As part of the series of legal updates on data privacy laws around the world, ESOMAR’s professional standards team focuses this week on recent developments in data protection legislation for the Middle East region. Over the past two years, three countries of the Middle East region have introduced an Act or Bill introducing data protection laws in their countries. Furthermore, one country (Israel) has introduced a tentative amendment to its already-existing data privacy law.
Iran
A Draft Act on Personal Data Protection and Safeguarding was introduced to the Iranian Parliament in September 2018 and is currently awaiting review. The Draft Act is intended to apply to “Iranian citizens (individuals and corporations), public or private, whether their private data is being processed inside or outside Iran, and to foreign citizens (individuals and corporations), public or private, only if their data is processed by Iranian processors and controllers”. Furthermore, it proposes the creation of a Data Protection Commission in charge of enforcing the Act. However, there remains in the Draft Act a number of unclear points, such as its territorial scope, which is not covered in any provisions. Hopefully, more clarifications on the Draft Act will be provided in the future.
Bahrain
In Bahrain, the Data Protection Law (DPL) was implemented on April 1st 2019, which applies to the private sector. The law has an extraterritorial scope, meaning that it applies to persons processing personal data using means available in Bahrain (such as appointed local representatives), and provides for a Personal Data Protection Authority, which has the power to investigate breaches of the DPL. A feature of the law worth noting is that it provides for criminal penalties for violations of certain provisions of the legislation, such as processing sensitive personal data or transferring personal data outside of Bahrain without complying with the relevant requirements as listed in the DPL, such as (among other things) the receiving countries having equivalent data protection laws or receiving a transfer authorization from the Personal Data Protection Authority.
Lebanon
Law No. 81 Relating to Electronic Transactions and Personal Data was introduced in October 2018, adding Lebanon to the ever-growing group of countries with a general data protection law. The Act took a big step in the direction of stronger personal data protection by regulating all collection, processing, or use of personal data, both through digital means and otherwise (as opposed to data protection being regulated only for certain industries and only to a certain extent). The Law provides a set of conditions that need to be met before one is able to collect, process and use personal data, as well as a list of exceptions to these conditions.
Israel
In February 2018, the Israeli government approved an amendment to its 1981 Privacy Protection Law. However, it is currently gridlocked and pending a decision by the Israeli Parliament. The amendment focuses on giving more enforcement powers to the Protection of Privacy Authority, such as the power to impose higher fines in case of a breach.
For a more exhaustive description or clarification of any of the aforementioned legislation, our Data Protection Officers will be happy to answer all of your question through its ESOMAR Plus service, an exclusive consultancy package tailored to help with your compliance needs.
