We have seen an emergence of data privacy laws across the Middle East and North Africa (MENA) region since 2020. Economic powerhouses like Egypt, Saudi Arabia, and the United Arab Emirates have now adopted omnibus data protection laws.
The right to personal privacy and a private life has long been protected as a fundamental right in jurisdictions across the region. Historically, this right was enshrined in constitutional law and underpinned by Sharia principles. However, the development and adoption of powerful technologies that can store and leverage high volumes of personally identifiable data is driving the adoption of more sophisticated privacy laws, designed to address the risks of the digital age.
The connection between data and tech
Data is the lifeblood of technology. This is why as technology advances, our personally identifiable data will play an increasingly pivotal role in informing the strategy and objectives of public and private organizations.
The COVID-19 pandemic super-charged the pace of digitalization across the region. This pace seems set to continue with the wide adoption of applications that leverage artificial intelligence. Hence, they will look to process greater volumes of personally identifiable data than ever before.
The European General Data Protection Regulation (GDPR), which came into effect in 2018, arguably represents the international “gold standard” for data protection compliance. Due to its extended extra-territorial effect, the GDPR’s impact has reverberated globally. It influences the practice of suppliers of technology services in the region and the expectations of their consumers more broadly.
The GDPR has also, to an extent, enhanced people’s expectations as to how their personally identifiable data should be safeguarded. Moreover, it has served as one of the most influential texts for the development of privacy laws in the region.
Key trends
The recent developments in privacy law have given rise to some emerging trends in the region.
The growing importance of privacy compliance
The customer (or person the personal data identifies) needs to be at the forefront of everything organizations now do. Gone are the days when data compliance was an afterthought. For data-heavy companies and companies that leverage technology in their customer-facing or back-office operations, understanding the nature and extent of this data processing and the risks it creates has become a key part of their overall organizational health. Privacy by design was a principle the GDPR coined, but it has carried through to other international frameworks. It is also an increasingly recognized concept enshrined in various MENA countries’ laws. In short, it is the concept of embedding good privacy practices into the design and specifications for all technologies and business processes at the point of development, rather than implementation.
As a case in point, we have begun to see privacy compliance increase in importance when conducting due diligence in some corporate transactions. It is not unusual for the target of an acquisition to have a poor privacy compliance posture given that some of the region’s frameworks are not yet being actively enforced. However, where the methods for obtaining the personally identifiable data that a company leverages in its business are no longer lawful and cannot be easily remediated, this will bring into question the commercial viability of the target’s business.
Data breach reporting
Data breach reporting requirements have been built into a whole range of privacy laws and sector-specific regulations in the region. They are creating a greater need for cyber-breach-response policies and cyber-breach readiness. Unfortunately, the risk of cyberattacks is only likely to increase as we see greater levels of digitalization and increased interfacing of systems. For organizations, it is not a question of “if they suffer an attack,” but rather “when they suffer an attack.”
In MENA, the law most commonly requires organizations to notify regulators of data breaches within 72 hours or less (which is in line with the period the GDPR stipulates). Many of the laws adopted also include requirements to notify the person to whom the personally identifiable data relates in certain circumstances. In addition, some countries are likely to publish details of those organizations that suffer data breaches. This includes companies that are found to have failed to comply with their legal obligations.
This issue is also informed by mandatory, minimum-security standards that apply in certain sectors and in certain market segments, which underpin the national privacy legislation in the region. As the threat landscape evolves, so too will information security regulations and standards. This includes the need to keep pace with leading international frameworks like the NIST Cybersecurity Framework.
Dedicated regulators
Most countries in the region have or will soon establish dedicated data privacy regulators. In some cases, those regulators will also be responsible for policing the country’s policy surrounding the development and permitted use of AI.
Notwithstanding recent legislative developments, many countries in the region still stand out in the global marketplace as having relatively light regulation. This, together with excellent technical infrastructure and a track record for openly supporting technological innovation, has led some global organizations to pilot AI technologies in the region to help refine their approach and policies.
The road to implementation
The publication of data privacy laws by governments in the region is only the first step in what is likely to be a marathon-like effort to develop and implement full data regulatory frameworks. Many regional governments are now focusing on the next step of developing and implementing regulations to supplement the core privacy law. They are focusing on developing detailed guidance to aid understanding, as well as developing enforcement regimes to monitor compliance. In the interim, organizations will have to make key decisions about how to operationalize those requirements in the absence of prescriptive guidance, and the finer level of detail to aid interpretation of these new laws. An understanding of the wider principles and the direction of travel is critical in devising a coherent and future-proof approach.
The ambition of many governments in the region to position their nation as a global leader in technological innovation is unbridled. So, we fully expect that they will continue their efforts to adopt laws and work with industry stakeholders to safeguard individuals’ rights, promote consumer confidence, encourage innovation, and enable the responsible leverage of the full value of data.
About the authors
Kellie is a partner at the UK law firm Addleshaw Goddard, based in Dubai. She leads a team that advises on information, communications and technology (ICT) mandates across the Middle East region, including technology procurement, outsourcing, complex services and digital transformation projects, as well as data governance, cyber security and regulatory technology and telecoms matters. Jay Kesaria is a legal counsel and Charles Christie is an associate in the team.