The well-known Brussels effect has been felt from North America to Oceania, as GDPR-modeled data privacy measures continue to emerge. Middle Eastern countries, similarly, have been heavily influenced by European regulations. But, as UCLA law student Noah Usman explores, newly passed laws sport some key differences.
As privacy and cybersecurity have become increasingly relevant concerns in healthcare and technology, the GDPR (General Data Protection Regulation) has enjoyed an almost uncontested reputation as the world’s foremost privacy law. Its influence, known as the “Brussels effect,” has shaped the regulatory landscape far beyond the European Union.
Indeed, jurisdictions in places like Asia, North America and Australia have emulated the strict protections pioneered by the EU, and the comprehensive nature of many incoming regulations in other parts of the world shows that the space between regulation in various regions is rapidly closing.
In the Middle East, recently passed data privacy and protection legislation in Saudi Arabia, the United Arab Emirates and Bahrain, for example, has demonstrated an increased commitment to consumer rights, business interests and the protection of the personal information of these nations’ respective citizens.
Saudi Arabia
Saudi Arabia recently transitioned from interim regulations to a comprehensive measure, the Personal Data Protection Law, which went into effect Sept. 14, 2023.
The Saudi data protection law shares many similarities with the GDPR, including data subject rights and privacy notice requirements, but differs significantly in how data transfers are regulated. While the European Commission determines the permissibility of data transfers according to the adequacy of the recipient country’s data protection regulations, the Saudi government imposes more stringent requirements, including harsher restrictions pertaining to data localization and residency.
The Saudi law requires that data transfers be approved by the Saudi Authority for Data and Artificial Intelligence on a case-by-case basis, and that only the minimum amount of data necessary to accomplish the corresponding objective is transferred.
While these stricter data transfer regulations position Saudi Arabia as a potential regional leader in data protection and security, the enforcement of such regulations may prove a barrier in the country’s efforts to attract offshore investment. The dynamic between these competing interests will be important to monitor in the coming years.
UAE
The UAE Federal Data Protection Law, passed in 2021, covers a wide range of topics, including data transfers, subject rights, marketing and data protection impact assessments. (The law is also supplemented by a set of consumer protection standards that apply exclusively to the finance and healthcare industries.) While many of the provisions are like the GDPR, some of the guidelines — especially regarding response to subject requests to exercise rights — remain vague, most explicitly by not articulating a clear timeline for response to inquiries. In contrast, the GDPR sets a deadline of one calendar month for response to a data subject request.
However, the scope of the UAE Federal Data Protection Law is considerably broader than that of the GDPR in that the former applies to both data controllers and processors, while the GDPR applies directly to controllers. The UAE legislation is also more explicit in its criteria for how other countries can be evaluated for “adequacy” for data transfer: Criteria include data subject consent, the necessity for execution of a contract and protection of the public interest. While the GDPR contains similar criteria, these provisions are not mentioned in the context of international data transfers, which are never explicitly referenced.
Bahrain
Dating to circa 2018, the Bahraini Personal Data Protection Law similarly establishes guidelines for data quality control, incident response and notification, and the exercise of rights by consumers. Of the new Middle Eastern privacy laws, the Bahraini legislation is the most similar to the GDPR, especially in its far-reaching scope, in that they both apply to entities that process data of their respective citizens (the Bahraini regulation refers to “natural or legal person[s]”).
Similarly to the GDPR, the Bahraini Personal Data Protection Law specifies that data transfers may be carried out to a pre-approved adequate country.
The main deviation of the Bahraini law from the GDPR occurs in how data subject rights are delineated: although the legislation does provide data subjects the opportunity to be notified when their personal data is processed, the right to access personal data is not clearly articulated. Given the limited history of enforcement of the regulation, it remains to be seen how robustly this prerogative is protected for Bahraini data subjects.
What does the future hold?
Within the past five years alone, Middle Eastern privacy legislation has drastically expanded in scope and power, an expansion that owes a significant amount to the influence of the GDPR, as evidenced by the provisions that closely reflect those in the GDPR. However, the new Middle Eastern privacy laws remain extremely protective of local data, possibly due to the still-expanding nature of Gulf economies and their dependence on a narrow range of economic sectors, most notably petroleum. As the economic landscape of the Middle East continues to evolve, it may prove useful to monitor how the current array of privacy legislation and enforcement also continues to change. Such activity may help analysts to gain a deeper understanding of the motivations and economic interests of individual governments as well as adherence to the relevant local data privacy requirements.