The Qatari government has passed a law requiring a minimum level of protection for personal data within the State of Qatar. It is the first GCC member state to issue a generally applicable data protection law.
Law No. 13 of 2016 Concerning Personal Data Protection (the Data Protection Law) was issued on 3 November 2016. It will come into full effect in six months’ time (unless this period is extended).
The Data Protection Law will help build consumer trust in Qatar in the online environment and may encourage consumers to engage with innovative technologies in confidence that their data will be protected. It comes at a time when the rapid pace of technological change means that more personal data than ever before is being processed electronically, including due to the advance of big data and the internet of things.
Some of the highlights from the new law for organisations operating in the education sector should be aware of are as follows:
• The vast majority of personal data processing activities are likely to be caught: the new law will apply in most instances where personal data is handled. Article 2 provides that the requirements shall apply where personal data (being data which identifies an individual or which can be used in combination with other data to identify an individual) is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or when a combination of electronic and traditional processing is used.
• Promotion of responsible information handling practices: it introduces minimum standards and overarching principles with which organisations must comply when handling personal data, including that staff must be provided with appropriate training on the subject of privacy and that measures must be taken to protect personal data from loss, damage, unauthorised modification or unauthorised disclosure.
• Additional safeguards for children’s data: the law creates a class of personal data known as ‘special personal data’, which warrants a greater degree of protection. This category of data includes data relating to children, which may only be processed with the prior permission of the relevant unit of the Ministry of Transport and Communications (MOTC). In addition, specific obligations will apply to the owners and operators of websites which are directed at children. For example, consent of a child’s parent or guardian must be obtained before any personal data may be processed.
• Data breach notification obligations: Any company who suffers a data security breach which would cause ‘gross harm’ to the individuals concerned must notify both as the regulator, the MOTC as regulator and the affected individuals. Based on the language used, it is likely that any breach in which children’s data was compromised would trigger the data breach notification requirements in the law;
High financial penalties will be imposed for breach of certain provisions of the Data Protection Law. For example, a fine of up to QR1 million may be levied for a failure to notify the MOTC or an individual affected in the event of a data breach referred to above. A fine of up to QR5 million may be levied for a failure to secure approval from the MOTC before processing special personal data.
The level of fines is undoubtedly designed to drive compliance and to deter irresponsible personal data handling practices. It also highlights how seriously the Qatari government is taking the protection of an individual’s right to privacy.
The concepts and requirements of the Data Protection Law will be clarified in further ministerial decisions. However, early indications are that the Data Protection Law is may transform the regulatory landscape for privacy in Qatar.