Data Protection

UAE Data Protection Law 45/2021

In case other people are also struggling to find the UAE Personal Data Protection Law 45/2021 (مرسوم بقانون اتحادي رقم (٤٥) لسنة ٢٠٢١ بشأن حماية البيانات الشخصية), here is a direct link to download the PDF:


New Omani Data Protection Law

A very quick update to note that the Omani Personal Data Protection Law was published in the Official Gazette this morning. Many of us have been waiting for this law to be issued for years and it is great to finally read it in full. You can view the full text of the law in Arabic on this link, and in English on this link.

Data Protection Privacy

Online Privacy – A Fundamental Right For Oman

Privacy on the Internet is more important to us than ever now that our photographs, phone numbers and the location of our every move are recorded and shared by many web services. Privacy is not considered a fundamental right in Oman to which each individual is entitled, unlike the freedom of expression, the freedom to practice religion, and many of the other freedoms provided for in the Basic Statute of the State.

There are a few instances where a limited right of privacy is protected by Omani law, such as the guarantee to maintain the confidentiality of communications, the protection of the sanctity of family life from violation by technological means such as camera-equipped mobile phones, and the protection against misuse of personal data by institutions regulated by the electronic transactions law.
These limited instances of the protection of privacy are not a substitute for the protection of privacy as a wider concept, which can be violated through electronic and traditional means and without necessarily disclosing that information to the public.

Private information is now extremely valuable to companies, as their knowledge of our habits and personal details can help them target potential consumers. Many companies now try to collect as much personal information about us as they can, and this puts us at risk when they collect this information without our knowledge or when they do not handle with care extremely sensitive information about us such as our health and medical conditions, family life, and business transactions.

Attempting to draw a clear scope for the right of privacy is not as easy as it sounds due to the fact that this right needs to be balanced against the security interests of the state in acquiring information in order to avert crimes. These interests are legitimate, but they are not always applied reasonably. For example, the telecommunication law in Oman prohibits the use of any encryption method without acquiring the prior permission of the minister for that use. This provision is unrealistic and has no practical value because we use encryption on the Internet to do many simple daily tasks such as checking our online banking account, paying our bills, and even sending messages using Gmail.

There are some legislative issues in the area of privacy in Oman, but there is little that local legislation here can do to mitigate the risks of the violation of privacy on the Internet due to the fact that the majority of web businesses do not have any presence in Oman and therefore will not be bound by the laws of this country.

We as individuals must take precautions when giving out our information on the Internet. We need to familiarise ourselves with the privacy aspects of the services that we use and must be aware of how much information we are sharing, because it is impossible to retract information we share publicly once it gets on the Internet.


Personal Data in the Digital Age

The internet in Oman has developed a great deal in recent years. We now have high-speed internet spreading across the country and an extensive reach of high-speed wireless internet as well. However, the way the content of this internet is regulated and censored has not seen much development since the Internet was first introduced in the 90s.
Oman is one of the more liberal and tolerant countries in the Gulf and no major websites such as YouTube, Flickr, or Facebook were ever blocked. The recent report on internet censorship issued by the OpenNet Initiative found that there is no evidence of any political Internet censorship in Oman and that the majority of Internet censorship is made on social and cultural grounds. For example, hacking and pornographic websites are usually blocked, but websites that criticize government officials are not. The government usually uses legal methods, such as criminal law, to deal with issues of defamation and breach of confidence and to hold authors accountable for what they write. However, the government will not block their website.

The aim of the censorship process is to protect society's values and help prevent minors from being exposed to pornographic material. The process by which such websites are selected and blocked is handled by automated software that is operated by Omantel. This software is expected to use a number of search and indexing methods to know which websites to block.

Using censorship to help “protect” society's values might have worked in the early days of the Internet when the number of websites was small and manageable, but we now live in an age where the Internet is massively expanding every second due to the low cost of hosting websites and the expansion in user-generated content. It is now impossible to block all pornographic websites when there are hundreds of new ones being created every single minute.

The result is a failing system that cannot logically protect us from all pornographic websites. Instead, the automated nature of censorship leads to overblocking of clean websites that have no offending content. There are also a number of specialist users who need access to websites that may include “offending content”, such as nudity, for medical or research purposes – but such users cannot access these websites here because they are classified as offending websites.

The regulators should admit the fact that such censorship is not a solution. Anybody can do a Google image search for porn right now to be entertained with loads of offending materials. The internet is expanding as we speak and there is no way to “block” it at the top yet allow people to use it efficiently at the same time.

If it is society's values which we aim to protect, then we should educate parents and families on how to use software protection shields on their own computers to protect their kids from accessing any offending websites, or to restrict their access to a limited number of websites. Specialist users and students should have the option of unfiltered internet if they would like to access websites that feature nudity for legitimate purposes.


Is Google Street View Legal in the UK?

A lot of fuss is happening in the UK regarding the legality of Google Street View. Though the service has been out in the US for about two years now, the UK only got it last month. Many people, including Privacy International, believe that the service is illegal in the UK. Google was aware that the original format of the service would have potentially violated UK legislation, but it consulted the ICO, which approved the service when Google stated that it will blur the faces of pedestrians and car number plates.

Some people still argue that their privacy is infringed, but do they have any basis for this argument?

There are two grounds for suing for the “privacy” violation in the UK: the first is through the Data Protection Act 1998 and the second is through Article 8 on Privacy of the Human Rights Act 1998.

I will discuss the DPA in this post and will discuss Article 8 in another post.

Does Google Street View Violate the DPA 1998?

The DPA 1998 covers personal data related to identifiable living persons when processed by a data collector. On its face, Google might fall under the act, as the scope of the act is wide enough to include any information related to an individual processed in any way using a computer. However, looking closer at the definitions of these terms might indicate otherwise.

First of all, the personal data (in this case the photograph of the individual and their location when photographed by Google) must ‘relate’ to an identifiable person. The requirement for the info to ‘relate’ to the person is not defined by the act, but the court said in the case of Durant v Financial Services Authority [2003] EWCA Civ 1746 that the mere inclusion of someone’s information in the data is not sufficient for it to ‘relate’ to him. The person must be the ‘focus’ of the information for it to relate to him and it must affect his privacy whether in his personal, family life, business or professional capacity.

The mere inclusion of someone’s photo on the street in an incidental manner which does not show him as a focus nor affects his privacy in any way will probably not be held by the court to be falling under the DPA. This will exclude these pictures from the scope of the act.

In circumstances where a person is the focus of a photograph and the picture shows him in a situation that infringes his privacy, that person will be covered by the act if that person is identifiable. Google has tried to blur as many faces as it can. If this person cannot be identified by looking at the picture then that information is not covered by the act. The fact that the person can be identified by using the Google Street View information with other information taken from other sources which help identify the person will not bring the information within the scope of the act.

There is no such thing as a right not to have one’s house or neighbourhood photographed. The DPA is about personal information and not about owned objects or companies.

Even if someone’s data is considered to fall under the DPA, that does not give them the right to ask for that information to be removed – except in situations of direct marketing or situations where the information causes substantial unwarranted damage or distress.

There is no requirement for a person to ‘consent’ to have his information processed under the DPA if the data collector satisfies any of the conditions of Schedule 2 of the act.

Google’s original form of Street View might have violated the DPA, but their current form with blurred faces and number plates would not violate the DPA if it works correctly to make the individuals unidentifiable. The majority of people photographed in public not doing anything private would not be subject to the DPA even if their faces were not covered, as the information would not be considered to be ‘related’ to them if Durant is to be applied.


Data Protection in the UK


Data protection law is the law that protects personal information about living individuals in the UK from being processed in any way by commercial entities. This is governed by the Data Protection Act 1998 in the UK. Members of the EU have country-specific legislation implemented through the Directive 95/46/EC (the Data Protection Directive).

Though technically about data, the data protection law in effect is a privacy legislation that is meant to ensure that private information about people is not misused when collected by companies.

The provisions of the DPA 1998 apply when personal information relating to an identifiable individual is processed by a data controller.

Personal data is defined by the act as “data which relate to a living individual”. This can be ANY data which relates to a person such as name and address, health conditions, religious beliefs, or any form of recorded information whether textual, visual, etc. The exact meaning of “relate” is not explained in the act, but it was discussed in the case of Durant v Financial Services Authority [2003] EWCA Civ 1746, where the court held that it “is information that affects [the person’s] privacy, whether in his personal or family life, business or professional capacity” and that the person must be “the focus rather than some other person” with whom the information is concerned.

The personal information must be related to an “identifiable” person who can be identified (a) from the data or (b) from those data and other information which is in possession of, or is likely to come into the possession of, the data controller. Unlike the EU Directive, the UK act doesn’t cover cases where the processed personal data is combined with information held by a 3rd party to identify the person.

The personal data will only be regulated when it is ‘processed’ by a data controller. This is a very wide term that means obtaining, recording, or holding information or carrying out any operation or set of operations on the information or data, including organisation, retrieval, disclosure, or alignment. The definition used in the act is wide enough to include every imaginable action you may perform in relation to data.

The law imposes obligations on all “data controllers” – these are natural or legal persons who determine the purpose and means for processing the personal data. The law also imposes some additional obligations on a “data processor” – which is the natural or legal person who processes the data on behalf of the data controller.

Rights for Individuals

If an individual’s personal data has been processed by a data collector, then he has the following rights:

  1. Right to access the personal information stored about him and to have inaccurate data rectified.
  2. Right to request an assessment of processing.
  3. Right to prevent processing of data if it causes substantial unwarranted damage or distress.
  4. Right to object to direct marketing.

It is possible to claim compensation for the breach of some of the rights mentioned above.

The Data Protection Principles

The act requires all data controllers to abide by eight data protection principles:

  1. Data must be fairly and lawfully processed and in accordance with one of the conditions in Schedule 2 of the act.
  2. It must be processed for limited purposes and not used for any purposes other than these.
  3. It must be adequate and relevant for the purpose and not excessive.
  4. It must be accurate and up to date.
  5. It must not be kept for longer than is necessary.
  6. It must be processed in line with the rights of data subjects.
  7. It must be processed using appropriate security measures.
  8. It must not be transferred outside the EEA without adequate protection.

The Information Commissioner’s Office is the body responsible for supervising the adequate compliance by data controllers with the DPA.