At the end of last year, Qatar became the first Gulf state to enact a comprehensive privacy law. Until now, the many companies that market to consumers or have employees based in Gulf Cooperation Council (GCC) countries have had to determine their local practices based on the various countries’ patchwork of sector-specific laws and regulations, as well as the differing privacy regimes in force in the region’s business-focused free zones. Now, at least in Qatar, the Personal Data Privacy Law ostensibly serves as a single law governing the collection and processing of data subjects’ personal information, and may serve as an exemplar for future GCC privacy laws.

The text of the law does not appear to be available online in English at present, but the Qatari government has issued a statement summarizing some of the law’s most important points. Although questions remain as to the scope and meaning of some of the law’s provisions, the statement provides some indication of the types of companies and practices that will fall within the law’s purview.

  • Prior consent is an important component of the new law. Data subjects’ consent is required before their personal data may be “used by an organization.” Along those same lines, the law forbids businesses from sending an individual “direct marketing messages” without obtaining that individual’s consent. Although the scope of the term “direct marketing messages” is not apparent from the text of the statement, it indicates that companies engaged in direct marketing in Qatar should review their policies and privacy notices to ensure that they are obtaining the consent of Qatari consumers.
  • The law imposes certain data protection-related responsibilities on organizations, including the responsibility to ensure that “data handlers are properly trained.” Again, although the scope of this requirement is not entirely clear, companies doing business in Qatar should review their training policies or consider implementing such policies if they have not done so already.
  • Article 17 of the law requires owners and operators of websites “related to children” (another term that remains unclear for the time being) must post a policy explaining how they handle minors’ personal information, and must obtain parental consent in order to process minors’ personal information.

While this post provides a brief overview of some of the most important aspects of the law, companies collecting the personal data of Qatari consumers and/or employees should review the law’s requirements to ensure compliance.