Qatari Data Privacy

July 7, 2011

On 27 June 2011, the Supreme Council of Information and Communication Technology (ictQATAR) issued a public consultation and first draft of a new Personal Information Privacy Protection Law for Qatar. This is a highly significant development for lawyers, businesses and consumers in the region as it will be the first national data privacy law to be issued in the Middle East.  

Currently, personal information in most countries in the Middle East is poorly protected by a patchwork of confidentiality and secrecy laws. The new draft law includes protections for specific types of information, including personal information relating to children, location data and sensitive personal information (for example, information about religious affiliation or medical conditions). The new law will have a material impact on any Qatari person or organisation that collects, records, stores, uses or discloses personal information in electronic form.   

Application 

Personal information is defined in the draft law as information about an individual whose identity is apparent or can reasonably be ascertained from that information, together with any information (including location data) that can reasonably be linked to a specific individual, whether or not that individual can be identified from it. This second limb makes the scope of the draft law somewhat broader than typical data privacy laws elsewhere, which tend to focus solely on personally identifiable information, although some of those narrower definitions are being interpreted more widely by local regulators to increase the protection afforded to individuals.

The specific reference to location data (which covers not only an individual’s latitude and longitude but also their direction of travel and the time at which the location was recorded) addresses a matter of rising importance, given the increasingly sophisticated capabilities of smartphones and other devices and applications to capture, store and use this type of information. The recent publicity concerning the ‘hidden’ location tracking file in iOS, Apple’s mobile operating system, probably contributed to ictQATAR’s decision to legislate specifically on the use of such data. Although location data is not directly addressed under current European privacy rules, the influential Article 29 Working Party has identified a key privacy risk in the intimate link between a mobile device and its owner or user. In May 2011 the Working Party released an Opinion recommending that geolocation data be considered ‘personal data’ and therefore fall directly within the scope of the European Data Protection Directive. The national laws of some EEA Member States, or their regulators, also impose conditions on the use of such data. For example, German law requires telecommunications service providers to obtain users’ consent to the use of location data for any purpose other than the provision of the service, and the Commission Nationale de l’Informatique et des Libertés (CNIL) in France has published guidance on the collection of geolocation and other personal data from WiFi access points, emphasising the need to inform users of the nature of the data collected and of any transfers of such data. Both the German law and the French guidelines require that individuals be given the opportunity to block or delete geolocation data.

It is interesting to note that the draft law applies only to the electronic processing of personal information about an individual (or its collection in any form for the purposes of electronic processing). In other countries, data privacy laws often extend to manually processed data; for example, the UK’s Data Protection Act 1998 applies to manual data held in a ‘relevant filing system’ and privacy laws in Canada apply to personal data regardless of the medium in which it is collected, recorded or stored. As currently drafted, the new law in Qatar would not cover the collection and storage of paper records, despite the fact that sensitive personal information may exist in a hard copy format. The law also does not apply to the processing of information for private or domestic use. 

The draft law is stated to apply to the processing of personal information ‘by or on behalf of any owner established in the State of Qatar, wherever such processing takes place’. An ‘owner’ is a person that processes personal information for their own purposes. The question of whether a person is ‘established’ in Qatar is not definitively determined under existing local laws, although it could be concluded from the Commercial Register Law that an entity must be registered with a registering body (such as the Ministry of Business and Trade or Qatar Financial Centre) to be established. Additionally, certain tax legislation introduced in Qatar last year provides for registration with the Ministry of Finance as ‘permanent establishment’ in order to avoid withholding tax. In this case, a tax card would be issued so it might be concluded from this that a party holding a tax card would be ‘established’ for the purposes of the data privacy law.  

However the question of establishment is ultimately resolved in practice, it is certain that the law will not apply to all processing of personal information that takes place in Qatar, and that it will apply to processing by Qatari entities outside the borders of the State. This creates a significant gap that is inconsistent with the Canadian and European approach: in those jurisdictions, a person or entity that processes information from within the jurisdiction is subject to the law whether or not it is ‘established’ there. As for the activities of local entities outside the jurisdiction, other small economies have had to interpret their data privacy legislation carefully in order to avoid undue extraterritorial effects. For example, the Hong Kong Personal Data (Privacy) Ordinance has been interpreted as having no extraterritorial effect that would restrict the activities of Hong Kong entities outside Hong Kong where there is no impact on Hong Kong data subjects. It is unclear whether a similar approach would be adopted in Qatar.

Key features 

Many of the core principles of the draft law will be familiar to lawyers and companies used to applying and working under data privacy regimes in Europe and other parts of the world; for example, the obligation to process information fairly, rights of access for individuals and the need for owners to implement appropriate safeguards to protect information against loss or unauthorised disclosure are all fairly standard. There are also a number of more contemporary concepts that ictQATAR has incorporated into the draft as it seeks to ‘break new ground in addressing the current challenges of the Information Age’.[1]  

Accountability 

Organisations processing personal data will be obliged to ‘implement and enforce appropriate and effective accountability measures’ to ensure the protection of personal data. They must also verify that these measures have been implemented and maintain appropriate evidence. 

The law is not prescriptive and therefore allows some flexibility for organisations to determine these accountability measures. However, there is a non-exhaustive list of possible measures including the conduct of privacy reviews before introducing new processing operations, the preparation of privacy policies, assigning personnel with responsibility for ensuring compliance, training and educating staff in the protection of personal information, setting up internal procedures and using technology to enable individuals to have direct access to their personal information.  

While some of these measures are regarded as good practice for many organisations complying with existing data protection regimes around the world, Qatar’s draft law goes further than some others by specifically incorporating accountability as a legal principle. In this regard, it seems that Qatar has incorporated measures along the lines of the Canadian Standards Association’s principle of accountability that was specifically adopted and incorporated into Canadian federal privacy legislation. 

Privacy by design

There is an article in the draft law obliging owners to take account of the law in all stages of the design and development of products, systems and services that involve or are likely to involve the processing of personal information. This is referred to in the consultation paper as ‘privacy by design’ and is a principle not generally incorporated into other legislation at present. The principle of privacy by design is to ensure that data protection compliance is designed into systems from the outset and it is a bold move by ictQATAR to try and instil a pervading privacy culture into a jurisdiction that has historically lacked any national laws in this area. 

Personal information of children 

The draft law includes specific obligations on web site operators that know, or should reasonably have been aware, that they are processing personal information from or about an individual under 16 years old. Any such operator must include notices on the web site about the information processed and how it is used, and is required to obtain express parental consent before processing such information. Similar child protection legislation already exists in the US (the Children’s Online Privacy Protection Act). In the draft Qatari law, the Supreme Council has a discretion to exempt individual web sites or categories of web sites for child protection or welfare purposes.

Positive notification of breach 

Qatar’s draft law addresses the current concerns in some jurisdictions around incidents of data loss by providing that owners must notify individuals whose personal information has been or is reasonably believed to have been acquired by an unauthorised person. There is no obligation in the draft law to notify the regulator, which is something that other regimes such as Europe and Australia appear to be moving towards. However, the positive obligation to notify each individual is potentially onerous on corporate entities holding the data of thousands of individuals. There is no specified form of notice and it remains to be seen whether this could be achieved through a mass mailing or newspaper advertisement where appropriate. It is also worth noting that owners holding large amounts of personal information should be implementing higher standards of security in any case: the law requires that the nature and extent of safeguards for personal information should take into account the potential loss or harm that a breach of security would cause. 

Any person processing information on behalf of an owner will also be caught by obligations in the law to implement appropriate safeguards to protect personal information and to notify an owner if there has been, or it is reasonably believed that there has been, a breach of security.


Transborder data flows 

The European and Australian models of data privacy place restrictions on the export of data outside certain borders unless the party exporting the data complies with certain conditions. Other countries incorporate a less prescriptive requirement on the data exporter to ensure that a comparable level of protection will be given to the data as would be enjoyed in that country. The latter approach is taken by Canada, for example, where there also needs to be some disclosure of the fact that the information will be transferred outside of the country. However, there is no need in Canada to register or to obtain any approval from Privacy Commissioners before exporting data.  

The draft law for Qatar goes further than either of these approaches by stating that an owner of personal information will refrain from restricting transborder data flows, except where the processing would breach the law and cause significant damage to individuals’ privacy rights. As currently drafted the emphasis on actively encouraging cross-border transfers is more progressive than most other laws around the world. However, in practice, it is possible to envisage that this might develop into a European-style model if the local regulator decides to issue determinations on particular jurisdictions that do (or do not) have regimes that protect the privacy rights of individuals.   

E-mail marketing 

The draft law creates a new opt-in rule for direct marketing by e-mail. An individual’s consent to direct marketing must be obtained and marketing e-mails must clearly show the identity of the sender, show that it is being sent for the purposes of direct marketing and provide a valid unsubscribe or ‘opt-out’ mechanism. There is also a less restrictive regime to allow direct marketing by e-mail to existing customers for related matters. This is broadly equivalent to the European and Canadian principle of ‘soft opt-in’ consent. 

Enforcement and penalties

The Supreme Council is responsible for implementation and enforcement of the law. To that end, the law provides for the establishment by the Supreme Council of an Information Protection and Privacy Office within ictQATAR. The employees of the Supreme Council have the power to enter premises, access records and documents, and seize any property or materials as they deem necessary to prove any criminal offence under the law. 

Unauthorised accessing, disclosing or processing of personal information is deemed a criminal offence along with knowingly obstructing the Supreme Council during an investigation and breaching a determination issued by the Supreme Council. Each offence is punishable by up to two years’ imprisonment and a fine of up to QAR 300,000 (approximately US$82,000). Individuals responsible for managing companies that commit such an offence face the same penalties. 

What next? 

ictQATAR’s consultation on the draft law will be open until 11 August 2011. Thereafter, it will review the comments and update the draft law as it thinks appropriate. The updated draft will then be submitted to the relevant authorities and stakeholders in Qatar for review and evaluation before the final law is published and becomes effective. 

This consultation and publication of a draft law clearly position Qatar as a first mover in the field of privacy legislation among the Middle East states. If this law, its procedural mechanisms and the data privacy culture it creates are deemed by the European Commission to offer an adequate level of protection for the rights of individuals in relation to their personal data, Qatar could qualify as an approved destination for data processing allowing an easier flow of data and business between Europe and Qatar.  

To the extent that the governments of other countries in the region were not already considering their own data protection laws, many are likely to be accelerating those processes as the Middle East continues to modernise and develop its legislative and procedural frameworks. 

Dino Wilkinson is a partner in the communications, media and technology team of international legal practice Norton Rose Group based in Abu Dhabi. He worked in London for a number of years before relocating to the Middle East and has advised international businesses on data privacy and security issues.

[1] Personal Information Privacy Protection Law for Qatar: First Draft – ictQATAR Consultation Document, 27 June 2011