TMT focus
Fatma Al Zadjali Associate, Corporate Commercial
Reem AlFori Intern. Litigation
The recent publication of the Personal Data Protection Law (“Data Protection Law” or the “Law”) by virtue of Royal Decree No. 6 of 2022 marks a monumental development in the privacy law sector in Oman. Previously regulated by a dispersed body of laws and regulations, personal data protection is expected to witness improved regulation once the Law comes to force on February 9th, 2023. The Law shall repeal and replace Chapter 7 of the Electronic Transactions Law (issued by Royal Decree No. 69 of 2008), which was previously considered one of the main Omani legislations regulating the use of personal data, along with the Cybersecurity Law (issued by Royal Decree No. 12 of 2011).
The institution of personal data protection under this Law stems from a set of solid principles, including transparency, honesty, respect for human dignity and consent of the personal data owner. The new Law provides an exhaustive list of definitions of the commonly used terminology in this area, such as “personal data”, “controllers”, “processors”, and, importantly, the operation of “processing”. Disregarding some exceptions, the Law calls for the establishment of personal data owners’ consent prior to undergoing the processing of their data.
The scope of the Law extends to the processing of health, genetic, biological and personal data by parties and/or individuals. However, it does not extend to the processing of data in matters relating to the preservation of national security or public interest; preserving the country’s economic interests; where the processing occurs on a personal or familial level; or in the name of executing the law; as well as other circumstances encompassed in Article 3.
Interestingly, the Law prohibits the processing of personal data relating to genetics, biology, health, ethnic origins, sexual life, political or religious opinions or beliefs, criminal convictions or security measures, unless the relevant permit is obtained from the Ministry of Transport, Communications and Information Technology (the “Ministry”), which is the regulatory body responsible for implementing the Data Protection Law. It appears that the Law recognises the aforementioned categories of data as sensitive and thus establishes such regulation of it.
A wide range of rights is granted to personal data owners under Chapter 3 of the new Law. Arguably, the most fundamental of which is the right of consent to the usage of their personal data. As such, the processing of personal data is not permissible if the owner of said data has not granted their written consent to the processing. Such consent may also be revoked if the owner no longer agrees to the processing of their data. The Law also allows the owner to register complaints with the Ministry if they believe that the processing of their personal data occurred in a matter that is against the Law. Further information regarding the controls and procedures necessary to exercise these rights shall come to light with the issuance of the executive regulations of the Law.
The institution of personal data protection under this Law stems from a set of solid principles, including transparency, honesty, respect for human dignity and consent of the Personal Data Owner”.
The Law defines a “controller” as “the person who determines the purposes and means of processing personal data, and performs such processing by themselves or entrusts it to others”, whereas a “processor” is defined as “the person who processes personal data on behalf of the controller”. Chapter 4 includes the obligations of controllers and processors of personal data. Generally, controllers/processors are obliged to ensure the confidentiality of the personal data and to not disclose it without obtaining the consent of the personal data owner in accordance the specifications of the executive regulations. In requesting the consent of personal data owners, it must be ensured that such request be written, clear, explicit and understandable. Regarding the distribution of personal data by controllers for commercial purposes, the Law clearly stipulates that the written consent of the personal data owner should be obtained prior to such distribution
Moreover, within an entity, the controller shall designate the position of a personal data protection officer. Further information regarding this position shall be revealed with the issuance of the executive regulations of the Law. Controllers and processors are also obliged to provide a written notice to the personal data owner, enclosing within it the controller or processor’s details; the data protection officer’s contact information; the purpose for which their personal data is considered for processing; the rights of the personal data owner in relation to the data, including the right to access, correct, transfer and update such data. To ensure that the provisions of the Law are abided to in the implementation of processing procedures, the Ministry may request that controllers and processors employ external auditors to undertake this task.
More specifications and clarity will be provided in due course, especially once the Ministry publishes the executive regulations of the Law. Practically, it may take some time to test the Law’s provisions before Omani courts and build a jurisprudence that is based on judicial precedents. Such jurisprudence would illustrate how the provisions of Law would change in accordance to Omani courts’ interpretations. Nonetheless, the issuance of the Data Protection Law is an outstanding development in the Omani jurisdiction and one which would surely have an impact on notions of privacy and personal autonomy in relation to the usage and processing of personal data.
For further information, please contact Fatma Al Zadjali.
Published in June 2022
