The recent announcement that Bahrain’s Ministry of Justice, Islamic Affairs and Endowments will monitor and regulate compliance with Bahrain’s Personal Data Protection Law (PDPL) finally puts to bed any suspense on who would take on the role of regulatory watchdog for legislation which came into effect on 1 August 2019. Introducing a strong privacy and monitoring framework should significantly strengthen Bahrain’s efforts to lead digital adoption and growth – at least across the GCC – through initiatives like its cloud-first policy, the open banking framework, the digital sandbox and eKYC (electronic know your customer) – and many others. A stable, secure and reliable data privacy platform should give people sharing personal data comfort that their data will be protected.
According to the Economist, the world’s most valuable resource is no longer oil, but data. This is, admittedly, quite a hard argument to win: although five of the largest global businesses may well be data-driven, crude oil is a tangible liquid that is refined into many of the products that we can no longer live without (Bahrain in summer without AC is not as appealing as it used to be) whereas data – while it may be personal – tends only to have value to its owner(s).
The PDPL includes restrictions on direct marketing activities, the sharing of information and the retention of information beyond agreed timelines.
Any entity or person that acquires and processes data – either directly or through a network – will now be held accountable for how that data is processed. Compliance means technical and organisational controls need to be defined, implemented and monitored – by both the ordinary man or woman in the street and functions within organisations – to protect the personal (and sensitive) data that they manage.
Of course, organisations in Bahrain should already have implemented data controls to protect the data they hold.
From this perspective, rather than increasing controls, the law clarifies responsibilities, further protecting data owners. In the future, it should be easier and quicker to assign responsibility and accountability for privacy violations. However, readers shouldn’t automatically assume that the law is a panacea for all data issues – and nor should they simply assume that the law will always find in favour of the individual. In Europe, organisations which have suffered data leaks or some other form of privacy violation but were able to prove that the privacy controls required by the EU’s General Data Protection Regulation (GDPR) were in place were found not to be liable.
Recently, Google – which has faced a number of data protection issues – won a case in the European Court of Justice (ECJ), meaning that it does not have to apply the right to be forgotten – a right granted to EU citizens who can demand that data about them be deleted – outside of the EU. The French privacy regulator, CNIL, had ordered Google to remove search result listings to pages containing damaging or false information about a person. In response, in 2016, Google introduced a geo-blocking feature that prevents European users from being able to see delisted links. However, CNIL insisted that the delisting of search results should be extended to people outside the EU and fined Google €100,000 for refusing to do so. Google argued that the right to be forgotten could be misused – although it has delisted over 1.5 million web addresses in response to almost one million requests. The ECJ ruled that there is no obligation under EU law for a search engine operator that de-references a data subject to de-reference all versions of its search engine.
On the other hand, the significant fines (€110m against Marriott International for insufficient technical and organisational measures to ensure information security, which led to the exposure of the personal data of approximately 340 million hotel guests globally, or €204m against British Airways after the data of 500,000 customers was compromised) should be more than enough to persuade most CIOs and CFOs that data protection, whether here in Bahrain or globally, should be an immediate, high-priority focus. Bahrain’s PDPL, unusually, includes both financial and criminal penalties.
Data protection laws are not going to go away – and we should all be very glad about that. Adoption of the spirit of data privacy – and the understanding that data needs to be protected – by all stakeholders should usher in an era of better transparency, trust and sharing all around.