Oman has become the latest country in the Middle East to issue national privacy legislation with the publication of a new Personal Data Protection Law. In this article, we outline the scope and key requirements of this new law and consider what it will mean for organisations operating in Oman.
What is the new law?
Royal Decree 6/2022 promulgating the Personal Data Protection Law (PDPL) was issued on 9 February 2022. It will be supplemented in due course by an executive regulation that will be issued by the Minister of Transport, Communications and Information Technology.
The PDPL will repeal and replace Chapter Seven of the Electronic Transactions Law that had imposed some limited obligations relating to the protection of private data in the field of electronic transactions. The new law comprises a more comprehensive set of rules that will be applicable across all sectors unless they fall within the excluded cases.
Who and what is within the scope of the PDPL?
The PDPL applies to the processing of personal data, which is defined as “data that identifies a natural person or makes him identifiable, directly or indirectly, by reference to one or more identifiers”. This includes a person’s name, civil number, electronic identifiers or factors specific to a person’s genetic, physical, mental, psychological, social, cultural or economic identity.
There is a significant list of excluded cases where the provisions of the PDPL are stated not to apply as follows:
- Protection of national security or public interest.
- Exercise by the units of the administrative apparatus of the state and other public legal persons of the competences assigned to them by law.
- Implementation of a legal obligation imposed on the controller by virtue of any law, judgment, or decision by the court.
- Protection of the economic and financial interests of the state.
- Protection of a vital interest of the individual to whom personal data relates (data subject).
- Detection or prevention of a crime on the basis of a formal written request by the investigation entities.
- Execution of a contract to which the data subject is a party.
- If the processing is within the personal or family sphere.
- For the purposes of historical, statistical, scientific, literary, or economic research, by entities authorised to carry out such works, provided that no indication or reference relating to the data subject is used in the published research and statistics, to guarantee that the personal data is not attributed to an identified or identifiable natural person.
- If the data is available to the public in a manner that is not contrary to the provisions of the PDPL.
What are the main features of the PDPL?
The law obliges organisations to process personal data “within the framework of transparency, honesty, and respect for human dignity” and grants certain rights to individuals, including the right to revoke consent to processing of their personal data, the right to request that their personal data be amended or erased, the right to obtain a copy of their personal data and the right to have their personal data transferred to another party.
Organisations that determine how and why personal data is processed (controllers) must implement appropriate controls and procedures to protect personal data, maintain certain records and cooperate with the Ministry of Transport, Communications and Information Technology (MTCIT) in connection with the PDPL. They are also required to notify data subjects in writing of certain information before processing their personal data and to obtain written consent before sending any advertising or marketing material to individuals.
Controllers and any third parties that they appoint to process personal data (processors) may be required by the MTCIT to appoint an external auditor to verify their compliance with the law. They must notify the MTCIT and the data subjects of any incident that leads to the destruction or alteration of, or unlawful access to, personal data.
More details on the obligations of controllers and processors – and the role and function of any external data protection auditor – are expected to be contained in the executive regulation under the PDPL that will be issued in due course.
Controllers will also need to identify a personal data protection officer and there will be controls on transfers of personal data outside Oman. Again, the extent of these requirements and restrictions will be subject to further clarification in the executive regulation. Transfers of personal data that would harm the data subject are prohibited.
Are there enhanced restrictions for sensitive personal data?
There is a general prohibition on processing certain types of data without obtaining a permit from the MTCIT. These restricted data types broadly correspond to the sensitive or special categories of personal data defined in other international laws, namely genetic and biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, and data relating to security measures.
It is also prohibited to process the personal data of a child without the approval of a guardian, unless such processing is in the child’s best interests.
How does the Oman PDPL differ from other international laws?
While most international data protection laws allow for a range of circumstances where personal data may be processed without the data subject’s consent, the PDPL appears to adopt a different approach of requiring the explicit and documented consent of data subjects to any processing of their personal data. The requirement to seek a permit for processing of sensitive personal data types (see above) is not found in European laws but has been seen in other legislation in the Middle East – for example, under the data protection law in Egypt.
However, if a data processing activity falls within one of the excluded cases (see above) then the PDPL does not apply. The drafting of the legislation suggests that such processing then falls completely outside the scope of the law. It remains to be seen how this will be interpreted by the regulator and controllers/processors in practice or if the executive regulation will provide further details on how personal data can be processed without a data subject’s consent (for example, where the consent is impossible or impractical to obtain).
In common with recently introduced legislation in Saudi Arabia and the United Arab Emirates, there is no express acknowledgment of a controller’s “legitimate interests” as a basis for the processing of personal data. This is often relied upon as the legal justification for processing by companies under legislation such as the EU General Data Protection Regulation (GDPR).
What are the penalties for non-compliance?
The MTCIT may issue warnings to controllers or processors that violate the PDPL, order rectification or erasure of personal data, suspend the processing or transfer of personal data in violation of the PDPL and/or seize the equipment used in committing a violation. Data subjects have the right to submit complaints to the MTCIT if they believe that their personal data is not being processed in accordance with the law.
Criminal penalties for disclosure of secrets or other privacy-related offences under the Oman Penal Law and other legislation will continue to apply. In addition, the PDPL establishes a scale of fines for different offences rising to OMR 500,000 (US$ 1,300,000) for the unlawful transfer of personal data outside Oman.
What happens next?
The PDPL is stated to take effect one year after the date of issuance, which means that it will be effective from 9 February 2023. The executive regulations supplementing the Law are expected to be published within this period.
It is possible that further details and guidance will be published by the MTCIT during the period prior to the PDPL taking effect on matters such as the mechanisms and procedures for obtaining regulatory consent or notifying breaches.
All businesses operating in Oman should immediately begin assessing their activities and making changes to corporate policies and procedures to align with the PDPL. Controllers will have to train staff on the core principles and obligations under the PDPL and will need time to ensure that a culture of data protection is suitably embedded into the organisation. We have previously issued tips for enterprises on how to create an effective privacy framework and worked with many companies to help them implement the required processes and policies for compliance.