Emerging Data Privacy laws in the MENA Region

Emerging Data Privacy laws in the MENA Region

Article by Tsaaro

7 min read

Emerging Data Privacy laws in the MENA Region


In this day and age, the worth of information as an essential resource and incredible wellspring of financial wealth is evident. New plans of action are based on data, information science, and investigation. Organisations need to properly oversee and get their information to ensure shoppers’ protection and help their new information-driven plans of action. New administrative necessities affirm this significance, regardless of whether for individual or non-individual information. The abuse or blunder of information can unequivocally impact the public view of an association on the lookout.

What is the current status of Data Protection in the MENA regions?

By and large, the situation in the majority of the Middle East North Africa (MENA) purviews is that the security of an individual and the defending of their information is given under broad arrangements of law rather than laws explicitly centred around the issue of “information security” or “information assurance”. There are, obviously, a few exemptions for this. With the General Data Protection Regulation (GDPR), the EU drives information security and assurance charges. The inclination in the MENA area is that it would be a positive move for countries to present explicit neighbourhood information insurance laws to keep the GDPR. A Middle East-wide information security model law or structure would be considered to benefit both the nations and customers at large; however, the chance for territorial interoperability isn’t being utilised as of now. Across the Gulf Cooperation Council (GCC) nations, wards like Bahrain and the UAE Free Zones of the DIFC and ADGM are driving the way, with hearty information security laws on the resolution books. These laws are largely intensely impacted by the EU 1995 Data Protection Directive (1995 Directive), each reverting around the world acknowledged crucial information assurance standards. Saudi Arabia and the UAE are relied upon to follow Bahrain and the Free Zones before long. In any case, it isn’t clear whether such laws will be area explicit or will cover all associations, both public and private, or for sure when such laws will be set up. The UAE passed Federal Law No 2 of 2019, which manages data innovation and correspondences in the medical services. This law tries to raise the base bar for insurance of wellbeing information and presents specific ideas on a standard with best worldwide practice in information protection law.

Jurisdiction based status of Data Privacy laws

Bahrain was one of the first GCC countries to embrace its information protection law in 2018, which will come into power on 1 August 2019. The law plans to be steady with globally accepted procedures and is intensely founded on the GDPR. It incorporates the security of people’s safety and explicit assent necessities for information Processing, just as forming a Personal Data Protection Authority. The country’s aggressive designs straightforwardly impact the law into a centre point for server farms.
In the same way as other MENA locales, Egypt doesn’t presently have a particular information protection law. A draft law controlling the opportunity of information trade and information security is being discussed yet has not been distributed. The final form of the draft was made available in 2019. The new law indicates building up a Center for Personal Data Protection that will create and detail different approaches and guidelines and be entrusted with checking consistency with and authorising the new law’s arrangements.
There is, as of now, no particular information insurance law in Jordan; nonetheless, a draft information assurance bill is currently under conference. The draft bill shows up extensively dependent on the GDPR, consolidating the principle ideas of straightforwardness, exactness, stockpiling constraint and information minimisation. Be that as it may, the 2018 draft is by and large acknowledged to experience the ill effects of issues around an absence of freedom of the Jordanian Privacy Commission, an inability to fuse worldwide principles and best practices for information assurance and inadequate thought for current types of information handling.
There is presently no particular information insurance law in Kuwait. There are restricted arrangements in digital protection and electronic exchanges enactment anyway the locale falls behind other GCC countries. Be that as it may, with the emphasis on online protection and the endeavours of the Communication and Information Technology Regulatory Authority to work on the guidelines and practices of data security, and ensure the IT framework in Kuwait, it is expected that there will be advancements in information insurance soon.
The E-Transactions and Personal Data Law represent information assurance in Lebanon, presented in 2004 and refreshed in 2018. The structure has been criticised for being frail and relatively obsolete by not mirroring the truth of online information and that the considerable arrangements incorporate obscure and open-finished prerequisites. Also, specialists say that the law neglects to satisfactorily ensure Lebanese residents’ and occupants’ information by setting up feeble protections and just allowing the position to the presidential branch of the Lebanese Government. Contrasted to the GDPR, the law isn’t as nitty-gritty or exhaustive, principally as it neglects to accommodate the foundation of a free administrative body responsible for checking personal Data insurance.
Oman doesn’t have particular security or information assurance law; however, the Oman Information Technology Authority declared in 2017 that it was fostering an information insurance law. There is, nonetheless, no obvious sign of when it will be distributed. It was accounted for that whenever supported and endorsed into law; the law will concede incredible privileges to people in Oman, empowering them to practice GDPR-style levels of command over their Personal Data, including the capacity to protest the processing of their Personal Data and request admittance to any Personal Data about them held by any association in Oman.
Qatar was the top GCC country to give a, for the most part, relevant information security law, which produced results in 2017 and chief guidelines further executing it are relied upon to be passed in 2019. The law is demonstrated on and fuses natural ideas from other worldwide security structures, like the 1995 Directive (and likewise the GDPR) and commands that any party who Processes Personal Data stick to the standards of straightforwardness, reasonableness and regard for human respect. The Ministry of Transport and Communications is answerable for carrying out and upholding the law.
The QFC presented its own Data Protection Regulations in 2005 and set up a Data Protection Directorate answerable for carrying out and authorising the law, overseeing related debates and applying GDPR principles. The guidelines are to a great extent demonstrated on and roused by the security and information insurance standards and rules contained in the 1995 Directive and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
While Saudi Arabia doesn’t have a particular information assurance law, media reports propose that another opportunity of data and security of private information law is presently under audit. A novel and innovative administrative system for distributed computing exist, one of several instances of cloud-explicit organisational structures throughout the planet. The method depends on the best worldwide practice and public discussion.
Turkey’s Data Protection Law is prevalently displayed on the 1995 Directive, with a large number of the terms and focal arrangements intently reflecting their reciprocals in the EU law. The Institution of the Data Protection Law denotes another period for information security in Turkey. Albeit the Data Protection Law is in its earliest stages and no requirement moves have yet been made, the Personal Data Protection Board (the public administrative power in Turkey) has distributed the draft variants of auxiliary enactment, just as booklets giving direction on the execution of the law.
The UAE doesn’t have a particular government information insurance law undifferentiated from the GDPR. Nonetheless, reports propose that a draft government law (or laws) are ready to go despite the fact that there is no sign of when such might be distributed. Broadcast Communications and Cyber Crime laws give some restricted information assurance freedoms and commitments in the UAE close by the Constitution and Penal Code. Telecoms specialist co-ops have specific Personal Data assurance commitments under the Consumer Protection Regulations.
The DIFC and ADGM have established their information insurance laws dependent on worldwide best practices, which apply to associations in their ward. The DIFC and ADGM laws are, for the most part, predictable with information security laws in other created locales (explicitly the 1995 Directive and the UK Data Protection Act 1998). Both have intentionally looked not to pre-empt the GDPR – instead, they have embraced a “pensive” approach before additional conforming to it.


One of the most significant benefits of implementing consistent, principles-based, risk-based, horizontal privacy frameworks at the national level can create the right conditions for data sharing across a region, leading to regional economic growth and harmonised privacy protections for consumers. This is by far the most significant reason almost every other country is contemporarily working on some form of data privacy law of their own. The MENA countries are a part of the ongoing race and are slowly coming up with detailed legislations of their own for the same.
Shubham Bansal

INTRODUCTION:  The enactment of the Digital Personal Data Protection Act, 2023, marks a significant milestone in the realm of data …

Shubham Bansal

Introduction  The introduction of the DPDPA, 2023 has brought in the opportunity for various sectors including the pharma companies to …

Shubham Bansal

INTRODUCTION:  The enactment of data protection legislation across various jurisdictions have necessitated strict mandates to protect people’s personal information. India …

Shubham Bansal

Introduction  In today’s digital age, data protection and privacy are crucial for businesses, especially those operating online. As companies increasingly …

Shubham Bansal

INTRODUCTION Last year, India achieved a significant mark when the long-awaited data protection legislation known as the Digital Personal Data …


Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them