Welcome to the Saudi Arabia focus edition of Law Update.
One of the key markets in the Middle East and North Africa (MENA) that continues to lead from the front is the Kingdom of Saudi Arabia (KSA). As the largest country in the Middle East and the 18th largest economy in the world, the progress KSA continues to make is underpinned by its Vision 2030 that envisions developing the country as an investment powerhouse and hub that ultimately connects Asia, Europe, and Africa. Given Saudi Arabia’s significance to the regional economy, our team of experts have prepared a range of pertinent articles that provide insights into new laws, regulations, and the legal landscape in the Kingdom.
This edition will provide you with an up-to-date guide on matters such as; the framework issued by the Saudi Central Bank on IT governance, the anti-corruption landscape under Vision 2030; we also provide practical tips for dispute avoidance. This is only a snapshot; there are many more articles within the KSA focus section for you to read, which we hope you will find valuable and enjoyable.Read the edition
The topics that I have been asked to cover are privacy, data protection, spam, consumer protection and cloud computing. The common thread between these topics is the need to balance the benefits of living in the information age with the expectation of privacy. On the one hand, the information age brings with it many benefits (including greater efficiency and convenience with regard to gathering, storing and using data). On the other hand, expectations with regard to protection from arbitrary interference with privacy are generally considered a well-established social and legal norm – including in this region.
Generally speaking, the position in most of the GCC countries is that the privacy of an individual is protected under general provisions of laws not specifically focused on the issue of privacy. By way of example, the UAE Penal Code makes it an offence to publish, through any means, news, pictures or comments pertaining to the secrets of people’s private or familial lives. It also makes it an offence for anyone who is, by reason of profession, craft, circumstance or art, entrusted with a secret, to disclose the secret, or use it for his or her own benefit, or that of another, unless such disclosure or use is permitted by law or by the consent of the person to whom the secret pertains.
The key point that I wish to illustrate by these examples is that the these privacy related provisions have not been drafted with the information age in mind. To provide some context, we have recently relied on provisions such as this to advise on a corporate client’s proposed transfer of employee data to an off-shore data storage facility and another client’s proposed use of customer data for purposes other than those for which it was originally gathered. Would a company’s use of personal information (such as employee information or customer information) for fairly mundane business purposes (such as off-shore data storage or targeted marketing campaigns) fall within prohibited uses of ‘secret’ information under these penal provisions?
Other laws restrict the use of personal data in certain circumstances. By way of example, the UAE Medical Liability Law (Federal Law No. 10 of 2008) prohibits a doctor from disclosing the secrets of the patient that the doctor becomes aware of in the course of practice, either if the patient trusted him with the secret or if the doctor became aware of the secret in the course of practice.
We recently conducted a review of the situation in other GCC countries and essentially confirmed that privacy is protected in these other countries in much the same way as in the UAE. Laws designed primarily to protect privacy do not typically exist as laws in their own right. Provisions relating to protection of privacy may be found in the context of other laws, including respective penal codes and laws relating to specific matters such as regulation of conduct of medical practitioners, credit disclosure and unfair business practices.
Both the Dubai International Financial Centre and the Qatar Financial Centre have their own data protection specific laws or regulations. These legal provisions are generally consistent with data protection laws from other developed jurisdictions (specifically, the EU Data Protection Directive 95/46/EC and the UK Data Protection Act 1998). They apply to specific types of personal information that can relate to identifiable individuals, and set out obligations requiring that personal data be processed fairly, lawfully, securely and for a specified and legitimate purpose. They also contain restrictions on data transfer from within the respective Financial Centres to places outside those Financial Centres. The most significant point to note about the respective data protection provisions of these Financial Centres is that they are applicable only to activities within those Financial Centres – or transfers from those Financial Centres to places outside the Financial Centres.
In contrast, Oman and Qatar both have laws relating to e-Commerce which contain provisions relevant to data protection. Oman’s Electronic Transactions Law (Royal Decree 69/2008) and Qatar’s Electronic Commerce and Transactions Law (Law No. 16 of 2010) are both based largely on the UN Model Laws relating to e-commerce and electronic signatures – but the laws as enacted in both countries go beyond these to include specific provisions relating to data protection.
Specific data protection regimes appear to be common in respect of telecommunications service providers. By way of example, Qatar’s Telecommunications Law (No. 34 of 2006) requires telecommunications service providers to operate their telecommunications networks and related systems with due regard for the privacy rights of their customers, and requires telecommunications service providers to be responsible to protect any customer data in their custody and to refrain from collecting, using, retaining or publishing any customer information unless with the customer’s consent or as permitted by law. Additionally, service providers must ensure that all the information submitted is accurate, complete and valid for use (and correct or remove data upon the customer’s request).
Similar provisions (although with varying degree of detail) apply to telecommunications service providers licensed by the telecommunications regulatory authorities in other GCC countries. The UAE’s Telecommunications Regulatory Authority has issued the Privacy of Consumer Information Policy. Oman’s Telecommunications Regulatory Authority has issued Resolution No. 113/2009 issuing Regulations on Protection of the Confidentiality and Privacy of Beneficiary Data. Thus, telecommunications service providers should be aware that special data protection regimes may apply to their activities, even if there may be no data protection laws of general application.
Consumer protection and spam
The next topic ties in with the issue of privacy and data protection in the sense that personal contact details, such as mobile numbers and email addresses, may be disclosed by customers in the context of procuring goods and services, and then used subsequently for electronic marketing purposes. Many people find this type of marketing to be invasive of their privacy, and prefer to receive it only if they have ‘opted-in’.
In some countries in the region there are general prohibitions on this type of activity. By way of example, the consumer protection provisions of Qatar’s Electronic Commerce Law restricts the ability of e-commerce service providers (not necessarily telecommunications providers) to be involved in providing unsolicited marketing communications, and requires consumers to be able to opt-out from the receipt of such communications.
In July 2010, the UAE Telecommunications Regulatory issued a specific policy on unsolicited marketing communications. Under this policy, licensed telecommunications providers in the UAE are required to minimize spam and take all reasonable steps to ensure that spam is not being sent over their networks. If a licensee (ie. a telecommunications provider) fails to take all practical steps to prevent spam ‘with a UAE link’ (which includes spam originating both inside and outside the UAE) from being sent over the licensee’s network, then the regulator can take action against the licensee. The policy also prohibits licensees from being involved in ‘address harvesting’, and it requires them to implement ‘opt-in’ consent processes for all electronic marketing provided to customers. Additionally, by way of an annex to the policy, the UAE TRA has provided similar restrictions specifically in respect of SMS spam sent via mobile phones.
The term “cloud computing” describes a broad range of remote access computing services, generally involving situations in which users have access to applications and data storage services on demand and delivered over an external network. This basically involves the use of software and/or data storage space provided by someone else – allowing for savings on things such as licensing software or buying data storage hardware.
Some of the key privacy and data protection considerations in a cloud computing environment are:
Corporate users of cloud services may place responsibility for direct control of critical data and applications in the hands of third parties. If there is an outage or a security breach, the user could be exposed to claims from its own customers (and potential reputation damage) even though the fault was on the part of the cloud provider. Similarly, failure on the part of the cloud provider (eg. with regard to compliance in respect of data privacy) could lead to regulatory non-compliance on the part of the cloud user. Cloud users should conduct thorough due diligence of the provider they are considering and in particular focus on the privacy and security levels of the services to be offered.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data protection matters in the Middle East. For further information, please contact David Yates (email@example.com) or Nick O’Connell (firstname.lastname@example.org).