Bahrain’s Personal Data Protection Law (PDPL) is designed to protect personal information and ensure it’s handled properly. This law is important for anyone dealing with data in Bahrain. It applies to all types of data processing within the country, whether it’s done by hand or through automated systems. The law also affects foreign companies that process data in Bahrain—they need to appoint a local representative to comply with the law. However, if you’re handling data for personal or family use, or if it’s for certain government security purposes, the PDPL doesn’t apply to you.
Legitimate Uses of Data
When it comes to using personal data, the PDPL clearly defines what is permitted. First and foremost, data must be processed fairly and only for clear and legitimate purposes. It is essential that the data collected is accurate, up-to-date, and not retained longer than necessary unless anonymized for long-term storage.
The PDPL also provides flexibility for certain fields like journalism, literature, and the arts. As long as the data is accurate and is used in accordance with relevant press laws, some of the standard processing rules do not apply (Article 6). This flexibility ensures that freedom of expression is protected while still maintaining the safety of personal data. Additionally, data related to criminal cases can only be processed by authorized individuals and must be handled with confidentiality (Article 7).
Data Subject Rights
One of the key features of the PDPL is the rights it gives to individuals regarding their personal data. People have the right to know exactly how their data is being used. This includes knowing who is collecting it, why it’s being used, and who it’s being shared with. People can also access their data to see if it’s being processed, and they have the right to get detailed information about how it’s being used. If someone doesn’t want their data used for direct marketing or in a way that could harm them, they can object to it (Articles 18, 19, 20).
Moreover, individuals can request corrections to any inaccurate data, and if the data is being used unlawfully, they can ask for it to be blocked or erased. This includes the “right to be forgotten,” which allows someone to have their data removed when it’s no longer needed (Article 23). People can also withdraw their consent for data processing at any time, giving them control over their information.
Enforcement and Penalties
The PDPL doesn’t just set rules—it also comes with serious consequences if those rules aren’t followed. The Personal Data Protection Authority (PDPA) is in charge of making sure the law is enforced. If someone violates the law, they can face hefty fines and even imprisonment. This applies to illegal data processing, unauthorized data transfers, and failing to notify the PDPA about certain activities (Article 58).
Conclusion
Bahrain’s PDPL is a critical law that protects personal data and ensures it’s handled with care. It gives individuals strong rights over their information and enforces strict rules to prevent misuse. At the same time, the law offers some flexibility for areas like journalism, creating a balanced and secure data environment in Bahrain.
News of the Week
1. Contentious California AI bill passes legislature, awaits Governor’s signature
California’s legislature passed a controversial AI safety bill mandating safety tests for advanced AI models. The bill, which faces strong opposition from tech companies, requires developers to implement a “kill switch” for AI systems and hire third-party auditors to assess safety practices. Proponents, including Elon Musk, argue it’s necessary to prevent AI from becoming uncontrollable. The bill now awaits Governor Gavin Newsom’s decision by September 30 to become law.
2. Law firm Orrick Herrington & Sutcliffe and plaintiffs’ attorney deny violating orders in data breach class action
Law firm Orrick, Herrington & Sutcliffe and plaintiffs’ lawyer William Federman have denied breaking court orders in a case related to the 2023 MOVEit data breach. They argue that a $900,000 settlement negotiated in Oklahoma was within their authority and did not interfere with the federal case in Massachusetts. The federal lawyers claim the settlement could undermine their case and accuse Orrick and Federman of procedural misconduct. U.S. District Judge Alison Burroughs is reviewing the situation.
3. U.S. appeals court revives Google privacy class action lawsuit
A U.S. appeals court has revived a class action lawsuit against Google. Chrome users claimed Google collected their data without consent, even when they chose not to sync their browsers. The 9th Circuit Court in San Francisco said the lower court should have examined whether users reasonably consented to data collection. Google disagrees with the ruling, arguing its privacy controls are clear, and the case will now proceed to trial.
4. Uber Fined Record $324 Million In Netherlands for Transferring Sensitive EU Driver Data to U.S.
Uber has been fined €290 million ($324 million) by the Dutch Data Protection Authority for sending European taxi drivers’ personal data to the U.S., violating EU privacy rules. Uber argues the fine is unjust and plans to appeal, claiming their data transfer practices complied with GDPR during a period of uncertainty. The fine can be contested and any penalties are on hold until all appeals are resolved.
5. Meta’s changes to ad data use rules accepted by CMA
Britain’s Competition and Markets Authority (CMA) has approved Meta’s updated plan for handling data from advertisers. Originally, advertisers could opt out of having their data used to improve Facebook Marketplace. The new plan will prevent all such data from being used for Marketplace improvements, without requiring any action from advertisers. The CMA believes these changes offer better protection for advertisers and address previous concerns about Meta’s market advantage.