Oman: Latest developments in data protection and cybersecurity
Oman does not currently have a standalone data protection law. Whilst Oman's Constitution (Royal Decree No. 101 of 96) recognises an individual's right to confidentiality in all forms of communication, it does not recognise the right to privacy as a fundamental right beyond this. Alice Gravenor, Senior Associate at PwC Legal Middle East, analyses the patchwork of laws and regulations that constitute Oman's legal protection framework in the absence of a constitutional right to privacy or general data protection legislation and discusses all the latest regulatory developments aimed at strengthening Oman's privacy regime.
Establishment of the Cyber Defence Centre
In June 2020, the Sultan of Oman, His Majesty Sultan Haitham Bin Tarik, issued Royal Decree No. 64 of 2020 ('the Decree') establishing the Cyber Defence Centre. Although very short, the Decree represents one of the latest developments concerning the data protection and cybersecurity landscape in Oman.
Article 1 of the Decree states that a body by the name of 'The Cyber Defence Centre' will be set up and that such centre will report into the Oman Internal Security Service ('ISS'). The Decree is brief and does not go much further than stating that bylaws and decisions necessary for the implementation of such a system will be issued by the Head of the ISS, and that anything contrary to the Decree and the system it implements is hereby repealed.
Development of a draft data protection law
The Oman Information Technology Authority ('ITA') announced in 2017 that it was developing a data protection law ('the Draft Law'). However, the Draft Law remains a draft without a clear indication of when it will come into force. It was speculated that, if approved and signed into law, the Draft Law would grant powerful rights to individuals in Oman, enabling them to exercise levels of control over their personal data equivalent to the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), for example by giving individuals the right to:
- object to the processing of their personal data;
- demand access to any personal data about them held by any organisation in Oman;
- demand that any mistakes in this data are corrected; and
- demand that this data is completely erased if they wish.
The ITA went as far as to hold public consultation sessions to discuss the Draft Law and seek feedback from members of the public on its contents, but limited further developments have since occurred.
In July 2020, the State Council held its eighth ordinary session of the first annual sitting for the seventh term where it discussed the 'Personal Data Protection Draft Law', noting the importance of the Draft Law in light of the ongoing technological developments and digital challenges. Hon. Dr. Rashid bin Salim bin Rashid al Badi, Committee Head of the Legal Committee of the Council, stated that the Draft Law contains 35 Articles divided into five Chapters as follows:
- Definitions and general provisions;
- Tasks and powers of the Ministry of Technology and Communications;
- Rights of individuals with regards to their personal data;
- Obligations of the controller and processor handling the processing of personal data; and
- Penalties for violating the provisions of the law.
Despite this previously unknown detail on the Draft Law, no timelines for its promulgation have been reported.
A limited number of other laws in Oman relate to the use of personal information and cybersecurity; however, these are certainly not the equivalent of bespoke data protection laws such as the GDPR.
The Cyber Crime Law
The Cyber Crime Law (Royal Decree No. 12 of 2011) seeks to address a wide array of illegal activities involving a computer device, computer system, or network. It treats various acts as cybercrimes and punishes them with robust penalties in the form of imprisonment and fines.
The Cyber Crime Law also contains limited provisions with respect to personal data protection, including making it an offence to violate the privacy of individuals using technology. It does not, however, impose any obligations on those who collect personal data.
The Electronic Transactions Law
The Electronic Transactions Law (Royal Decree No. 69 of 2008), which is based largely on the UN Model Laws relating to e-commerce and electronic signatures, contains limited provisions relating to the processing of personal data, including some requirements relating to the obtaining, retention, and dissemination of personal data. However, the Electronic Transactions Law only applies to transactions performed between parties who have agreed to perform their transactions electronically, and therefore its narrow data protection provisions do not apply to those who collect personal information outside the scope of the Electronic Transactions Law.
Limited data protection and cybersecurity provisions can also be found in a number of sectoral laws across the telecommunications, financial, and healthcare industries.
- Under Resolution No. 113 of 2009 issuing Regulations on Protection of the Confidentiality and Privacy of Beneficiary Data issued pursuant to Royal Decree No. 30 of 2002, following the written approval of a customer, a telecom service provider ('TSP') is permitted to share customer personal data with any of its subsidiaries or with other companies. Under such circumstances, the TSP is obliged to guarantee not to use customer data for any purpose other than the specified purposes and within the permissible limits. It is not clear whether this would include sharing the data with third parties outside of Oman and therefore permit a cross-border transfer of such data.
- The Banking Law (Royal Decree No. 114 of 2000) contains certain limited provisions covering the protection of customer information in the banking context. All licensed banks, including their directors, officers, managers and employees are prohibited from disclosing customer information without the customer's consent, unless required to do so under Oman law or instructed to do so by the Central Bank of Oman.
- The Healthcare Law (Royal Decree No. 75 of 2019) contains provisions surrounding the disclosure of patient information. It is stated that patient information must not be shared with any person until the patient has provided their written consent to do so. Limited exceptions exist to this rule such as where disclosure is required to share relevant patient information with health insurance companies.
Given the latest developments concerning data protection and cybersecurity in Oman, with the issuance of Royal Decree No. 64 of 2020 establishing the Cyber Defence Centre, and the latest discussions concerning the Draft Law, it seems Oman has data protection and cybersecurity firmly on the agenda, and that further development in this area is likely in the coming months.
Alice Gravenor Senior Associate
PricewaterhouseCoopers Legal Middle East LLP