Data protection law is advancing fast in the Middle East and North Africa (MENA). Legislators have been passing laws that bear a striking similarity to the EU’s General Data Protection Regulation (GDPR).
Here’s a primer on some of the MENA region’s stand-out data protection laws.
Qatar United Arab Emirates (UAE)
In the UAE, two regions have relatively progressive data protection laws:
- Abu Dhabi Global Market (ADGM): the Data Protection Regulations 2021
- Dubai International Financial Centre (DIFC): the Data Protection Regulations 2021
These laws are substantially similar to one another, and they both draw heavily upon the EU GDPR.
Both the ADGM and DIFC laws impose substantial obligations on controllers, including only processing personal data under an appropriate legal basis, complying with principles of data processing, and facilitating data subject rights.
The laws differ in terms of the maximum fines available under each—violating the ADGM law can result in a penalty of up to 28 million USD. In contrast, the maximum fine under DIFC’s data protection law is 100,000 USD.
Qatar’s Protecting Personal Data Privacy Law (PPDP) (Law No. 13 of 2016) is also similar to the EU GDPR in some respects.
Unlike the GDPR, the default legal basis under the PPDP is consent. Controllers must always get an individual’s consent for processing their personal data unless they are:
- Executing a public interest task
- Complying with the law
- Protecting vital interests
- Undertaking scientific research
- Investigating a crime
The PPDP does not assert extraterritorial effect to businesses operating outside of Qatar.
Bahrain’s Personal Data Protection Law (PDPL) (Law No. 30 of 2018) is similar to the GDPR in many respects:
- The law contains a broad definition of “personal data”
- It defines “sensitive personal data” in a similar way to the GDPR’s “special categories of personal data”
- It contains six principles of processing personal data
The PDPL also grants “data owners” rights over their personal data. These rights are very similar to those granted under the GDPR and include the rights to:
- Not be subject to certain automated processing
Egypt’s Data Protection Law (DPL) (Resolution No. 151 of 2020) also bears many similarities to the GDPR, providing a similar set of rights, principles, and responsibilities on data controllers.
One important difference is that the DPL doesn’t apply “extraterritorially” (outside of Egypt) in the same way as the GDPR. Non-Egyptian citizens acting outside of Egypt are only liable under the DPL if the relevant violation is punishable in the country where it occurred.
The Personal Data Protection Centre (PDPC) can impose fines under Egypt’s DPL, ranging from 50,000 EGP (approximately 3,190 USD) to 1 million (approximately 319,000 USD) depending on the violation.
Jordan’s draft Data Protection Bill was submitted in 2014 but has not yet passed.
The bill will provide for an independent data protection authority. It will impose rules about data security, data transfers, and the rights of data subjects to access and delete their personal data.
Until the Data Protection Bill becomes law, privacy rights in Jordan are protected by Article 18 of the Constitution of Jordan.
Lebanon’s main data protection is the Electronic Transactions and Personal Data Law (ETPDL) (Law No. 81 of 2018).
The ETPDL covers many different areas of law—from electronic signatures to bank cards to network traffic.
In terms of data protection, the ETPDL imposes some transparency obligations on Lebanese businesses that collect personal data and grants consumers the right to access or correct their personal data.
The Moroccan Data Protection Law (DPL) (Law No. 09 of 2008) was passed in 2009.
While the law is substantially similar to the EU’s outdated Data Protection Directive (1995), it has been updated via rules and regulations that have subsequently been passed by the National Control Commission for the Protection of Personal Data (CNDP).
The DPL provides five principles of data processing:
- Fairness and lawfulness
- Purpose specification
- Data minimization
- Storage limitation
The law also provides data subjects with the right to: