PrivacyEngine Podcast

Bahrain Personal Data Protection Law Explained: GDPR, AI and Data Transfers

PrivacyEngine


In this episode, Katie Burch and Dr. Maria Moloney unpack Bahrain’s Personal Data Protection Law and compare it with the GDPR and other regional regimes. They cover scope, lawful bases, data subject rights, cross-border transfers, prior authorisation, and the growing role of AI governance.

Enjoyed this episode? Subscribe for more practical insights on global privacy and data protection. If you have questions about India's DPDPA, KSA & UAE's PDPL compliance, get in touch. We would love to hear from you.

SPEAKER_00

Hello, and welcome back to our podcast series where we explore privacy and data protection laws around the world. I'm Katie Burch and I'm joined by my colleague Maria Moloney. Hello, everyone. In this series, we examine how different jurisdictions regulate personal data and what that means for organizations that operate internationally. In the past, we have done Qatar's personal data privacy protection law. We covered the UAE federal law and some of their free zones. We also did India's data protection law and the Kingdom of Saudi Arabia's. But today we are turning our attention to Bahrain's personal data protection law along with its accompanying decisions. So as always, I'm joined by Dr. Maria Moloney, and together we're going to explore how the framework works and how it compares to the GDPR and its neighboring jurisdictions. And so, yeah, I'll begin by asking you the first question, Maria, which is: where does Bahrain's personal data protection law sit within the broader global privacy landscape?

SPEAKER_01

Thanks, Katie. That's an interesting question. So Bahrain enacted its personal data protection law, which is called Law Number 30 of 2018, and it came into force on August 9, 2019. This was a significant step for the Kingdom of Bahrain, and it marked its transition towards a comprehensive, standalone data protection regime, rather than what they had relied on previously, which would have been fragmented sectoral rules. So this was the one that consolidated it across industries. What's particularly notable about this law is that Bahrain was one of the earlier adopters of a full privacy framework in the Gulf region. So you're talking back in 2019, when the GDPR had just been in force for one year. So alongside jurisdictions like the DIFC in the United Arab Emirates, which we covered in the free zones in one of our podcasts, it positions itself as a regional leader in recognizing personal data protection as both a regulatory requirement and a trust enabler for digital economies. So again, it wants to be one of the leaders, one of the primary places in the Gulf region where people or organizations could come to and expect a good level of data protection for their personal data. From a structural perspective, the law clearly reflects a broader global convergence in privacy governance and is heavily influenced by GDPR principles. We've seen that again in the United Arab Emirates free zones; they were also very heavily influenced by the GDPR. We see familiar concepts from the GDPR, such as lawful bases for processing data, data subject rights, accountability obligations, and restrictions on cross-border transfers. However, Bahrain has adapted these principles to its own legal and economic context.
And again, we've seen that in many of our podcasts: they borrow from the GDPR, but then they interpret it for their own culture, for their own needs and their own context. So while the foundations are recognizable and GDPR-inspired, the operationalization of the law is more flexible and in some areas less prescriptive than the GDPR. From an implementation standpoint, this is important because it means organizations operating across jurisdictions can leverage existing GDPR-aligned governance frameworks. So if you're coming from Europe or if you deal with Europe, you can port the existing governance that you have for the GDPR. You can use a lot of it here when you move to Bahrain, since their RoPA structures, their risk assessments and their accountability mechanisms are all very similar to the GDPR. But you still need to be mindful of the local nuances, particularly around regulatory oversight, enforcement practices, and specific procedural requirements. And this is not the first time that we've seen this; we're seeing a trend in the Gulf where they ensure that they have adequacy with the GDPR, they take the principles from the GDPR, but then they adapt them to their own requirements. So when you think about it, the GDPR came in in 2018, and Bahrain's law came in in 2018 as well, but it came into force in 2019. You had Qatar in 2016, and then you had the United Arab Emirates coming in in 2021, and then India finally in 2023. So when you look at it in that context, it is an earlier data protection framework. Okay, so Katie, my question for you then is: when we discussed Qatar the last time, and prior to Qatar we discussed the United Arab Emirates, we saw slightly different jurisdictional approaches, and I've just spoken about that as well for Bahrain.
Who does Bahrain's data protection law apply to?

SPEAKER_00

So it applies to every resident inside the kingdom and to businesses inside the kingdom, and to anyone who processes data using means or tools situated inside the kingdom. So it's a lot more territorially focused than the GDPR. The GDPR and the Indian DPDP apply to processing that targets European or Indian individuals, whereas from the wording of this law, it seems that it wouldn't apply to a Bahraini national who's not inside the kingdom. As for the material scope, it also applies to all processing, whether fully or partially automated or non-automated, of all data that forms part of a filing system or is intended to form part of a filing system. So that's digital and non-digital data, because we did see in India that it only applies to digital data.

SPEAKER_01

Yeah, exactly. Yeah, yeah. So it's both like the GDPR essentially.

SPEAKER_00

Yeah, so in material scope it's like the GDPR, and in territorial scope it's more like Qatar.

SPEAKER_02

Okay.

SPEAKER_00

So your question, Maria: what do the core definitions look like in Bahrain's law?

SPEAKER_01

Thanks, Katie. Essentially, at the core of Bahrain's personal data protection law there is a set of key concepts that will feel very familiar to anyone who's been working with privacy frameworks, especially the GDPR. These include definitions of personal data, sensitive personal data (which would be special category data under the GDPR), processing, as well as the roles of the data controller and the data processor. They're all very similar and they exist in the Bahrain law as well. Personal data is broadly defined as any information relating to an identifiable individual, again very similar to the GDPR, while sensitive personal data captures higher-risk categories such as health data, biometric information and religious beliefs, and again, like the GDPR, this type of data triggers enhanced protections. Processing is also defined in a comprehensive way, covering the full life cycle of data activities, from collection of the data to storage and through to disclosure and deletion. So again, you see the data lifecycle that would be very similar to the GDPR. From a governance perspective, the distinction between data controllers and data processors is particularly important, because controllers determine the purpose and the means of processing while the processor acts on behalf of the controller. This mirrors the accountability structures that we see in mature regimes like the GDPR. When we step back and compare this to other frameworks, some interesting differences emerge. The GDPR remains the most detailed and granular framework in terms of definitions, providing a high level of legal precision that supports consistent interpretation across the member states. We saw in the Indian DPDP Act that they took a different conceptual approach, using terminology like the data principal and the data fiduciary.
So even though the functionality would be similar to the GDPR, the DPDP Act reframed things and shifted things slightly to place the individual at the core of the legislation, reflecting principle-based approaches to data protection. Bahrain, then, aligns much more closely to the GDPR model. Its terminology and structural approach will be immediately recognizable to organizations that have already worked with the GDPR. From an operational standpoint, this creates a degree of interoperability, like I said before, so anything that you've used in a GDPR-aligned governance framework can be extended to Bahrain relatively easily, except of course, like we said, changing the nuances for the cultural context. So I hope that makes that clear. Question four, then, for you, Katie: does Bahrain rely primarily on consent, or are there multiple lawful bases like we see in the GDPR?

SPEAKER_00

Thank you, Maria. So I suppose, as a direct answer to that question, I would say both. It's almost like every other regime we've explored so far. Consent is the cornerstone for lawful processing, but they also stipulate that where you're not relying on consent, you can still process data in a few certain situations. So the alternative lawful bases that they provide are basically performance of a contract, compliance with a legal obligation, vital interests, and legitimate interests. So that's not very different at all. But you do need consent for transferring personal data outside the kingdom. We do have a question on that later on, so I won't go that much into it.

SPEAKER_01

But yeah. It sounds complicated, but like you say, we'll talk about that further on in the podcast.

SPEAKER_00

Yeah, it's good to note all of these differences. They also have special lawful bases for special category data.

SPEAKER_01

Like Article 9, then, basically.

SPEAKER_00

Yeah. So what they have is: a legal obligation, incapacity to consent, where the data is manifestly made public, pursuit or defense of legal claims, preventive medicine, medical diagnosis, healthcare, unions, charities, public tasks, and here's the interesting one, in my opinion: you can process special category data where you're detecting inequality based on special category data. Interesting, if you get what I mean, yeah.

SPEAKER_01

Yeah, so if there's a question mark about inequality, then that's your lawful basis for processing that data, to investigate whether there is inequality.

SPEAKER_00

Yeah. If it's equality based on their definition, obviously like the racial, ethnic, religious, so yeah, basically DEI, you know, if you're investigating or kind of implementing DEI, that is your lawful basis. So that's something unique we haven't seen.

SPEAKER_01

Yeah, DEI, diversity, equality, and what's the third one?

SPEAKER_00

Inclusion, I suppose. Yeah, just as an example, but yeah.

SPEAKER_01

Yeah, interesting. Okay. So again, quite similar, not exactly the same, but quite similar to the GDPR.

SPEAKER_00

The bulk of it is similar. The fact that consent is the default is quite similar to all the countries we've explored so far, which are all Gulf regions and Asian countries too. So they share that similarity, and basically almost everything is the same, but they do have that interesting detection-of-inequality consideration, which is worth noting.

SPEAKER_01

So yeah, it's interesting because that means if they have a lawful basis for processing that data, it doesn't necessarily have to be consent. So they can investigate allegations of bias or inequality without actually asking the consent of the individual to process their sensitive personal data, which is an interesting approach.

SPEAKER_00

That is interesting. Yeah.

SPEAKER_01

Okay.

SPEAKER_00

Yeah, there's something different about Bahrain's special category data.

SPEAKER_01

Absolutely, yeah. Yeah.

SPEAKER_00

So the next question for yourself, Maria: what data subject rights do individuals have under Bahrain's law?

SPEAKER_01

Okay, so again, I think we're going to see a lot of similarity with the GDPR, because when we look at the data subject rights under Bahrain's personal data protection law, we see a very familiar and very pragmatic approach to data subject rights. Individuals are granted the right to access their personal data, which allows them to understand what information is being processed about them and for what purposes. They also have the right to request correction if there is any inaccurate or incomplete data being stored about them, and this is an important mechanism for maintaining the quality and fairness of processing. In addition, individuals can object to certain types of processing, like in the GDPR. This is particularly relevant where processing is based on legitimate interests or where there may be an imbalance between the organization and the individual. So again, very similar to the GDPR there. But there is also a specific right to object to direct marketing, reflecting a clear recognition of the risks associated with unsolicited communication and profiling activities. So again, they take profiling quite seriously. From a comparative perspective, the GDPR provides a more expansive suite of rights. In addition to access and rectification, it includes rights such as erasure, the so-called right to be forgotten, as well as data portability, which enables individuals to move their data from one service to another. These additional rights reflect the GDPR's broader ambition to give individuals a higher degree of control over their personal data in the digital economy. From an operational perspective, what this means is that organizations adopting a global governance model can often use their GDPR high watermark in other jurisdictions in terms of rights management and offering the rights to their clients.
However, they should also bear in mind that they still need to tailor their processes to reflect jurisdiction-specific nuances, as we've said before, and this happens in most jurisdictions, particularly in how rights are exercised, how they're responded to, and how they're enforced at a local level. So when we're comparing the rights under the GDPR and Bahrain, the right to be informed is very strong under the GDPR, whereas it's more or less implied, but not specifically called out, under the Bahrain law. But the right to access, the right to rectification, and the right to erasure are very similar in both frameworks. When you come to the right to restrict processing, again the GDPR trumps the Bahrain law, because in the Bahrain law it's there, but it's not as specific as it is in the GDPR under Article 18. The right to data portability is in the GDPR, Article 20; there's no explicit right to data portability in the Bahrain law. We still have the right to object, and we have the right to object to direct marketing as well under the Bahrain law, but the right around automated decision making or profiling is present, but it's not as strong or expansive as in the GDPR. And then the right to withdraw consent and the right to lodge a complaint are similar. So there are a few exceptions there, but in general the rights under the Bahrain law are very similar to the rights under the GDPR. So now, regarding supervisory authorities, Katie, my question for you is: who oversees compliance under the Bahrain law?

SPEAKER_00

So the Bahraini authority is the Personal Data Protection Authority, and they're actually overseen by the Minister of Justice, who basically is a check on their work, ensures their overall harmonization with the rest of Bahrain's legal system, and makes sure they're carrying out their duties too. So they have a long list of duties; just a couple of them: obviously overseeing compliance, inspecting data controllers, informing and educating the public, accrediting (well, this is related to a question that we haven't asked yet) the data protection guardians, and managing and investigating complaints. So, yeah, a lot of it is very similar. A couple of notes just about enforcement in particular. Civil compensation is possible for breaches for any individuals who have incurred damage arising from a data controller. And very interestingly and uniquely, there are possible criminal penalties for violations of certain parts of this law.

SPEAKER_01

Oh gosh.

SPEAKER_00

Yeah.

SPEAKER_01

So is that on behalf of the controller, so the controller can have criminal charges taken against them, is it?

SPEAKER_00

Honestly, I would say perhaps the data protection guardian, or they could maybe look at the chain of causation and figure out, you know, if the data protection guardian perhaps advised against something and someone went ahead and did it. That's an imagined scenario. I'm actually not sure. I'll tell you what it says and see what you think. It's Article 58. It says a person shall be liable to imprisonment for a term not exceeding one year or a fine in the following circumstances. So I won't go through them all, there's a list of over half a dozen, but basically contraventions of the transfers of personal data abroad. And where you process personal data (this is related to another question) without notifying the authority or obtaining authorization, which again we're going to talk about later.

SPEAKER_01

So my interpretation would be that it's something blatant. So if you blatantly disregard the law, then you could, yeah. Yeah.

SPEAKER_00

Yeah. Like, here's another one: if you withhold from the authority information, records or documents that the authority should have access to to carry out its duties. So if you obstruct an investigation, if you delay their inspectors in an ongoing investigation. Okay, so that makes sense. Yeah, it is blatant. It is a blatant disregard.

SPEAKER_01

Yeah, blatant disregard, yeah. Okay. So that's interesting, though, that they would feel the need to actually include that.

SPEAKER_00

Yeah. Again, it can be quite tricky when we go through so many things and maybe 75 to 90 percent of it is quite similar to the GDPR, quite similar to other regimes, but you really have to pay attention to the differences, because you can rattle off all the lawful bases and all the rights, but the point where you get tripped up, where one thing's different, can be quite important.

SPEAKER_01

Yes, so maybe because you think you know the GDPR, you can feel quite confident that we should be okay in other jurisdictions, but like you say, it's the nuances that could really trip you up and get you into the city. For sure. Yeah.

SPEAKER_00

Yeah.

SPEAKER_02

Yeah, that's true.

SPEAKER_01

And that's a big nuance.

SPEAKER_00

Yeah, exactly. So we'll go on to question seven for yourself, Maria, and it's about what I mentioned earlier, what we understand as data protection officers. So does Bahrain require organizations to appoint someone responsible for privacy compliance?

SPEAKER_01

Thanks, Katie. So Bahrain's law also introduces a role that is very similar to the data protection officer that we have in the GDPR. It's similar, but again, the terminology is different. They call this individual the data protection guardian, as you mentioned in your previous answer. And the role sits at the center of an organization's privacy governance framework, very similar to the DPO. The data protection guardian is responsible for monitoring compliance with the law, ensuring that internal policies and procedures are aligned with the regulatory requirements, and that data protection is embedded into day-to-day operations, again very similar to the DPO. They also act as a key point of contact with the regulator, facilitating communication, responding to inquiries, and supporting any supervisory or investigative processes that may take place. They very often oversee broader governance practices, ensuring that accountability is not just documented, but is actually operationalized across the organization. Again, very similar to the DPO. When we compare this to other frameworks, the closest equivalent would be the DPO under the GDPR. The DPO has a similar independent oversight role with responsibilities around monitoring compliance, advising on obligations, and acting as a liaison with the supervisory authorities. The emphasis in both regimes is on embedding expertise within the organization to ensure continuous rather than reactive compliance. Now, again, if I compare this to the DPDP Act in India, we see something slightly different. There the data protection officer is only mandatory for what were termed significant data fiduciaries, and we discussed those in our podcast about India. That means the obligation is risk-based and not universally applied, like in the GDPR and in Bahrain.
And this reflects a more targeted model of governance, focusing regulatory expectations on the organizations with a higher impact or scale. So in India, it was more that the higher the processing, the more inclined you might be to have a DPO. Whereas Bahrain is very similar to the GDPR in that any kind of personal data processing would indicate that you would need somebody within your organization like a DPO. From an organizational perspective, the takeaway is that while the titles may differ, so you have the data protection guardian and you have the data protection officer, the underlying functions converge globally. Organizations need a clearly defined role responsible for privacy oversight, regulatory engagement, and practical implementation of governance frameworks. And for those already operating under the GDPR, extending the DPO function to cover Bahrain is often a natural and efficient approach, provided the local requirements are properly understood. Again, we're looking there at the nuances, but the data protection guardian is a very similar role to what we have under the GDPR. So the next question is about cross-border transfers, and it's for you, Katie. How does Bahrain regulate international data transfers?

SPEAKER_00

Thank you, Maria. So transfers are permitted, with basically no complications, to countries that are itemized in a list in one of their decrees, which we talked about earlier. So it's Decree Order Number 42 of 2022 on transfers, and they have 73 countries listed as giving an adequate level of protection. They also have another route. If you want to transfer to a country not on that list, you need the authorization of the authority, and that can be conditional on certain measures that you have in place. So where you're transferring via authorization, you need to do it according to a contract, and they have listed a few things that need to be itemized in the contract. So obviously, they need to stipulate the exact scope of the processing; they need to follow data minimization and storage limitation; the data needs to be accurate, relevant, and up to date; they need to demonstrate that they have technical and organizational measures to keep it safe; and they also need to give the data subject a fair processing notice that lets them know about the transfer. And they have to make sure that whatever processor or joint controller, whoever it is in the other country, can help facilitate data subjects' rights. So it is very similar to the GDPR: they have their list of 73 adequate countries, and then otherwise they have their obligation on the controller to bring in safeguards. So it's quite like the GDPR. Again, the Indian one is a bit the opposite: they didn't say "we have a list of adequate countries", they have a list of blacklisted countries. And Qatar is a bit more strict in that they do need approval. So I'd say of everything we've seen so far, this is definitely one of the closest to the GDPR.

SPEAKER_01

Okay, and it's kind of like a whitelist as well, isn't it, as opposed to the blacklist that India has. Yeah.

SPEAKER_00

Yeah. Very good. So yeah, that's cross-border transfers. I will move on here to question nine for yourself, Maria. What security obligations do organizations have when they're processing personal data?

SPEAKER_01

Thanks for that, Katie. So when we turn to security obligations under Bahrain's personal data protection law, we see a clear emphasis on the need for organizations to move beyond just policy; they really require practical application of security. Controllers are required to implement appropriate technical security measures, like in the GDPR, and these would include things like encryption, access controls, and system monitoring to ensure that personal data is protected against unauthorized access, loss or misuse. But most importantly, the law doesn't stop at technology. There's also a strong expectation around organizational safeguards. This means putting in place internal policies, staff training, role-based access controls, and, in general, governance structures that ensure that data protection is consistently applied across the organization. So, again, very much back to the GDPR approach there. In other words, security is not just an IT issue, it's an organizational responsibility. Confidentiality protections are another key component. Organisations must ensure that personal data is only accessible to those who are authorised to process it and that appropriate controls are in place to prevent accidental or unlawful disclosure. From a comparative perspective, this aligns very closely with Article 32 of the GDPR, which requires, as we know, organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The language and intent are remarkably consistent, again reflecting that broader global convergence in privacy governance is important to Bahrain, and making it easier for organizations to port their existing governance structure to Bahrain when moving into that jurisdiction.
We've looked at the DPDP Act in India, and that also incorporates security obligations; they require their data fiduciaries to implement reasonable safeguards to prevent personal data breaches. While the wording may be less prescriptive than the GDPR, the underlying expectation is the same: organizations must be able to demonstrate that they have taken active steps to protect personal data. So, in that regard, most of the laws that we've looked at so far are similar in that they do expect a level of security around the protection of personal data. From an operational standpoint, this is one of the clearest areas of global alignment: security governance, combining technical controls, organizational measures, and accountability mechanisms. It's become baseline, or fundamental, to most data protection regimes across the various jurisdictions that we've been looking at in this podcast. For organizations building a global compliance architecture, this is where integration between privacy and security tooling becomes critical, enabling not just compliance on paper but evidence of controls in operation over time. And we'll only see that increase as we start to see AI being considered by these jurisdictions, because, as we know from the EU AI Act, AI governance is all about evidence as opposed to just policies and paper-based governance. So yeah, there's definitely a merge there between data protection and security across various jurisdictions, and now we're seeing it with AI as well. Okay, so moving on to question 10 then, for you, Katie. Are there any unique attributes to the law in Bahrain that set it apart from the other jurisdictions that we've been looking at in this podcast series?

SPEAKER_00

Okay, so thank you for that, Maria. There is a bit of a unique attribute within the Bahrain law, which is the concept of prior authorization. So Article 15 of the law says that a processor is going to need written prior authorization from the Ministry of Justice to use automated processing where it draws links between personal data held by two different controllers, where they use automated processing of biometric data for the verification of an individual's identity, and where they use CCTV. So that's a bit of an interesting one. The controllers are going to need to notify the authority, which is overseen by the Ministry of Justice, for any wholly or partially automated processing operations and for the use of CCTV. So where authorization is granted, they have a few considerations that they have to follow, which are quite similar to the technical and organizational measures and the data protection principles as well. But I suppose they just need to be able to demonstrate proof that they will uphold these four points when they complete this processing activity, and the four points are: transparency, which includes informing the data subjects of the exact use of the data; the second point is purpose limitation; the third point is basically access controls on a need-to-know basis for the data; and then the fourth is that you need to demonstrate how you're going to facilitate data subject rights.

SPEAKER_01

So sorry, again, when is that required? In what scenario is that required?

SPEAKER_00

Okay, so it's required if you're using automated processing and CCTV. The automated processing does have a couple of conditions, like where you use automated processing using biometric data, or where you use automated processing that links personal data between different controllers. So I would say maybe credit agencies might be doing that.

SPEAKER_01

Okay.

SPEAKER_00

Yeah, combining a lot of data from... even brokers and the like would get a lot of data from different sources. So basically, if you put data from different sources into an automated decision-making process, you're going to need to, right off the bat, explain how you're going to be transparent, how there's going to be no scope creep, that access is restricted to a need-to-know basis, and how you're going to facilitate data subject rights. So it's less after the fact. I mean, technically, people could be processing data contrary to the law, but the authority would only find out through an investigation, whereas in this situation you need to show that you're compliant before you even start that processing activity.

SPEAKER_01

That's good because it makes people think and it makes them get a plan together. So when they have a plan together, they're more inclined to actually follow the plan than, like you say, you know, "what are we supposed to do now that we've been caught?" or something like that, you know? Yeah. As well, I have just a little note here on the difference between the GDPR and the Bahrain personal data protection law on automated decision making, now that you mention it. So the difference lies in the scope and the strength and structure of the right. Under the GDPR, which as we know is Article 22, individuals have a clearly defined and standalone right not to be subject to decisions based solely on automated processing, including profiling, which I think is what you've described there, where those decisions produce legal or similarly significant effects. This right is supported by explicit safeguards, such as the right to obtain human intervention, express one's point of view, and contest the decision. In contrast, the Bahrain PDPL recognises concerns around automated decision making, but does so in a more limited and less codified manner. The right is typically framed around the ability to object to decisions that cause material or moral harms rather than as a broad prohibition on solely automated decisions. So it's more like on a case-by-case basis. As a result, Bahrain's approach is more reactive and harm-based, whereas the GDPR establishes a proactive, principle-driven control over automated decision-making, making it significantly more operationally demanding for organizations. But like you say there, it's interesting because it's the opposite in that exception there that you give when considering CCTV and so on. The Bahrain law is more specific and requires more preparation, or accountability, to meet the requirements of the law than the GDPR. So that's interesting.

SPEAKER_00

It is. And also, to achieve that prior authorization they need to submit a DPIA that they undertook.

SPEAKER_01

Okay, interesting. Yeah. So there is accountability, quite a lot of accountability, around it, you know; even though the GDPR would be seen as kind of more of an established right around automated decision making, there is still significant accountability within the Bahrain law as well.

SPEAKER_00

Yeah, for sure. I mean it may be a bit more procedural with stuff like CCTV, because if you're under the GDPR, you just need to complete your DPIA and kind of work from there. But here, if you want to use CCTV, you have to do the DPIA, and you know, I don't know how long that process of getting prior authorization would take, you know, if you're gonna be waiting or anything, but yeah.

SPEAKER_01

It forces organizations to think about their governance, yeah.

SPEAKER_00

Which is good. So, moving on to the next question for yourself, Maria, which is still kind of on the same topic. So does Bahrain have a specific AI governance framework, or are AI systems primarily regulated through existing laws and regulations?

SPEAKER_01

Thanks, Katie. Well, when we look at AI governance in Bahrain, it's important to note that, at least for now, there's no standalone AI Act equivalent to the EU AI Act that we have in the European Union. Instead, AI governance is being kind of addressed through a combination of existing legal and policy instruments. First, you have the data protection obligations under the personal data law that we've been looking at in this podcast, and that plays a kind of central role when considering AI. So, like, where AI systems process personal data, organizations must comply with the principles such as lawfulness, fairness, transparency, and accountability, which goes a long way with the AI systems as well. You know, effectively they're using the privacy law as a kind of a proxy for governing various different aspects of AI at the moment, anyway. Then sectoral regulations also come into play in areas such as finance or telecommunications. Regulators may impose additional requirements around risk management, oversight, system integrity, which indirectly shape how AI is deployed within these sectors. And then, third, Bahrain's national digital economy and innovation strategies provide a broad kind of policy framework that can also encompass AI adoption. So this framework kind of encourages organizations to use AI while signaling expectations around responsible and secure use. When we compare this globally, the contrast is quite striking. The EU is moving towards a dedicated risk-based regulatory model through the EU AI Act. That's again industry agnostic and it cuts across all industries. And this AI Act, like the EU AI Act, classifies AI systems according to their level of risk and imposes corresponding obligations. This represents a more explicit and structured approach to AI governance. We saw in the UAE a slightly different model again, less focused on a single legislative instrument and more on national AI strategies and coordinated governance initiatives, and these would have been supported by sectoral guidance and regulatory activity. India is still in a formative phase when it comes to AI; it's actively developing its AI governance approach, but for now it relies largely on existing regulatory frameworks such as its data protection law to manage AI risks. So in Bahrain, from an operational perspective, what this tells us is that AI governance is currently evolving along different trajectories, not just in Bahrain, but across the jurisdictions that we've kind of seen and we've looked at in the podcast. In Bahrain, there's no kind of dedicated AI law, and that kind of forces organizations to assume an absence of regulation. Instead, in Bahrain, they need to interpret and apply existing frameworks, like I said, the data protection law and sectoral laws, and they have to apply these laws to various different AI use cases that they would encounter during their work and to make sure that governance is proactive and risk-aware and adaptable as more formal AI regulation inevitably comes down the line. But for the time being, they do rely heavily on industry regulation and their data protection law. So, sticking with AI, Katie, this is our last question, and it's for you. Given the increasing role of AI in digital services, do you think Bahrain's privacy law provides a sufficient foundation for governing AI systems?

SPEAKER_00

Thank you for that, Maria. I think I would answer it going back a bit to what you said, in that there are aspects of their current privacy law landscape that have an effect on AI, but at the end of the day, they don't have something specifically for AI as a use case. You know, it kind of is caught here and there by different existing laws and maybe regulatory standards, but they don't have something that might address, in hard law anyway, everything that you might be concerned about in AI. But they do have a couple of soft instruments that I think could form a foundation, like what you were asking about, could be a good foundation, or at least the beginnings of a foundation for governing AI systems if they continue to develop this. They have a number of core ethical principles guiding AI use and adoption, published by their Information and eGovernment Authority, because they're part of the Gulf Cooperation Council, and they kind of said, well, if you're gonna continue to be part of the Gulf Cooperation Council, everyone is gonna have to adopt a certain amount of policies to govern AI, at least to start with. So we've seen that in Qatar as well. They had some very nicely laid out infographics and stuff about it. But yeah, so the core principles that they've put out are human oversight, safety and security, justice, equity and non-discrimination, privacy and data protection, transparency and explainability, accountability, awareness and education, integrity, sustainability, inclusion and diversity, and international cooperation.

SPEAKER_01

Yeah, yeah, it's quite comprehensive, isn't it?

SPEAKER_00

It's long, yeah. It was longer than I was expecting it to be. And they have more on it than just, you know, it's not just the list alone, they have more guidance to go with it. I know it's not hard law, but as guidance.

SPEAKER_01

Yeah, it's comprehensive. Yeah.

SPEAKER_00

It could be a sufficient foundation.

SPEAKER_01

And like you say, it gives guidance until hard law comes down the line.

SPEAKER_00

Yeah, for sure. And especially if people internalize this in practice, yeah.

SPEAKER_01

And I think if they fall in line like they have with their data protection law, and they want to kind of follow international standards, that's a good starting point. That, you know, comprehensive list of recommendations, you know, guidance.

SPEAKER_00

I agree. Those principles and the Qatar guidance that we saw, and I don't know if it was in our last podcast episode.

SPEAKER_01

I think it was, yeah.

SPEAKER_00

But it's good to see, because those are some of the first kind of nationally published official guidelines. So it's definitely a stepping stone.

SPEAKER_01

Yeah, yeah, and it's a sign of things to come. And it looks like they will stay with the international approach, you know, making it easy for organizations to move into Bahrain.

SPEAKER_00

Yeah. That was our last question. So today we explored Bahrain's personal data protection law, along with a couple of the executive decisions that were issued under it. We placed it within the context of the Gulf regional landscape and also compared it to a few broader laws like the GDPR and the Indian law that we had explored before. So we saw where it was influenced by the GDPR, where it was influenced by the culture of the Gulf, where it actually is located, and we also did draw a few similarities to the Indian DPDP, which was interesting to see. As we've discussed in the past, privacy laws increasingly serve as the foundational layer for broader digital governance, including with emerging issues such as AI. And we've seen that, as our last few questions touched on, with Qatar and Bahrain. You know, this is, as you said, a sign of what's coming down the line and the principles that countries are taking into mind with things like AI. So I think it's quite a positive sign. So thanks everyone for joining us for this episode of our international privacy law series. And we look forward to continuing our journey through global data protection frameworks in the next episode.

SPEAKER_01

Thanks, Katie. Thanks to our listeners. See you in the next episode.