Recognising the need to develop an international regulatory and legal framework in order to protect the digital sovereignty and data privacy of individuals and businesses in Qatar, the Personal Data Privacy Protection Law (PDPPL) No 13 of 2016 was issued.
The law includes provisions related to the rights of individuals to protect the privacy of their personal data. Article 2 states that this refers only to personal data that is electronically processed, or obtained, gathered or extracted for use electronically, or when a combination of electronic and traditional processing is used. However, it does not apply to personal data processed by individuals privately or within a family context, or to any personal data gathered for official surveys and statistics, as per Law No 2 of 2011 on Official Statistics.
Under the law, businesses are banned from sending direct marketing messages electronically without obtaining an individual’s prior consent, and consent is required from individuals before their personal information can be used by another entity.
Organisations must also adhere to basic data protection responsibilities. This includes, but is not limited to, ensuring that data handlers receive training and that precautions are in place to ‘protect personal data from loss, damage, modification, disclosure or being illegally accessed.’
Protection is given to personal data of a private nature, such as information relating to race, religious beliefs, children, health, relationships and criminal records – this may only be processed after obtaining permission from the Ministry of Transport and Communications (MoTC).
Additionally, in order to protect the youngest members of society, Article 17 states that the owner or operator of any website related to children must put up a policy about how it manages the information of minors. Website owners/operators must also get the consent of the child’s parent when processing their information.
It should be noted that entities that operate within the Qatar Financial Centre (QFC) are subject to the QFC’s own Data Protection Rules and Data Protection Regulations from 2005.
The need for the law and the guidelines
According to Dr Ahmed Elmagarmid, Executive Director at Qatar Computing Research Institute, speaking at a recent online panel discussion, ‘most nation states have data related laws to strengthen their nation’s ability to act independently in the digital world. However, there is a lack of collaboration among nations in developing international regulations or laws on data sovereignty and privacy.’
He added that there have been more than 600 state-sponsored cyber-attacks in the last decade, and that the rate is increasing. ‘There is a lack of international law or accord to regulate the use of cyberwarfare, or a Geneva Convention equivalent for cyberwarfare. Also, one of the challenges in cyber security is the lack of collaboration among countries in sharing data. Similarly, banks are not sharing information about the nature of the attacks because they are worried about the financial implications, while the attackers share information very widely on the dark web.’
MoTC, Qatar Development Bank, Qatar Business Incubation Centre, and Qatar Science and Technology Park are all working together to develop mechanisms to protect data and develop both defensive and offensive capabilities. Meanwhile, the MoTC, Ministry of Interior, National Cyber Security Research Lab, and other entities are collaborating to develop local capabilities and technologies on data sovereignty.
With the country racing towards total digitalisation by 2030, there is a need for more transparency, awareness and education. Qatar is at the forefront of adopting regulation, moving quicker than others in the region. To this end, MoTC released the guidelines for the Personal Data Privacy Protection Law on 28 January 2021 to mark Data Privacy Day.
The Compliance and Data Protection (CDP) Department at MoTC has released the guidelines to help everyone – whether as individuals, regulated entities or stakeholders – to understand their responsibilities, rights and practices under the law.
CDP has developed the guidelines so that organisations can understand their obligations under the PDPPL, to provide clarity on these requirements and, where possible, to provide checklists and template documents that support controllers in complying with the PDPPL.
The guidelines apply to any organisation or entity that processes personal data, through electronic means or in combination with non-electronic means, and clarify some ambiguities in the PDPPL.
For example, under Article 11 (8), controllers must ensure that processors comply with the law and adopt appropriate precautions to protect personal data. The Controller and Processor Guidelines for Regulated Entities have now clarified that the controller can ensure a processor’s compliance with this Article by entering into a formal contract. This contract must state the subject matter and duration of the data processing, the nature and purpose of the data processing, the types of personal data being processed, the categories of individuals whose data is being processed, and the controller’s duties and rights. It must also address security measures, duties of confidentiality, audit rights and individuals’ rights.
There is now clarification over Article 16 of the law, which provides that in order to process sensitive personal data, permission must be sought from the Compliance and Data Protection Department under the Special Nature Processing Guidelines. These also set out the requirements in order to obtain permission, including a data protection impact assessment to identify processing risks.
Equally, under Article 22 consent must be obtained from individuals before sending any direct marketing electronic communications. Again this has been clarified under the Electronic Communications for Direct Marketing Guidelines: consent must be explicit and unambiguous, and an affirmative act – consent through pre-ticked boxes and opt-out notices only is not permitted.
What this means for organisations and individuals
Given the size and range of organisations subject to the law – from multinational companies to local stores – the guidelines are flexible, and the onus is on the entity to review how they process personal data and take responsibility for it. This may entail using tools such as a personal data management system, a record of processing activities, and the data protection impact assessment mentioned above, in order to protect personal data and the rights of the individual.
The guidelines also provide guidance to individuals on their rights under the PDPPL. This includes the right to give or withdraw consent to any processing of their personal data. Individuals also have the right to review any of their personal data being stored, and to request modifications or corrections if the information is inaccurate.
As such, should an individual feel that their personal data is not protected or is being used unlawfully, controllers are required to ensure that individuals are able to make complaints to them. Complaints can also be made directly to CDP, and the guidelines set out individuals’ rights in these instances in more detail.
One important concern for individuals is the use of social media platforms and their part in sharing personal data. Guidelines are therefore in place advising how individuals can protect their personal data and ensure their privacy when using social media.
Some pertinent terms from the Personal Data Privacy Protection Law:
Personal data privacy: the use of an individual’s personal data in technological systems, a field that combines technology and respect for the individual’s privacy within a regulatory and legal framework that governs the relationship between the individual and the entity that collects and uses their data.
Data controller: a natural or legal person who, whether acting individually or jointly with others, determines how personal data may be processed and determines the purpose(s) of any such personal data processing. The controller is responsible for the controls relating to designing, changing or developing products, systems and services relevant to personal data processing.
Data processor: a natural or legal person who processes personal data for the controller.
Personal data processing: processing personal data via one or more operations, e.g. gathering, receipt, registration, organisation, storage, preparation, modification, retrieval, usage, disclosure, publication, transfer, withholding, destruction, erasure and cancellation.
Author: Sarah Palmer
This feature is from Marhaba’s M80 Spring/Summer 2021.