The FIFA 2022 Football World Cup begins in Qatar in November 2022, excitement is building and preparations are being finalised.
Roberto LusardiSenior Counsel,Digital & Data
With not much time left to go before the FIFA 2022 Football World Cup (“WC22”) begins in Qatar in November 2022, excitement is building and preparations are being finalised. Lots of planning and arrangements have been and/or are being made, such as for tickets for the games and related accommodation, entertainment and travel plans. Amidst the excitement, there will be millions of bits of data/information being processed to facilitate all these operations and functions.
While engaged with all this preparation and anticipation in respect of the tournament, including, inter alia, ensuring all necessary security is provided and maintained, it can happen that persons and organisations may overlook the need for compliance with other legal requirements- such as data privacy and the protection of personal data of individuals
Under the Data Protection Law of Qatar (DP Law), personal data may only be processed with the consent of the applicable data subject/individual or if the processing is necessary for a lawful purpose of the data controller or third party to whom the data are transferred. In all cases there is a requirement that the individual is provided with details as to the purpose and method of the processing. There are certain exceptions to this, such as where the processing is required by operation of law or to protect the vital interests of a data subject. Another exception is where a Competent Authority (defined as any Qatar government entity competent under law to regulate acts pertinent to data protection) is allowed to process personal data of individuals without compliance with the DP Law requirement in cases involving national security or the interests of the state.
Of relevance to Qatar, and as an example in respect of the WC22 in particular, is the requirement relating to the accommodation of guests/visitors to the country by private/non-hotel hosts, either directly or through entities which operate online platforms (which arrange accommodation and a related secure payment service). Via these platforms users (“guests”) book accommodation services advertised by other users of the platforms (“hosts”) by contracting directly with them. The platform operators do not provide or manage the accommodation or any related services available on the platforms and compliance with legal obligations remains the responsibility of the hosts. In Qatar, under Circular No. 1 of 2021 issued by Qatar Tourism Authority (“QTA”), short term rentals are classified as “holiday homes”, and thus the equivalent of “hotel facilities/establishment”. Such rentals are only permitted with a licence for holiday homes obtained via the QTA’s e-Services portal, which sets outs the requirements and application process to obtain such a licence. Hosts are also required to keep records for a period specified by QTA and to collect guest/reservations data relating to the WC22 period from 1 November 2022 to 23 January 2023. Such data is to include information such as check-in and check-out date, name, date of birth, nationality, gender, email address and passport number(many of which are personal data).
Under Circular No. 11 of 2022 issued by the Chairman of QTA, online platforms are required to share with QTA all necessary information about accommodation listings and the respective hosts. This includes details like the applicable name, identification number, email address/mobile phone number and QTA license. In addition, online platforms are required to work with hosts to submit booking details and guest details via the SITA platform to ensure all relevant MOI information is shared in a timely manner about guests staying at licensed properties. No definition is provided for “SITA” or “MOI” although it is understood that the latter is a reference to the Qatar Ministry of Interior.
The above imposes a requirement on hosts and online platforms to collect and process personal data of individuals (guests), which will require obtaining the consent of the guests to such processing, alternatively, having a lawful purpose for the processing. While this may be addressed by hosts and platforms implementing appropriate consent procedures and privacy notices, it is not clear if compliance with the requirement to share personal data under the QTA circulars:
Is required (or considered a lawful purpose) under the DP Law; or
Falls under the exemption mentioned above relating to national security and state interests and whereby QTA is considered a Competent Authority.
Of further concern, specifically to the online platforms, is that, being established offshore, they are not governed by the DP Law or any other law in Qatar that applies specifically to such platforms. In addition, these platforms would need to be aware of and compliant with data protection legislation in their own jurisdictions in relation to providing the above mentioned personal data, which may be more complex and/or difficult to implement. Such action may also result in these platforms possibly breaching the data protection regulations in their own jurisdictions, for example, if they are subject to the General Data Protection Regulation (“GDPR”) under European Union law, whose provisions in this respect are very restrictive and strictly enforced. This would leave the platforms exposed to fines and/or civil liability, as well as potential criminal liability in certain jurisdictions.
A substantial amount of personal data will be processed by hosts and online platforms during the course of providing accommodation services in connection with WC22. These hosts and platforms, it appears, will further be requested to disclose certain personal data to third parties in various instances. In all cases, they will need to ensure they comply with the provisions of the DP Law as well as, where applicable, data protection regulations in their own jurisdictions (which may have extra-territorial application). This may require some detailed consideration. Otherwise the excitement of WC22, and the satisfaction of taking part in such a momentous event while at the same time being able to generate a good return on providing accommodation services during such period, may well turn sour in the event of being faced with a potential claim for breach of data privacy (together with the resultant risk of the imposition of a fine and/or payment of related damages/compensation).
For further information, please contactRoberto Lusardi or Neil Morgan.
Published in October 2022
