The Legal And Regulatory Changes Impacting Oman

Law Firm: BSA Ahmad Bin Hezeem & Associates LLP
Subject Matter: Consumer Protection, Insolvency/Bankruptcy/Re-structuring, Privacy, Insolvency/Bankruptcy, Data Protection, Dodd-Frank, Consumer Protection Act
Author: Mr Arsalan Tariq, Sahil Taneja, Mundhir Al Barwani and Abdulaziz Al Rashdi
Published date: 10 February 2023

2022 saw a full host of legal and regulatory updates announced in the Sultanate of Oman, aimed at achieving the objectives set out in the 10th Five Year Plan (2021 - 2025). 35 regulations have been issued since 2020 specifically aimed at the improvement of the business climate. This progress affirms that Oman is on track with plans to further develop a lucrative environment for the growth of businesses and investments.

Our multi-disciplinary team have provided an analysis and overview of the key legal and regulatory updates from 2022 impacting our clients in Oman:

- Personal Data Protection Law

- New Securities Law

- The Financial Consumer Protection Regulatory Framework

- Code of Conduct for Experts and Bankruptcy Experts

The full list of all laws and regulations passed in 2022 in the Sultanate of Oman is provided in the appendix.

The report can be read in full below or downloaded here: THE LEGAL AND REGULATORY CHANGES IMPACTING OMAN.

THE LEGAL & REGULATORY CHANGES IMPACTING PERSONAL DATA PROTECTION THIS YEAR

1. Introduction & Summary

In 2022 the legislation on personal data protection was a milestone in privacy and related matters in Oman. Departing from the old legislative framework, where personal data protection laws were found piecemeal, a wide-reaching and detailed data protection law was promulgated in Oman. This change was all the more welcome in the post C-19 era, which led the world to become more efficient with increased technology use and therefore also led to an increase in personal data collection and processing. Oman, like other countries, introduced a personal data protection law with a view to providing better protection to individuals.

Previously, the data protection regime in Oman existed under general provisions of the Penal Code of Oman and in a very narrow way under Chapter 7 of the Electronic Transactions Law of Oman promulgated by Royal Decree No. 969 of 2008 ("ETL"). Thus, the new law has been enacted with a wide span of personal data protection related provisions keeping pace with the developments in the personal data protection sphere in the world.

2. Personal Data Protection Law by Royal Decree No.6 of 2022

Overview of the update

The new law was promulgated as the Personal Data Protection Law by Royal Decree No. 6 of 2022 ("PDPL"). PDPL contains provisions as to privacy and data protection, data processing, data transfers, and notification and record-keeping requirements, among others. It also entrusts the Ministry of Transport, Communications and Information Technology, Oman ("Ministry") to enforce the provisions of PDPL and to impose administrative punishment for violations thereof, in addition to other specific penalties for various violations of PDPL.

What does this change mean?

As mentioned above, PDPL has a wide range of provisions regarding personal data protection. Unlike the previous regulations on personal data protection, PDPL defines "Personal Data" in a wider context to include any data which makes a natural person identifiable, directly or indirectly, by reference to one or more identifiers, such as a name, civil number, electronic identifiers' data, or spatial data, or by reference to one or more factors related to genetic, physical, mental, psychological, social, cultural or economic identity.

PDPL has laid down the very framework for personal data protection i.e. transparency, honesty, and respect for human dignity. This is a milestone development where privacy and human dignity are put at the centre of statutory protection.

Among the changes that it brought in, PDPL categorically sets out the framework of who is responsible under PDPL and the requirements for collection and processing personal data.

Accordingly, the controller and the processor are the responsible stakeholders towards the ownership of personal data. As per PDPL, a controller is the person who determines the objectives and means of processing personal data, and performs this processing themselves, or entrusts it to someone else, whereas the processor is defined as the person who processes personal data on behalf of the controller.

Under PDPL, the controller is obliged to establish the controls and procedures that must be adhered to when processing personal data, and they must include in particular the following:

- Determining the risks that may fall on the owner of personal data as a result of the processing;

- Procedures and controls for transferring personal data;

- Technical and procedural measures to ensure that the personal data is dealt with in accordance with PDPL;

- Any other controls or procedures specified by the implementing Regulations.

PDPL requires the controller to notify the owner of the personal data in writing before commencing processing of the aforementioned personal data. Such notification shall include the data of the controller and the processor, contact information of the personal data protection officer of the controller, the purpose of personal data processing and its source, comprehensive and accurate description of personal data processing and procedures and the scope of disclosure of personal data, and the rights of the owner of personal data, including the right to access, correct, transfer and update the data.

What is the impact / implications on businesses?

PDPL has imposed a well-defined set of obligations on the entities which come under the purview of PDPL. In their capacity as the controllers and the processors of personal data of individuals, such entities are required to adopt controls and put procedures in place internally based on the key personal data protection principles, i.e. transparency, honesty and respect for human dignity. The controller is obligated to prove written consent of the owner of the personal data, whereas in the case of a child, the consent of the guardian is required for processing any child-related data as per the controls and procedures of PDPL.

Moreover, while formulating the internal controls and procedures, the entities (as controller / processor) should do so with particular reference to understanding the risk involved in processing and transferring personal data from the perspective of the data owners. They are also required to adopt technical and procedural measures as per the standards required under PDPL.

Will there be any further developments on this in 2023?

There are several areas where PDPL relies on the Regulations for clarity. In this modern age where cloud computing and online data storage are widely in use by service providers, PDPL lacks clarification as to how its provisions will be applied to guarantee personal data protection particularly in relation to data security, remote data storage and data retention.

Moreover, while PDPL sets out the rights of the personal data owner to revoke their consent to the processing of their personal data, and to request that the data be updated or erased, it relies on the Regulations to lay down the procedures that the owner of the personal data will follow to exercise their rights under PDPL.

Moreover, PDPL has introduced judicial policing by Ministry officials to enforce its provisions.

However, PDPL leaves a gap to be filled by the implementing Regulations in dealing with procedures regarding how such judicial policing shall be exercised by the Ministry officials, with the required check and balance procedure to avoid any arbitrary measures.

Unlike other international personal data protection regimes, where privacy notices are required to be given in detail to the personal data owners before collecting and processing their personal data, PDPL requires the controllers and the processors to give narrower privacy notices to the data owners as stated above. The privacy notice may specifically contain the grievance procedure in case any violation of the personal data protection legislation occurs etc.

Last but not least, PDPL contains provisions for data transfer outside Oman but lacks the benchmark criteria to be fulfilled by the controllers and the processors before they decide to transfer any data outside Oman, which is similar to the provisions under Chapter 7 of ETL. This issue has a tremendous impact on the protection of personal data and on privacy in the present digital world.

3. Thoughts & expectations for what is to come in 2023

PDPL will become effective on 13 February 2023 and the Ministry will issue the implementing regulations in this regard. In the meantime, businesses should reflect upon their internal policies and train their employees to adhere to the PDPL provisions once it comes into force. In the current data-intensive society, PDPL is a landmark legislation for the protection of personal data in Oman and is expected to fill in several gaps that existed in the previous regime.

THE LEGAL & REGULATORY CHANGES IMPACTING SECURITIES LAW THIS YEAR

1. Introduction & summary

Among GCC countries Oman has remained a stable and attractive market over the years as evident in its steady GDP growth rate of 5% over past years and an estimated USD 29,600 GDP per capita. This makes Oman an attractive destination for investment and the country saw innovation of different financial products to raise capital and help the start-ups to fuel their projects.

In line with the trend, a new Securities Law was introduced in the Sultanate which repealed the previous law. The law is intended to lay down the legislative framework to utilize modern and...
