The Kingdom of Bahrain has become the second country in the GCC to issue a national data protection law. Organisations operating in Bahrain or processing the personal data of consumers from Bahrain should be aware of the new obligations and sanctions in the legislation that will become effective in 2019. Here are the five questions you should be asking to understand how the new law will impact you.
Bahrain's Personal Data Protection Law No. 30 of 2018 (the Law) has been published in the Official Gazette on 19 July 2018.
The Law aims to be consistent with international practices in the protection of personal data and to enhance the attractiveness of Bahrain to foreign investors by providing a clear framework for processing personal data. It is anticipated to be supplemented by resolutions that are due to be issued by 1 February 2019.
Who is affected?
The Law will apply to any processing of personal data wholly or partly by automated means or the manual processing of personal data that will form part of an organised filing system. The Law is stated to apply to individual residents or workers in Bahrain, locally established businesses and any businesses outside Bahrain that process personal data "by means available within the Kingdom" other than for purely transitory purposes.
This means that non-Bahraini businesses operating data centres or using third party data processors in Bahrain will be caught by the Law. Any non-resident person or business that is subject to the Law must appoint an authorised representative in the Kingdom to perform its local legal obligations.
The Law does not apply to processing of personal data within the context of personal or family affairs or processing that relates to national security undertaken by security authorities in the Kingdom.
What data is protected?
The Law defines personal data as information relating to an identified or identifiable individual.
This is largely consistent with European and similar international definitions of personal data or personally identifying information (PII) under equivalent legislation, although there is express reference to identification of an individual via their Personal ID Card in addition to other factors specific to the individual's physical, mental, cultural, economic or social identity.
Data subjects will have rights of access to personal data and to information concerning the processing of their personal data, as well as the right to object to processing for direct marketing or automated decision making.
What are the key obligations?
Many of the obligations placed on "data managers" (controllers) will be familiar to organisations that operate under data protection laws in other parts of the world, including requirements to process data fairly and lawfully, to collect personal data for legitimate, specific and clear purposes and to ensure that data is adequate, relevant and not excessive as to the purpose for which it was collected.
Data cannot be processed without the consent of the relevant individual (data subject) unless it falls within one of the five grounds for processing in Article 4 of the Law. These grounds include the performance of contracts or legal obligations, protecting the data subject's vital interests and safeguarding the data controller's legitimate interests. There are derogations for the processing of personal data for journalistic, artistic or literary purposes and more stringent rules applying to the processing of "sensitive personal data" (i.e. personal data that directly or indirectly reveals racial or ethnic origin, political or philosophical views, religious beliefs, trade union membership, criminal record, health or sexual condition).
One interesting feature of Bahrain's legislation is the role of the 'Data Protection Supervisor'. This is an accredited third party that may be appointed by data controllers at their discretion or, in some cases, at the direction of the data protection authority. The Data Protection Supervisor must exercise its role in an "independent and neutral manner" (unlike, for example, the data protection officer appointed by European entities under the GDPR). Its responsibilities include monitoring and verifying the data controller's compliance with the law, supporting the data controller in exercising its rights and performing its obligations, maintaining a register of processing, and coordinating between the data protection authority and the data controller.
The Law prohibits the transfer of personal data outside Bahrain to jurisdictions that are not approved by the data protection authority unless the data subject provides consent or the transfer falls under a specific derogation, including transfers necessary for the performance of contracts, protection of the data subject's vital interests or preparing, pursuing or defending a legal claim. The Law also requires data controllers to enter written contracts with third parties that process personal data on their behalf (data processors). However, there is no mandatory data breach notification provision in the Law.
How will the law be enforced?
A range of criminal and administrative fines may be imposed under the Law.
Criminal offences – including the processing of sensitive personal data or transfer of personal data outside the Kingdom in violation of the Law or failure to notify as required by the Law – may attract fines of up to BD 20,000 (US$ 53,200) or imprisonment for up to one year.
Administrative fines for other offences may be imposed on a scale up to BD 20,000 (US$ 53,200) for one-off fines or daily penalties of up to BD 1,000 (US$ 2,650), which may be increased for repeat offences.
Other sanctions available to the regulator include publishing statements concerning established violations and referring potential crimes to the Public Prosecutor. Individuals may claim compensation for damage suffered due to any processing of their personal data by a data controller in breach of the Law.
What should organisations do now?
The Law will become effective from 1 August 2019, but any organisations that are involved in processing personal data in Bahrain should start conducting an assessment of their processing activities at the earliest opportunity in order to understand the implications of the Law and implement appropriate compliance measures.
This process would typically start with a due diligence exercise to understand the flows of data around the organisation. Contracts with third parties will also need to be reviewed along with privacy policies, consent forms and employment agreements.
Once the law comes into effect, data controllers will have to notify the authority prior to conducting any data processing unless they appoint a Data Protection Supervisor or the processing is limited to certain activities set out in Article 14 of the Law. Some types of data processing (including automated processing of sensitive personal data, biometric data for identification purposes, genetic information and video monitoring) will require the express prior approval of the authority.
Ongoing awareness and training in data protection is likely to become a more commonplace feature for companies in Bahrain and we would expect to see organisations adopting data governance policies, procedures and practices in line with international standards. Processes will need to be in place to ensure that organisations can comply with their obligations and respect the new rights afforded to data subjects.