New national privacy law on the horizon for Qatar

A new national privacy and data protection law is in the works for the Gulf nation of Qatar.

According to a Nov. 7 press release, government bodies are at work recording the Arabic language version of the law in the country's Official Gazette.

This law, the first of its kind, stemmed from a 2011 Personal Information Privacy Protection Law enacted by the Supreme Council of Information and Communication Technology -- before that, officials say, privacy was a “relatively fragmented” legal issue. The country's financial industry had a sort of framework around data protection, but no national law was codified.

What does the new law do? From a description of the new Qatar privacy law provided by stakeholders, the law will enforce new rules and requirements for data handlers, described as “data controllers and processors,” in Qatar and neighboring countries. These data controllers will have the responsibility of getting consent from the individual before processing certain kinds of personal data.

The law also isolates a category of personal data for specific protections: for instance, data related to ethnic origin, family status, physical or psychological conditions and religious beliefs.

Processors will have to go to the Qatar Ministry of Information and Communications Technology to ratify any kind of processing for these types of information.

For more, Gulf News Journal spoke with Kelly Tymburski, a legal partner at Dentons in the UAE.

“The Qatar government recognized the need to take proactive measures to ensure that there is a wider, national level legal regime governing the protection of privacy and personal data,” she said. “Not only is this kind of development in line with internationally recognized best practice, but it also helps to inspire confidence in the market and promote the Qatar economy in terms of future development.”

Tymburski also described the “data controllers and processors” mentioned in the press release around the law.

“Major data controllers and processors can be found across all sectors,” she said, citing industry sectors such as financial institutions, hospitals, educational institutions, communications service providers, hotels and airlines. “Essentially, every type of business will be involved in data processing to some extent -- even if this is just in the context of hiring employees and administering these relationships on an on-going basis.”

As for likely outcomes, Tymburski said much of the application of the law will depend on the release of further details.

“There are many areas of the law that are not yet settled, and the further detail of which will be forthcoming in pending ministerial resolutions,” she said. “Much of this has to do with procedural and administrative elements of the law -- for example, the process that will be put into place for obtaining authorizations in order to process ‘special personal data’ of data subjects. Until such further detail has been clarified in pending instruments, it is difficult to predict the likely outcomes of the law or the potential obstacles it may inadvertently create.”