The new law of personal data protection was published on 19 July 2018, and will come into effect on 1 August 2019.
A. Introduction and Brief Explanation of the Law
Data protection so far has not been a high priority topic for most businesses in Bahrain, with the limited exception of international entities subject to data protection requirements in other jurisdictions in which they operate. While the publication of the new Law provides a considerable lead-in period during which entities subject to the Law will need to comply, the fact that the Law creates criminal offences means that compliance is all the more important and should be treated with high priority.
The law is a pioneering legislative step on both regional and international level as it complies with the UN’s policies to urge states to issue laws regulating the collection and preservation of personal information by use of computer, data banks and other means, in addition to inclusion of provisions concerning civil and criminal liability in case of violation.
Under the new law, the Personal Data Protection Authority intends to provide legal protection for privacy, in light of the widespread use of social media networks that may pose a threat to individuals’ private lives.
It comes as part of the Kingdom’s commitment towards having a friendly and regulatory environment where startups and businesses can thrive. Additionally, the promulgation of this pioneering law and the inclusion of comprehensive provisions on the protection of personal data will reflect positively on the principle of respect for and protection of the right to inviolability of private life. A right that is guaranteed by the Bahraini Constitution, where Article 26 stipulates that “the freedom of postal, telegraphic, telephonic and electronic communication is safeguarded and its confidentiality is guaranteed. Communications shall not be censored or their confidentiality breached except in exigencies specified by law and in accordance with procedures and under guarantees prescribed by law”.
The Personal Data Protection Law is also in line with Article 17 of the International Covenant on Civil and Political Rights, ratified by the kingdom as per Law 56/2006, which states that “(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. (2) Everyone has the right to the protection of the law against such interference or attacks”.
The Law is composed of 60 articles divided into three broad sections, as follows:
B. The key outcomes of the Personal Data Protection Law
Data protection is one of the fundamental steps towards having a Digital Economy. On a larger scale, economic growth, job creation and increased collaboration can result from accessing new markets and opportunities through cross-border data flows. In addition, it will encourage a greater exchange of digital information. Finally, individuals and businesses will have the opportunity to increase growth and trade through making use of data flows.
C. To whom the Personal Data Protection Law applies
The Personal Data Protection Law applies to:
D. Penalties for violating the Personal Data Protection Law
The Personal Data Protection Law criminalises a variety of acts that would, at most, be the subject of administrative penalties in data protection laws elsewhere. Penalties generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000.The following are examples of activities that attract criminal penalties under the Law: