Qatar - Data Protection Overview
Qatar has, in addition to a specific comprehensive national level legal framework on data protection, a separate legal regime that applies to Qatar Financial Centre ('QFC') licensed entities. There are also various Qatari laws which set out certain rights of privacy and obligations of data protection.
The national level framework, Law No. 13 of 2016 Promulgating the Protection of the Privacy of Personal Data Law (only available in Arabic) ('the National Privacy Law'), was issued by the Qatari Ministry of Transport and Communications ('MOTC') in November of 2016 and subsequently published in the Official Qatar Gazette on 29 December 2016. It is the first of its kind in the Gulf Cooperation Council ('GCC') region. The data protection regime that applies specifically to QFC-licensed entities is broadly modelled on the European Union's Data Protection Directive (Directive 95/46/EC) ('the Directive').
There are also a number of other laws at a national level that address (either directly or peripherally) matters of privacy and protection of personal information, some of which are very generic and others which are quite sector-specific. Please note that all national laws of the State of Qatar are published in Arabic and there is no officially binding translation in any other language. Commentary provided below has been based on English translations of these laws, but the original Arabic text will prevail in the event of any potential discrepancies in interpretation. From a QFC perspective, however, the relevant legal regime discussed herein was in fact drafted in the English language, which is therefore considered to be the official original text.
2. THE LAW
At the most fundamental level, the Constitution of Qatar (‘the Constitution’) provides for a general right of privacy for individuals. According to the Constitution, 'the sanctity of human privacy shall be inviolable, and therefore interference into privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed save as limited by the provisions of the law stipulated therein.'
As such, the right to privacy is regarded as a fundamental individual right in Qatar, subject to such exceptions as contemplated in the wider Qatari legal framework.
The National Privacy Law sets out a number of new rules and requirements applicable to the processing of personal data of an identifiable individual. It applies in both electronic and non-electronic contexts.
As a general rule, the personal data of an individual is to be processed in accordance with principles very broadly aligned with those promulgated under the Directive. These include transparency, integrity, accuracy and acceptable practices, and require that processing remain consistent with the legal purposes for which the information was originally collected.
There are also a number of information disclosure, consent, and collection control obligations on data controllers and processors under the National Privacy Law. Conversely, there are also a number of exemptions or exclusions under the framework whereby certain data processors or controllers may (in whole or in part) be exempted from the application of its provisions.
3. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: 'Personal data' is defined as 'information about an individual who has a verified identity, or can be verified reasonably; whether through such information or by combining such information and other data.'
Sensitive Data: Personal data is described as being 'sensitive data' where it is related to ethnic origin, children, health, physical or psychological condition, religion, marital relations or criminal actions. The Ministry may also expand this definition from time to time to include other types of sensitive data as it sees fit.
Data Controller: 'Data controller' is defined as a 'natural or corporate person who individually, or jointly with others, determines the method and purpose of processing Personal Data.'
Data Processor: 'Data processor' is defined as a 'natural or corporate person who processes personal data for the Controller'.
4. SCOPE OF APPLICABILITY
Generally, the National Privacy Law applies to all natural and legal persons involved in data processing defined as 'collecting, receiving, registering, arranging, saving, preparing, amending, recovering, using, disclosing, publishing, transferring, blocking, deleting or cancelling' of personal data.
The National Privacy Law applies to both electronic and non-electronic forms of processing. It also, however, provides a number of exemptions from its application (whether in whole or in part). By way of example, the National Privacy Law itself does not apply whatsoever in the context of personal data processed by individuals for 'personal or family' purposes, nor any such processing for official statistical purposes. Some partial exemptions from the National Privacy Law include circumstances where the processing is happening in order to protect national or general security or the economic or financial interests of the State, and also in the context of tasks related to criminal investigations or for achieving scientific research for public welfare. More granular detail as to when such partial exemptions (of which the above are only a few examples) may apply is not spelled out in the legislation, and it is anticipated that this will be clarified by way of subsequently issued Ministerial resolutions or guidance.
5. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
Under the National Privacy Law, the MOTC is designated as the primary responsible authority. The National Privacy Law also contemplates the establishment of other relevant departments or authorities, which is anticipated to be clarified by way of pending Ministerial resolutions.
The MOTC and its officials have broad duties and powers pursuant to the National Privacy Law, ranging from the more standard enforcement remit (e.g. investigation, seizure, issuing compliance directions) to a wider on-going regulatory development and awareness role (e.g. to issue further resolutions clarifying various aspects of the law, collaborate with other public and private sector entities to help develop best practice approaches to regulating under the law, etc.).
6. NOTIFICATION | REGISTRATION
As a general rule, and unless one of the exemptions applies, the consent of the individual is required prior to any processing of his or her personal data (except where such processing 'is necessary for achieving legal purposes for the Controller or third parties to whom such data will be sent'). There is no guidance in the law as to any particular form that this general consent must take.
As to the processing of sensitive personal data, the National Privacy Law establishes a somewhat unorthodox regulatory approach. Namely, the processing of sensitive personal data is prohibited in the absence of having obtained advance approval from the MOTC, pursuant to more detailed rules and regulations that did not accompany the National Privacy Law upon its issuance (as above, it is anticipated that the more detailed process and procedure for this approval process will be set out in pending Ministerial resolutions).
7. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
Broadly speaking, controller rights and responsibilities are aligned with more widely accepted international principles of data protection – for example, to process any personal data lawfully, and to take wider steps to ensure appropriate administrative and technical precautions are in place to protect the data. The controller is also required to inform the data subjects (in advance of any processing activities) as to who will be processing their data, the legal purposes for which their data is being processed, and exactly what type of processing activities will be occurring. The controller is also required to ensure that the data being collected is relevant and necessary for the legal purposes for which the collection was intended, and to ensure on an on-going basis that the data is accurate, complete, and updated.
It is also interesting to note that the law further expressly obligates controllers to conduct comprehensive data audits and reviews of their internal processes and procedures pertaining to compliance under the law.
8. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Data processors, like controllers, are also required to ensure that personal data is processed in line with the wider principles of transparency, integrity, and respect for human dignity. There is also a requirement that the data is processed in accordance with 'acceptable practices,' which in turn is defined as the 'processing activities determined or approved by the [MOTC]' depending on the legal purposes for which the data is being processed. The law does not provide any further elaboration on this facet at this point, which is again expected to be the subject of pending Ministerial resolutions.
Processors (as with controllers) are also required to ensure that adequate protections are in place to help protect the personal data from loss, damage, and unauthorised disclosure or use. The relevant standard to be applied in assessing the adequacy of such protections is that they must be 'suitable for the nature and importance of the personal data to be protected.'
9. DATA SUBJECTS' RIGHTS
Data subject rights under the National Privacy Law are broadly aligned with those afforded under the Directive. For example, data subjects may:
- withdraw consent to the processing of their personal data;
- object to certain processing activities;
- issue requests for the deletion or correction of their personal data; and
- request access to their personal data and related information about how and why it is being processed.
Moreover, data subjects are also entitled to be notified when any inaccurate data may have been disclosed in relation to them.
Financial penalties of up to QAR 5,000,000 (approx. €1,233,000) can be imposed under the National Privacy Law, with the amount depending on the nature of the infraction. It is noteworthy, in this context, that:
- the failure (by either the controller or the processor) to take adequate security precautions to protect the data from loss or damage; and
- the failure to obtain the advance approval from the MOTC prior to processing sensitive personal data,
are expressly identified as two of the listed offences which are capable of attracting the highest financial penalty under the law. Any such financial penalties are also without prejudice to any other, or more severe, penalties that may appear in any other Qatar laws (for example, the Penal Code or Cybercrime Prevention Law, mentioned in section 14, below).
It is also worth noting that legal persons such as corporate entities can also be found liable under the law directly for any actions of third parties that violate the National Privacy Law, where third-party actions were committed in the corporate entity's name or on its behalf.
Perhaps most noteworthy, however, is that the National Privacy Law stipulates that 'any contract or agreement entered into in violation of the provisions of the law shall be deemed null and void.' The National Privacy Law does not, however, specify in any more granular detail when, and to what extent, this provision would be enforced: for example, whether it would invalidate a contract in its entirety or only to the extent of the specific provision(s) that were non-compliant, or whether some kind of materiality threshold as to the extent of non-compliance must be met before the provision can be applied. As with many of the observations above, it is anticipated that further guidance on this point will be provided by way of forthcoming Ministerial resolutions.
11. DATA PROTECTION OFFICER
Not applicable. The law does not specifically address the appointment of a data protection officer.
12. DATA BREACH NOTIFICATION
Under the National Privacy Law there are security breach notification requirements which apply to both processors and controllers. Processors are required to notify the controller in the event of any breach or risk of breach as soon as they become aware of the same. Controllers are in turn required to notify both the data subject and the MOTC if the breach is 'likely to cause serious damages to the personal data or the privacy of individuals.'
13. ADDITIONAL RELEVANT TOPICS
13.1 Data Transfers and Outsourcing
The position taken under the National Privacy Law on cross-border data transfers is somewhat unusual from an international comparative standpoint. The relevant provision stipulates that a controller is not permitted to 'take any decision or procedure that may block the flow of personal data across borders,' unless the act of processing in question is otherwise in violation of the law or likely to cause 'serious damages to the personal data or privacy of the individual.' How this provision will be interpreted and applied in practice, however, remains to be seen.
13.2 Direct Marketing
The law provides that any form of direct electronic marketing to an individual is prohibited unless the prior consent of the individual has been obtained. The National Privacy Law does not, however, prescribe the form that such consent must take.
The electronic communication is also required to clearly show the identity of the sender, and include an easily accessible means of contact through which the individual can request that the communications stop.
13.3 Data Retention
Data controllers may not retain personal data for any longer than the period reasonably necessary to achieve the legal purposes for which the data was collected in the first instance.
14. SPECIFIC JURISDICTIONAL ISSUES
Further general protections of individual rights of privacy and confidentiality are found in the Penal Code and the Cybercrime Prevention Law, pursuant to which fines or terms of imprisonment may be issued for violations. For example, the Penal Code contains provisions prohibiting the dissemination of news, photos, or information 'related to secrets of private life, or families, or individuals,' even if the information at issue is true. The Penal Code also criminalises the disclosure of confidential information obtained by an individual in the context of his/her occupation or profession in the absence of consent of the data subject. The Cybercrime Prevention Law contains a number of broadly drafted clauses that effectively criminalise any unauthorised access, use, or interception of information using any form of electronic means (Articles 2-4), and stipulates heightened terms of punishment where the information at issue causes any potential for threat to national security, the economy, or is information belonging to any governmental department or entity.
There are also a handful of other Qatari laws which include certain privacy or data protection-related provisions, although many of these are sector-specific. For example, there are data protection obligations which apply to electronic commerce service providers pursuant to Law No. 16 of 2010 on the Promulgation of the Electronic Commerce and Transactions Law in relation to the data that they process on behalf of customers. Similarly, Decree Law No. 34 of 2006 on the Promulgation of the Telecommunications Law (and its accompanying framework) sets out a number of obligations which apply to telecommunications service providers in respect of protecting the privacy of their customer information.
It should also be borne in mind that Qatar (like most countries in the Middle East) is a civil law jurisdiction, and that there is no body of judicial precedent which can be reliably used to determine exactly how these laws will be interpreted in practice. As such, there is an element of uncertainty as to the exact scope of these laws and how they may be applied. Furthermore, the Middle East as a region has heightened cultural sensitivity about what constitutes personal or private information, and as such this should be taken into account by data controllers in the context of any proposed activities that involve the processing of personal information.