Last review date: 31 December 2024

• omnibus – all personal data
• sector-specific
• constitutional

Last review date: 31 December 2024

The primary laws relevant to privacy and data protection are:

• Law No. 30 of 2018 on the Personal Data Protection Law (“PDPL”)
• Ministry of Justice, Islamic Affairs and Waqf Executive Orders:
  • No. 42 of 2022 regarding the transfer of personal data outside the Kingdom of Bahrain
  • No. 43 of 2022 regarding the conditions to be met in the technical and organizational measures that guarantee protection of personal data
  • No. 44 of 2022 regarding the rules and procedures for submitting notifications and prior authorization requests to the Personal Data Protection Authority
  • No. 45 of 2022 regarding the rules and procedures for processing sensitive personal data
  • No. 46 of 2022 regarding Data Protection Guardians
  • No. 47 of 2022 determining the fees of enrollment and renewal in the Data Protection Guardians register and cases of waiver and refund
  • No. 48 of 2022 regarding the Data Subject’s Rights
  • No. 49 of 2022 with respect to rules and procedures governing submission of complaints regarding violations of the Personal Data Protection Law
  • No. 50 of 2022 determining the controls and safeguards for protecting the confidentiality of data concerning instituting and pursuing of criminal proceedings, and related judgements
  • No. 51 of 2022 regarding the conditions to be met while creating registers accessible to the public

Last review date: 31 December 2024

Cybersecurity is a fundamental pillar of the national ICT framework in the Kingdom of Bahrain. The Kingdom has a national cybersecurity framework governed by the General Directorate of Anti-Corruption and Economic and Electronic Security at the Ministry of Interior that addresses cybersecurity in sectors including energy, finance, education and health.

In addition to the security-related provisions in the PDPL and its Executive Orders, the primary laws relevant to cybersecurity include:

• Law No. 16 of 2014 regarding the Protection of Information and State Documents
• Law No. 2 of 2017 for Ratifying the Arab Agreement on Combating IT Crimes
• Law No. 60 of 2014 regarding IT Crimes
• Decree-Law No. 54 of 2018 for Issuance of Letters and Electronic Transactions
• Prime Ministerial Decree No. 36 of 2018 regulating the technical requirements for sending, receiving, and updating the electronic records and signatures of public bodies

Last review date: 31 December 2024

• Law No. 16 of 2014 regarding the Protection of Information and State Documents: This law mandates the protection of sensitive information and state documents, ensuring their security and confidentiality.
• Law No. 2 of 2017 for Ratifying the Arab Agreement on Combating IT Crimes: This law focuses on combating various forms of IT crimes, including those involving non-personal data.
• Law No. 60 of 2014 regarding IT Crimes: This law addresses offenses related to information technology, including unauthorized access and data breaches involving non-personal data.
• Decree-Law No. 54 of 2018 for Issuance of Letters and Electronic Transactions: This law regulates electronic transactions, ensuring their security and integrity, which is crucial for the protection of non-personal data.
• Prime Ministerial Decree No. 36 of 2018: This decree sets technical requirements for sending, receiving, and updating electronic records and signatures of public bodies, which includes non-personal data.

Last review date: 31 December 2024

No imminent changes to the PDPL or core cybersecurity laws are anticipated. However, in early 2024, it was reported that the Shura Council had approved a proposal on a draft law relating to artificial intelligence that would include a new authority to regulate AI, penalties for breaches, and compensation for damages caused by AI systems.