Data Protection and Privacy Laws in the Middle East

by Latham & Watkins LLP

Justin Cornish is counsel in the Latham & Watkins Outsourcing and Technology Transactions Practice. He is a frequent speaker on the topic of data protection and privacy laws. With IT spending in the Middle East projected to rise, Cornish provides a comprehensive overview of the complex legal framework governing the processing, storage and transfer of data in the Middle East.

With IT infrastructure spending expected to rise in the Middle East, how would you characterize the legal framework governing the processing, storage and transfer of data in the Middle East?

At a symposium held in Dubai in March 2013, Gartner forecast that IT infrastructure spending in the Middle East would increase by 4 percent in 2013 to total US$3.9 billion. Of this spending, a significant proportion is forecast to be on servers and storage, which is underpinned by the construction of Tier 3 and Tier 4 data centers. With this ongoing investment will come an increasing need for organizations in the Middle East to be aware of, and compliant with, the legal framework for the processing, storage and transfer of data. This is true whether data is hosted internally on an organization’s own servers or externally using a third-party data center, which also includes the “cloud.”

There are no pan-GCC or pan-Arabic laws governing data protection and privacy. Nor are there any specific national laws or regulators governing data protection and privacy in Qatar, Saudi Arabia and the UAE of the type found in jurisdictions in the European Union. Notwithstanding that, it would be wrong to say that data protection and privacy remain unregulated in Qatar, Saudi Arabia and the UAE. The constitutions of these countries, together with certain statutes, recognize an individual right to privacy in specific circumstances. In addition, the Dubai Healthcare City and Dubai International Financial Centre (DIFC) free zones in the UAE and the Qatar Financial Centre (QFC) in Qatar have enacted data protection laws that regulate the processing, storage and transfer of personal data by organizations operating within their specific jurisdiction.

What are the characteristics of the data protection legislation in the QFC and in the Dubai Healthcare City and DIFC?

Qatar Financial Centre (QFC)

The QFC is regulated by the Data Protection Regulations (Regulation 6 of 2005) and by the accompanying Data Protection Rules. The QFC Regulations and Rules are based on European best practices and will be familiar to companies with experience of compliance with the European Data Protection Directive. They are applicable only to activities within the QFC or transfers from the QFC. They address the collection, use, disclosure and transfer of personal data and establish the QFC Authority as the regulator responsible for administering the relevant laws and regulations and for dealing with complaints under the regulations. The Regulations do not grant the QFC Authority express authority to impose fines for non-compliance. At the time of writing the QFC Authority had not issued a prescribed list of fines nor imposed any fines. The QFC Authority adopts a policy whereby it assists firms to prevent non-compliance with the Regulations. The QFC Regulations and Rules are also the same as or similar to the European Data Protection Directive when it comes to obligations on data controllers and processors and rules regarding when processing is legitimate.

Dubai Healthcare City and Dubai International Financial Centre (DIFC)

Separate data protection regimes operate for the Dubai Healthcare City and the DIFC. Dubai Healthcare City is regulated by Dubai Healthcare City Regulation No. 7 of 2008, and data protection in the DIFC is regulated by DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012) and by the Data Protection Regulations (Consolidated Version No.2 in force on 23/12/2012). As per the QFC data protection regime, both sets of laws and regulations are based on international best practices and will be familiar to organizations with experience of compliance with the European Data Protection Directive. They address the collection, use, disclosure and transfer of personal data and establish a regulator that is responsible for administering the relevant laws and regulations for dealing with complaints under the regulations and, in the case of the DIFC, enforcing compliance and imposing sanctions where a data controller is non-compliant.

In addition to the Dubai free zones and the QFC, are Qatar, Saudi Arabia or the United Arab Emirates considering introducing national data protection laws or establishing regulatory bodies that would govern data protection?

It is important to note that at this stage, each of these countries takes its own approach to data protection from a national perspective.

Qatar

Article 37 of the Qatari Constitution states that “the sanctity of human privacy shall be inviolable, and therefore interference into privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed”. The Penal Code also prohibits the disclosure of information and images relating to an individual’s private life and prohibits interception of private correspondence without consent. Organizations operating in Qatar should also be aware of sector-specific laws, including:

  • Labour Law, which imposes record-keeping obligations on employers
  • Banking Law, which requires QCB-regulated financial institutions to protect confidential information relating to their clients
  • E-Commerce and Transactions Law, which puts controls around e-commerce service providers’ collection, use, retention and disclosure of customer information
  • Telecommunications Law, which requires telecommunication service providers to protect customer information and also puts controls around the collection, use, retention and disclosure of such information

Qatar's Supreme Council of Information and Communication Technology (ICT) released a draft Personal Information Privacy Protection Law in mid-2011 for public consultation. Although this would establish a data protection regime in Qatar if passed, it is not known if (or if so, when) it may come into force.

Kingdom of Saudi Arabia (KSA)

The paramount body of law in KSA is the Shari'ah, a collection of fundamental principles derived from a number of different sources, which include the Holy Qu’ran and the Sunnah. Shari'ah principles protect each individual’s right to privacy and prohibit any invasions thereon. Under Shari'ah principles, disclosure of secrets is prohibited except, inter alia, where the owner of the relevant secret agrees to such disclosure or if the public interest requires so. While the Holy Qu’ran and the Sunnah do not stipulate a penalty for disclosure of secrets, such disclosure may be punishable by a penalty that a judge, in his discretion, deems appropriate and equitable. Such penalty may include a fine, imprisonment or deprivation of certain rights such as suspension of a practicing license. The principle that correspondence and communications should be kept confidential is further enshrined in the KSA Basic Law of Governance. Over and above Shari'ah principles, Saudi Arabia has enacted a number of sector-specific laws that impact personal data. These include:

  • Anti-Cyber Crime Law, which punishes any person (by fine or imprisonment) who illegally accesses the computer of another for the purpose of deleting, destroying, altering or redistributing its information, accesses the bank or credit information of another or interrupts data that is transmitted through a computer or an information network
  • Healthcare Practice Code, which requires that a health practitioner safeguard the secrets of patients that he comes across while carrying out his profession except inter alia where written approval of the relevant patient is obtained
  • Telecommunications Law, which restricts the disclosure of information that is intercepted during its transmission and restricts providers of telecom and internet services from disclosing information regarding their subscribers to third parties or from allowing individuals to monitor the communications of their subscribers
  • Electronic Transactions Law, which regulates exchanges of electronic communication, electronic contracting or other procedures performed or executed wholly or partially by electronic means
  • KSA Monetary Agency Regulations for Consumer Credit (Credit Regulations), which govern the exchange of information between creditors and borrowers:
    • Personal data obtained from consumers, guarantors or any other person in connection with the conclusion and management of agreements must be kept confidential (Article 3.1, Credit Regulations).
    • Personal data can only be processed for the purpose of assessing the financial situation of the borrowers or guarantors and their ability to repay the agreed credit (Articles 3.1 and 3.2, Credit Regulations).
    • Saudi Credit Bureau operates a central database for the purpose of registration and maintenance of credit information on consumers and guarantors. Banks are encouraged to consult the database before any commitment to the consumer or guarantor (Article 3.2, Credit Regulations).

United Arab Emirates

Article 31 of the UAE Constitution states that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”. In addition, the Penal Code establishes criminal offences in relation to the disclosure or use of “secrets”, i.e. personal data, or the interception or disclosure of correspondence or telephone conversations.

Organizations operating within the UAE should also be aware of Federal Laws No.3 and No.5 of 2012, which respectively establish the National Electronic Security Authority (NESA) and combat cybercrimes. NESA has been charged with putting together policies and standards to ensure electronic security as well as suggesting further legislation in support of its goals and such legislation, policies and standards are likely to impact the processing and storage of personal data in the UAE. The cybercrimes law criminalizes a number of activities relating to the unauthorized access, amendment, interception, damage or use of certain types of data.

Specific sectoral laws that organizations should note include:

  • Labor Law, which imposes record-keeping obligations on employers with five or more employees. The Civil Code (Federal Law 5 of 1985 as amended), includes provisions relating to record-keeping by employers.
  • Emcredit Decree (issued in recent months), which regulates the provision of credit data by banks, financial institutions and government departments in Dubai to Emcredit, the official entity responsible for providing credit reporting services in Dubai.
  • Electronic Transactions and Commerce Law, which seeks to facilitate electronic transactions and correspondence through reliable electronic records and establish unified rules, regulations and standards for authentication and safety of electronic correspondence.
  • Medical Liability Law, which limits disclosure of patient data by physicians.
  • Telecommunications Law, which creates criminal offenses in relation to the interception or disclosure of communications over a telecommunication network. The UAE’s Telecommunications Regulatory Authority has issued the Privacy of Consumer Information Policy.

Have recent efforts in Europe to adopt what some describe as the world’s strongest data protection law had any influence/impact in the Middle East?

While there have been calls and some movement in all three jurisdictions in respect of the establishment of a nation-wide data protection regime, it does not appear that any such regime will be enacted in the near future. Were a European Union-style approach to data protection to be implemented, it would present a significant compliance challenge to organizations operating in Qatar, Saudi Arabia and the UAE. That said, the absence of a single unified data protection regime within or across all three countries creates its own compliance challenge due to the need for organizations to be aware of, and compliant with, each item of relevant legislation.

For companies processing data in the region, what types of notification requirements should they be aware of?

Notification obligations apply primarily in the QFC and the DIFC and again these are based on the requirements under the European Data Protection Directive whereby if an entity is a data controller it is required to notify the regulator.

Are there any regulations that prevent the import or export of data (customer data, employee files, financial records or other information) from the region?

Qatar Financial Centre (QFC)

Personal data can only be transferred to a recipient located in a jurisdiction outside the QFC if an adequate level of protection for that personal data is ensured by laws and regulations that apply to the recipient. Article 9(2) of the Data Protection Regulations and Article 3.1 of the QFC Regulations and Rules provide that data controllers must assess the adequacy of the level of protection in other jurisdictions considering all the circumstances relating to the transfer, and set out guidelines that data controllers must comply with when making these assessments. Transfers of personal data to a recipient that does not meet these requirements can only be made in certain circumstances (Article 10(1), Data Protection Regulations), for example, if the QFCA has granted a permit for the transfer(s) and the data controller applies adequate safeguards with respect to the protection of the personal data. There are no industry accepted standard form data transfer agreements approved by the QFCA, although at this stage in the law’s development organizations should consider adopting a form of data transfer agreement that is the same as or similar to the model clauses used in Europe.

Dubai International Financial Centre (DIFC)

DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012) and the Data Protection Regulations (Consolidated Version No.2 in force on December 23, 2012) include the rules for transferring personal data outside the DIFC. Personal data that originates within the DIFC may only be transferred to jurisdictions outside the DIFC that are considered to have an “adequate level of protection.” Jurisdictions that are considered to have an “adequate level of protection” include all of the member States of the EU. It is noteworthy that neither the United Arab Emirates nor the United States is considered to be a jurisdiction with an “adequate level of protection.” There are certain exceptions to the requirement for an adequate level of protection under Article 12. These include:

  • Written consent from the data subject
  • Obtaining a permit from the Commissioner (as long as the data controller applies adequate safeguards to the protection of the personal data)

Data transfer agreements are not contemplated by the Data Protection Law and no standard form data transfer agreement has been approved by the Commissioner, although at this stage in the law’s development organizations should consider adopting a form of data transfer agreement that is the same as or similar to the model clauses used in Europe.

Kingdom of Saudi Arabia (KSA)

No specific laws apply to the transfer of personal data outside of the Kingdom of Saudi Arabia, although some sector-specific rules are relevant, e.g. those of the Saudi Arabian Monetary Agency (SAMA), which strictly prohibit data processing of any banking information that was initiated in Saudi Arabia. There are no industry accepted standard form data transfer agreements, although at this stage in the law’s development, organizations should consider adopting a form of data transfer agreement that is the same as or similar to the model clauses used in Europe.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
