Cloud and data privacy regulations in the Middle East

In order to have a sustainable business in today’s world, protecting customers’ privacy is key and it comes with securing their data.

In the Middle East, the privacy landscape has been flourishing in the last ten years with privacy laws and regulations emerging across the region, especially with the implementation of GDPR in Europe.

Let’s see the evolution of these data laws and explore the case of cloud services adoption.

GDPR impact on data privacy laws in the Middle East

With the implementation of GDPR, the European Union is leading the charge on data privacy and protection, and the feeling in the Middle East North African (MENA) region is that it would be a positive move for nations to introduce specific, local data protection laws to follow the GDPR. A Middle East-wide data protection model law or framework would be considered to benefit both the countries and consumers at large; however, the opportunity for regional interoperability is not being leveraged as of today.

EU regulators have convincingly communicated that GDPR is about protecting the privacy of European citizens in all jurisdictions, meanwhile privacy has not traditionally been a priority for Middle Eastern governments. Indeed, the position in most of MENA juridictions is that the privacy of an individual and the safety of their personal data are provided under general provisions of law rather than laws specifically focused on the issue of “data privacy” or “data protection”. However, there are some exceptions that we will explore today in this article.

Main data protection laws in the Middle Eastern countries

🇯🇴 Jordan

No strict data protection law in place to properly protect and promote the right to privacy.

2014: the Ministry of the Digital Economy and Entrepreneurship introduced a draft law on the protection of personal data.

2018: the ICT Ministry proposed the fourth revised version of the text to be compatible with the European Union's GDPR.

🇦🇪 UAE

2019 Federal Law No. 2: The use of Information Technology in the healthcare sector defines health data, prescribes retention periods, contains data localisation requirements, regulates sharing and disclosing of health data and mandates putting appropriate security in place to protect health data.

2017 Telecommunications Regulatory Authority Consumer Protection Regulations: In certain cases consent is required before sharing subscribers’ information.

🇶🇦 Qatar

2016 Personal Data Privacy Protection Law: It protects the privacy of individuals’ personal data. With this, Qatar became the first GCC member state to issue a personal data protection law. The Ministry of Transport and Communications has been tasked to enforce the law.

🇸🇦 KSA

2019 E-Commerce Law: It protect individuals’ personal data by putting appropriate safeguards in place, to keep data no longer than necessary, obtain prior express consent for marketing and advertising purposes and do not disclose personal data to third parties, unless the individual has consented to, or required by law.

🇰🇼 Kuwait & Oman 🇴🇲

No specific privacy laws. However, certain provisions related to privacy are contained in Kuwaiti E-Transactions Law, Law No. 20 of 2014 and Omani Electronic Transactions Law.

🇱🇧 Lebanon

2018 E-Transactions Law No. 81: Even though the draft of the law went through many rounds since it was first introduced in 2004. However, the law does not define what consent is for data subjects, and it prohibits individuals from withdrawing their consent to collect and process their personal data once it was previously given, or if “the data-processing officer is obliged to collect the data under the law.

🇪🇬 Egypt

After several years of debate, the government has introduced the Republic’s first standalone data protection law, which aims to regulate and protect citizens’ data online. The provisions under the new law are modeled on EU's GDPR as the law adopts similar concepts and definitions. It is hoped that the new law will help Egypt attract foreign investment by increasing consumer confidence in electronic data processing and setting clear parameters for companies looking to capitalise on the growth of the digital economy.

Through the table above, we have seen the evolution of the implementation of data protection laws across the Middle East throughout the years. Now, what about cloud services?

The initiatives towards cloud services in the Middle East

The COVID pandemic has sparked renewed interest in cloud-based technologies and applications. Meanwhile, large-scale public cloud services continue to open up, paving the way for cloud adoption at a faster pace.

Let’s explore the case of 3 countries in the region:

  • Egypt: The government introduced much-needed regulatory frameworks, building and transforming smart universities, working to host Huawei's first cloud data platform in Africa, and building its first smart city, 'the Administrative Capital.' Egypt is one of the very few emerging markets that have developed during the COVID-19 pandemic, which may encourage more technology companies to consider entering the market post COVID-19.
  • Qatar: The Communications Regulatory Authority (CRA) developed the Cloud Policy Statement to provide recommendations for an overall policy and regulatory review, that is instrumental to the development of a solid cloud computing industry in Qatar. In line with the objectives of its strategy, the CRA has identified, in the Cloud Policy Statement, a comprehensive set of legal and regulatory requirements that competent government entities should adopt or update.
  • UAE: There are multiple initiatives to drive cloud computing adoption within government: the UAE Telecommunications Regulatory Authority (TRA) has released its ‘TRA Vision’ that focuses on establishing and maintaining the UAE as a leading global digital economy. Central to that is the positioning of the UAE as a regional data and cloud hub. International cloud service providers have long been focused on the UAE as a key regional market, and today those service providers are building out their cloud footprints in UAE datacenters.

As most countries in the Middle East have developed specific initiatives to enforce cloud services implementation in the region, most states have provisions for the localisation of data collected or presented on the cloud. Governments have started to issue laws requiring international and local companies to host their data locally, e.g., in the United Arab Emirates, where the laws tell us that neither financial data nor public sector data should leave the country. In the same way as data protection laws, those related to cloud services continue to be reviewed to match with the rising trends globally and locally in the MENA region.