Navigating GCC’s Evolving Data Protection Laws: What Every Business Needs to Know


The Gulf Cooperation Council (GCC) is in the midst of significant legal reform, especially within the United Arab Emirates (UAE) and the Kingdom of Saudi Arabia (KSA). The reforms have as their goal foreign investment and economic diversification away from oil reliance. Among the most important changes is the modernization of data protection and privacy legislation. Companies doing business in the region need to remain updated and in compliance with these changing regulations.

The Evolving Legal Framework within GCC

The GCC comprises several jurisdictions that have a blend of civil law and common law. Traditionally, the laws of data protection in the region were fragmented into different regulations with minimal or no enforcement. But the times are changing fast, with numerous GCC nations bringing their laws in line with global norms such as the EU General Data Protection Regulation (GDPR).

Pivotal Trends in Onshore Jurisdictions

1. Stage of Data Protection Laws

Each GCC nation is at a different stage of adopting comprehensive data protection laws:

  • Qatar & Bahrain: Qatar passed its data protection law in 2017, and Bahrain enacted its law in 2019. Both have since been amended to align more closely with the GDPR.
  • Saudi Arabia (KSA): The standalone data protection law (KSA PDPL) fully entered into effect on September 14, 2024, after a grace period of one year. The Saudi Data & Artificial Intelligence Authority (SDAIA) continues to streamline its application.
  • Oman: The personal data protection law in the country will be fully enforceable by February 5, 2026.
  • UAE: The UAE Personal Data Protection Law (UAE PDPL) became effective on January 2, 2022, but is yet to come into full force and effect due to outstanding Executive Regulations.
  • Kuwait: In contrast to the others, Kuwait’s law applies only to entities licensed by the Kuwait Communications and Telecommunications Regulatory Authority (CITRA). Compliance is mandatory by February 26, 2025.

Although these laws replicate GDPR principles, companies should take note of significant distinctions in each jurisdiction.

2. Extra-Territorial Scope

Except in Kuwait, GCC data protection legislation applies to both local and international parties that process personal data within the region. In certain jurisdictions, an organization must also be registered on the regulator’s portal before it can notify the authority of a data breach.

3. Penalties for Non-Compliance

Penalties for non-compliance differ greatly:

  • Bahrain: Fines are a minimum of $2,600.
  • KSA: Penalties can be as much as $1.33 million, with possible doubling in case of repeated breaches.
  • Kuwait & Bahrain: Imprisonment is also an option for serious violations.

4. Enforcement Trends

Historically, onshore regulators have been complacent, but the trend is towards more severe enforcement. As regulatory regimes improve, companies should anticipate more rigorous scrutiny and possible enforcement action.

5. Data Subject Claims

To date, there have been no notable third-party claims for data privacy violations in onshore jurisdictions. However, this will likely change as enforcement increases.

Offshore Jurisdictions: Tighter Rules, Restrictions & More Severe Penalties

Offshore financial free zones within the UAE and Qatar, like Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM), and Qatar Financial Centre (QFC), are governed by common law systems based on English law.

In contrast to onshore regulators, offshore regulators are extremely active. Regulations in these regions mirror GDPR very closely, and fines for non-compliance are far greater. Most importantly, DIFC’s Data Commissioner can issue unlimited fines for non-compliance.

For companies that have operations in the UAE or Qatar, this dual regulatory system means they could have to adhere to both onshore and offshore data protection regulations at the same time.

Steps to Achieve Compliance

To address the changing regulatory environment, companies should:

  • Assess Relevant Laws: Determine which GCC data protection legislation applies to your business and register, if required, under relevant regulation.
  • Establish a Framework of Compliance: Put in place policies consistent with local legislation but uniformly compliant across jurisdictions.
  • Harden Operational Controls: Adopt clear data processing policies, maintain records of processing activities, and document which categories of personally identifiable information (PII) are collected.
  • Train Employees: Regularly educate staff on data protection principles, regulatory requirements, and potential penalties for non-compliance.

Final Thoughts

The GCC’s regulatory environment for data protection is transforming quickly, with emerging laws and stronger enforcement procedures on the table. Companies have to anticipate and evolve in step with these changes in order to maintain compliance, escape substantial fines, and sustain the trust of their customers. With continuing regulatory maturity, anticipating these advancements will be the key to sustained success within the region.
