say that data protection or individual privacy is not regulated.

 

Various general laws cover aspects of “privacy” as follows:

Saudi Arabia

The Kingdom’s anti-cybercrime system punishes any person who acts illegally to access another person’s computer for the purpose of deleting, destroying, changing, or redistributing information, with a fine not exceeding 3,000,000 Saudi riyals or imprisonment for a period not exceeding four years, or both.

Anyone who accesses banking or credit information or any information related to securities in general shall be subject to a fine not exceeding 2,000,000 Saudi riyals or imprisonment for a period not exceeding three years, or both. 

An image from www.saudia.com showing the browser’s consent request to the privacy policy

 

The United Arab Emirates

Article 31 of the Constitution of the United Arab Emirates stipulates freedom of communication and guarantees its confidentiality in accordance with the law. The National Electronic Security Authority (NESA) ensures that data is stored, processed and transmitted in a secure manner that preserves privacy.

The city of Dubai is regulated by Healthcare Regulation No. 7 of 2008 AD, and data protection in the DIFC is regulated under DIFC Law No. 1 of 2007 AD (amended by DIFC Law No. 5 of 2012 AD) and the Data Protection Regulations (Consolidated Edition No. 2, in effect from 12/23/2012 AD).

The DIFC enforces the law and imposes penalties when a data controller does not comply with the regulation in a systematic manner and is held accountable according to the fines list.

 

Qatar

Article 37 of the Qatari Constitution stipulates that “the sanctity of a person’s privacy may not be violated, and therefore it is not permissible to interfere with his privacy, family affairs, place of residence, correspondence, or any act of interference that may degrade a person or distort his reputation.”

Personal Data Privacy Protection Law No. (13) of 2016 stipulates the following:

Article 4: The controller may process personal data only after obtaining the individual’s consent, unless the processing is necessary to achieve a legitimate purpose of the controller or the person to whom the data is sent.

Article 5: An individual may, at any time:

  1. Withdraw his previous consent to the processing of his personal data.
  2. Object to the processing of his personal data if it is not necessary to achieve the purposes for which it was collected, or is in excess of its requirements, or is discriminatory, unfair, or in violation of the law.
  3. Request the deletion or erasure of his personal data in the cases referred to in the previous two clauses, or when the purpose for which that data was processed has ended, or if there is no justification for the controller to retain it.
  4. Request to correct his personal data, attaching proof of the validity of his request.

Article 6: The individual has the right to access his personal data and request review of it at any time, from any controller. He also has the right to:

  1. Be notified of the processing of his personal data and the purposes for which such processing is carried out.
  2. Be notified of any disclosure of inaccurate personal data about him.
  3. Obtain a copy of his personal data after paying an amount not exceeding the cost of the service.

Without prejudice to any more severe penalty stipulated by another law, anyone who violates any of the provisions of the articles shall be punished with a fine not exceeding one million (1,000,000) riyals.

 

Egypt: Personal Data Protection Law No. 151 of 2020

Every holder, controller, or processor shall be punished with a fine of not less than one hundred thousand pounds, for collecting, treating, disclosing, making available, or trading electronically processed personal data by any means other than those authorized by law or without the consent of the person who receives the data.

The penalty shall be imprisonment for a period of not less than six months and a fine of not less than two hundred thousand pounds and not exceeding two million pounds, or one of these two penalties, if this is committed in exchange for obtaining a material or moral benefit, or with the intention of exposing the person concerned with the data to danger or harm.

 

Impact of the General Data Protection Regulation (GDPR) in the Middle East

Data protection law in all 28 European Union countries defines and imposes strict new rules on the monitoring and processing of clearly identified personal information, ensuring that data privacy and information are kept secure. It returns control to the people of the European Union.

GDPR will improve accountability and governance because it is comprehensive and stringent, and the penalty can be up to 4% of a company’s total annual turnover. The regulation has provisions covering, for example but not limited to, appointment of representatives, penalties, notifications and data breaches, accountability, data protection officers and individual rights. The law has been effective since May 25, 2018.

According to the law, if any company in the Middle East conducts operations on the data of Europeans or EU residents, it must, regardless of its location, improve its software and servers to provide and enhance security and monitoring for customers. This means increased financial impacts on the company in terms of software, equipment and hiring human resources for compliance.

Businesses will need to establish internal compliance processes for all employees to align with the GDPR. The relevant representatives will inform the legal authorities.

As for companies, they must raise the level of their offers and projects to give customers full control over their data. The impact of the General Data Protection Regulation can be seen in various industry sectors such as travel and tourism, automobiles, hospitals, hotels, the offshore development center, and the IT industry in general.

Middle East-based companies have to jump through costly, time-consuming and technically challenging hurdles such as facilitating “data portability”, “data storage”, “notifications” and “data control” to name a few.

Enterprise software solution providers have to evaluate the functionality of the application because their database consists of huge data about customers. Therefore, ensuring GDPR compliance may require significant adjustments and costs.

 

Technology approach to GDPR compliance

The basic principles of the GDPR are governance, legality, integrity and transparency, purpose definition, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability. These principles are essential to protect freedom and the right to privacy and ensure natural justice in all areas, including personal data.

Companies should evaluate and review whether the GDPR is applicable. Products and services should be improved. For example, to comply with the General Data Protection Regulation (GDPR). The solutions help achieve the required compliance in a hassle-free manner. It is a cloud email archiving solution and helps keep company emails secure and easily recoverable when needed, adhering to the “accountability” principles of the GDPR.

Cloud email solutions also provide cost-effective, global electronic collaboration tools and enable data management. These are products that set the industry standards when it comes to “data location,” “personal data,” and “sensitive personal data” as defined in the GDPR.  

Data is the new oil in the age of the Internet and digital transformation. Today, the exchange and transfer of information has become easy and takes many forms, while data protection and privacy have become a constant concern and the core of all information-related policies in any organization.

 
