Privacy gets more teeth in Bahrain
Do you worry about your credit card or personal details getting misused or leaked online, each time you use it at a vendor or for some identification purpose? According to the 2019 MidYear QuickView Data Breach Report, the first six months of 2019 have seen more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records. Perhaps, even more, remarkable is the fact that 3.2 billion of those records were exposed by just eight breaches, the report says.
Things, however, are changing in Bahrain with data becoming the new oil. Regulators here are currently working to make sure that “privacy is not on sale”. Earlier last month, Bahrain’s own ‘Personal Data Protection Law’ or PDPL came into existence. The Law, Khalid Al Rumaihi, Chief Executive, Bahrain Economic Development Board said, will govern how personal information is used by individuals and organisations for commercial use.
PDPL aims at enhancing consumer trust in the market and for facilitating “increased data flows across borders which individuals and businesses can capitalise on for growth and trade.” Data, as the law states, can be collected, but only in a legalised way. So careful, if you think that collecting and storing information about customers is a must for growing your business. Better know that such actions might land you in hot waters, if not done as per the law requires. Punitive measure for data misuse is severe, a fine ranging from BD20,000 and a jail term of at least one year.
For whom is it valid?
According to PDPL, the law applies to every individual or businesses that collect contact details, CPR copies or any other personal details in Bahrain. The law enacted by the Kingdom in 2018 is modelled on the 1995 European General Data Protection Regulations (GDPR), thanks to Edward Snowden without whom the world would have never known how the US National Security Agency (NSA) is collecting personal data from Facebook to identify, track and monitor individuals without their consent.
In the wake of Snowden’s revelations, Max Schrems, an Austrian PhD student and privacy activist, challenged the transfer of his data to the United States by Facebook, which breached his data privacy rights as an EU citizen including the existence of the Prism spying programme. The complaint ultimately ended up before the Court of Justice of the European Union (CJEU) in October 2015. CJEU struck down the Safe Harbour framework then used by about 4,500 companies, including Facebook, to transfer data to the US.
The European GDPR was passed in response to this decision, and the subsequent controversies arising from the revelations of Edward Snowden. Authorities here, in light of the opening of the Amazon Web Service Facility and other Fintech facilities, were quick to recognise the importance of giving assurances on privacy. Thus came Bahrain’s ‘Personal Data Protection Law’ into existence. However, it will be in full swing only after the formation of a Data Protection Agency, which is currently taking shape.
Who is affected?
PDPL requires all individual who process any information owned by or related to the identity of an individual to do so with the consent of the data owners. The term individual means every individual normally living or working in Bahrain, every business with a place of business in the Kingdom and individuals and businesses outside Bahrain who collect the personal data of individuals in Bahrain. PDPL demands the process to be done securely with adequate protection.
Exceptions are provided for processing data to fulfil a contractual obligation. No or fewer exceptions, however, are provided for handling “sensitive personal data’ related to religion, ethnic origin, gender, age, political views, criminal history or union membership of an individual. Restrictions are also there for transferring the collected data to a country outside the authorised countries’ list maintained by the data protection authority.
Who is in charge?
As of now, this position is vacant with the country is fast-moving to establish a Data Protection Agency. Once formed, the national body will decide on the best practices and modus operandi that should be followed by individuals and corporates while handling or processing personal data. The authority will act as the enforcer of the law and be in charge of monitoring compliance with PDPL.
What are the fines?
First-time offenders will face a penalty of BD1,000 per day and BD2,000 per day for repeating the violation within three years from the first penalty. The law also proposes an administrative penalty of up to BD20,000. Criminal penalties of imprisonment of not more than one (1) year can also be imposed instead of or in addition to any fine.
What is required?
Ensure that personal data are collected and processed in compliance with the law. Before doing that, the individual or organisation should know the circumstances in which prior authorisation is required. Contract with third parties might require a second look along with privacy policies, consent forms and employment deals.
A Data Protection Supervisor should be there to look at what is being processed unless the processing is limited to certain activities as listed in article 14 of the law. Automated processing of sensitive personal data, biometric data for identification purposes, genetic information and video monitoring will require the prior approval of the authority.
As Khalid Al Rumaihi, Chief Executive, Bahrain Economic Development Board, has said, “The future prosperity of the GCC depends on countries like Bahrain responding quickly to the waves of digital and technological disruption that are sweeping the world economy.” “As Bahrain’s digital economy deepens and expands, the Personal Data Protection law will enable the Kingdom to continue to attract high-quality FDI across multiple sectors.”
The Personal Data Protection Law, he said, is proof of Bahrain’s ability to stay right at the heart of the Gulf’s growth potential in the years to come. The conditions for trade, innovation, and disruption could not be better – for Bahrain, the region, and the world at large.