It is a year since Qatar became the first GCC country to enact a specific national law relating to data protection. The government has confirmed an extension to allow organisations additional time to comply with the new legislation, but for many businesses there remains a substantial exercise to complete in order to satisfy the new requirements.
Law No.13 of 2016 Concerning Personal Data Protection (the "DPL") was gazetted and became law in Qatar on 29 December 2016. The DPL incorporates concepts familiar from other international privacy frameworks and enshrines an individual's right to have their personal data protected.
As we noted at the time of the DPL's enactment, this new law establishes a framework for data privacy compliance in Qatar under the oversight of the Ministry of Transport and Communications ("MoTC"). Its issuance represents an important first step for the protection of data privacy rights in Qatar. However, the DPL anticipates that further instructions and ministerial decisions will be issued to set out more detailed requirements and processes that will underpin the new regime.
For example, Article 16 of the DPL refers to personal data of a 'special nature', which is defined as 'any data relating to race, children, health, physical or psychological conditions, religious beliefs, marriage relationships or crimes'. The Minister of the MoTC may by 'decisions' add further categories of personal data of a special nature as well as 'impose further precautions to protect personal data of special data'. We await any such decisions, and detail on the systems and precautions required, which are likely to impact, in particular, regulated sectors in Qatar such as healthcare, financial services and education, which have their own regulations that need to be suitably aligned. Also awaited are the requirements relating to MoTC processes for the granting of 'permissions' by the MoTC for the processing of personal data of a special nature. Under the DPL, no such processing is permitted without such permission.
Significant Changes Required
For many businesses in Qatar, the changes required to comply with the DPL will be complex and extensive. Organisations will need not only to understand what the DPL requires but also to invest in and adopt new processes and system changes to ensure effective compliance, including building privacy protection into the design of new products and services.
Compliance Deadline Extended
In recognition of the substantial level of organisational change required, as well as the need for further clarity by way of ministerial consultation and implementing regulations, an extension for the deadline for organisations to comply with the DPL has been approved by the Qatari government. Council of Ministers' Resolution No.1 of 2018 was issued on 2 January 2018 extending the period for compliance set out in Article 30 of the DPL to a revised date of 29 January 2018. We understand from discussions with the MoTC that a further extension is proposed to be granted for compliance beyond this date, although we are awaiting formal confirmation of the additional extension period by way of a further implementing Council of Ministers' Resolution. In any case, organisations are recommended to start preparing for compliance at the earliest opportunity.
Consequences of Non-compliance: Don't wait, act now!
The challenge to ensure compliance is a significant one for most businesses and there are potentially adverse consequences in terms of damage to reputation and customer mistrust in the event of non-compliance. There are also regulatory penalties for contravention of the law.
Under the DPL, failure to comply may give rise to a fine of up to QR 5 million (equivalent to approximately US$1.35 million).
In other data privacy developments, the European Union General Data Protection Regulation ("GDPR") is being implemented from 25 May 2018. This could impose further obligations on Qatari businesses that offer goods or services to individuals in the EU or that monitor the behaviour of individuals in the EU. These organisations will need to have regard to and comply with the additional data privacy requirements of GDPR. For those businesses that are affected by the GDPR, the penalties can be as high as Euro 20 million or 4% of global turnover.