Applicability of Bahrain's Personal Data Protection Law

Introduction

Bahrain's Law No. (30) of 2018 with Respect to Personal Data Protection Law (RPDPL) establishes a comprehensive framework for data protection in the Kingdom. This analysis examines the law's applicability based on material and territorial factors.

Material Applicability Factors

The RPDPL's material scope is primarily defined by its exemptions, particularly the National Security and Law Enforcement Exemption.

National Security and Law Enforcement Exemption

The RPDPL explicitly excludes certain processing operations from its scope, as outlined in Article 2(4)(b):

RPDPL Art.2(4)(b):

"Notwithstanding provisions of Paragraph (1) of this Article, the provisions of this Law shall not apply to the following: Processing operations concerning public security handled by the Ministry of Defense, Ministry of Interior, National Guard, National Security Service, or other security body in the Kingdom."

This exemption creates a significant carve-out for national security and law enforcement activities. It applies to processing operations related to public security conducted by:

• Ministry of Defense
• Ministry of Interior
• National Guard
• National Security Service
• Other security bodies in the Kingdom

The broad nature of this exemption allows these entities greater flexibility in processing personal data without being constrained by the RPDPL's requirements. However, it also raises questions about the balance between individual privacy rights and state security interests.

Territorial Applicability Factors

The RPDPL's territorial scope is determined by several factors that establish a connection between the data processing activities and the Kingdom of Bahrain.

Doing Business in Jurisdiction

The law applies to organizations with a commercial presence or engaging in economic activities within Bahrain, as specified in Article 2(2)(b):

RPDPL Art.2(2)(b):

"This Law shall apply to the following persons: Every legal person with a place of business in the Kingdom;"

This provision ensures that any company operating within Bahrain's borders is subject to the RPDPL, regardless of where the actual data processing takes place.

Use of Equipment Within Jurisdiction

The law also applies to entities using equipment located in Bahrain for data processing, as stated in Article 2(2)(c):

RPDPL Art.2(2)(c):

"This Law shall apply to the following persons: Every natural or legal person not habitually resident nor maintains a place of business in the Kingdom, but processes data by using means situated in the Kingdom, unless such means are used only for purposes of transit of data over the Kingdom's territory."

This provision extends the law's reach to entities that may not have a physical presence in Bahrain but use local infrastructure for data processing activities.

Long-Term Residency Threshold

The RPDPL applies to individuals based on their habitual residency in Bahrain, as outlined in Article 2(2)(a):

RPDPL Art.2(2)(a):

"This Law shall apply to the following persons: Every natural person who is habitually resident in the Kingdom or maintains a place of business in the Kingdom;"

This factor ensures that long-term residents of Bahrain, including expatriate workers, are covered by the law's protections and obligations.

Processing by Local Establishment

The law applies to data processing activities carried out by entities established in Bahrain, as indicated in Article 2(2)(a):

RPDPL Art.2(2)(a):

"This Law shall apply to the following persons: Every natural person who is habitually resident in the Kingdom or maintains a place of business in the Kingdom;"

This provision ensures that individuals and businesses with a physical presence or established operations in Bahrain are subject to the RPDPL's requirements.

Conclusion

Bahrain's Personal Data Protection Law has a broad territorial scope, applying to entities and individuals with various connections to the Kingdom, including business operations, use of local equipment, habitual residency, and local establishments. However, its material scope is limited by significant exemptions for national security and law enforcement activities. This framework aims to balance data protection with other national interests while ensuring comprehensive coverage of data processing activities within Bahrain's jurisdiction.