Middle East sees moves to update data protection laws

Out-Law News | 04 Jul 2019 | 8:38 am | 2 min. read

New rules on the collection, processing and storage of personal data are set to come into force in Bahrain next month, while separate plans to update data protection law in the Dubai International Financial Centre (DIFC) have also been outlined.

Middle East-based Marie Chowdhry of Pinsent Masons, the law firm behind Out-Law, said the reforms continue a recent trend being seen across the Middle East where there has been a push to modernise data protection standards. Data protection rules were updated in the Abu Dhabi Global Market (ADGM) last year.

The Bahrain data protection law will enter into force on 1 August.

"The new law is a paradigm shift for businesses in Bahrain, reflecting alignment with international standards and practices on the protection of data," Chowdhry said. "The main obligations centre on processing data fairly and lawfully, collecting personal data for legitimate, specific and clear purposes and ensuring that the data collected is relevant and not excessive."

Under the new Bahraini regime, businesses will be required to notify the newly established Personal Data Protection Authority before beginning to process personal data. In some cases, including where they plan to process sensitive personal data, organisations will require the authority's prior approval to do so.

Under the new law, sensitive personal data is considered to be personal information that directly or indirectly discloses the ethnic origin of the individual, their ethnic group, political or philosophical views, religious beliefs, trade union affiliation, criminal record, or any data relating to their health or sexual status.

One of the legal bases for processing personal data under the new law is where businesses have obtained consent from the 'data owner' to do so. However, alternative grounds for data processing include where the processing is necessary for the implementation or performance of a contract, where it is necessary for compliance with a legal obligation such as a duty prescribed by law or an order issued by a competent court, or where it is necessary to protect the vital interests of the data owner.

Businesses may also be able to go ahead with processing personal data without consent if the processing is necessary for the purposes of a legitimate interest they, or a third party, are pursuing. However, this legal condition for processing will not apply where the organisations' interests are in conflict with the fundamental rights and freedoms of the affected data owner.

Stiffer conditions on processing sensitive personal data apply, with just a few limited exceptions listed in the law to the general obligation on businesses to obtain data owners' consent.

Businesses are also required to implement technical and regulatory measures to protect data from unintentional or unauthorised destruction, accidental loss, unauthorised alteration, disclosure, access or any other form of processing. Provisions in the new law also restrict the circumstances in which personal data can be transferred outside of Bahrain.

Further reforms are proposed in the DIFC. In June, the DIFC Authority opened a consultation concerning plans to update the DIFC Data Protection Law. A deadline of 18 August has been set for responses to be submitted.

The existing DIFC data protection framework is based on the EU's Data Protection Directive from 1995. The Directive was superseded by the General Data Protection Regulation (GDPR), which took effect in May 2018.

In its consultation paper, the DIFC Authority said: "The proposed law is based on principles and concepts found within the GDPR together with modifications reflecting latest technology, privacy and security law developments as well as the unique requirements of the DIFC. The purpose of the revisions made in the proposed law is to ensure continuity (with respect to the current data law), consistency (with respect to the broader international landscape) and to reflect modern data management thought leadership."

Changes proposed in the DIFC include updating the principles by which personal data can be processed, bringing data processors directly into scope of the requirements of the data protection law, introducing new record keeping and data protection impact assessment obligations for businesses, and establishing new rights for data subjects, including in relation to accessing their personal data and data portability.