
A Bit of Privacy at Last: The New Omani Personal Data Protection Law

After being in the making for almost a decade, the Omani Personal Data Protection Law is finally out. This vital piece of legislation aims at protecting what is considered by many as the most fundamental right in the digital age, and one that those living in this country badly needed. While there is no doubt that this law is groundbreaking for the Omani legal system, it only provides the bare minimum of rights in comparison to contemporary data protection laws elsewhere, includes wide exemptions for government entities to process personal data without the need to comply with the law, and leaves a significant amount of critical specifics to a future executive regulation that will be issued by the Ministry of Transport, Communications, and Information Technology (MTCIT).

Up until a couple of weeks ago, Oman did not have a comprehensive framework for the protection of personal data or privacy. Instead, it had a variety of criminal offences relating to the infringement of privacy in general in the Penal Law and the Cybercrime Law, along with scattered sector-specific provisions in instruments such as the Banking Law, the Electronic Transactions Law, and the Medical Profession Law. In fact, privacy was not even recognised in Oman as a constitutional right in the Basic Statute of the State of 1996 or its amendment in 2011; it was only when His Majesty Sultan Haitham came into power and promulgated the current Basic Statute of the State of 2021 that privacy was recognised as a constitutional right, in article 36.

Private life is inviolable, protected, and must not be violated.

The Basic Statute of the State 2021, Royal Decree 6/2021 (issued 11 January 2021, published 12 January 2021) OG Annex 1374, art 36.

Even though we have been waiting for this new law for a very long time, within the GCC context Oman is not too far behind its neighbours: Qatar issued its data protection law in 2016, Bahrain issued its law in 2017, Saudi Arabia and the UAE issued their laws only in 2021, and Kuwait does not have a data protection law to date.

Omani Data Protection Law: The Basics

The Omani Data Protection Law follows the same structure found in most data protection laws around the world by relying on the concepts of data subject, data controller, and data processor to create a framework for the governance of personal data. Under this framework, a data subject is a natural person who may become identifiable through data, a data controller is a party that determines the purpose and means for processing certain personal data, and a data processor is a party that carries out the processing of data on behalf of a controller.

For example, Otaxi is a service in Oman for ordering taxis using independent taxi drivers. In this case, if a customer uses Otaxi, the customer is considered the data subject, Otaxi the company is considered the data controller because it controls the purpose and means of processing, and the individual taxi driver is the data processor. The law grants certain rights to data subjects, and imposes different obligations on data controllers and data processors.

The law requires the consent of a data subject before processing his or her data, requires the data controller to be fundamentally responsible for the processing of the data, and imposes specific additional obligations on both the data controller and the data processor. The Omani Personal Data Protection Law frames all these rights and obligations around transparency, honesty, and respect of human dignity.

It is not permitted to process personal data except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject.

The Personal Data Protection Law, Royal Decree 6/2022 (issued 9 February 2022, published 13 February 2022) OG 1429, art 10.

Rights of the Data Subject

The primary right of data subjects under the Personal Data Protection Law is that their personal data may not be processed without obtaining their explicit written consent. In addition to this, a data subject has the right to revoke their consent for data processing, request to have the data amended or restricted, obtain a copy of the data, transfer the data to another controller, request the erasure of the data, and be notified of data breaches relating to his or her personal data.

The law also requires obtaining the permission of the guardian of a child prior to the processing of the personal data of children, and also explicitly prohibits sending marketing material of a commercial nature to any data subject without their prior written consent.

The law has a separate framework for processing certain sensitive data, such as biometric and health data, and requires a prior permit for this from the MTCIT.

Obligations of Controllers & Processors

In addition to the requirement to respect the rights of data subjects, controllers are required, when making a request to process a data subject's data, to inform the data subject of the contact details of the data controller and the data processor, the purpose for processing the data, and the details of how the processing will take place.

The law envisages the creation of a data protection register where certain data controllers and processors will be required to register with the MTCIT. The details of this register and who will be required to register will be provided in the upcoming executive regulation of the law. The law also gives the MTCIT the power to require any data controller or processor to appoint an external auditor to carry out a data audit, and requires all data controllers to designate a data protection officer.

There are very serious fines for data controllers and processors who violate the provisions of this law, which can go up to half a million Rial Omani, one of the highest fines under Omani law, exceeded only by the likes of the fines found in the Oil and Gas Law.

Exemptions

Article 3 of the law has a long list of cases in which the provisions of the law do not apply. Some of these are obvious, such as the protection of national security interests and processing within the family sphere, while others are extremely wide and unclear, such as the protection of the public interest and the exercise by government units of their competences.

I am not sure if the true intention of the law is to exempt the cases mentioned in article 3 only from the requirement to obtain prior written consent for processing data, or if it aims to deprive data subjects of all their rights, including the rights of rectification, erasure, and access. A literal reading of article 3 makes it appear to be a blanket exclusion from all the provisions of the law, which is worrying because the scope of these exemptions is wide and vague, and not in line with best international practices or even the practice found in some neighbouring countries. For example, the law in Bahrain explicitly limits the exemption to the requirement for consent, and does not deprive data subjects of their other personal data rights.

Final Thoughts

The importance of the Personal Data Protection Law cannot be overstated, but it also has to be acknowledged that this law only provides the bare minimum of rights to data subjects and does not deal with contemporary data issues such as the right to be forgotten or the right to be notified of the use of personal data in algorithm-based decision making. The law also does not recognise some basic data governance principles, such as the principle of data minimisation, and it does not attempt to explore state-of-the-art concepts such as data trusts.

The law also recognises the right to access personal data, but does not create a legal framework for making subject access requests (i.e. the framework for demanding that a data controller release the personal data of a data subject), which is one of the most powerful rights a data protection law can grant.

The law also leaves a lot of the specifics of the law to the MTCIT to decide on, such as, I assume, the extent to which the personal data of Omanis can be moved to another country, the criteria for requiring a data controller or data processor to register with the government, and the cases in which the government may request a data audit. Hopefully, the MTCIT will not keep us waiting for too long to see the executive regulation of this law and all these very important details.

The Personal Data Protection Law will enter into force next year in February 2023.

Translation Note

Decree’s translation of the Personal Data Protection Law follows the English terminology found in foreign and model data protection laws. However, the Omani law uses the terms [نقل] and [تحويل] in Arabic, which can both be translated as transfer without having any commonly known technical differences between them, and for which we were unable to find direct counterparts in our resources. We decided to retain this distinction in English by translating them as transport and transfer, as we suspect that the Arabic term for transport might refer to the transfer of physical location of the data from one physical data centre to another (in a data portability and a data localisation sense), while transfer might refer to the digital transfer of data between two physical locations without removing the data from its original source.