This report analyzes data protection and privacy laws in Qatar, Bahrain, the United Arab Emirates, and Kuwait. Joey Shea, a researcher and analyst specialized in security and
political repression, documents the deployment of COVID-19 contact tracing applications in these states. The report, which was supported through our Applied Advocacy and Research Grants, compares each state’s data protection and privacy legal frameworks against international standards, as well as assesses whether their respective COVID-19 contact tracing applications have implemented adequate privacy preserving mechanisms.
The four countries were selected based on the timing of the release of their respective COVID-19 contact tracing application. This report includes separate country studies for Qatar, Bahrain, the UAE, and Kuwait. that analyze their fundamental data protection principles, the rights of data subjects and the legal obligations of data controllers. Each country study also includes an assessment of the state’s COVID-19 contact tracing application and the extent to which the policy framework and design features of the app complies with international standards.
Qatar, Bahrain, and the UAE have at least some form of data protection and privacy legislation, while Kuwait is the only jurisdiction surveyed without any data protection law at this time. The laws in the three jurisdictions with data protection legal frameworks broadly resemble international data protection standards, such as the General Data Protection Regulation
(GDPR), with some notable exceptions. These laws are comparable with international data protections laws in terms of their fundamental data protection principles, the rights of data subjects, and the legal obligations of data controllers. Importantly, some states diverge from international standards insofar as they grant large exemptions related to national security. These sweeping national security exceptions are most pronounced in Bahrain and Qatar. There is also a notable lack of evidence in most jurisdictions indicating broad enforcement of their data protection and privacy laws and their regulatory authorities are relatively inactive. Furthermore, there is a lack of evidence of people or entities taken to court under these laws. Widespread accusations of sweeping domestic surveillance programs in Qatar, Bahrain, the UAE and Kuwait also raise serious doubts about the extent to which these governments and state security agencies respect and adhere to data protection and privacy principles outlined in the law.
COVID-19 contact tracing apps surveyed within these jurisdictions lack a limited purpose and clear timelines on their deployment and use. There is also a notable lack of transparency in both their technical design and regulatory mechanisms. Finally, the report finds that the more robust a state’s privacy legal framework is, the more privacy preserving their app has proven to be.