radiofree.asia

Biometric Surveillance and Personal Data Protection in the Gulf: A Growing Human Rights Concern

Over the past decade, the Gulf Cooperation Council (GCC) countries have been enacting Personal Data Protection Laws (PDPLs) in order to better regulate the collection and processing of their citizens’ personal information. Even though these laws can be considered as an important step forward in safeguarding privacy in increasingly digitalized societies, they also raise important questions about data protection, state control and human rights. As a matter of fact, the governments in the region have been expanding their use of biometric technologies (i.e. facial recognition, fingerprints scanning) – especially in the United Arab Emirates (UAE) thanks to large investments made in AI development – and this has raised concerns about how  such measures could be leveraged for unauthorized surveillance or even political suppression. Such a concern is legitimate especially after analysing the different PDPLs of every one of these countries.

Among the GCC countries, Qatar was the first to issue a Personal Data Protection Law (PDPL) in 2016. However, the country still faces significant shortcomings in implementing this law, especially when it comes to protecting data subjects’ rights, clearly defining sensitive data (such as biometric and genetic data), and outlining the obligations of data processors and controllers toward the data subjects. In fact, the law provides a list of several cases in which the consent of the data subject is not necessary for the processing of personal data. One of these cases being data processing for reasons of  “public interest” – a term that leaves space for broad interpretation.

The Kingdom of Saudi Arabia (KSA), at  first glance, seems to have established a more comprehensive system for data protection under the supervision of the Saudi Arabia for Data and Artificial Intelligence (SDAIA) and its PDPL of 2024 tries to resemble the European General Data Protection Regulation (GDPR). Despite explicitly recognizing biometric data and imposing strong penalties for violations, the PDPL’s exceptions – similarly to Qatar’s – includes reasons of “public interest or security purposes” in which the data subject’s consent is not a requisite. These provisions, in the hands of a government known for being highly suppressive against political dissent and criticism, effectively legitimize and institutionalize mass data collection under the pretext of “national security”.

The United Arab Emirates (UAE) presents a complex framework when it comes to data protection laws.  On one hand, in the PDPL of 2022 biometric data falls under the scope and definition of “Sensitive Personal Data” and it also contains a broad obligation to process personal data in a transparent manner, on the other hand the law remains largely unenforced – the Data Office responsible for its implementation has yet to be established and no penalties are specified in case of violations. Moreover, the coexistence of  parallel data protection frameworks such as the Dubai Data Law No. 26 of 2015 and the Dubai International Financial Centre (DIFC) Data Protection Law of 2020, fragments accountability and creates loopholes that can easily become a tool of power in the hands of the government. The UAE is known for extensive use of biometric surveillance technologies – like the KSA – in public places too. This lack of enforcement can only raise serious concerns about unchecked biometric monitoring and the erosion of privacy.

In analysing the other GCC countries, it emerges that Oman’s 2022 PDPL contains relatively progressive provisions, including recognition of biometric data as “sensitive personal data”, explicit consent requirement and restrictions of processing biometric information without the authorization of the ministry. Bahrain, with its Law No. 30 of 2018 (enacted in 2019), goes further in enforcement, with criminal penalties up to one year of imprisonment and large fines for unauthorized processing. It also specifies that the processing  of biometric data, together with genetic data too, needs a written authorization by the competent Authority, otherwise is prohibited. Yet both laws – like those of their neighboring countries – include broad exemptions for “national security” and “public interest”. These vague terms provide legal cover for the very practices the laws claim to regulate. Moreover, it is interesting to notice how Bahrain, in listing the countries that are considered to have adequate protection of personal data for cross-border transfers, includes also Kuwait in which, as of today, there is no specific PDPL in force. This contradiction highlights how data protection in the Gulf often serves more as a legal façade than a genuine commitment to safeguarding individual privacy.

The uneven implementation and varying strength of GCC data protection frameworks highlight a broader tension between privacy rights and state control. While these laws appear to align with international standards like the GDPR, their exceptions and lack of particular consideration for biometric data often completely negate their protective potential. Without independent oversight bodies and enforceable transparency mechanisms, biometric surveillance risks becoming a political tool. For genuine progress, the region must move beyond formal legislation and ensure that data protection serves its intended purpose: the defense of individual rights and human dignity.

The post Biometric Surveillance and Personal Data Protection in the Gulf: A Growing Human Rights Concern appeared first on Americans for Democracy & Human Rights in Bahrain.

This post was originally published on Americans for Democracy & Human Rights in Bahrain.