Authorities in the Gulf Cooperation Council (GCC) countries are looking to tighten their data privacy laws and give more teeth to regulators after the introduction of EU’s General Data Protection Regulation (GDPR).
Privacy regulations around the world protect the rights of the individual’s data for fair and lawful collection and use of their personal information by organisations.
Qatar launched its Privacy and Protection of Personal Data Law in 2016 while Bahrain implemented its data privacy law on August 1 this year. The UAE is expected to implement the law this year and Saudi Arabia by next year. The only countries left are Oman and Kuwait.
Phil Mennie, director for digital trust at consultancy firm PwC, said that the demand for privacy expertise exploded after the introduction of GDPR.
“We are seeing a lot of changes across the GCC region and a lot of privacy laws are coming in,” he said.
“Large organisations are impacted by the GDPR but we observed, unlike in Europe where privacy has been a topic for a very long time, in the Middle East there is a lower understanding of how privacy impacts organisations,” he said.
However, he said that organisations are finding efficient and economical ways to run their businesses, which involve transferring data outside of their jurisdictions and are using data analytics to create new revenue streams.
Cyberattacks…Fastest growing crime
According to a survey conducted by the consulting firm, 89% of the customers avoid doing business with companies that do not protect their privacy while 87% of CEOs consider lack of privacy over personal data either an issue or risk in their organisation.
According to research firm Cybersecurity Ventures, cyberattacks are the fastest growing crime and are increasing in size, sophistication and cost. Cybercrimes are expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, while the cybersecurity market is expected to experience a 12-15% year-over-year growth through 2021.
Industry experts welcome the move by the Telecommunications Regulatory Authority of the UAE (TRA) to set up a Data Privacy Law, as they expect certain controls over privacy and the data shared with agencies.
Work in progress
Talal Wazani, Head of Strategic Security Consulting at Help AG, said it is a work in progress and the Law will look similar to GDPR for entities that deal with the private information of customers and govern how they use this information after they get the consent from the customers.
“As far as we know, two initiatives are going on. One is at the Dubai level and the other at the Federal level. One of Smart Dubai’s initiatives is the Dubai Data Law, also known as Bayanat Dubai, but we don’t have any clarity on how it is going to be or what is the structure. On the Federal level, TRA is working on the foundation for the UAE Data Privacy Law,” he said.
Initially, Wazani said that the UAE Data Privacy Law will be some sort of a framework that would be passed on to the lawmakers to refine it further and publish it as the law.
He said that both Dubai and the UAE have some catching up to do but Mennie said that it is a good move from the UAE authorities but will not say it is late as the whole world is catching up now.
“Only in the last few years, privacy has become such an important topic after the recent scandals, data breaches and the fines coming out of Europe. It is the right thing to introduce to protect the personal data of individuals,” Mennie said.
UAE gets tough on IoT and health care data
This year, the TRA has also published a new policy regulating services and devices associated with the Internet of Things (IoT Policy) in March while the UAE Federal Law on health care came into effect in May that directly addresses data protection principles.
Mohammad Al Zarooni, Director of Policies and Programs Department at TRA, had told TechRadar Middle East recently that data privacy is crucial to the cyber and the UAE is regulating and drafting a data protection law.
“We will look at the best performing practices performed worldwide; GDPR will be one of the inputs to it. We want to make sure that whatever regulations are put, are easy to be implemented across different sectors,” he said.
Richard Chudzynski, senior manager at PwC Legal, said that Bahrain does not have fines as compared to GDPR but have criminal sanctions.
GDPR has a ceiling of 4% of global annual revenues of up to 20,000 euros while Bahrain has a ceiling of BD 20,000 with a potential sentence of a maximum imprisonment of one year.
A breach, under GDPR, needs to be disclosed within 72 hours but this law is not included in Bahrain Personal Data Protection Law and can be submitted monthly to the regulator.
Tough to accomplish
When asked about the possibilities of implementation of a GCC-wide data privacy law, Wazani said it would be amazing if a GCC- or Arab-wide law can be accomplished but it is tough to accomplish.
“For GDPR, EU is the governing body and in the Middle East, there is no governing body. How long is it taking for the GCC-wide VAT to be implemented? The difficulty is in aligning together all the local privacy laws in the Middle East, apart from the jurisdiction laws as well,” he said.
However, Mennie said that a GCC-wide law is sensible to him but he does not know how the legal resume works across the GCC and don’t know whether there is any mechanism in place to enforce the law across the GCC.
“If there was, that would make a lot of sense,” he said.
Al Zarooni said that there are some talks about a unified GCC law but “I believe that most of the regulations worldwide will be more or less the same, some will be more stringent and some will be relaxed. One unified GCC law might be good but it will be challenging to come up with”.