Middle East


The Jordanian Personal Data Protection Act 2023 (JPDPA), which regulates privacy in Jordan, was issued on September 17, 2023, and entered into force on March 17, 2024. In issuing the JPDPA, Jordan has become one of the leading countries in the Middle East and North Africa (MENA) region to regulate and govern personal information protection rules and regulations. The JPDPA resembles the General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, aiming to protect individuals' privacy and personal data in light of rapid economic, business, and commercial growth.

However, in examining both the GDPR and the JPDPA, it becomes evident that while both regulations share the common goal of protecting individuals' data, privacy, and security, there are distinct differences in their methods, scope, and implementation. In part one of this comparative series, Mariana Abudayah, of Nsair & Partners – Lawyers, explores the differences in the scope, definitions, and legal bases for processing to gain an inclusive and better understanding of the two frameworks.

In this Insight article, Nick O'Connell and Fatma Al Zadjali, from Al Tamimi & Company, delve into Oman's recent strides in data protection, highlighting the significance of the newly revealed Executive Regulation (the Regulation) of the Omani Personal Data Protection Law (PDPL).

The term 'direct marketing' refers to business practices whereby businesses sell, promote, or advertise their products or services directly to members of the public through means such as SMS, telephone, or email. In the UAE, there is a range of spam and privacy legislation and regulations that specifically restrict direct marketing practices. The UAE has a multi-territorial, multi-jurisdictional legal system that encompasses the federal legislature as well as so-called 'free zones,' which are special economic zones with their own company and commercial laws specifically applicable for companies incorporated within the respective free zone. Nick O'Connell, Andrew Fawcett, and Darya Ghasemzadeh, from Al Tamimi & Company, provide an overview of the federal regulations, as well as specific legislation in some of the UAE's free zones.   

In this Insight article, Maher Ghalloussi and Lucrezia Lorenzini, from Baker McKenzie LLP, delve into the significant amendments made to the Dubai International Financial Center (DIFC) Data Protection Law No. 5 of 2020 (the Data Protection Law). The updates aim to enhance data protection practices, with a focus on regulating the processing of personal data through autonomous and semi-autonomous systems, marking a pioneering move in the Middle East.

The Qatar Financial Centre (QFC) as an independent regulatory jurisdiction has undergone a transformative journey to safeguard personal data in the developing landscape of finance and technology sectors over the years. In the initial regulations that were enacted in 2005, the scope was relatively broad, but this has since been refined in the 2021 amendments that came into force on June 19, 2022 (New DPR).

The amendments in the New DPR aim to bring the existing Data Protection Regulations (the 2021 Regulations) to the standards of the General Data Protection Regulation (GDPR), which ultimately obliges businesses operating from the QFC to be more diligent in their data compliance practices. The New DPR also ensures proper monitoring and regulation of QFC firms in the context of data protection. Dorina Drowniak, from Dentons, reviews the most recent amendments to the 2021 Regulations and how firms can ensure they stay compliant.

Jordan is considered one of the leading countries in the MENA region to regulate personal information protection rules. On September 17, 2023, the Jordanian Data Protection Law (the Law) was published in the Official Gazette, and according to the Law, it shall be effective six months after being published, i.e. on March 17, 2024. In this Insight article, Mariana Abudayah delves into the key points of the Law.

In this Insight article, Anne-Caroline Albrecht, Partner at Bonnard Lawson, Dubai, explores the evolving landscape of international data protection, with a focus on the Dubai International Financial Centre's (DIFC) pioneering efforts and its recent assessment of California's Data Protection Regime.

With the entry into force of the Personal Data Protection Law (PDPL), the Implementing Regulations of the PDPL (Implementing Regulations) (only available in Arabic), and the Regulation on Personal Data Transfer (Transfer Regulations) (only available in Arabic), the Kingdom of Saudi Arabia has adopted a comprehensive regulatory framework governing the processing of personal data.

Overall, the regulatory framework is a successful accomplishment for the Kingdom. Although formal guidelines and opinions are expected from the competent authorities, the enacted framework projects the Kingdom among those jurisdictions equipped with advanced data protection legislation, which resonates with most of the key principles and best practices adopted in other key jurisdictions. 

In this Insight article, Gianluca de Feo, Lawyer at AX Law, highlights some of the most significant practical aspects and key takeaways from the Implementing Regulations and the Transfer Regulations.

The Kingdom of Saudi Arabia (KSA) has revamped its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act (the Telecoms Act) and the publication of implementing regulations to support the new law. Dino Wilkinson, Masha Ooijevaar, Shamma Sied, and Ken Wong, from Clyde & Co, take a look at the provisions of the Telecoms Act, how it differs from previous legislation, and what companies need to consider.

In this Insight Article, Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultancy, provide an update to part one of this series. As discussed previously, the Dubai International Financial Centre (DIFC) has a collection of tools for data processors and controllers to rely on, in terms of protection of data, specifically when they are transferring data outside of the DIFC.

With the Personal Data Protection Law (PDPL), in the recently amended version, set to enter into force on September 14, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued for public consultation, on July 11, 2023, draft PDPL Implementing Regulations and draft Regulations on Personal Data Transfers. Both sets of regulations serve the purpose of providing further details regarding the application of the PDPL.

In this Insight article, OneTrust DataGuidance highlights some of the most significant aspects and key takeaways from the draft Implementing Regulations and the draft Data Transfer Regulations, featuring comments from Gianluca de Feo, Lawyer at AX Law.

In an increasingly interconnected world, establishing regulations to protect personal data in transactions between individuals, data controllers, and data processors has become necessary. This is particularly important for transactions between companies and individuals located in different countries. In the following Insight article, Mariana Abudayah, from Nsair & Partners - Lawyers, provides an overview of Jordan's ongoing efforts to address this pressing issue. Until now, Jordan has not issued a data protection law. However, the country is currently undergoing an assessment and review process by the Economic Committee at the Jordanian Parliament to develop a Data Protection Bill (the Bill). This article analyses the key aspects of the Bill, shedding light on its significance in safeguarding personal data and fostering secure cross-border transactions.