Enforcing GDPR in Oman


December 23, 2018

The General Data Protection Regulation (GDPR) entered into force earlier this year, and many Omani entities, both public and private, are still questioning the extent to which they are required to comply with this European law.

The GDPR is a European Union law that regulates the way personal information of individuals may be used. The law imposes obligations on those who control personal information and those who process personal information. It also grants specific rights to the subjects of personal data, such as the right to have that personal data retrieved, corrected, or completely erased.

The GDPR is not the first European Union law that deals with data protection. The European Union issued a Data Protection Directive in 1995, which entered into force in 1998. However, the GDPR takes the obligation to implement the law to a much more serious level by stipulating penalties of up to €20mn or four per cent of the worldwide annual revenue of the offender, whichever is higher. The potential magnitude of the fines has made everyone take the GDPR seriously, and this has led many entities in Oman to question whether they are required to comply with the GDPR and the extent to which they can be fined for violating it.

The GDPR is a piece of European legislation. It is not an international treaty, and therefore countries outside the EU cannot become members of the GDPR, and domestic courts outside the EU are under no obligation to consider it when examining local cases. Accordingly, on the most basic level, the GDPR, along with all other EU legislation, is not enforceable in Oman because it is not part of our legal system and is not one of our international commitments.

However, there are Omani entities that conduct business in Europe, have branch offices in Europe, and deal with the personal data of customers based in Europe. For these Omani companies, it would be easy for the EU to force them to comply with the GDPR. For example, Oman Air has a significant part of its business activities in the EU, has offices in multiple EU countries, and collects the personal data of customers based in Europe. If an individual in the EU complains about the misuse of their personal data by Oman Air, it would be easy for them to complain about the incident in any country in which Oman Air has a branch or an office.

For Omani entities that have no presence or direct business in the EU, it is still possible that they will be required by their European partners or suppliers to comply with the GDPR. In this case, the obligation would be based on the contractual arrangement between the Omani entity and the European partner.

The GDPR has been a great development for the protection of personal data in Europe and beyond, and even though the EU legislation might not be capable of being easily enforced outside the territory of the EU, all countries and companies should strive to protect the data of individuals in any way possible. Oman has had a draft data protection law in the works for a while now, and we really need to get this law out soon so that Omanis enjoy the minimum standard of data protection offered to citizens in all modern societies.