Support Centre

Middle East


In a significant development within the State of Kuwait's regulatory landscape, the Communication and Information Technology Regulatory Authority (CITRA) has taken decisive steps to fortify data protection measures in the realm of telecom and IT services. Under Decision No. 26 of 2024, CITRA introduced a new set of Data Privacy Protection Regulations (the Regulations), effectively replacing the prior regulations. Concurrently, CITRA has repealed its former Data Classification Policy under Decision No. 34 of 2024, signaling a strategic shift towards more comprehensive safeguards for sensitive information.

This proactive update reflects CITRA's recognition of the growing need for strong data security measures as Kuwait's telecom and IT sectors expand. These regulatory changes also match Kuwait's big-picture plan for progress outlined in the New Kuwait 2035 strategy, emphasizing a focused push for better technology resilience and privacy standards in the country's digital world. Asad Ahmad and Salma Farouq, of GLA & Company, discuss the Regulations, highlighting the key provisions that individuals and entities should be aware of.

On December 18, 2023, in order to mitigate risks and address challenges arising from the artificial intelligence (AI) field, the Israeli Ministry of Innovation, Science, and Technology, together with the Ministry of Justice, published a final AI Policy detailing the policy principles of regulation and ethics for the development and use of AI systems in the private sector in Israel.

In this Insight article, Dalit Ben-Israel and Lior Haliva Wasserstein, of Naschitz Brandes Amir, review the AI Policy's findings in the field of data protection, outline the emerging challenges, examine the application of existing law, and explore the principles that the AI Policy seeks to adopt in this context.

Part one of this comparison outlined the differences in the scope, definitions, and legal bases for processing between the Jordanian Personal Data Protection Act 2023 (JPDPA) and the General Data Protection Regulation (GDPR). In part two of the comparison between the two laws, Mariana Abudayah, of Nsair & Partners – Lawyers, explores the differences in controller and processor obligations, data subject rights, and enforcement for a better understanding of the two frameworks. This article will also consider the unique challenges and compliance considerations that companies and organizations may encounter.

On September 17, 2023, the Jordanian Personal Data Protection Act 2023 (JPDPA), which regulates privacy in Jordan, was issued and entered into force on March 17, 2024. In issuing the JPDPA, Jordan has become one of the leading countries in the Middle East and North Africa (MENA) region to regulate and govern personal information protection rules and regulations. The JPDPA resembles the General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, aiming to protect individuals' privacy and personal data in light of economic, business, and commercial rapid growth.  

However, in examining both the GDPR and the JPDPA, it becomes evident that while both regulations share the common goal of protecting individuals' data protection, privacy, and security, there are distinguished differences in their methods, scope, and implementation. In part one of this comparative series, Mariana Abudayah, of Nsair & Partners – Lawyers, explores the differences in the scope, definitions, and legal bases for processing to gain an inclusive and better understanding of the two frameworks.  

In this Insight article, Nick O'Connell and Fatma Al Zadjali, from Al Tamimi & Company, delve into Oman's recent strides in data protection, highlighting the significance of the newly revealed Executive Regulation (the Regulation) of the Omani Personal Data Protection Law (PDPL).

The term 'direct marketing' refers to business practices whereby businesses sell, promote, or advertise their products or services directly to members of the public through means such as SMS, telephone, or email. In the UAE, there is a range of spam and privacy legislation and regulations that specifically restrict direct marketing practices. The UAE has a multi-territorial, multi-jurisdictional legal system that encompasses the federal legislature as well as so-called 'free zones,' which are special economic zones with their own company and commercial laws specifically applicable for companies incorporated within the respective free zone. Nick O'Connell, Andrew Fawcett, and Darya Ghasemzadeh, from Al Tamimi & Company, provide an overview of the federal regulations, as well as specific legislation in some of the UAE's free zones.   

In this Insight article, Maher Ghalloussi and Lucrezia Lorenzini, from Baker McKenzie LLP, delve into the significant amendments made to the Dubai International Financial Center (DIFC) Data Protection Law No. 5 of 2020 (the Data Protection Law). The updates aim to enhance data protection practices, with a focus on regulating the processing of personal data through autonomous and semi-autonomous systems, marking a pioneering move in the Middle East.

The Qatar Financial Centre (QFC) as an independent regulatory jurisdiction has undergone a transformative journey to safeguard personal data in the developing landscape of finance and technology sectors over the years. In the initial regulations that were enacted in 2005, the scope was relatively broad, but this has since been refined in the 2021 amendments that came into force on June 19, 2022 (New DPR).

The amendments in the New DPR aim to bring the existing Data Protection Regulations (the 2021 Regulations) to the standards of the General Data Protection Regulations (GDPR), which ultimately obliges businesses operating from the QFC to be more diligent in their data compliance practices. The New DPR also ensures proper monitoring and regulation of QFC firms in the context of data protection. Dorina Drowniak, from Dentons, reviews the most recent amendments to the 2021 Regulations and how firms can ensure they stay compliant.  

Jordan is considered one of the leading countries in the MENA region to regulate personal information protection rules, as of September 17, 2023, the Jordanian Data Protection Law (the Law) is published in the Official Gazette, and according to the Law, it shall be effective after six months of being published, i.e on March 17, 2024. In this Insight article, Mariana Abudayah delves into the main and key points mentioned in the Law.

In this Insight article, Anne-Caroline Albrecht, Partner at Bonnard Lawson, Dubai, explores the evolving landscape of international data protection, with a focus on the Dubai International Financial Centre's (DIFC) pioneering efforts and its recent assessment of California's Data Protection Regime.

With the entry into force of the Personal Data Protection Law (PDPL), the Implementing Regulations of the PDPL (Implementing Regulations) (only available in Arabic here), and the Regulation on Personal Data Transfer (Transfer Regulations) (only available in Arabic here), the Kingdom of Saudi Arabia has adopted a comprehensive regulatory framework governing the processing of personal data.

Overall, the regulatory framework is a successful accomplishment for the Kingdom. Although formal guidelines and opinions are expected from the competent authorities, the enacted framework projects the Kingdom among those jurisdictions equipped with advanced data protection legislation, which resonates with most of the key principles and best practices adopted in other key jurisdictions. 

In this Insight article, Gianluca de Feo, Lawyer at AX Law, highlights some of the most significant practical aspects and key takeaways from the Implementing Regulations and the Transfer Regulations.

The Kingdom of Saudi Arabia (KSA) has revamped its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act1 (the Telecoms Act) and the publication of implementing regulations to support the new law. Dino Wilkinson, Masha Ooijevaar, Shamma Sied, and Ken Wong, from Clyde & Co, take a look at the provisions of the Telecoms Act, how it differs from previous legislation, and what companies need to consider.