July 5, 2018

Qatar’s Data Privacy Law – No further Council of Ministers Extensions for Compliance

It is well over a year now since Qatar became the first GCC country to enact a specific national law relating to data protection. The government confirmed a formal extension of time to allow organisations additional time to comply with the new legislation until 29 January 2018. Whilst the supervising unit of the Ministry of Transport and Communications ('MoTC') is not yet fully operational, the extended period for businesses to put in place compliance arrangements is now officially over.

Introduction 
Law No.13 of 2016 Concerning Personal Data Protection (the "DPL") was gazetted and became law in Qatar on 29 December 2016. The DPL incorporates concepts familiar from other international privacy frameworks and enshrines an individual's right to have their personal data protected.

As we noted at the time of the DPL's enactment, this new law establishes a framework for data privacy compliance in Qatar under the oversight of the MoTC. Its issuance represents an important first step for the protection of data privacy rights in Qatar. However, the DPL anticipates that further instructions and ministerial decisions will be issued to set out more detailed requirements and processes that will underpin the new regime. The supervisory unit of the MoTC that is responsible for oversight and all administrative processes connected with the implementation of the requirements is still 'under establishment' and not yet fully operational – it is anticipated that the unit and the necessary processes will not be in place until the last quarter of 2018.

For example, Article 16 of the DPL refers to personal data of a 'special nature' which is defined as 'any data relating to race, children, health, physical or psychological conditions, religious beliefs, marriage relationships or crimes'. The Minister of the MoTC may by 'decisions' add further categories of personal data of a special nature as well as 'impose further precautions to protect personal data of special data'. We await any such decisions and detail on systems and precautions required which are likely to impact, in particular, regulated sectors in Qatar, such as healthcare, financial services and education which have their own regulations that need to be suitably aligned.
Also awaited are the requirements relating to MoTC processes for the granting of 'permissions' by the MoTC for the processing of personal data of a special nature. Under the DPL, no such processing is permitted without such permission.

Significant Changes Required
For many businesses in Qatar, the changes required to comply with the DPL are complex and extensive. Organisations must not only to understand what the DPL requires but also to invest in and adopt new processes and system changes to ensure effective compliance, including building privacy protection into the design new products and services.

Drafting a privacy policy alone will not be sufficient to ensure DPL compliance; it requires 'top down' oversight, a robust governance and control environment, and effective systems and processes within the business to ensure compliance, including reporting and notifications to the competent authorities where there are breaches or risks of non-compliance. Any such change will require thorough planning and training of staff and will take time to effectively cascade through an organisation.

Compliance Extension now over
In recognition of the substantial level of organisational change required, as well as the need for further clarity by way of ministerial consultation and implementing regulations, an extension for the deadline for organisations to comply with the DPL was approved by the Qatari government. Council of Ministers' Resolution No.1 of 2018 was issued on 2 January 2018 extending the period for compliance set out in Article 30 of the DPL to a revised date of 29 January 2018. No further Council of Ministers' extensions have been implemented. Although the supervisory unit of the MoTC that will oversee and enforce the DPL is not operational and administrative processes are not yet in place, organisations should now be meeting the requirements of the DPL and taking all necessary measures to ensure ongoing compliance.

Consequences of Non-compliance: Don't wait, act now!
The challenge to ensure compliance is a significant one for most businesses and there are potentially adverse consequences in terms of damage to reputation and customer mistrust in the event of non-compliance. There are also regulatory penalties for contravention of the law.

Under the DPL, failure to comply may give rise to a fine of up to QR 5 million (equivalent to approximately US$1.35million).

In other data privacy developments, the European Union General Data Protection Regulation ("GDPR") became effective from 25 May 2018.  This imposes further obligations on Qatari businesses that offer goods or services to individuals in the EU or that monitor the behaviour of individuals in the EU.  These organisations must have regard to and comply with the additional data privacy requirements of GDPR. For those businesses that are affected by the GDPR, the penalties can be as high as Euro 20 million or 4% of global turnover.

How can we assist?
Clyde & Co is able to assist on all aspects of data privacy planning and solutions, including the application of both the DPL and GDPR to your business operations. We typically work with businesses to fully understand their 'sector specific' needs and achieve a fully integrated 'data privacy compliance framework'. This can include legally compliant policies, processes, contracts, systems and controls that are consistent with local legislation and international best practices. We can also help organisations to implement safeguards to ensure continuing compliance with relevant legislation, including comprehensive and timely reporting with regard to the DPL.

*This article was originally published in January 2018 and has been amended to reflect additions and subsequent changes to the law.