Data Protection under Omani Law

Oman does not have a single law governing data protection. Instead, data protection and privacy are regulated through various general and specific laws, including: • The Basic Law of Oman (Royal Decree 101/1996, as amended) • The Electronic Transactions Law (Royal Decree 69/2008, as amended) • The Cyber Crimes Law (Royal Decree 12/2011, as amended)

Oman does not have a single law governing data protection. Instead, data protection and privacy are regulated through various general and specific laws, including:

  • The Basic Law of Oman (Royal Decree 101/1996, as amended)
  • The Electronic Transactions Law (Royal Decree 69/2008, as amended)
  • The Cyber Crimes Law (Royal Decree 12/2011, as amended)

1.     The Basic Law:
The Basic Law is essentially Oman’s constitution and provides the right to a private life to citizens and guarantees confidentiality in all forms of communication. Article 30 specially provides that:

Freedom of postal, telegraphic, telephonic and other forms of communication is sacrosanct and their confidentiality is guaranteed. Hence, it is not permitted to monitor or inspect them, reveal their contents, or delay or confiscate them except in circumstances defined by the Law and in accordance with the procedures laid down therein.”

2.     The Electronic Transactions Law

The Electronic Transactions Law regulates how data must be retained and secured electronically. It applies (inter alia) to any dealing or contract concluded or performed wholly or partly through “electronic messages”.

“Electronic message” is defined as any “electronic” information sent through “electronic” means irrespective of the means of its extraction at the place where it is received; and “electronic” includes any means that relates to modern technology having electrical, digital, magnetic, wireless, optical, electromagnetic or photonic capabilities or similar to the aforesaid.

Processing personal data is prohibited if doing so will cause damage to the concerned person or prejudice their rights. A person who is in control of personal data by virtue of its engagement in “electronic transactions” must, prior to processing any such data, inform the data subject by a “special notification” of the procedures they follow to protect the personal data. An “electronic transaction” includes any dealing or contract concluded or performed, wholly or partly through “electronic messages” (as defined above). These procedures must specify: (a) the identity of the processing manager; (b) the nature of the data; (c) the purpose for which the data is processed; and (d) the methods and sites for the processing and all necessary information to ensure trustworthy processing of the data.

“Processing personal data” is broadly defined in Article 1 to include “any process or processes of personal data by automated means or otherwise, collection, registration, arrangement, storing, amendment, modification, retrieval, revision or disclosure thereof by sending, distributing, making them available by other means, classifying, grouping, concealing, erasing or deletion of the same”.

It is an offence under Article 52(10) for a person to intentionally, without authorisation, disclose confidential data that they are able to access using their authorities under the Electronic Transactions Law or any other law.

Subject to certain exceptions, a provider of certification services may not gather, process or use data without the express consent of the data subject. A provider of certification services must also take appropriate measures to uphold the confidentiality of personal data and may not divulge ,relay, disclose or publish such personal data without the prior consent of the data subject. Such provider must also give a data subject access to the personal data and allow the data subject to update such information.

Cryptography must be used to protect electronic transactions. The Electronic Transactions Law also requires the use of security measures when collecting, recording, organizing or storing data. Those retaining the data are permitted to select the means of protection. However, in the absence of a selection, Article 19 mandates the use of one of the following measures for protection:

(a)      public key ciphering;

(b)      firewalls;

(c)      information filters

(d)      non-repudiation means;

(e)      file and message ciphering technology;

(f)       protection of backup data;

(g)      anti-worm and antivirus programs; or any other means authorized by the government.

3.     Cyber Crimes Law:

Under the Cyber Crimes Law, a person may not secure access to an electronic website, information system or other means of information technology where such access is unlawful or in excess of any permitted access rights. Penalties are higher where the foregoing results in damage and/or relates to personal data.

Offences under the Cyber Crimes Law also include, inter alia, the following:

(a)        using information technology, electronic data or information to intentionally/unlawfully modify, alter or damage medical records and

(b)        Intentionally/unlawfully intercepting the passage of electronic data or information sent through the internet or other information technology.

4.     Other Laws:

There are several other laws that regulate data protection and privacy, including:

(a)        the Penal Law 7/2018;

(b)        The Telecommunications Regulatory Law 30/2002 (as amended), in addition to several other regulations issued by the Telecommunications Regulatory Authority ('TRA') in respect of data protection of telecoms consumers.

Published in SASLO Legal Updates Newsletter (June 2020)