Data Protection and Privacy Landscape in the Middle East

  • Legal Development 19 February 2025
  • Middle East
  • Technology, Outsourcing & Data

We are witnessing significant legal reform in the Gulf Cooperation Council (“GCC”) countries [1], particularly the United Arab Emirates (“UAE”) and Kingdom of Saudi Arabia (“KSA”), as part of their plans to increase foreign investment into the region and diversify the economies away from oil dependency.

These reforms include significant modernisation of the data protection and privacy laws, following an increased governmental push to boost personal data protection and privacy rights. Organisations operating in the region must ensure that they understand and comply with the new data protection and privacy laws in each jurisdiction. 

GCC laws & regulations – what do organisations need to know?

The Middle East comprises multiple jurisdictions. Within the GCC countries, there are both onshore and offshore jurisdictions which apply civil law and common law legal systems, respectively. This creates a complex legal and regulatory landscape to navigate. 

Until relatively recently, the data protection and privacy laws in the region have been limited, with provisions spread across a patchwork of different legislation, and next to no enforcement by regulators. Now, the GCC countries are at varying stages of implementing standalone data protection laws for the first time or updating existing laws to align with international best practice, in particular the EU General Data Protection Regulation (GDPR), including in respect of notification obligations following a data breach.  

Onshore jurisdictions

The key points to note are:

     1. Status of the laws

The GCC countries are at varying stages of implementing standalone data protection laws to align with the EU GDPR. What does this mean?

  • Qatar and Bahrain have had standalone data protection laws in place since 2017 and 2019, respectively, introducing various changes since then to bring them more in line with the EU GDPR. 
  • KSA’s first standalone personal data protection law (“KSA PDPL”) came into full effect (following a one-year grace period) on 14 September 2024. KSA’s regulator (the Saudi Data & Artificial Intelligence Authority (“SDAIA”)) continues to issue clarifications on the application of the KSA PDPL.
  • Oman’s personal data protection law will come into full effect on 5 February 2026, following a two-year grace period for compliance.
  • Although it entered into force on 2 January 2022, the UAE’s personal data protection law (“UAE PDPL”) currently has limited practical application, pending issuance of its Executive Regulations, as many of its provisions are linked to the Executive Regulations which do not yet exist. The UAE PDPL establishes the UAE Data Office as the data protection regulator, but it is not yet operational, making it practically difficult to comply with certain provisions, including data breach notification obligations. 
  • Finally, Kuwait’s law is narrower in scope as it only applies to organisations that are licensed by the Kuwait Communications and Telecommunications Regulatory Authority (“CITRA”) as telecommunications or internet service providers. The Kuwait PDPL is currently in a grace period for compliance and will come into full effect on 26 February 2025.

It is important to note that, whilst closely aligning with the EU GDPR, there are some important differences which must be considered carefully in respect of each jurisdiction.

     2. Extra-territorial effect

With the exception of Kuwait’s law (which only applies to CITRA-licensed organisations), the data protection laws in the GCC countries have extra-territorial effect, meaning that they apply to organisations within the jurisdiction as well as organisations outside the jurisdiction which process personal data inside the jurisdiction. In some jurisdictions (for example, KSA), controllers will need to register on the regulator’s platform before they are able to make breach notifications. Organisations should carry out an assessment of their processing activities in each of the jurisdictions and check their compliance with each law.

     3. Sanctions for non-compliance

Fines for non-compliance currently range from USD2,600 in Bahrain to USD1.33 million in KSA, the latter of which can be doubled for repeat offences (noting that the potential fines are higher in the offshore jurisdictions – see below). Imprisonment is also a potential sanction in KSA, Bahrain and Kuwait.

     4. Enforcement

To date, there has been no public enforcement action taken by onshore regulators in respect of data protection and privacy issues. Historically, the onshore regulators have generally been relatively “hands-off”. However, we are seeing an upward trajectory in enforcement and a more proactive approach being taken by regulators in other areas. We expect this trend to be replicated by the onshore data protection regulators.

     5. Claims

Similarly, there have been no third-party claims by data subjects in respect of their data protection and privacy rights in the onshore courts so far. We anticipate that this may change as the regulatory action starts to pick up.

Offshore jurisdictions

The offshore jurisdictions in the financial free zones in the UAE and Qatar, being (i) the Dubai International Financial Centre (“DIFC”), (ii) the Abu Dhabi Global Market (“ADGM”) and (iii) the Qatar Financial Centre (“QFC”), operate common law legal systems, which are based heavily on English law or incorporate it directly. They have their own laws and regulators, including in respect of data protection and privacy.

The data protection laws in the financial free zones are very closely aligned with the EU GDPR. The data protection regulators are a lot more proactive, with enforcement decisions having been published in respect of data breaches and non-compliance. The fines that can be imposed are much higher than onshore, with the DIFC Data Commissioner having the discretion to award unlimited fines.

It is important for organisations to note that, depending on the nature and extent of their processing activities, it is possible that the onshore and offshore (in the financial free zones) data protection laws may both apply to them in the UAE or Qatar simultaneously. 

What should organisations do to prepare? 

Organisations should undertake the following steps to achieve compliance with data protection laws:

  1. Undertake an assessment of the GCC data protection laws that may apply to them in the context of their processing activities, and action the necessary registrations with the regulators.
  2. Harmonise the relevant data protection legislation and requirements into a cohesive framework, which should guide individuals on relevant policies, introduce ways to mitigate data-related risk, and build a response plan in respect of unforeseen events. 
  3. Implement operational data protection controls, such as having clear policies around how data is handled and stored, maintaining detailed records of data processing activities, and developing inventories of the personally identifiable information the organisation collects and processes.
  4. Provide regular training to team members in respect of data protection and responses, including sanctions for non-compliance. 

For more information on how we can help you navigate compliance with Middle East data protection legislation or assist with responding to cyber incidents, please contact Olivia Darlington at Olivia.Darlington@clydeco.ae


[1] The GCC countries consist of the United Arab Emirates, the Kingdom of Saudi Arabia, Qatar, Oman, Bahrain and Kuwait.


Additional authors:

Karolina Roszkowska
