The Wait is Finally Over: The Executive Regulation of the Personal Data Protection Law Issued

After almost 2 years from the issuance of the Personal Data Protection Law, the Ministry of Transport, Communications, and Information Technology published in this week’s issue of the Official Gazette the long-awaited Executive Regulation of the Personal Data Protection Law. When the Personal Data Protection Law was issued in 2022, it was a groundbreaking development for the Omani legal system since it was the first comprehensive privacy legislation to be issued in the country, however, due to the fact that the law left many of the practical implementation details to the executive regulation, many organisations in Oman had struggled waiting in frustration as they were unable to comply because the regulation was not issued, which was extremely problematic because this law grants the courts the power to impose fines up to 500,000 Rial Omani against those who fail to comply with the law.

I hope that I can say that the wait is finally over now that the regulation is finally out, but, realistically speaking, it will probably take the government at least several months to be able to create the processes required for them to receive and process applications relating to the permits envisioned by the law, and for this reason, the decision issuing the executive regulation has given another 1 year grace period for all parties involved to comply with the regulation and, by association, comply with the law.

This blog post will highlight some of the key features of the new regulation.

Permits for Processing of Sensitive Data

Article 5 of the Personal Data Protection Law requires any entity wishing to process sensitive data, such as health data, biometric data, and other forms of sensitive data, to obtain a permit from the MTCIT before processing such data. This provision has a wide scope of application and can include organisations using fingerprint readers to track the attendance of their employees, organisations asking their employees or customers to provide vaccination data, organisations asking customers to provide allergy requirements, and any other organisation that asks for health or biometric data from any person.

The regulation has now provided details regarding the information that is required to be provided by those applying for such permits and stipulates that the MTCIT has 45 days to decide on the application. If the MTCIT fails to respond within this time limit, the application is automatically deemed rejected. The applicant has the right to appeal to the minister, but if the minister fails to respond within 60 days, the appeal is also automatically deemed rejected. I believe that the approach adopted by the MTCIT in this regard is outrageous and is intended to relieve the ministry from carrying out one of its most basic duties: responding to applications legitimately made by Omani businesses. Given that MTCIT was unable to put in place a system for receiving such applications for a period of two years, it would be reasonable for applicants to check if the MTCIT is ready to receive their applications before they submit them to avoid having their applications rejected by the operation of law.

Data Subject Rights

One of the nice things about the Personal Data Protection Law was the recognition of data subject rights in article 11 which includes the right of a data subject to have their personal data erased, retrieved, or transferred to another entity. The regulation stipulates that data controllers have a duty to respond to such requests within 45 days. If the controller fails to respond to the request or denies it, the data subject has the right to complain to the MTCIT, and if the MTCIT fails to respond within 60 days, the complaint is … deemed rejected.

Of course, failure by the MTCIT to respond to a complaint can still be challenged under the administrative justice system, but I do not think that it is reasonable to expect individuals to go to court for simple matters such as the failure of a controller to fulfil a subject access request.

Article 17 of the executive regulation also creates two grounds to allow a controller to refuse to fulfil a request by a data subject, namely, refusal on the ground that a request is vexatious, and refusal on the ground that a request requires extraordinary effort to fulfil. In my opinion, granting the controller the right to refuse a request simply because it requires effort is not reasonable. Certain complex requests can be extremely fundamental to the livelihood of a person, such as a request to transfer health data from one private hospital to another private hospital, or a request to obtain data from an employer so that an employee can use it in an unfair dismissal lawsuit. The law and the regulation should have required the controller to fulfil all legitimate requests, and provide a framework for allowing the controller to request compensation to cover the cost required to fulfil the request. This is a common approach found in other similar laws including the GDPR.

Personal Data Protection Officer

Many people have been anxious about the obligation under article 20 of the Personal Data Protection Law which requires controllers to identify a personal data protection officer. The regulation did not provide any limitations regarding who would be expected to comply with this obligation. This means that if you are a small restaurant that saves its customers’ phone numbers or if you are a major utilities company, you must have a personal data protection officer. However, it is worth noting that the wording of the law and the regulation does not actually appear to require appointing an employee as a personal data protection officer, but simply designating one to be responsible for this task. This means that any existing employee can be designated as the organisation’s personal data protection officer and have him recognised as such while simultaneously carrying out another function.

Cross-Border Transfer of Personal Data

Another major area of uncertainty in Omani law in general and in the Personal Data Protection Law in particular has been the extent to which personal data can be transferred outside Oman. The regulation has now confirmed that there are no requirements to obtain the approval of the MTCIT before doing so and that there is no white list or black list of countries to which the data can be transferred. Instead, the regulation simply requires that the external processing entity has an adequate level of protection for personal data not less than the level of protection prescribed in accordance with Omani law. There are also some general requirements that stipulate that the transfer must not prejudice national security or higher state interests.

The cross-border chapter of the regulation also has an interesting provision in article 37 regarding the cases in which a transfer outside the Sultanate would be permitted without the consent of the data subject, namely, transfers required by treaties that Oman has signed and transfers carried out after anonymising the data. The first exemption probably relates to judicial cooperation agreements and tax cooperation agreements that require states to share information between themselves for a variety of purposes. On the other hand, the second exemption is weird because the exchange of anonymised data does not require the approval of the data subject in all cases because this data is incapable of identifying the person and therefore it would not fall under the definition of personal data to start with.

Final Thoughts

The issuance of the Executive Regulation of the Personal Data Protection Law is an extremely positive step towards the protection of privacy in Oman. However, it is important to remember that the Personal Data Protection itself only offers the bare minimum of rights to data subjects and does not address many of the contemporary issues of data protection, especially those relating to the use of artificial intelligence. The executive regulation created a very simple framework for implementing subject access requests, but the regulation has been written with a mindset of minimising the obligations of the MTCIT and not with a mindset of maximising the upholding of personal data protection rights.

Article II of the decision issuing the Executive Regulation of the Personal Data Protection Law grants data controllers and processes a year to comply with the law, but the regulation has technically entered into force already today. It is highly recommended that organisations subject to the provisions of this law take the necessary measures to comply with it.

Translation Note

Decree’s translation of the Personal Data Protection Law and its regulation follows the English terminology found in foreign and model data protection laws. However, the Omani law uses the terms [نقل] and [تحويل] in Arabic, which can both be translated as transfer without having any commonly known technical differences between them, and for which we were unable to find direct counterparts in our resources. We decided to retain this distinction in English by translating them as transport and transfer, as we suspect that the Arabic term for transport might refer to the transfer of physical location of the data from one physical data centre to another (in a data portability and a data localisation sense), while transfer might refer to the digital transfer of data between two physical locations without removing the data from its original source.