Qatar firms could be fined QR5 million for not protecting personal data

With reporting from Riham Sheble

Authorities in Qatar are considering adopting a new data privacy law that would fine organizations up to QR5 million for failing to prevent leaks.

The latest version of the law has moved one step closer to being enacted after the Advisory (Shura) Council unanimously approved the draft yesterday, QNA reports.

The legislation has been in the works since at least 2011, and the draft was passed by the Cabinet in January this year.

Yesterday, the Advisory Council approved the draft with some suggested changes and sent its recommendations back to the Cabinet.

The legislation would make it illegal for companies to use an individual’s data without their consent and includes provisions to prevent unsolicited spam marketing by SMS or email.

Leak protection

The draft includes 32 articles in eight chapters, and also outlines obligations for organizations and companies to ensure they properly protect personal information from being leaked or hacked.

Chapter two of the legislation includes five articles that require consent from individuals before their personal information can be used by an organization.

People should also be able to update these preferences at any time, Al Raya reported.

The law also aims to protect children against online exploitation domestically and abroad, but does not give further details of how.

The third chapter, with eight separate articles, sets out basic data protection responsibilities that all organizations must adhere to.

According to these provisions, data handlers must be properly trained and put in place “the necessary precautions to prevent personal data against loss, damage or disclosure,” the newspaper states.

In April this year, personal information including account numbers, passwords and email addresses for thousands of Qatar National Bank (QNB) customers was leaked on a file-sharing website.

The hack raised questions about the level of protection of personal data currently in place in organizations in Qatar.

As a result, the new law seeks to have “established standards of data protection as determined by the state” and in line with basic protections as enshrined in the national constitution, Al Raya said, quoting the Ministry for Transport and Communication.

Companies must make sure their networks and systems have sufficient protection and that information is classified as “public,” “private” or “confidential.”

No spam

In a bid to curb the amount of spam messages residents receive on email or by text message, there are also new provisions detailing the rules for direct marketing.

As announced in January, companies would be banned from sending messages without first getting an individual’s prior permission.

Customers have previously complained about getting unsolicited texts from organizations with which they have not had any dealings.

While telecommunications companies have advised residents how to block such SMS messages, it is more difficult to stop them being sent through social media apps such as WhatsApp.

Failure to comply with the provisions of the draft law could result in penalties of up to QR5 million, although the fine imposed on violators will be determined by the courts based on the severity of the infraction.

Some exceptions to the consent requirement include protection of national and public security, international relations or to prevent crimes.
