Qatar’s Emir has signed a new data privacy law that requires companies and organizations to protect the personal information they gather from residents – or face severe consequences.
Such data includes a person’s ethnic origin, their physical or mental health, religion, marital status, criminal record and information about their children.
The law has been in the works since at least 2011, and was approved by the Advisory Council and Cabinet earlier this year.
Here’s what you need to know about Law No. 13 of 2016, the text of which was published by Al Sharq yesterday.
1) It applies mainly to information gathered and stored on computers or online.
According to Article 2, the legislation refers only to personal data that is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or when a combination of electronic and traditional processing is used.
It does not apply to personal data processed by individuals privately or within a family context, or to any personal data gathered for official surveys and statistics.
2) Companies will now have a harder time sending out spam messages.
According to Article 22, businesses are now banned from sending direct marketing messages electronically without obtaining an individual’s prior consent.
Even after individuals opt-in, messages must include the identity of the communicating party and a valid address (or phone number) in case the individual wants the messages to stop.
Violators face fines of up to QR1 million.
This new rule will likely come as a big relief to many consumers in Qatar, as residents often complain about receiving unsolicited messages from companies with which they have no relationship.
3) Children have a right to privacy
According to Article 17, the owner or operator of any website related to children must put up a policy about how it manages the information of minors.
These website operators must also get the consent of the child’s parent when processing their information.
Parents have the right to ask what information the operator has, and to demand that it be deleted.
Additionally, children’s participation in a game or a prize drawing are not grounds for an operator to collect their personal data.
4) Companies must protect personal data from leaks or face stiff penalties.
According to the law, organizations must adhere to basic data protection responsibilities.
This includes ensuring data handlers are properly trained and that necessary precautions are made to “protect personal data from loss, damage, modification, disclosure or being illegally accessed.”
Companies must also make sure that information is classified as public, “private” or “confidential.”
If the data is breached, the company should notify the affected individuals and Qatar’s communication ministry.
Violators face fines of up to QR5 million.
5) But there are a lot of exemptions.
Not all organizations and firms that have data breaches will be penalized. According to Article 18 of the law, as translated by Qatar Tribune:
Government authorities “can process some personal data without being bound by the provisions of this law for the protection of national security or public security, protection of international relations of the country, protection of economic or financial state of the country, prevention of any crime or collection of information on a crime or and investigation of a crime.”
This calls into question what effect the law would have on organizations like Qatar National Bank.
In April, personal information including account numbers, passwords and email address for thousands of QNB customers was leaked on a file-sharing website, sparking concerns about data protection in Qatar.
Meanwhile, Article 19 states that a company is also exempted from complying to the law if it is:
- Performing a task pertaining to the public good;
- Executing a court order;
- Protecting the vital interests of the individual;
- Meeting the objectives of scientific research that benefits the public; and
- Collecting information to investigate a crime when asked by officials.
Notably, none of the exemptions cover freedom of speech or media freedom.
6) Complaints must be addressed within a certain time period
Individuals can lodge complaints with Qatar’s Ministry of Transport and Communications if they feel this law has been violated.
Once the ministry contacts the company in question, it has 60 days to respond to the government’s inquiry.
The ministry then has 60 more days to make a decision. If these days pass without a response, this implies a rejection of the company’s petition.
The new law takes effect six months from being published in the official gazette, though this grace period could be extended.
Thoughts?