Oman: Operationalizing the data protection law - how to put it into practice
On February 13, 2023, Oman's personal data protection law (PDPL) came into force. The enactment of the PDPL follows a trend of new data protection laws in the Middle East.
The PDPL is consistent with other modern data protection regulations, providing a more robust data protection regime and a set of core data protection principles. The executive regulations (the Regulations), which will clarify various elements of the PDPL, are yet to be released by the Ministry of Transport, Communications and Information Technology (MTCIT). Fatma Al Zadjali and Jeanne Visser, from Al Tamimi & Company, discuss who the PDPL applies to and what its key provisions are.
Who does the law apply to?
The PDPL applies to the processing of personal data by controllers (a person/entity who determines the purpose and means of processing personal data) and processors (a person/entity who processes personal data on the controller's behalf) operating in Oman and/or processing personal data of data subjects in Oman. Personal data is defined under the PDPL as any data that makes a natural person identifiable (whether directly or indirectly) by reference to one or more identifiers such as their name, ID number, location data, or biometric data, or by reference to factors related to genetic, physical, mental, psychological, social, cultural, or economic identity.
Article 3 of the PDPL sets out several excluded categories. These include (but are not limited to) processing for the purposes of entering into a contract to which the data subject is a party, for the performance of a legal obligation imposed on the controller under any law, judgment, or court ruling, the protection of a vital interest of the data subject, the protection of national security or the public interest, to detect or prevent any criminal offense based on an official written request from the investigation authorities, and if the processing is in a personal or family context. The obligations and restrictions set out in the PDPL will not apply to processing of personal data which falls within an excluded category.
Key provisions of the law
One of the key principles of the PDPL is that personal data can only be processed after obtaining the express written consent of the data subject. Written consent is also required for sending advertising and marketing material to data subjects. Consistent with new data protection laws that have recently been introduced in the United Arab Emirates (UAE) and Kingdom of Saudi Arabia, the PDPL does not allow for processing based on a data controller's 'legitimate interests,' as found in other international legislation such as the General Data Protection Regulation (GDPR).
Prior to processing personal data, the data controller is required to issue a notice to the data subject setting out certain mandatory information including the purpose of the personal data processing and the source from which it is collected, details of the controller and processor, contact information of the personal data protection officer (DPO), the rights of the data subject, as well as the degree of disclosure of the personal data.
Rights of data subjects
Data subjects are granted various rights under the PDPL. These include: the right to transfer their personal data; the right to erasure of personal data; the right to obtain a copy of their processed personal data (through a data access request); the right to revoke their consent and to amend, update, or block their personal data; and the right to be notified of any breach or infringement of their personal data.
Sensitive personal data
There is a general restriction on processing of 'sensitive' personal data (such as genetic data, biometric data, health data, or data relating to ethnic origin, sex life, political or religious opinions or beliefs, criminal convictions, or security measures) without obtaining prior approval from the MTCIT. This prior-approval requirement is not found in the GDPR, or in any of the data protection laws recently issued in the UAE.
Processing of children's personal data is not permitted without express consent from their guardian unless the processing is required for the child's best interests. In the UAE, whilst data protection laws do not address minors' personal data specifically, separate legislation considers it a crime to process minors' personal data without the prior consent of their parents/guardians.
Data controllers' and processors' obligations
The PDPL requires controllers (and not processors) to conduct a Data Protection Impact Assessment (DPIA), provide mandatory disclosure in the form of the notices described above, notify the MTCIT and the affected data subjects of any personal data breach, appoint a DPO, ensure personal data confidentiality, and implement controls and procedures to protect personal data. Both controllers and processors must co-operate with the MTCIT and may be required, upon the request of the MTCIT, to appoint external auditors to verify that personal data processing has been carried out in accordance with the provisions of the PDPL; they must also provide the MTCIT with a copy of the external auditor's report. Both are also responsible for retaining the records of processing operations, in accordance with the deadlines and procedures to be specified by the Regulations.
The PDPL allows for the transfer of personal data outside the borders of Oman only in accordance with 'controls and measures specified in the Regulations' (which are yet to be issued). Regardless of those controls, no transfer may take place if the processing of the personal data would cause harm to the data subject or if the data is processed in violation of the provisions of the PDPL.
Notification of breach
If a personal data breach occurs which leads to 'destruction, alteration, disclosure, access or illegal processing' then the controller is required to inform the MTCIT and data subjects in accordance with the controls and measures to be specified in the Regulations as mentioned above.
Putting the law into practice
The PDPL applies to all businesses that operate in Oman and/or process personal data of data subjects in Oman. Such businesses are recommended to audit their existing data use and update their processes, contracts, notices, policies, and employee awareness to ensure compliance with the PDPL. An outline of the key aspects of putting Oman's new PDPL into practice is set out below.
Businesses must undertake staff training to ensure that the changes are understood and to explain what is expected from staff when handling personal data, such as the requirement to obtain express consent prior to processing personal data, the need to inform individuals about the purpose and scope of the data processing activity, the rights afforded to data subjects, how to handle data access requests, and what to do in the event of a data breach. It is highly recommended that an organisation communicate its data protection policies and practices to its employees, to make sure they are familiar with their roles and responsibilities in processing personal data.
Implementing appropriate technical and organizational measures
To protect personal data, businesses must implement appropriate technical and organizational measures to prevent unauthorized access, disclosure, or loss of personal data. This includes implementing encryption and access control measures, establishing procedures for data backup and recovery, and regularly testing the effectiveness of these measures. Additionally, businesses will need to conduct DPIAs to evaluate the impact of data processing activities on the data subjects.
Establishing compliant processes
Businesses will also be required to establish processes for handling data access requests and breaches in accordance with the PDPL's requirements. This includes establishing procedures for responding to data access requests within any mandatory response period (further details on this requirement will be clarified in the Regulations that are yet to be issued) and ensuring that personal data is only disclosed to authorised individuals, which in practice means verifying the identity of the requester before releasing any data.
Furthermore, businesses must establish procedures for properly reporting data breaches to the MTCIT and affected data subjects within any mandatory notification period (which will be specified in the Regulations). Businesses must also investigate the incident to determine the cause of the breach and implement measures to prevent similar breaches from occurring in the future.
Enforcing compliance with the new law is crucial to its effectiveness in protecting personal data. To ensure compliance, businesses must conduct regular audits and assessments to evaluate their compliance with PDPL's provisions. They will also need to appoint a DPO who is responsible for overseeing internal compliance with the PDPL's provisions and advising the business on data protection issues, as well as appointing an external auditor to ensure compliance with the provisions of the PDPL from an external perspective. The Regulations are yet to determine the requirements for selecting the DPO and external auditors but in general terms, the selection should consider a party that is familiar with the data protection laws.
The PDPL provides for administrative fines for non-compliance with its provisions ranging from OMR 1,000 to OMR 500,000 (approx. $2,600 to $1.3 million), depending on the type and severity of the violation. Violations of privacy may also be punished in some cases by imprisonment of up to one year (under the Omani Penal Law).
Businesses will be required to take certain steps to ensure that they comply with the provisions of the PDPL as part of their business operations. In general terms, businesses must create awareness among their employees about the PDPL's requirements, implement appropriate technical and organisational measures to protect the confidentiality of personal data, establish processes for handling data access requests and breaches, appoint a DPO to ensure internal compliance with the PDPL, protect personal data when transferring it outside of Oman, and generally maintain a proper compliance programme aligned with the provisions of the PDPL.