The Qatari government has passed a law requiring a minimum level of protection for personal data within the State of Qatar. It is the first GCC member state to issue a generally applicable data protection law. The law will be of particular interest to Qatar-based employers given that it introduces new requirements in relation to how employers maintain and manage their employees' information. It will require prompt action to ensure compliance, both for governance reasons and given that the law introduces material fines for breach.
Law No. 13 of 2016 Concerning Personal Data Protection (the Data Protection Law) was issued on 3 November 2016. It will come into full effect in six months' time (3 May 2016), unless this period is extended.
The Data Protection Law will help build consumer trust in Qatar in the online environment and may encourage consumers to engage with innovative technologies in confidence that their data will be protected. It comes at a time when the rapid pace of technological change means that more personal data than ever before is being processed electronically, including due to the advance of big data and internet of things technologies.
Some of the highlights from the new law that employers should be aware of are:
- The vast majority of personal data processing activities are likely to be caught - The new law will apply in most instances where personal data is handled. Article 2 provides that the requirements shall apply where personal data (being data which identifies an individual or which can be used in combination with other data to identify an individual) is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or where a combination of electronic and traditional processing is used.
- You must have lawful grounds for processing - Personal data should not be processed without first obtaining the approval of the data subject, unless the processing is necessary to achieve a legitimate purpose. The legitimate purpose referred to may be satisfied by reference to the purpose of the data controller or a third party to whom the personal data is sent. It is unclear at this time how narrowly the term 'necessary' will be interpreted by the Qatari Courts.
- Individuals have the right to access their personal data - The rights given to individuals include the right to consent to any processing of their personal data, and to withdraw consent at any time. An individual will also have a right to review any personal data being stored in relation to him or her, and to ask for it to be corrected where it is inaccurate.
- Responsible information handling practices are now mandatory - The law introduces minimum standards and overarching principles with which organisations must comply when handling personal data, including that staff must be provided with appropriate training on the subject of privacy and that measures must be taken to protect personal data from loss, damage, unauthorised modification or unauthorised disclosure.
- Additional safeguards will apply to special personal data - The law creates a class of personal data known as 'special personal data', which warrants a greater degree of protection. This category of data includes data relating to children, race, health, religious beliefs and criminal records and may only be processed with the prior permission of the relevant unit of the Ministry of Transport and Communications (MoTC).
- Data breaches may trigger statutory reporting obligations - Any company that suffers a data security breach which would cause 'gross harm' to the individuals concerned must notify both the MoTC, as regulator, and the affected individuals. Based on the language used, it is likely that any breach in which children's data was compromised would trigger the data breach notification requirements in the law.
High financial penalties will be imposed for breach of certain provisions of the Data Protection Law. For example, a fine of up to QR1 million may be levied for a failure to notify the MoTC or an individual affected in the event of a data breach referred to above. A fine of up to QR5 million may be levied for a failure to secure approval from the MoTC before processing special personal data.
The level of fines is undoubtedly designed to drive compliance and to deter irresponsible personal data handling practices. It also highlights how seriously the Qatari government is taking the protection of an individual's right to privacy.
The concepts and requirements of the Data Protection Law will be clarified in further ministerial decisions. However, early indications are that the Data Protection Law is likely to transform the regulatory landscape for privacy in Qatar.