Bahrain’s Personal Data Protection Law (Law No. 30 of 2018) came into force on 1 August 2019, 12 months after its publication in the official gazette. The law is based on a draft produced more than ten years ago, and does not specifically contemplate GDPR. It is unclear whether Bahrain will seek to revise this new legislation to align it more closely with GDPR, but this would seem unlikely at this stage.
While many companies active in Bahrain are seeking to comply with the requirements set out in the Personal Data Protection Law, the fact that associated Regulations have not yet been issued makes this difficult. For the moment, and noting our comments below regarding criminal offences, the fact that the Data Protection Authority contemplated in the law has not yet been established provides some comfort in terms of the low practical risk of enforcement.
The Personal Data Protection Law criminalises a variety of acts that would, at most, be the subject of administrative penalties in data protection laws elsewhere. Penalties generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000 (between about USD 2,600 and about USD 53,000), or a fine only in the case of corporate entities. The following are examples of activities that attract criminal penalties under the Law:
The Personal Data Protection Law does not specifically provide for data breach notification obligations (either to affected individuals or to the Data Protection Authority), although it is possible that requirements of this nature could be introduced when the Regulations are issued. Otherwise, loss or damage arising out of such events could be captured under other Bahrain law provisions, such as those providing for remedy where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.