At the end of last year, Qatar became the first Gulf state to
enact a comprehensive privacy law. Until now, the many companies
that market to consumers or have employees based in Gulf
Cooperation Council (GCC) countries have had to determine their
local practices based on the various countries'
patchwork of sector-specific laws and regulations, as well as
the differing privacy regimes in force in the region's
zones. Now, at least in Qatar, the Personal Data Privacy Law
ostensibly serves as a single law governing the collection and
processing of data subjects' personal information, and may
serve as an exemplar for future GCC privacy laws.
The text of the law does not appear to be available online in
English at present, but the Qatari government has issued a
statement summarizing some of the law's most important
points. Although questions remain as to the scope and meaning of
some of the law's provisions, the statement provides some
indication of the types of companies and practices that will fall
within the law's purview.
Prior consent is an important component of the new law. Data
subjects' consent is required before their personal data may be
"used by an organization." Along those same lines, the
law forbids businesses from sending an individual "direct
marketing messages" without obtaining that individual's
consent. Although the scope of the term "direct marketing
messages" is not apparent from the text of the statement, it
indicates that companies engaged in direct marketing in Qatar
should review their policies and privacy notices to ensure that
they are obtaining the consent of Qatari consumers.
The law imposes certain data protection-related
responsibilities on organizations, including the responsibility to
ensure that "data handlers are properly trained." Again,
although the scope of this requirement is not entirely clear,
companies doing business in Qatar should review their training
policies or consider implementing such policies if they have not
done so already.
Article 17 of the law requires owners and operators of websites
"related to children" (another term that remains unclear
for the time being) must post a policy explaining how they handle
minors' personal information, and must obtain parental consent
in order to process minors' personal information.
While this post provides a brief overview of some of the most
important aspects of the law, companies collecting the personal
data of Qatari consumers and/or employees should review the
law's requirements to ensure compliance.
It has been announced that certain sections of the Protection of Personal Information Act came into effect on 11 April 2014.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).