Data privacy is naturally fast-moving and ever-changing and the last few weeks have been no exception. Following our blogs about Japan and India recently, another pair of key data privacy announcements were made – one on the frustrating delays to the EU’s ePrivacy Regulation, and a remarkable declaration of intent from Bahrain

ePrivacy Regulation delayed

So the news has come out that the long awaited ePrivacy Regulation has been delayed yet again, potentially for as much as two years – and met with fury in some quarters.

This Regulation, replacing the current Directive and all its local implementations, was supposed to come in at the same time as GDPR. Its much anticipated principal effect was that it would make important adjustments to key topics like consent.

The preferred text has been agreed since late last year, and all that remained was supposed to be simply going through the normal ratification process. However, since then, it has undergone delay after delay.

Although it missed the May date, most thought it would still be implemented in 2018. But with successive presidencies of the European council kicking it into the long grass, and questions being raised about the agreed text in local European parliaments, who knows when this will actually come to pass? Especially if the proposed two-year transition period is implemented.

The fact is an update to the Directive is highly needed, not only to provide additional protections, but also to simplify requirements for both data subjects and businesses. However, with it continuing to be the ball in a game of legislative ping pong, we may be waiting some time.

Bahrain ups the ante

Bahrain has published their law on the protection of personal data, which comes into effect on 1stAugust 2019.

As with many new privacy legislations, many of the rights, protections, duties and mechanics are similar to what has gone before in frameworks such as GDPR. The difference with Bahrain’s version however is that where other nations are imposing administrative fines on a sliding scale as penalties for non-compliance, Bahrain actually upgrades certain violations into criminal offences.

This is specifically the case where these violations concern:

  •  Processing of sensitive personal data
  • Transference of personal data outside Bahrain without an adequate level of data protection, and associated exceptions
  • Processing personal data without notifying the new Data Protection Authority appropriately
  • Processing personal data contrary to the provision that requires prior authorization from the Authority before processing personal data in certain circumstances
  • Providing false or misleading information to data subjects
  •  Hindering the Data Protection Authority’s work in any way
  • Inappropriate disclosures of personal data, or misusing personal data

Judging by the list above, clearly most imaginable breaches are likely to qualify for criminal charges. For a part of the world not famed for its privacy considerations, this is a fascinating step and it will be interesting to see how it is implemented and who follows suit.