Middle East

Image

Middle East Topic Page

Navigate by Topic

Below, you can find the IAPP’s collection of coverage, analysis and resources related to the privacy industry in the Middle East region.

Featured Resources

ARTICLE

Saudi Arabia publishes final Personal Data Protection Law

Saudi Arabia’s Personal Data Protection Law represents the country’s first privacy law that aligns with other international data protection laws. This article explores what privacy professionals need to consider with the law.
Read More

VIDEO

Privacy Around the Globe: Dubai International Financial Centre

This LinkedIn Live covers the Dubai International Financial Centre, discussing the uniqueness of standing up a privacy law and a data protection regulator in a free zone, what that means, and the opportunities and challenges it presents.
Read More

VIDEO

Keynote: Zahra Mosawi, Ex-Commissioner, Access to Information Commission of Afghanistan

In this keynote, Zahra Mosawi, former commissioner of the Access to Information Commission of Afghanistan, speaks about her experience working to establish freedom of expression and information rights for the Afghan people.
Read More

ARTICLE

DPOs in Israel — An analysis of a regulatory maze

This article reviews Israel’s published guidelines on DPOs and a set of introduced bills to amend the Protection of Privacy Law and explains the interplay between them.
Read More

ARTICLE

A turning point for privacy laws in Israel

The Israeli government introduced Bill No. 14, a substantial amendment to the Protection of Privacy Law. which includes new procedures and regulatory powers that portend a dramatic increase in risks associated with information security and purposeful processing violations. This article examines Bill No. 14’s proposed changes and impacts.’
Read More

ARTICLE

The long-awaited amendments in Turkish data protection law

The KVKK seeks to amend Articles 6 and 9 of the LPDP on the processing special category of personal data and cross-border data transfers. The proposal has yet to be shared with the National Assembly, but is expected to be approved and take force sometime in 2022.
Read More


Additional News and Resources

Report: Half of Middle East-North African companies don't yet realize business imperative of data privacy

Less than half of businesses in the Middle East and North Africa recognize the value of data security and customer privacy, The FinTech Times reports, citing a joint survey conducted by the Harvard Business Review Analytic Services and Mastercard. With approximately half the populations in both regions under the age of 24, UNICEF estimates consumer trust will rely heavily on companies' ability to implement data security principals catering to younger customers. According to the report, 80% of co... Read More

DIFC launches data protection law consultation

The Dubai International Financial Centre announced a consultation on proposed amendments to Data Protection Law regulations. The proposed updates aim to "establish additional areas of regulation that support robust implementation" of the DPL. Topics covered within the updates include data breaches, controller and processor obligations in digital enablement technology systems, and incorporating privacy by design or default in artificial intelligence deployments. The public comment deadline is 17 ... Read More

'Data transfer theater:' The US and Israel take the stage

This week, U.S. President Joe Biden is expected to sign an executive order cementing the legal basis for the Trans-Atlantic Data Privacy Framework, aka “Privacy Shield 2.0.” The executive order will likely create a redress mechanism, which will allow European individuals to challenge — or at least gain a modicum of insight into — surveillance practices by U.S. national security agencies. On a smaller scale but in the same vein, the government of Israel issued a draft decision Monday, announcing... Read More

Israel tightens marketing rules with a do not call registry

A do not call registry in Israel starts operating early 2023 and joins an already stringent set of consumer privacy protection under Israeli laws. Marketers who call numbers listed in the registry will face significant fines and class actions. Israel joins more than 30 other countries with government-operated opt-out lists for marketing calls. Opt out of marketing calls In December 2020, the Consumer Protection and Fair Trade Authority imposed an NIS 8.3 million (about US$2.5 million) fine on ... Read More

UK, DIFC commit to updated data partnership

The U.K. government and Dubai International Financial Centre Authority released a joint statement committing to increased facilitation of personal data flows. The two sides called the new agreement "a robust data bridge" that will help realize "the benefits of the important role that the trustworthy use of data across borders play." The U.K. and the DIFC indicated a mutual understanding on "the importance of existing and future regulatory cooperation as a means of enhancing our objectives."Full ... Read More

Implementation of Saudia Arabia’s PDPL delayed to 2023

The Saudi Data and Artificial Intelligence Authority postponed implementation of the Personal Data Protection Law until March 17, 2023, the Saudi Gazette reports. In a press release shared on Twitter, the SDAIA said the postponement follows stakeholder views and responses to a public consultation and was made “in order to achieve the ultimate goal of such a law.” The SDAIA encouraged stakeholders to participate in a second public consultation process to “enhance” the law, which had been set to t... Read More

How to prepare for Saudi Arabia’s Personal Data Protection Law

In September 2021, the Kingdom of Saudi Arabia issued its Personal Data Protection Law to regulate the processing of personal data. The PDPL is the first federal, sector-agnostic data privacy legislation in Saudi Arabia. Organizations will be faced with significant changes to their operations to ensure compliance. The PDPL comes into effect only 180 days after the publication in the Official Gazette, meaning the law will be effective March 23, subject to the passage of the implementing regulati... Read More

Oman approves data protection law

Oman's Ministry of Information announced the Law on the Protection of Personal Data was published in the Official Gazette No. 1429. The law provides for various data subject rights while the Ministry of Transport, Communications and Information Technology will have exclusive enforcement powers and be tasked with drawing up regulations. The law becomes effective Feb. 9, 2023.Full Story... Read More

10 practical steps to prepare for the UAE’s Personal Data Protection Law

Organizations in the United Arab Emirates are entering a new era of data privacy enforcement. In late November, as part of its 50th anniversary, the UAE federal government issued a sweeping set of legal reforms, which notably included the UAE Federal Decree Law No. 45 for the 2021 Personal Data Protection Law. While this law has been long-awaited by data privacy experts in the region, many organizations are not prepared for the new obligations and controls that pertain to data processing and res... Read More

UAE president signs off on Personal Data Protection Law

Gulf News reports United Arab Emirates President Sheikh Khalifa bin Zayed Al Nahyan approved wide-ranging reforms to the country’s legal system, including passage of the Personal Data Protection Law. The legislation includes data subject rights, controls and obligations for data processing activities and strong provisions on user consent. Additionally, a law was passed to create the UAE Data Office, which will provide guidance for and enforcement of the PDPL.Full Story... Read More

Amid evolving privacy regulation in the Middle East, stalling on compliance is not an option

In the Middle East and North Africa regions, the business world is just beginning to encounter the regulatory and operational pressures that European and U.S. companies have faced in recent years. Six new data privacy laws have been introduced in the last 18 months and authorities in the Dubai International Financial Centre have already issued 88 fines since the region’s new regulations became effective in late 2020. These new laws come in addition to dozens of existing regulations in Saudi Ara... Read More

Taliban reportedly seize US military biometrics devices

The Taliban is believed to have seized the U.S. military’s biometric devices storing iris scans, fingerprints and biographical data. The technology, known as the Handheld Interagency Identity Detection Equipment, was intended to gather biometric data of 25 million people, 80% of the Afghan population. “We processed thousands of locals a day, had to ID, sweep for suicide vests, weapons, intel gathering, etcetera,” a U.S. military contractor explained. “(HIIDE) was used as a biometric ID tool to h... Read More

Abu Dhabi Global Market releases Data Protection Regulations 2021 guidelines

The Abu Dhabi Global Market’s Office of Data Protection released guidelines aiming to improve compliance with the Data Protection Regulations 2021. The guidance covers eight key areas of the regulations, includes advisory information and provides examples of practical application. ADGM Commissioner of Data Protection Sami Mohammed said the guidance provides “entities and authorities with a robust foundation to update their existing data protection compliance programmes.”Full Story... Read More

China, League of Arab States sign data security agreement

China and the League of Arab States signed an agreement on data security, the South China Morning Post reports. Deputy Foreign Minister Ma Zhaoxu said the agreement aims to create an “open, fair, non-discriminative” digital environment. “The prominent risks and challenges on data security posed by personal information infringement and massive cyber-surveillance on other countries have made it urgent [to find] a global solution,” he said.Full Story... Read More

Regulatory activism — The unique Israeli journey

Amid uncertainty around modernizing the timeworn Protection of Privacy Law, the Israeli privacy regulator has emerged as a dominant driving force. In a series of guidelines and recommendations, the Protection of Privacy Authority aims to fill the void with EU General Data Protection Regulation-like concepts and assumes an unprecedented active role in shaping the privacy regime. At the same time, Israeli privacy laws demand more than other data protection laws, especially in relation to cybersec... Read More

Big data and the pursuit of herd immunity: Israel’s COVID-19 data-sharing agreement

Israel is in the midst of a nationwide effort to achieve herd immunity to COVID-19 through an extensive vaccination campaign. In less than a month, Israel has managed to provide the first dose of the Pfizer-BioNTech COVID-19 vaccine to more than 2.5 million residents (approximately 27% of the population) and the second dose to more than 950 thousand residents (approximately 10% of the population). Per a statement of Israeli Prime Minister Benjamin Netanyahu, these efforts rely on an agreement b... Read More

How one tech vendor adapted its services in response to 'Schrems II'

Since launching last May, InCountry has been operating primarily in the tech vendor equivalent of a journalism beat. The company offers services to assist with data localization law compliance, and thus, their business primarily came from areas in which those rules are prevalent, such as the Middle East, Asia and Russia. InCountry CEO Peter Yared said the vendor started to have conversations with a few European Union countries, but its primary focus still centered on the lands where data locali... Read More

Data breach cost in Middle East higher than global average

An IBM Security report found the average cost of $6.52 million per data breach in the Middle East is higher than the $3.86 million global average, TechRadar reports. The United States tops the average cost at $8.64 million, according to the study of 17 countries from August 2019 to April 2020. In Saudi Arabia and the United Arab Emirates, the cost of data breaches increased by 9.4% in the past year.Full Story... Read More

Regional Resources

Saudi Arabia publishes final Personal Data Protection Law

On 7 Sept., the Saudi Data and Artificial Intelligence Authority formally released the Kingdom of Saudi Arabia Personal Data Protection Law. Enforcement of the law will begin 14 Sept. 2024, which gives organizations one year to prepare for compliance. This law is the first privacy law in the KSA that aligns the kingdom with international privacy laws, in particular, the EU General Data Protection Regulation, along with some localization that addresses the Middle Eastern culture and adopts the l... Read More

Saudi Arabia enacts Personal Data Protection Law

Saudi Arabia's Personal Data Protection Law was enacted 16 Sept., the Saudi Gazette reports. The law regulates the collection, processing, disclosure and preservation of data, including a "detailed framework of processing standards, the rights of data subjects, the obligations of relevant bodies when processing, as well as data sovereignty, and penalties in the event of violating the provisions of the law." Full story... Read More

DIFC launches data protection law consultation

The Dubai International Financial Centre announced a consultation on proposed amendments to Data Protection Law regulations. The proposed updates aim to "establish additional areas of regulation that support robust implementation" of the DPL. Topics covered within the updates include data breaches, controller and processor obligations in digital enablement technology systems, and incorporating privacy by design or default in artificial intelligence deployments. The public comment deadline is 17 ... Read More

Privacy Around the Globe: Dubai International Financial Centre

Original broadcast date: 12 April 2023 This month in our Privacy Around the Globe series, we turn our attention to the Dubai International Financial Centre. In this LinkedIn Live series, we virtually travel around the world for an up-close analysis of the current and future state of privacy in a particular region. For this session, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, will speak with DIFC Vice President, Legal and Director of Data Protection Lori Baker, CIP... Read More

'Data transfer theater:' The US and Israel take the stage

This week, U.S. President Joe Biden is expected to sign an executive order cementing the legal basis for the Trans-Atlantic Data Privacy Framework, aka “Privacy Shield 2.0.” The executive order will likely create a redress mechanism, which will allow European individuals to challenge — or at least gain a modicum of insight into — surveillance practices by U.S. national security agencies. On a smaller scale but in the same vein, the government of Israel issued a draft decision Monday, announcing... Read More

Israel tightens marketing rules with a do not call registry

A do not call registry in Israel starts operating early 2023 and joins an already stringent set of consumer privacy protection under Israeli laws. Marketers who call numbers listed in the registry will face significant fines and class actions. Israel joins more than 30 other countries with government-operated opt-out lists for marketing calls. Opt out of marketing calls In December 2020, the Consumer Protection and Fair Trade Authority imposed an NIS 8.3 million (about US$2.5 million) fine on ... Read More

Implementation of Saudia Arabia’s PDPL delayed to 2023

The Saudi Data and Artificial Intelligence Authority postponed implementation of the Personal Data Protection Law until March 17, 2023, the Saudi Gazette reports. In a press release shared on Twitter, the SDAIA said the postponement follows stakeholder views and responses to a public consultation and was made “in order to achieve the ultimate goal of such a law.” The SDAIA encouraged stakeholders to participate in a second public consultation process to “enhance” the law, which had been set to t... Read More

How to prepare for Saudi Arabia’s Personal Data Protection Law

In September 2021, the Kingdom of Saudi Arabia issued its Personal Data Protection Law to regulate the processing of personal data. The PDPL is the first federal, sector-agnostic data privacy legislation in Saudi Arabia. Organizations will be faced with significant changes to their operations to ensure compliance. The PDPL comes into effect only 180 days after the publication in the Official Gazette, meaning the law will be effective March 23, subject to the passage of the implementing regulati... Read More

DPOs in Israel — An analysis of a regulatory maze

Do Israeli privacy laws mandate the appointment of a data protection officer? The simple answer is that currently, it is not entirely clear. Israel faces significant changes to its privacy laws and the duty to appoint a DPO may either become part of the law or remain a regulatory recommendation only. On Jan. 25, the Protection of Privacy Authority released guidelines on the appointment of data protection officers, their roles and responsibilities. The guidelines set forth recommendations and re... Read More

Oman approves data protection law

Oman's Ministry of Information announced the Law on the Protection of Personal Data was published in the Official Gazette No. 1429. The law provides for various data subject rights while the Ministry of Transport, Communications and Information Technology will have exclusive enforcement powers and be tasked with drawing up regulations. The law becomes effective Feb. 9, 2023.Full Story... Read More

A turning point for privacy laws in Israel

Israel is recognized around the world as an important technology hub. It is home to hundreds of large, multinational tech corporations operating substantial local research and development, sales, and management activities. It is the incubator for thousands of startups, dozens of which are publicly traded unicorns. And it boasts an environment where innovation is fostered, growth achieved and the commerce of modern industries flourishes on a global scale. Because data is a core asset in many tec... Read More

The long-awaited amendments in Turkish data protection law

The Turkish data protection authority, Kişisel Verileri Koruma Kurumu, has proposed amendments to the most controversial provisions of the Law on Personal Data Protection numbered 6698. The provisions have been heavily criticized by academia and business circles due to their inapplicability and inadequacy to meet needs. The amendments were actually part of the Economic Reforms, and specific tasks were introduced under the Economic Reforms to comply with the EU General Data Protection Regulation.... Read More

Social media platforms secure Afghans' privacy

The Jerusalem Post reports Facebook, Twitter and LinkedIn moved to increase the privacy of accounts belonging to citizens of Afghanistan to combat potential targeting in the wake of the Taliban seizing control of the country. All three platforms are providing varying levels of increased security, ranging from limiting account searchability to accepting requests to delete archived communications. The moves come after human rights groups voiced concerns about the potential tracking of Afghans' dig... Read More

Taliban reportedly seize US military biometrics devices

The Taliban is believed to have seized the U.S. military’s biometric devices storing iris scans, fingerprints and biographical data. The technology, known as the Handheld Interagency Identity Detection Equipment, was intended to gather biometric data of 25 million people, 80% of the Afghan population. “We processed thousands of locals a day, had to ID, sweep for suicide vests, weapons, intel gathering, etcetera,” a U.S. military contractor explained. “(HIIDE) was used as a biometric ID tool to h... Read More

DOD Inspector General publishes advisory on removing data from Afghanistan

The U.S. Department of Defense's Office of the Inspector General published a management advisory for the military to ensure sensitive data is protected and removed from equipment used in Afghanistan, Nextgov reports. The advisory highlights Army Regulation 735-5 and the 401st Army Field Support Brigade’s standard operating procedures for property accountability, which covers the proper methods for handling inventory devices and items with hard drives.Full Story... Read More

Comparing the role of the DPO under the GDPR and Turkish law

Appointment of a data privacy officer is regulated in detail under the EU General Data Protection Regulation. Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are determined for the DPO role in terms of qualification as well as authorization. Under the Law on Protection of Personal Data numbered 6698 in Turkey, there is no legal requirement to appoint a DPO for data controllers, but there is a role introduced for the purposes of fulfilling the data control... Read More

Regulatory activism — The unique Israeli journey

Amid uncertainty around modernizing the timeworn Protection of Privacy Law, the Israeli privacy regulator has emerged as a dominant driving force. In a series of guidelines and recommendations, the Protection of Privacy Authority aims to fill the void with EU General Data Protection Regulation-like concepts and assumes an unprecedented active role in shaping the privacy regime. At the same time, Israeli privacy laws demand more than other data protection laws, especially in relation to cybersec... Read More

Big data and the pursuit of herd immunity: Israel’s COVID-19 data-sharing agreement

Israel is in the midst of a nationwide effort to achieve herd immunity to COVID-19 through an extensive vaccination campaign. In less than a month, Israel has managed to provide the first dose of the Pfizer-BioNTech COVID-19 vaccine to more than 2.5 million residents (approximately 27% of the population) and the second dose to more than 950 thousand residents (approximately 10% of the population). Per a statement of Israeli Prime Minister Benjamin Netanyahu, these efforts rely on an agreement b... Read More

Pakistan considers federal privacy law following WhatsApp changes

Pakistani Minister for Science and Technology Chaudhry Fawad Hussain said his ministry is considering a federal privacy law, Dawn.com reports. Hussain's comments came in response to the change in WhatsApp's privacy policy requiring users to share data with Facebook. The minister added WhatsApp should have made the changes to its policy following a period of consultation.Full Story... Read More

Installation of surveillance cameras in Kabul raises privacy concerns

Human rights groups are raising privacy concerns as surveillance cameras are planned to be installed around Kabul, Afghanistan, Reuters reports. An Interior Ministry spokesman said the cameras are being installed to “curb criminal and terrorist activities.” Peace and Human Rights Organization's Mohammad Nizam said, “Under current circumstances, honestly, it would be quite difficult for the masses to have full faith and trust that their privacy would not be harmed with the installation of these s... Read More

Op-ed: Businesses should take ‘holistic’ approach to Egypt’s PDPL

Egypt’s Personal Data Protection Law will be enforced Oct. 14, bringing a range of new obligations for businesses, PwC Middle East Partner for Assurance Services Nabil Diab wrote in an op-ed for Daily News Egypt. To prepare for enforcement, Diab said businesses should “take a holistic approach.” He outlines 10 “essential” steps, including appointing a data protection officer, establishing a data breach management process and reviewing cross-border data transfer operations.Full Story... Read More

Turkey’s new data storage and transfer requirements for banks

Amendments to Turkish Banking Law No. 5411 in February 2020 introduced important provisions regarding how banks handle confidential customer data. Based on these provisions, the Banking Regulation and Supervision Agency introduced a secondary regulation that was finalized in March, the Regulation on Banks’ Information Technology and Electronic Banking Services. This regulation contains binding provisions related to data processing and transferring of bank customers. Definition of customer confi... Read More

Big tech companies push back on Pakistan's censorship rules

The New York Times reports Facebook, Google and Twitter are among the big tech companies refusing to comply with proposed internet censorship rules in Pakistan. The Asia Internet Coalition wrote a letter to Pakistan Prime Minister Imran Khan regarding the opposition of the companies, which proposed abandoning service in Pakistan entirely if the rules stood. The Pakistani government then eased its position, saying the proposal will be put through an "extensive and broad-based consultation process... Read More

Bahrain’s Personal Data Protection Law goes into effect

Gulf Daily News reports Bahrain’s Personal Data Protection Law has now gone into effect. Organizations covered by the PDPL are required to obtain user consent in order collect, store, process and use personal information. Any organization found to have violated the law could face a fine between BD1,000 and BD20,000 and up to one year in prison. While the law has been implemented, there has been no announcement regarding the creation of the Personal Data Protection Authority that will enforce the... Read More

Egypt passes first data protection law

Legislators in Egypt have passed the country’s first data protection law, Daily News Egypt reports. The laws will protect the information of Egyptian citizens, as well as European Union citizens who are in the country. Companies are required to obtain consent before any personal data can be collected, processed or disclosed. Any organization found to have violated the rules faces “[no] less than three months” of imprisonment and fines that can range from EGP 100,000 to EGP 1 million. Any entity ... Read More

DHS warns against potential Iranian malware attacks

ZDNet reports the U.S. Department of Homeland Security's cybersecurity agency is alerting online users to the rise in activity for Iranian hackers and urging U.S. companies to take action to protect systems. Cybersecurity and Infrastructure Security Agency Director Christopher Krebs tweeted a statement from the department, warning users to be wary of cyberattacks, such as data-wiping malware, credential stuffing attacks, password spraying and spear-phishing. "In times like these it's important t... Read More