The Kingdom of Bahrain has officially introduced the new Personal Data Protection Law (PDPL), an important legislation designed to safeguard the online privacy of internet users in the country. Effective from Aug 1, 2019, the new law is applicable to all Bahrain-based businesses, as well as overseas companies that process data using technological infrastructure in Bahrain.
Important to note here is that only a few specific aspects of the PDPL are currently enforceable. For the new law to come into effect in its entirety, the Board of Directors of the Personal Data Protection Authority will have to sort out with the technical and legal challenges to some of its provisions.
Once the Authority is formally established, it will deliberate on all the pending provisions and issue fresh guidelines accordingly. However, the law, even in its current limited form, is a big leap forward from the perspective of all end users who value their rights to online privacy.
Also, some of the most important sections in the law are already enforceable. For example, Chapter 5, which deals with the rights of data owners, is already in effect starting Aug 1. Among other things, it includes a provision that makes it mandatory for a data manager to notify data owners of certain information such as the latter’s right to access own personal information and to withdraw consent to the processing of their data under certain circumstances.
Similarly, Article 8, which deals with the security of processing, makes it mandatory to data managers to enter a written agreement with a data owner before processing the latter’s data using a third-party service provider.
While breaching any of these provisions won’t draw criminal proceedings against a data manager, the law requires affected parties (data owners) to be compensated in an amount ranging between BHD 1,000 and BHD 20,000.