Bahrain's Data Protection Law: What You Need to Know to Comply

Bahrain’s Data Protection Law of 2018 (Law Number 30 of 2018 Issuing the Data Protection Law) comes into effect this August (August 1 2019), giving companies and individuals little time to get ready to comply with its provisions. The punitive measures it proposes for the misuse of data are also severe, ranging from a fine of BHD 20,000 to one year in jail. Its application is far reaching, covering both individuals and corporate entities which process data.

Do you collect your customers’ contact information and a copy of their CPR for the sale of your products? Do you check a buyer’s personal details, and request the same from them, if you are selling your car? If the answers to questions like these are “yes,” then the law is theoretically broad enough to apply to you. In this week’s blog post we explore the law and provide a basic idea of what you need to do to make sure you are in compliance with it.

Background

With the opening of the Amazon Web Services facility in Bahrain, and the creation of the Bahrain “Fintech” Bay, the small Gulf Kingdom is seeking to attract investment in the rapidly developing technology sector. To secure investor and consumer confidence, and to keep pace with the international regulatory framework which already exists, the Kingdom enacted the Data Protection Law in 2018. Its main provisions and structure essentially mirror the European data protection regulation which came into effect in 2018. The European General Data Protection Regulation (GDPR) was passed and agreed upon by EU member states in 2016, after the 2015 decision of the European Court of Justice striking down the “Safe Harbor” decision of the European Commission. The “Safe Harbor” rule stipulated that data transfers from Europe to the United States could be considered protected for European citizens, due to the data protection framework in place in the United States.

In Maximilian Schrems v Data Protection Officer, Maximilian Schrems, an Austrian citizen and Facebook user, filed a complaint with the Irish data protection authority alleging a breach of his fundamental privacy rights by Facebook, which was sharing his information, and that of all European users, with US authorities. This came after the public revelations of Edward Snowden, a former NSA officer. Mr. Snowden disclosed to the public how the US National Security Agency (NSA) used personal data received from Facebook to identify, track and monitor individuals without their consent.

The Irish High Court referred the case for a decision by the European Court of Justice. The Court of Justice found that, in light of the revelations from Mr. Snowden, the United States did not offer sufficient data protection assurances for European users. The Court declared that the use by public agencies of personal information acquired from Facebook, without the consent of the data owners, was in violation of the rights of European data subjects. In response to this decision, and to the subsequent controversies arising from the revelations of Edward Snowden, the European GDPR was passed.

The Kingdom of Bahrain, being home to a number of multinationals, and having proximity to and longstanding diplomatic relations with the European Union, is highly influenced by legislative and legal developments in the West. The recent bankruptcy law in the country was implemented based on the Chapter 11 procedures available to companies in the United States, and in a similar fashion the Bahrain Data Protection Law bears a close resemblance to the framework and structure put in place by the GDPR.

Key Requirements

The law requires all individuals who process personal data (being any information owned by, or related to the identity of, an individual) to do so with the knowledge and consent of the data owners. Such data processing (any use of the data) must also be carried out in a secure manner, and the data belonging to the data owners must be adequately protected. There are certain exceptions, for example for those who process data for the purpose of fulfilling a contractual obligation with the data owner.

When it comes to “sensitive personal data,” being data related to the religion, ethnic origin, gender, age, political views, criminal history or union membership of an individual, there are more stringent requirements for processing (fewer exceptions), and specific penalties for failing to follow the requirements of the law.

Finally, transferring data outside the Kingdom of Bahrain without the consent and awareness of the data owner is prohibited, unless the transfer is made to a country which appears on a list maintained by the data protection authority (the authorized countries’ list).

Compliance Requirements

The Data Protection Law is to be overseen by the Data Protection Authority. Once formed, this authority will establish a few key areas of compliance. Firstly, it will decide which entities and individuals are required to appoint a data processor (to handle their processing activities); secondly, what regulatory frameworks and best practices are to be applied to data managers (recipients and processors of data); and finally, how data managers are to report activities to the data controller and register with the authority for monitoring of their data protection activities. Individuals and entities who engage in automated processing will also have a reporting requirement with the authority. The authority will also designate and publish the authorized countries’ list mentioned above.

Beyond the requirements which are yet to be fully established by the data protection authority, there are certain documentary and policy formalities which will need to be implemented beforehand to ensure that an entity or data manager is complying with, and ready to meet, the requirements of the law.

These can be summarized as follows:

  • Developing a privacy and data processing policy.

  • Creating contractual disclaimers for customers and clients from whom you receive data.

  • Developing secure, documented and easily explainable systems for the storage of data.

Compliance Services

We offer a full pre-implementation compliance service suite, including the development of the documents described above. Our service is tailored to businesses big and small, with a flexible pricing system. The compliance requirements also include storage and data protection procedures using adequate software protections, and we provide such offerings through our partners.

Once the registration requirements with the data protection authority become clear, we will be able to support clients in this regard as well.

All interested clients are welcome to contact us for a free diagnosis of their compliance requirements with respect to the data protection law.

contact: info@borderlesscounsel.com

https://www.borderlesscounsel.com/

zakir mir