Countdown to Data Privacy in Qatar

At the end of 2016 Qatar became the first GCC state to issue a general Data Protection Law aimed at regulating the use of the personal data of individuals.

This law (13 of 2016 on Personal Data Protection), under discussion since 2011, is likely to herald similar changes in neighbouring countries in coming years.  Until now, Data protection and information privacy is largely dealt with as part of a range of general laws including criminal and cyber security laws, laws covering specific industries such as telecommunications and banking, broad constitutional obligations, and detailed requirements limited only to free zones in the countries of the GCC.   

The Qatari law adopts terminology generally recognisable to those already dealing with data protection requirements of European and US law.  Where this new law differs is in limiting its applicability to information being processed electronically collected with the purpose of electronicprocessing, or processed in manner that mixes the electronic processing and the traditional processing.   In practice, this is likely to cover almost all forms of data processing likely to be carried out, but does, in theory, allow for a situation where data is only dealt with manually that could fall outside the scope of the law.

While the law contains no real surprises for international organisations used to complying with the data protection regimes of Europe, or to a lesser extent, the USA, it will likely see challenges in implementation by local business units used to being able to be a little more relaxed in their handling of data.  Local businesses which have never been required, or seen the need, to comply with stricter privacy regimes will have the most work to do to bring their compliance and the understanding of their teams up to the standard required by the new law.  This will particularly be the case for those heavily engaged online and in direct marketing.

With the law being gazetted at the very end of 2016, the 6-month countdown to implementation has begun and businesses active in dealing with personal information in Qatar will still have the time to review their process and policies to ensure they are in compliant in order to avoid the significant fines allowed for under the Law before the 28 July 2017 deadline.