Personal data is sacrosanct and an extension of an individual’s privacy. The law therefore has a compelling and overriding interest in ensuring its proper retention and dissemination by a party to whom personal data has been entrusted by its owner.
In recent years, breaches of data security and wrongful use of personal data around the world has thrust the issue of data protection in the limelight. The need has arisen for robust legislation to protect against wrongful use of personal data — an act which is as harmful as assault on an individual person.
Although there are no specific laws in the Sultanate of Oman dealing with the protection of personal data, pieces of Omani legislation deal with aspects relating to personal data transmission, storage and dissemination.
The first and foremost of these laws is the Oman Basic Law set out in Royal Decree 101/96 which operates as the constitution of Oman.
Article 30 of the Basic Law (Chapter III, Public Rights and Duties) guarantees freedom of correspondence by post, telegraph, telephone or other means of communication and makes it unlawful to monitor, search, disclose the confidentiality, delay or confiscate the same except in cases specified by the law and in accordance with procedures prescribed therein. This general norm forms the cornerstone of all legislation enacted in Oman dealing with the protection of private/private communication and data.
Another Omani legislation dealing with protection of personal data is the Electronic Transactions Law (ETL) set out in Royal Decree 69/2008. ETL, which applies to transactions performed between parties who have agreed to perform their transactions electronically, contains rules relating to the processing of personal data as well as the requirements relating to the obtaining, retention and dissemination of such data.
ETL contains definitions of several important terms used therein one of which is “personal data processing”. This term has been defined as: “Any transaction or number of transactions performed on the personal particulars, either through automatic or other means, or accumulation, recording, sorting, storing, amending, modifying, recovering, proof reading, disclosing through dispatching or forwarding or making them available through other means, or classifying, merging, concealing, deleting or cancelling.”
Although the term ‘personal data’ has not been defined in ETL and the meaning ascribed to this term would depend upon judicial discretion, it is to be noted that definition of term “personal data processing” is robust which includes not only the accumulation and storage of data but also disclosing or dispatching/forwarding it.
Most importantly, ETL prohibits collecting or processing of any information about personal particulars for any purpose without obtaining the express consent of the person about whom such personal particulars are being collected. The requirement of obtaining specific consent of the individual concerned is a condition precedent to lawfully obtaining personal data.
Failing consent of the individual concerned, the act of obtaining personal data would be unlawful. As an exception to the above rule, ETL states circumstances when the obtaining, disclosing, providing or processing of personal data is lawful.
These circumstances are: (i) when the information is necessary for preventing or detecting a crime; (ii) such personal data is required or authorised by law, or if collecting it is done in accordance with an order from court; (iii) if such particulars are necessary for assessment of any tax or fees; or (iv) if the processing of such particulars is necessary for safeguarding the vital interests of the person about whom such particulars were being collected (Article 43).
Clearly, the onus or burden of proving compliance with the above requirements would be on the person (natural or juristic person) using personal data for any of the above purposes.
ETL also prohibits personal data processing by any person who controls such particulars if such processing inflicts any damage upon persons about whom such particulars were collected or would adversely affect that persons’ rights or freedom (Article 48). This rule would apply to employers as well as traders and merchants who are in possession of personal data of their employees and customers, respectively.
Additionally, ETL contains requirements relating to the transfer or dissemination of personal data outside of Oman by entities in possession of private or personal data.
Article 49 of ETL provides that whenever it is necessary to transfer personal particulars outside the Sultanate of Oman, adequate protection level for such particulars shall be maintained with particular reference to the following: (i) the nature of personal information in question; (ii) source of such personal particulars; (iii) purposes and period for which such particulars are required to be processed; (iv) the country to which such personal particulars are intended to be transferred and such country’s international commitments and the law that applies; (v) the relevant regulations enforceable in such country; and (vi) security measures taken for safeguarding such information at such country.
(The author head the Corporate and Commercial department at ARAB Advocates and Legal Consultants, Sultanate of Oman)