Within the region, Qatar has led the way in development of data privacy regulations. In addition to the robust data privacy and protection provisions set out in the State’s Law No. 13 of 2016, which is further supported by Guidelines issued by the Ministry of Transport and Communication, the Qatar Financial Centre as an independent regulatory jurisdiction, has recently updated its own Data Protection Regulations and Data Privacy Rules (together, “DPR”), which will come into force on 19th June 2022. Al Ansari & Associates were fortunate to sit down with the Data Protection Commissioner, Mr. Daniel Patterson, to discuss some of the improvements under the new legislation and to discuss how entities within the QFC or which have ongoing arrangements with the QFC, can ensure compliance with the DPR.
The Commissioner confirmed that the amendments made to the DPR took inspiration from the standards of the General Data Protection Regulations (“GDPR”), which are typically recognised internationally as the “gold standard” when it comes to data privacy and protection laws. Consequently, the Commissioner was quick to point out that the new DPR will require entities subject to the QFC laws and regulations to be even more diligent in their data compliance practices. On a positive note, our firm can attest to the responsiveness of the Data Protection Office (“DPO”) to queries raised to ensure compliance for our firm’s clients’ data protection activities, and the Commissioner in our discussions made it clear that his preference is for entities subject to the QFC laws, or for their counsel, to ask questions of the DPO if they are uncertain regarding the application of the DPR in order to avoid the potential application of significant fines and the corresponding impost of investigations being conducted.
Reflecting on how the new DPR corresponds to the GDPR, we discussed with the Commissioner his tech talk given back in October 2021 prior to the new DPR being issued (see QFC Tech Talk Series | Tech Talk x QFC Data Protection Regulations – Current and Future Regulation – YouTube ). During that presentation, the Commissioner talked about the proposed legislation establishing eight main principles in the context of processing personal data, which in effect mirrors those found in the GDPR. Given that it will take some time before we actually see the consequences of the QFC’s implementation and regulation of the new DPR, we asked the Commissioner whether or not it would be appropriate to consider the application of the corresponding provisions of the GDPR. While the Commissioner agreed that for general interpretation this approach had some merit, he made the legitimate point that it is often the detail of proposed data processing that will impact the legality of the processing, and again suggested that if in doubt seeking legal advice and as appropriate having a discussion with the DPO regarding the intended process, was ideal. The Commissioner also reflected on the impact of cultural nuances in the application of laws, and as such a focus on Qatar and the legal landscape in Qatar as it evolves, is of predominant importance in interpretation of the new DPR.
When asked what the Commissioner considered to be the main improvement under the new Data Protection Regulations and Data Privacy Rules, the Commissioner reflected on the requirements around data transfers, which under the old data protection regulations required each entity to consider the nature of the data privacy and protection laws in the jurisdiction to which the data is to be transferred to determine if the level of protection corresponded at a minimum with the protection provided in the QFC, with such process being cumbersome and labour intensive since it could require assessment of multiple jurisdictions. Under the new DPR the Commissioner indicated that the DPO will announce, hopefully on or about 19th June 2022 when the new DPR comes into effect, a list of adequate jurisdictions, which will be extremely beneficial to entities with a global footprint. The Commissioner also anticipates publishing standard contractual clauses once the new DPR is in effect, with such clauses being key to ensuring the lawful and secure transfer of personal data, while being consistent with international standards and the approach under the GDPR.
In our discussion with the Commissioner, it was clear that the DPR will be focused on ensuring that data subjects are properly informed of their rights in relation to their personal data. Under the DPR this includes the right to access; right to object; right to restrict; right to data portability and the right not to be subjected to a decision that is based on an automated processing or profiling. For data subjects, the new DPR provides significantly more details on their rights in relation to the processing of their personal data than the predecessor regulations.
Non-compliance with the DPR could result in the imposition of significant financial penalties. For QFC firms that fail to comply with the DPR or fail to comply with orders of the DPO, these penalties could amount to US$1.5 million per provision infringed.
The processing, transfer and use of personal data is complex. Al Ansari & Associates are very familiar with the application of not only the State’s data protection regime, but also the regulations and rules of the QFC. We would be pleased to answer any questions that you have and encourage you to contact us with your data protection queries to ensure compliance in this changing legal environment.
By
Sonia BarberSenior of Counsel |
Rafi Sajianشريك |