The State of Qatar has issued a new law concerning the privacy and protection of personal data, law no. 13 of 2016 (the Law). While it is not yet in force, it is anticipated that it will be published in the official gazette soon and will come into effect six months later.
The Law extends to personal data processed electronically or obtained for electronic processing, or processed through a combination of traditional and electronic processing methods. It does not extend to private processing of personal data or data collected for establishing official statistics.
The Law grants certain rights to individuals including the right to give or withdraw consent for any processing of their personal data. An individual also has the right to review their personal data being stored, and to request any modifications to inaccurate information.
The Law places a heavy burden on the data controllers and processors to ensure that the personal data is handled with care and is protected from any loss or unauthorised disclosure. It directs the controllers, inter alia, to (i) review the data privacy procedures; (ii) train and raise awareness among processors; (iii) ensure effective management of personal data; (iv) use proper technology; and (v) maintain compliance.
Added protection is afforded to personal data of a private nature. Such information can only be processed after obtaining permission of the relevant department of the Ministry of Transport and Communications (MTC). The owners and operators of websites for children are also obliged to make adequate disclosures on their websites and obtain permission from parents before their child's information can be processed.
Direct marketing through electronic communication to individuals without obtaining their advance consent is prohibited.
Notwithstanding the above, exemptions are given under the Law which allow the competent authority or the controllers to process personal data without compliance with certain provisions. Some of the exemptions are: (a) the protection of national or public security or international relations or economic or financial interests of the State; (b) the prevention or investigation of a crime; (c) execution of a task related to public interest; (d) purposes of scientific research for public interest; and (e) upon an official request from the investigation authorities or a court of competent jurisdiction.
The Law prescribes high financial penalties for non-compliance or legislative breaches. The penalties will range from QAR 1 million ($274,634) to QAR 5 million. However, it is notable that imprisonment is not a prescribed sanction under this law.
Impact on the Qatari financial sector
The Law may cause some practical difficulties for the banks, either due to lack of clarity or to its subjective nature. Two examples illustrate this. First, the Qatar Central Bank (QCB) has instructed the banks to retain customers' information for at least 15 years. However, the Law allows individuals to demand the deletion of their personal information once the purpose has been fulfilled. This inconsistency may result in non-compliance by the bank with the QCB instructions. The second example relates to the Know Your Client process undertaken by the banks. During this process, certain personal data of a private nature may be gathered. However, according to the Law, this information may only be processed after obtaining permission of the MTC. It is not clear whether the banks would need a blanket approval from the MTC or whether permission would have to be sought for each case. This may be a cumbersome process for the banks.
Moreover, banks are allowed to outsource certain non-core functions to service providers, provided that adequate controls and guidelines for risk mitigation are in place. This outsourcing can help with cost reduction, improvement of services, or saving time for the bank's main services. However, it seems that the Law places an additional obligation on the banks to ensure that the data obtained meets the lawful purposes and is processed in accordance with the law.
Banks may also have to revisit their marketing and promotional activities. Activities such as email updates or SMS marketing may not be possible under the Law. The practical risks remain unclear at present, as the relevant section in the Law is broadly worded and remains open to interpretation.
Recommendations for banks
Before the Law comes into effect, banks should consider taking some precautionary steps:
- raising awareness internally and among their service providers;
- reviewing internal documents to ensure compliance with the Law;
- conducting internal training to ensure the relevant departments are able to address customers' questions or concerns regarding their rights under the Law;
- conducting training for data processors and revisiting internal risk assessments and mitigation plans; and
- revisiting banks' and the service providers' security measures to protect customer data.