In September 2024, the TRA of Oman issued Decision No. 1152/2/19/2024-20 ("Regulations"), regulating cloud computing services and data centres in the Sultanate. The Regulations came into force the day after their publication in the Official Gazette. While the move aims to strengthen the country's digital infrastructure, it also carries significant legal and operational implications for cloud service providers ("CSPs"), data centre operators, and subscribers alike. The Regulations set clear standards for the handling of data, information security, and compliance requirements, but they also raise challenges, particularly around data localisation, security compliance, and operational transparency.
Scope of the New Regulations vs. Personal Data Protection Law ("PDPL")
While both the Regulations and the PDPL (Royal Decree No. 6/2022) may apply to some of the same entities, such as cloud service providers, they serve different regulatory purposes. The Regulations focus on the technical operation and management of cloud infrastructure, while the PDPL is dedicated to safeguarding the privacy and rights of individuals with regard to their personal data.
The Regulations are sector-specific and focus exclusively on the provision of cloud computing services and data centres. However, these Regulations apply to a much wider range of data beyond personal data, covering all types of content stored, processed, or transmitted through cloud infrastructures, including commercial, governmental, and non-personal data. For example, Article 1(5) defines content broadly, including software, text files, commercial data, personal data, and more, which shows the Regulations are concerned with how any form of data is handled within cloud systems, regardless of its nature.
On the other hand, the PDPL is a general data protection law that applies across all sectors and industries where personal data is processed. Its core purpose is to protect the privacy rights of individuals (data subjects) and to establish clear rules on the processing, storage, and transfer of personal data. The PDPL does not address other types of data, such as corporate or governmental information; in the cloud and data centre context, those fall under the TRA's sector-specific framework.
The two legal frameworks are governed by different regulatory authorities. The TRA, which governs the Regulations, is known for its active enforcement and oversight of the telecommunications and technology sectors. In contrast, while the PDPL is in force, its regulator—the competent administrative division at the Ministry of Transport, Communications, and Information Technology—is still developing its approach to managing personal data protection.
Key Legal Implications of the TRA Regulations
The Regulations introduce several important legal considerations for CSPs, data centre operators, and subscribers alike.
- Permitting and Licensing Requirements:
Under Article 2, any entity wishing to provide cloud computing or data centre services in Oman must obtain a permit from the TRA. Permits are valid for three years and are renewable, subject to continued compliance with regulatory requirements (Article 6). Failure to obtain a permit, or to renew it within the grace period, can lead to suspension or cancellation of the permit under Article 28. The framework is designed to regulate the market and ensure that only approved entities handle sensitive data in Oman, providing greater security and accountability.
- Data Sovereignty and Security:
One of the most significant legal implications is the Regulations' emphasis on data sovereignty. Under Article 12, CSPs are prohibited from transferring sensitive data (Levels 3 and 4, which include governmental and financial data) outside Oman without prior TRA approval. The classification scheme distinguishes degrees of sensitivity: Level 3 covers regulated private sector data (such as energy, utilities, and insurance), while Level 4 covers highly sensitive data from state entities, financial institutions, and the health sector. This reinforces Oman's control over its sensitive information and follows the broader global trend toward stricter data localisation. Companies operating multinational cloud services will need to ensure that their data hosting and processing comply with Omani regulations; cross-border transfers of personal or sensitive data may require additional permissions, which adds complexity for global providers. In practice, a provider must know which classification level applies to each subscriber's content before deciding where that content may be stored or replicated.
- Data Breach Notification Obligations:
Under Article 10, service providers must notify subscribers within 72 hours of any data breach or security incident that could affect their data. Providers must also notify the TRA within 12 hours of certain severe breaches, particularly those affecting a significant portion of subscribers (Article 11). This aligns with global practice in data protection, including the PDPL, and ensures that affected parties are informed quickly to minimise harm. It does, however, place a burden on providers: a 12-hour regulator deadline leaves little time between detection and reporting, so providers need monitoring, triage, and escalation processes capable of assessing an incident's severity and subscriber impact within hours.
- Transparency and Subscriber Rights:
The Regulations require service providers to include transparent terms in their contracts with subscribers, particularly on service levels, pricing, and liability. Article 22 requires that service level agreements (SLAs) be clearly defined and disclosed to subscribers. By enforcing transparency, the Regulations protect subscribers and hold providers accountable for service failures or data losses. Article 23 specifically prohibits CSPs from limiting their liability for loss of subscriber content or failure to meet service standards, so providers cannot rely on contractual clauses that absolve them of responsibility for data loss, security breaches, or substandard service quality.
- Administrative Penalties:
In accordance with Article 28 of the Regulations, entities found to be in violation of the provisions governing cloud computing and data centres in Oman may face administrative penalties. These penalties are designed to ensure compliance with the legal framework, and the severity of the penalty imposed depends on the seriousness of the violation. The TRA has the discretion to impose one or more of the following measures:
- Warning: The Authority may issue a formal warning for minor infractions, serving as a preliminary step in addressing the violation.
- Suspension of the Permit: For more serious breaches, the TRA may suspend the permit, effectively halting the operations of the cloud service provider or data centre operator until compliance is restored.
- Fines: Monetary penalties may be imposed in accordance with the provisions of the Telecommunications Law (Royal Decree 30/2002 as consolidated). The amount of the fine is determined based on the nature and extent of the violation.
- Cancellation of the Permit: In the most severe cases of non-compliance, or if the violation persists despite prior warnings or penalties, the TRA may cancel the entity's permit, permanently prohibiting the provider from operating under the Regulations.
Subscriber Challenges and Potential Ways to Overcome Them
The Regulations, while beneficial in strengthening data protection and security, also present several challenges for subscribers, particularly businesses relying on cloud services.
- Data Localisation Challenges:
The restriction on transferring sensitive data outside Oman without TRA approval (Article 12) could create operational difficulties for multinational companies that rely on global cloud infrastructure. Subscribers may face delays or additional costs when seeking approval for cross-border transfers, particularly if their operations span several jurisdictions. One way to address this is a hybrid cloud model: hosting sensitive data (Levels 3 and 4) in local data centres in Oman while keeping non-sensitive data on international cloud platforms allows companies to optimise their operations while complying with the Regulations. This only works if the subscriber has first classified its content against the Regulations' levels, since the model depends on knowing which data may leave the country.
- Security Compliance and Audits:
The Regulations impose stringent security requirements on service providers, including compliance with international standards such as ISO/IEC 27001 and ISO 22301 (Article 16). This can increase costs for subscribers, as providers may pass on the cost of compliance and regular audits. Subscribers should negotiate SLAs that state clearly the level of security and compliance they are paying for, and should ask for the provider's current certificates and audit reports rather than relying on contractual assertions alone. Subscribers should also conduct their own risk assessments to confirm that the provider's security measures meet their specific needs, which can limit the impact of compliance costs.
- Cross-Border Data Management:
With strict rules on cross-border data transfers, businesses operating internationally may find it difficult to manage their data flows efficiently. The need for TRA approval could slow operations and complicate data management strategies. Companies should work closely with legal advisors to understand the specific requirements for data transfers under Article 12 and seek approval early for any cross-border operations. A strong data governance framework, including an inventory of what data is held and at which classification level, also helps businesses stay compliant while retaining operational flexibility.
Conclusion
The Regulations on cloud computing services and data centres in Oman present a comprehensive framework for data protection and security in the country's rapidly growing digital infrastructure. While the Regulations offer clear benefits in terms of data sovereignty, security, and subscriber protection, they also introduce challenges, particularly for multinational companies and subscribers operating across borders.
By understanding the key legal implications and leveraging best practices (such as adopting hybrid cloud models, negotiating strong SLAs, and implementing sound data governance) subscribers can navigate these challenges effectively and ensure compliance with Oman's evolving regulatory landscape.
For cloud service providers and subscribers alike, the Regulations signal a significant shift in the management of cloud-based data in the Sultanate of Oman. Preparing for these changes, and staying ahead of compliance requirements, will be essential in leveraging the potential of cloud computing while ensuring legal and regulatory conformity.
Disclaimer: The information contained in this guidance is intended for general informational purposes only and does not constitute legal advice. This guidance is based on the legislation in force as of the date of publication and may not reflect subsequent changes or developments. The authors and Said Al-Shahry & Partners Advocates and Legal Consultants are not responsible for any errors or omissions in the content or for the results obtained from the use of this information. Readers should consult a qualified legal professional before acting upon any information contained in this guidance. No attorney-client relationship is created by accessing or using this guidance.