Our knowledge, experience, and expertise are now available on the go.
My Tamimi App, a convenient new tool for anyone with an interest in the legal sector, from law students to General Counsel.Find out more
Roberto Lusardi - Senior Associate - Digital & Data
Qatar recently introduced legislation in respect of privacy and data protection (Law No. 13 of 2016, the “Data Protection Law”), which is based on, and tries to capture certain aspects of, European-style data protection and privacy. Due to the absence of the relevant regulations relating to the Data Protection Law, it is difficult to properly understand how the law and its procedures will be applied in practice. On the other hand, the new General Data Protection Regulation (“GDPR”) is due to come into force across the European Union (“EU”) on 25 May 2018. Consequently, in addition to understanding and complying with the provisions of the Data Protection Law, certain Qatari entities may also be subject to, or may need to comply with, the GDPR due to its intended extra-territorial reach.
The previous data protection regulation for the EU (the Data Protection Directive) was also intended to have a broad scope. Its provisions, however, covered only data processing activities carried out within the EU unless there was deemed to be an “inextricable link” between such activities carried out by an entity outside the EU and an entity located within the EU. This prevented EU organisations and competition authorities from regulating data processing activities in respect of EU individuals where such processing activities were performed by data controllers outside of the EU.
The need for extended territorial scope is due to (i) increase in global access to, and use of, the internet, (ii) online/electronic commerce, (iii) establishment of global corporate networks and (iv) growth of cloud services.
Due to the above, territorial borders have become blurred and caused concerns relating to protection of privacy when processing personal data in connection with online services (specifically cross-border ones). The GDPR thus extends its territorial scope to data controllers and processors outside the EU in certain instances. There are exemptions available in circumstances where (i) personal data from EU individuals is only occasionally processed, (ii) processing is not on a large scale and (iii) the nature and purpose of the processing is unlikely to result in a risk to the privacy rights of the relevant individuals.
As a consequence, certain non-EU organisations now fall within the scope of the GDPR in relation to either: i) targeting, or ii) monitoring, individuals in Europe and would be determined on a case-by-case basis.
GDPR application by way of Targeting
For GDPR to be applicable by way of targeting, it is envisaged that there needs to be an active direction of activities towards individuals within the EU rather than mere availability of a website or online advertising to EU individuals. The targeting of individuals in EU would need to include additional factors such as:
Interestingly, the GDPR will apply whether the offered goods or services are paid for or free.
GDPR application by way of Monitoring:
In order for the GDPR to be applicable by way of monitoring, the behaviour and/or movement of individuals within the EU needs to be monitored. Again, this is determined on a case-by-case basis but can be undertaken or deemed to occur by (i) gathering location data, (ii) allowing EU individuals to join/use a social network and (iii) tracking online activities of EU individuals to create profiles (for purposes of analysing or predicting personal preferences, behaviours and attitudes).
GDPR indirect application to Foreign Entities:
The GDPR provisions would also apply indirectly to a foreign entity that has an agreement with an EU entity (eg. for agency or marketing services) involving data processing activities. In such an event, the agreement between such entities would need to provide for compliance with the GDPR and the foreign entity would be required, as data processor, to comply with all applicable GDPR measures.
A foreign entity which falls within the scope of the GDPR, acting as data processor or controller (as applicable), would be required to comply with some or all of the following obligations:
Sanction for Non-Compliance
Breach of the GDPR can result in the imposition of different categorised fines, with the maximum level of fine being an amount equal to Euro 20,000,000 or 4% of the defaulting organisation’s total, global annual turnover (whichever is the highest).
Commentary vis-à-vis Qatar and Enforcement
With the extended scope of GDPR, non-EU entities dealing with EU data may be concerned as they may have to take into consideration, and comply with, extensive EU data protection requirements.
The GDPR may also extend to Qatar-based entities (without any EU presence or establishment) actively targeting and/or conducting EU business, based on (substantial) targeting and monitoring provisions referred to above. However, this is yet to be tested. Generally, not every web-based Qatari business that is accessible from within the EU would fall under the GDPR.
It is unlikely that any EU-based organisation or competition authority would look to implement and enforce the GDPR provisions against such Qatari entities because enforcement of any applicable sanction/fine would need to be undertaken via the application of international law and any existing or potential cooperation agreement or treaty and would ultimately require the assistance of local Qatari authorities.
Notwithstanding the above, it is advisable for any Qatari entities that are conducting business and/or monitoring individuals within the EU as part of their global services that are unsure as to whether or not they need to comply with the GDPR (or that simply wish to pursue “best practice”) to do the following:
Entities should also note that under the GDPR a much wider definition is given to personal data and includes online identifiers such as IP addresses and cookie identifiers vis-à-vis the Data Protection Law.
In respect of Qatari entities that have operations or establishments in the EU (through any legal form including a branch, a subsidiary, or a joint venture), the data processing activities of such establishment will be subject to the GDPR irrespective of whether the processing takes place in the EU or not. In order to ensure that they will be compliant with the new GDPR provisions, such Qatari entities should immediately undertake appropriate measures and implement plans to meet the eventual compliance requirements, including, without limitation:
Disclaimer: This chat service should not be relied upon as a substitute for professional advice which takes account of your specific circumstances and any changes in the law and practice. No warranty is made as to the accuracy or completeness of the information provided via this service and no liability is accepted by Al Tamimi & Company Limited, its affiliates, partners or employees for any loss arising as a result of reliance upon the information provided.
Kindly accept the disclaimer to proceed to a live chat.
Thank you for your inquiry. We will connect you to one of our agents now.
Thank you for your interest in working with Al Tamimi & Company. Please click here to view our latest job openings.