Home / Knowledge Hub / Regulatory & Legal Updates

Mind the Data Protection Gap: Oman's new Data Protection Law


Arsalan Tariq and Yasin Chowdhury recently spoke to Lexis Middle East Law Alert regarding the new Data Protection Law in Oman.

What’s happened and why?

Oman has recently promulgated the Personal Data Protection Law by Royal Decree No. 6 of 2022 (“the Law”). The Law shall be supplemented by the implementing (executive) regulations and the decisions necessary to enforce the provisions of the Law, which shall soon be issued by the Ministry of Transport, Communications and Information Technology, Oman (“the Ministry”) (“Regulations”). The Law shall become effective on 13th February 2023 i.e. after 1 (one) year from the date of its publication in the official gazette which is 13th February 2022. 

Like other jurisdictions in GCC, Oman aims to restructure its data protection law particularly following the pandemic in 2020 which led the world to become more dependent on technology with the resultant increasing personal data collection and processing, with a view to strike a balance by affording a better protectionist regime to individuals. Previously, the data protection regime in Oman existed under some general provisions of the Penal Code of Oman and in a very narrow way under Chapter 7 of the Electronic Transactions Law of Oman promulgated by Royal Decree No. 969 of 2008 (“ETL”). Thus, the Law has been enacted with a wide span of personal data protection related provisions keeping pace with the developments in the personal data protection sphere in the world and repealing Chapter 7 of ETL.

What’s changed?

As mentioned above, the Law has a wide range of provisions regarding the personal data protection. Unlike the previous legal regime in Oman on personal data protection, the Law defines “Personal Data” in a wider context to include any data which makes a natural person identifiable, directly or indirectly, by reference to one or more identifiers, such as a name, civil number, electronic identifiers’ data, or spatial data, or by reference to one or more factors related to genetic or physical identity, mental, psychological, social, cultural or economic.

In addition, the Law contains provisions as to privacy and data protection, data processing, data transfers and notification and record keeping requirements among others. It also entrusts the Ministry to enforce the provisions of the Law and to inflict administrative punishment for the violations thereof in addition to other specific penalties for various violations of the Law.

The Law has laid down the very framework for personal data protection i.e. transparency, honesty, and respect for human dignity, this is a milestone development where privacy and human dignity are put at the center for the statutory protection.

 
What are the most significant changes and why?

Among the changes that it brought into the fabric of personal data protection regime in Oman, the Law categorically sets out the framework of who is responsible under the Law and the requirements for collection and processing personal data. Accordingly, the controller and the processor are the responsible stakeholders towards the owner of personal data. As per the Law, a controller is the person who determines the objectives and means of processing personal data, and performs this processing themselves, or entrusts it to someone else, whereas the processor is defined as the person who processes personal data on behalf of the controller.

Under the Law, the controller is obliged to establish the controls and procedures that must be adhered to when processing personal data, and they must include in particular the following:

a. determining the risks that may fall on the owner of personal data as a result of the processing;
b. procedures and controls for transferring the personal data;
c. technical and procedural measures to ensure that the personal data is dealt with in accordance with the Law,
d. any other controls or procedures specified by the implementing Regulations.

The Law categorically requires the controller to notify the owner of the personal data in writing before commencing processing any personal data, such notification shall include data of the controller and the processor, contact information with the personal data protection officer of the controller, the purpose of personal data processing and its source, comprehensive and accurate description of personal data processing and procedures and the scope of disclosure of personal data, and the rights of the owner of personal data, including the right to access, correct, transfer and update the data.

Are there any areas left unclear which implementing Regulations will have to clarify?

There are several areas where the Law relies on the Regulations for clarity. In this modern age where cloud computing and online data storage are widely in use by service providers, the Law lacks clarification as to how its provisions will be applied to guarantee personal data protection particularly in relation to data security, remote data storage and data retention.

Moreover, whereas the Law sets out the rights of the personal data owner of to revoke their consent to processing their personal data, to request to update and to erase the data, it relies on the Regulations to lay down the procedures that the owner of the personal data will follow to exercise his rights under the Law.

Moreover, the Law has introduced judicial policing by Ministry officials to enforce its provisions. However, the Law leaves a gap to be filled by the implementing Regulations in dealing with procedures regarding how such judicial policing shall be exercised by the Ministry officials, with the required check and balance procedure to avoid any arbitrary measures.

The Law, while requiring the controller and the processor to establish the internal controls and procedures to adhere to while processing the personal data, does not speak of a detailed guideline as to what kind of policies and procedures should be adopted at a minimum that the relevant stakeholders should guarantee and observe.

Unlike other international personal data protection regimes, where privacy notices are required to be given in detail to the personal data owners before collection and processing their person data, the Law requires the controllers and the processors to give narrower privacy notices to the data owners as stated above. The privacy notice may specifically contain the grievance procedure in case any violation of the personal data protection legislation occurs, etc.

Lastly, but not least, the Law contains the provisions for data transfer outside Oman, but lacks in the benchmark criteria to be fulfilled by the controllers and the processors before they decide to transfer any data outside Oman, which is similar to the provisions under Chapter 7 of ETL. This particular issue has tremendous impact on protection of personal data and privacy issue in the present digital world.
What do affected entities have to do now?

The Law has imposed a well-defined set of obligations on the entities which come under the purview of the Law. In capacity as the controllers and the processors of personal data of the individuals, such entities are required to adopt the controls and put procedures in place internally based on the key personal data protection principles i.e. transparency, honesty and respect for human dignity. The controller is obligated to prove written consent of the owner of the personal data, whereas in case of a child, the consent of guardian is required for processing any child related data as per controls and procedures of the Law.

Moreover, while formulating the internal controls and procedures the entities (as controller/processor) should do so, with particular reference to understanding the risk involved in the personal data processing and transferring from the perspective of the data owners. They are also required to adopt technical and procedural measures as per the standards required under the Law.
Besides, the controllers and the processors are obligated, if so required by the Ministry, to appoint an external auditor to ensure the controls and procedures adopted internally are complaint with the provisions of the Law and to submit such external auditor’s report to the Ministry.

What’s next?

The Law will be effective from 13th February 2023 and the Ministry is expected to formulate its implementing Regulations by then and may issue related decisions from time to time to enforce the provisions of the Law. Once the Regulations are issued by the Ministry, a detailed personal data protection framework will unveil and the required clarification will also be available as to how the Law is to be enforced in practice.
The controllers and the processors, however, can take the advantage of this time gap to audit its processes ensuring to be compliant with the Law as well as prepare and train their employees to comply with the Law and help them understand the various risk and responsibilities while dealing with personal data of individuals.  

The full article can be read here: Lexis Middle East Law Alert

Related Insights
Got a question or enquiry? Contact us