Another telling move in privacy in the GCC: Oman issues a new Personal Data Protection Law

Oman has recently enacted a data protection law, Royal Decree 6/2022 promulgating the Personal Data Protection Law (“Oman PDPL”)  was issued on the 9th of February 2022 and was published in the Official Gazette 1429 on 13th February 2022.  There is a transition period as the law does not actually come into force until a year from the date of its issuance.  The Minister of Transport, Communications and Information Technology (“Minister”) must also issue the executive regulation of the Oman PDPL  and shall also issue the necessary decisions for implementing its provisions.  These subordinate regulations and decisions will be critical to fleshing out the obligations under the new law.

The Oman PDPL repeals Chapter 7 of Oman’s Electronic Transactions law, which had some references to the protection of private data in a digital context and which briefly alluded to data protection principles in passing. In doing so, the Oman PDPL introduces much more robust privacy provisions, and introduces core privacy law principles as it looks to align Oman’s data protection landscape with global “best practice” in data protection.  For those familiar with such core data protection principles enshrined in laws such as the European Union’s General Data Protection Directive (“GDPR”), much of the concepts introduced by the Oman PDPL  will be familiar, with GDPR terminology, and core principles included. The Oman PDPL  introduces provisions regarding personal data breach, data protection officers, data transfer requirements,  data subject rights, amongst other familiar provisions.

The Minister will be acting as the key data protection regulatory authority for operationalising the law, and implementing it in practice. The Minister’s role will complement, but not conflict with that of the Cyber Defence Centre, which deals with cybersecurity matters, separate from data protection privacy matters.

Key provisions:

1. Consent of the Data Subject: Consent is the primary  lawful basis or legal basis for processing under the Oman PDPL.  Article 10 of the Oman PDPL poses an outright ban on processing personal data unless the Controller has obtained the data subject’s consent, and is able to provide proof of such consent. Unlike other data protection laws, there are no alternative legal basis for processing than consent (e.g. there is no concept of legitimate interest). However, there are certain “exceptions” to the scope of application of the Oman PDPL, as discussed below.  If the processing falls within one or more of these exceptions, then consent is not required (and consequently,  unlike the data protection laws that provide for  alternative to consent as a lawful basis for processing, the remainder of the Oman PDPL does not apply to the exceptions).
2. Application & Scope: The Oman PDPL applies to the processing of Personal Data. However, its application and scope excludes any processing of personal data where: it is in the interest of national security or public interest; where it is required to implement apparatus of the state and public legal persons; where processing is required to implement a legal obligation imposed on the controller, where processing is necessary to protect the economic and financial interests of the state, where processing is necessary to protect the vital interest of the data subject, where processing is necessary for the execution of an existing contact to which the data subject is a party (but not its conclusion), where it is necessary to prevent a crime, and where it is necessary for the purposes of historical, statistical, scientific, literary, or economic research by entities authorised to carry out such works.
3. Principles of Data Protection: It is not permitted to process personal data except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject. However, the Oman PDPL falls short of incorporating commonly established data protection principles such as data minimisation or purpose limitation.
4. Sensitive Personal Information: A key derogation from core international data protection principles is that there is no definition of “Sensitive Personal Data” or “Special Categories of Personal Data” (as found in other laws), and further there are no “conditions” or specific safeguards for processing such data. Instead, the Oman PDPL poses an outright, complete ban on processing personal data relating to genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or those relating to security measures, except and unless after obtaining a permit for such processing from the Ministry.
5. Children: The Oman PDPL prohibits processing the personal data of a child except with the approval of his or her guardian, unless such processing is in the best interest of the child.  This provision is in line with international data protection best practice and reflects the special protection granted to children as vulnerable data subjects. The interests of the child are clearly placed above the custodian duty and role of the parent.
6. Registrar of Compliance: the Minister will be preparing a register in which controllers and processors who meet the prescribed conditions are recorded. More details of this register will be provided in the executive regulations.
7. Data Subject Rights: Data subjects are granted specific data subject rights under the Oman PDPL. Such rights include: the right to revoke consent (without prejudice to any processing which took place prior to such withdrawal), the right to rectify, update, erase or “block” personal data, the right to obtain a copy of his personal data, the right to be notified of breach,  the right to complain to the Minister and the right to data portability. The executive regulations are expected to shed further light and detail on the controls and procedures for the exercise of these rights.
8. Obligations of the Controller and the Processor: both Controllers and Processors have certain core duties under the Oman PDPL, which include assessing the impact and risk that the data subjects will be exposed to as a result of the processing, implementing appropriate procedures and controls for data transfers, and ensuring that appropriate technical and procedural measures are in place to allow adherence to the Oman PDPL.
9. Transparency requirement: Prior to commencing processing, the controller must provide the data subject with certain information, such as the main details of the controller and processor, the contact details of the DPO, the purpose of processing personal data and the source from which it was collected, the rights of data subjects, the recipients of the personal data and a description of the processing and the procedures in place. The most effective way to meet this requirement is to have a compliant privacy policy or notice, and to subsequently obtain the data subject’s consent through a click and accept procedure.
10. Breach notification: The controller shall, in the event of a personal data breach that leads to its destruction, alteration, disclosure, access, or processing in an illegal manner, notify the Minister and the data subject of the breach, in accordance with the controls and procedures determined by the executive regulations.
11. DPO: The controller shall identify a personal data protection officer, and the executive regulations shall determine the controls for selecting this officer and his duties.

How can we help:

Our specialist Digital & Data team has expertise in dealing with data protection issues in the region and works alongside our Oman office. If you have any questions about the Oman PDPL please do not hesitate to contact us.