Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
Welcome to the latest edition of Law Update titled “Rise of Generative AI.”
In this edition, we dive into the dynamic world of Technology, Media, and Telecommunications (TMT) across the Middle East and North Africa (MENA) region. TMT continues to play a vital role in positioning the region as an international business and social hub, driving significant growth and innovation.
Our focus in this Law Update is on the sector’s ongoing potential to advance and propel the region toward a more digital economy. We explore the benefits of embracing a digital transformation and how local authorities have responded by enhancing regulations to accommodate the evolving TMT landscape.
This edition covers a range of topics, including – the new Telecommunications & Information Technology Law in Saudi Arabia, the intricacies of trademarks in the Metaverse, and the legal challenges faced by the video game industry. Additionally, we take a regional perspective, discussing jurisdictions such as Kuwait, Saudi Arabia, UAE, Oman, and Bahrain to provide a comprehensive understanding of the TMT landscape.
We hope you thoroughly enjoy this packed issue of Law Update, filled with captivating articles that address key legal issues within a vital sector for the region.Read the full edition
Bahrain’s new Law on the Protection of Personal Data was published on 19 July 2018, and will come into effect on 1 August 2019.
The Law will require a variety of changes to the way businesses process personal data in Bahrain or about residents of Bahrain. Historically, data protection has not been a high priority topic for most businesses in Bahrain, with the limited exception of international entities subject to data protection requirements in other jurisdictions in which they operate. While the publication of the new Law provides a considerable lead-in period within which entities subject to the Law will need to comply, the fact that the Law creates criminal offences means that compliance is all the more important and should be treated as a high priority.
Bahrain’s Data Protection Law describes the legal protection of personal privacy as among the main constitutional rights of the person, and notes that it should be protected, particularly in the context of the increasing use of electronic/digital means for processing information. The Law applies to:
The Law criminalises a variety of acts that would, at most, be the subject of administrative penalties in data protection laws elsewhere. Penalties generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000 (between about USD 2,600 to about USD 53,000) (or a fine only in the case of corporate entities). The following are examples of activities that attract criminal penalties under the Law:
Generally, the security of processing provisions, and the confidentiality provisions, appear to be fairly standard. Data controllers are required to apply technical and organizational measures capable of protecting personal data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing. The measures adopted need to be appropriate, bearing in mind the nature of the data in question and the risks associated with processing it.
Data controllers are required to engage only data processors who provide sufficient guarantees regarding the application of technical and organisational measures. Importantly, there is an obligation on data controllers to take steps to verify compliance with such measures, and to enter into a written contract with the data processor requiring that the data processor shall only process data in accordance with the instructions of the data controller, and in accordance with the data controller’s requirements with regard to security and confidentiality.
There does not appear to be any specific obligation to notify the Authority in the event of a data breach incident. It is possible that this level of detail might be addressed in the regulations, or that the Authority is expected to address breaches only in the event that they become aware of them, and when the circumstances indicate a breach of the obligation to use suitable technical and organizational security measures.
Data Protection Supervisor
The Law contemplates a role of ‘Data Protection Supervisor’ (not a data protection officer type role) intended to act as an independent and impartial intermediary between the data controller and the Authority. The data protection supervisor will help the data controller fulfil its rights and obligations, and coordinate between the data controller and the Authority. It will also be required to verify the data controller’s processing in compliance with the law, alert the data controller to any apparent non-compliance to enable the issue to be addressed, and alert the Authority where such non-compliance has not been addressed within a specified timeframe.
The concept of a data protection supervisor has the potential to result in a whole new industry in the Bahrain market. The regulations setting out the requirements for the registration of data protection supervisors may shed greater light on what is anticipated, in terms of who might be able to fulfil such roles. The most natural development may be for the role to be filled by consulting/audit firms with expertise in data protection related issues.
Al Tamimi & Company regularly advises on data protection issues across the Middle East. For further information about the new Data Protection Law in Bahrain, or assistance in ensuring compliance, please do not hesitate to contact us.
Nick O’Connell, Partner, TMT
Foutoun Hajjar, Partner, Head of Office – Bahrain
Camelia Quinnell, Senior Data Protection Adviser, TMT
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.