UAE:
Although freedom and privacy of communication by mail, telegram or other means are guaranteed by the constitution, the UAE as a whole has no specific personal data protection regulations.
There is an Electronic Transactions and Commerce Act and a Cybercrime Act.
Abu Dhabi Global Market (ADGM), the international financial center established in the capital of the UAE, has a data protection regulation since 2015 as a Free Zone. ADGM has a Data Protection Office (ODP).
Another Free Zone within the UAE, Dubai International Financial Center (DIFC), since 2007, has a Data Protection Act.
The Dubai International Financial Center (DIFC) announced on June 1, 2020, that His Highness Sheikh Mohammed bin Rashid Al Maktoum has enacted the DIFC 5 Data Protection Act 2020 ('Act 2020'). This Law will enter into force on 1 July 2020 and will be implemented from 1 October. Companies that have offices and businesses in the DIFC will need to appoint a Data Protection Officer (DPO) to comply with the law.
Accountability, DPO requirement has been introduced.
Data subject rights are the same as other regulations, but taking into account that personal data may not be d in some scenarios such as blockchain, they are designed to absorb the impact of emerging technology and international data protection laws.
International transfers are rearranged and improved in line with current international standards. Existing additional mechanisms may be recognized, such as Binding Corporate Rules ('BCRs') approved by the European Commission.
The principles of data protection are the same.
Bahrain
The regulation on the protection of personal data entered into force in 2018.
The law bears striking similarities to the EU's GDPR. It includes the protection of the privacy of individuals, specific consent requirements for data processing, as well as the establishment of a Personal Data Protection Officer.
However, unlike the GDPR, the Law applies not only to residents and companies that process their data, but also to people who normally do not reside or work in Bahrain and to companies that do not have a place of business in the country that process personal data using tools located in Bahrain. Processing used only for data transfers is excluded from this third category.
Kuwait and Oman
There are laws in Oman and Kuwait that contain personal data protection provisions related to e-commerce. Oman's Electronic Transactions Act (Royal Decree 69/2008) and Qatar's Electronic Commerce and Transactions Act (Act 2010) are largely based on the UN Model Laws on e-commerce and electronic signatures.
Qatar
There is a regulation regarding the protection of personal given in Qatar. By law, any organization that processes personal data must respect the principles of transparency, fairness and human dignity.
Both Dubai International Financial Center and Qatar Financial Center have laws or regulations specific to their data protection. These legal provisions are generally in line with data protection laws in other developed jurisdictions (especially with the GDPR).
Saudi Arabia
Saudi Arabia's legislation is based on Islamic Sharia law. It does not have a special regulation for the protection of personal data. Its constitution largely protects individual privacy, stating that property, capital and labor are essential components of the economic and social structure of the kingdom and thus constitute private rights.
Egypt
The law on personal data protection was enacted on 15 July 2020. It is generally arranged in compliance with the GDPR. One of the striking differences is that the Egyptian KVKK creates a list of permissible legal bases to process personal information that can be changed with the express consent of the persons.
Organizations may need to obtain a license from the Personal Data Protection Center to process both personal and sensitive personal data.
Iraq
There is no regulation in Iraq.
Jordan
There is no modern data protection law in Jordan and there is no Data Protection Authority accordingly.
Israel
There is a regulated law in Israel. The Privacy Act regulates two basic issues: the general right to privacy and the protection of personal data in databases.
A database owner must register the database if one of the following conditions is met:
•if the database contains data on more than 10,000 data subjects,
•if the database contains sensitive data,
•the database contains data about individuals and if they are not provided by them, on their behalf or with their consent,
•if the database is owned by a public institution,
•if the database is used for direct mail services.
While the Privacy Act obliges the database owner to register, the Privacy Act also prohibits the management or maintenance of a database that should be recorded but not recorded. Therefore, database administrators or database owners may also face liability in connection with an unregistered database.
Databases are exempt from registration in the following cases:
•if the database contains only data that is publicly disclosed according to the legal authority; or
•if the database only contains data that, according to the legal authority, are available to the public.
Morocco
The data protection law of 18 February 2008 is the main law on the protection of private data in the country. All companies operating in Morocco must comply with this.
Personal data definition in the law: any information concerning a natural person
Sensitive data: racial or ethnic origin, political opinions or religious and philosophical beliefs, membership or health-related information,
Right of consent: Before any use of personal data, the person concerned must have expressed his consent in a clear, free and conscientious manner.
Data access: Any person should have access to the feature regarding the use of their data freely and without delay.
Right to rectification: To have the opportunity to freely correct, , lock your personal data when the data is damaged, incorrect or incomplete.
Right to object: Any individual has the right to freely object to the use of his personal data at any time if he presents legitimate grounds
CHINA PERSONAL DATA PROTECTION
The Personal Information Protection Act is the first specific and comprehensive law in China to address the personal data rights of individuals. This law is closely aligned with the GDPR.
The data owner rights listed in the KVKK are the same as the GDPR, but data portability is not mentioned. In addition, the right to object to profile creation is expressed in a more limited way than the general right in the GDPR.
The KVKK imposes a general requirement to promptly notify the relevant authorities, as well as a qualified obligation to report data leaks to affected persons. Any "leak" of personal data will need to be reported. The notification should explain, among other things, the remedial action that has already been taken and what individuals can do to mitigate the effects of the event.
A Data Protection Officer must be appointed.