Qatar's new data privacy law will mean that businesses must take action to protect the privacy of personal data or risk fines of up to QR 5 million (USD 1.47 million).

Subject to any extensions, businesses will have a grace period of 6 months from the effective date of the new law to ensure that they comply with its requirements.

Some of the key features of the new law can be summarised as follows:

  • An individual's right to privacy with respect to their personal data is acknowledged by the law.
  • Personal data is defined as data relating to an individual whose identity is determined, or able to be reasonably determined, either through the data or through linking this data with other data.
  • The law applies to personal data when it is processed electronically, or when it is accessed or collected or extracted otherwise in preparation for its electronic processing, or when it is processed in a traditional and electronic way together.
  • The processing of personal data will be regulated in a way which bears similarities with existing data protection regulation elsewhere in the world.
  • Particular protection will be provided to certain types of personal data, such as data relevant to children, to physical and mental health and to crimes. For example, parental consent will be required in connection with the online collection and processing of the personal data of children.
  • Businesses will need to implement suitable measures, including training to protect personal data from loss, damage, modification, disclosure or illegal access.
  • Direct marketing will require the prior consent of the intended recipient and, among other requirements, the relevant communication must include a means by which the recipient may opt-out of future communications.
  • Businesses will be exempt from complying with certain provisions of the law in a number of circumstances.
  • Complaints in relation to breach of data privacy may be made to Qatar's Ministry of Transport and Communications and the Ministry may order the business, upon investigation, to remedy the breach.
  • Any agreement that contradicts the provisions of this law will be void.

This new law emphasise an increasing trend across the GCC towards greater digital economy regulation. Indeed, this is the first time a GCC country has introduced generally applicable data privacy laws, such laws previously being confined to particular fee zones, such as the Qatar Financial Centre, the Dubai International Financial Centre and Dubai Healthcare City.

We will be providing a more detailed summary of the new law in due course and will also update our Global Data Protection Handbook.