New Data Protection Law in Bahrain

Guiding Principle

The new law of personal data protection was published on 19 July 2018, and will come into effect on 1 August 2019.

A. Introduction and Brief Explanation of the Law
Data protection so far has not been a high priority topic for most businesses in Bahrain, with the limited exception of international entities subject to data protection requirements in other jurisdictions in which they operate. While the publication of the new Law provides a considerable lead-in period during which entities subject to the Law will need to comply, the fact that the Law creates criminal offences means that compliance is all the more important and should be treated with high priority.

The law is a pioneering legislative step on both regional and international level as it complies with the UN’s policies to urge states to issue laws regulating the collection and preservation of personal information by use of computer, data banks and other means, in addition to inclusion of provisions concerning civil and criminal liability in case of violation.

Under the new law, the Personal Data Protection Authority intends to provide legal protection for privacy, in light of the widespread use of social media networks that may pose a threat to individuals’ private lives.

It comes as part of the Kingdom’s commitment towards having a friendly and regulatory environment where startups and businesses can thrive. Additionally, the promulgation of this pioneering law and the inclusion of comprehensive provisions on the protection of personal data will reflect positively on the principle of respect for and protection of the right to inviolability of private life. A right that is guaranteed by the Bahraini Constitution, where Article 26 stipulates that “the freedom of postal, telegraphic, telephonic and electronic communication is safeguarded and its confidentiality is guaranteed. Communications shall not be censored or their confidentiality breached except in exigencies specified by law and in accordance with procedures and under guarantees prescribed by law”.

The Personal Data Protection Law is also in line with Article 17 of the International Covenant on Civil and Political Rights, ratified by the kingdom as per Law 56/2006, which states that “(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. (2) Everyone has the right to the protection of the law against such interference or attacks”.

The Law is composed of 60 articles divided into three broad sections, as follows:

1. Processing Provisions – Including definitions and general rules for the legality of processing, controls of data processing and transfer, statements as well as the rights of the data holder.
2. Data Protection Authority – Including provisions relating to the establishment of the regulator, and its rights and responsibilities.
3. Accountability of the data manager (data controller) and data processor – Including provisions relating to accountability to the regulator, investigation procedures, civil and criminal liability, and penalties for violation.

B. The key outcomes of the Personal Data Protection Law
Data protection is one of the fundamental steps towards having a Digital Economy. On a larger scale, economic growth, job creation and increased collaboration can result from accessing new markets and opportunities through cross-border data flows. In addition, it will encourage a greater exchange of digital information. Finally, individuals and businesses will have the opportunity to increase growth and trade through making use of data flows.

C. To whom the Personal Data Protection Law applies
The Personal Data Protection Law applies to:

• Every individual residing normally in Bahrain or having a workplace in Bahrain, and every legal person (corporate) having a place of business in the Kingdom of Bahrain; and
• Every individual not residing normally in Bahrain or having a workplace in Bahrain, and every legal person (corporate) not having a place of business in the Kingdom of Bahrain, where such persons are processing data using means available in Bahrain, except where such processing means are solely for the purpose of passing data through Bahrain.

D. Penalties for violating the Personal Data Protection Law
The Personal Data Protection Law criminalises a variety of acts that would, at most, be the subject of administrative penalties in data protection laws elsewhere. Penalties generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000.The following are examples of activities that attract criminal penalties under the Law:

• Processing sensitive personal data in violation of the provision specifying requirements for processing sensitive personal data;
• Processing personal data without notifying the new Data Protection Authority in accordance with the provision that sets out the obligation to notify the Authority before commencing any data processing activities (except where certain exceptions apply), or failing to update such notification to the Authority;
• Transferring personal data outside Bahrain contrary to the provisions specifying requirements for transfers to jurisdictions that provide an adequate level of data protection, and associated exceptions;
• Transferring personal data outside Bahrain contrary to the provisions specifying requirements for transfers to jurisdictions that provide an adequate level of data protection, and associated exceptions;
• Providing false or misleading information to the Authority or to a data subject, or withholding relevant information from the Authority, or otherwise hindering the Authority’s work;
• Disclosing any data or information accessed due to work, or using the same for own benefit or for the benefit of others unreasonably and in violation of the provisions of this law.