Overview
The rise of technology and its impact on privacy and data protection have long been debated, as new forms of data and new ways to process and use it continue to emerge. One such technology that has recently sparked this debate is Artificial Intelligence (AI).
In Bahrain, the legal framework surrounding privacy and data protection has continued to develop, with the issuance of Law No. 30 of 2018 with respect to the Personal Data Protection Law (PDPL). The PDPL is a great step forward for Bahrain because it is the country’s first standalone legislation establishing a framework that sufficiently protects individuals’ right to privacy over their personal data.
This article will consider Bahrain’s PDPL in light of the privacy and data challenges posed by AI.
Artificial Intelligence: opportunity and risk
AI is broadly described as machine-learning technology which has the ability to learn in real-time and make decisions with the intelligence of humans. It presents a great deal of opportunities and benefits for households, business entities, and the economy, with financial services firms already implementing it to provide better services for customers[1].
However, concerns associated with privacy and data protection continue to be raised[2], particularly because of AI’s heavy reliance on the collection and processing of large volumes of data. The Italian Data-Protection Authority’s recent temporary ban of ChatGPT, an AI tool, highlighted these concerns, as it allegedly found that the AI tool processed Italian residents’ data without their consent and was therefore in violation of the EU’s General Data Protection Regulation (GDPR)[3].
The risks associated with AI suggest a need for regulatory oversight that specifically addresses its negative implications. However, given that AI is a relatively new and fast-developing technology, hard laws that directly address AI are few and far between.
Bahrain’s Personal Data Protection Law
Although legislators in Bahrain have not yet directly addressed the potential impact of AI on privacy and data protection, the PDPL may be read with AI in mind to understand how Bahrain may address that impact.
The PDPL and its related Resolutions establish rules that protect the rights and freedoms of individuals by regulating how organisations gather and process the data of individuals residing in Bahrain, regardless of whether the organisations are based in Bahrain or outside. The extraterritorial effect of the PDPL aligns itself with the EU’s GDPR, promoting a global standard to safeguard individuals’ right to privacy and data protection.
- PDPL scope of application
The PDPL establishes a wide scope of application, as it provides that its provisions apply to both non-automatic and automatic processing of data, which by default includes AI. Furthermore, its provisions shall affect every:
i) natural person residing in Bahrain or maintaining a place of business in Bahrain,
ii) legal person with a place of business in Bahrain, and
iii) natural or legal person not residing in Bahrain but processing data in Bahrain.
- Transfer of data outside Bahrain
The PDPL sets out provisions regarding the transfer of data outside Bahrain, as Resolution No. 43 of 2022 provides an “Adequacy List” of countries to which personal data may be transferred. However, if the country in question is not on the list, then authorisation should be obtained from the Personal Data Protection Authority (Authority) and compliance with additional restrictions must be ensured.
Bahrain’s strict approach towards the transfer of personal data outside of Bahrain is evident from the aforementioned obligations and procedures for authorisation. This approach ensures that personal data is under the supervision of the Authority and on a wider scale underscores the Kingdom’s commitment to protect the privacy and data protection rights of individuals.
- Obligations of Data Controllers
The person(s) entrusted with determining the means and purposes of processing personal data and entrusted with the processing obligation are referred to as “data controllers” under the PDPL.
The PDPL and its Resolutions impose measures on data controllers that align with the GDPR. For example, Resolution No. 43 of 2022 specifies organisational measures that data controllers must implement to safeguard data privacy on a technical level.
Moreover, the PDPL requires data controllers to communicate with the Authority and notify it of any wholly or partially automated processing operations, with certain exceptions. It also prohibits the processing of sensitive personal data without the Authority’s prior authorisation.
The PDPL also requires data controllers to notify individuals about the processing of their personal data and obliges the data controller to notify the Authority of a data breach within 72 hours of becoming aware of it. These measures establish a high level of transparency in order to protect the privacy and data protection rights of individuals.
- Consent, objection, and erasure of data
Resolution No. 48 of 2022 provides clarity regarding the direct consent of individuals to the processing of their personal data. It establishes that express and informed consent must be given and may be withdrawn at any time upon their request. The PDPL further provides individuals with the right to object to the processing of their data and to request that the data controller erase it.
These provisions empower individuals by giving them control over their personal data, ensuring that the data is used for the purpose for which they provided consent.
The PDPL and AI: Striking a Balance
The introduction of the PDPL was a significant step towards safeguarding individuals’ privacy and data, but AI systems and tools still have the potential to have adverse effects on these rights if not addressed appropriately.
To bring this discourse into perspective, consider an application that locates your parked car by taking a photo and processing the data. While doing so, the application may capture other people’s faces and licence plates. This is referred to as a data spillover, where data is collected on individuals who are not the intended target of the data collection. In such a scenario, the information collected on others may be used and repurposed without their knowledge or consent, as they would not even be aware that they appear in the data[4].
This hypothetical scenario demonstrates how the general measures pertaining to privacy and data protection may not be sufficient to address the new challenges AI brings to the table. This is particularly concerning because AI operates on a much larger scale, making it more prone to data spillovers. Therefore, this may indicate that the fast-changing demands of AI require better regulatory oversight, beyond what is currently provided under the PDPL. Conversely, introducing stringent regulations on AI may hinder its development and its adoption in Bahrain, so a balance must be struck.
Despite these challenges, Bahrain recognises the potential of AI to transform how businesses operate. In particular, the Bahrain Economic Development Board (EDB) announced that Bahrain would pilot new guidelines, established by the World Economic Forum Centre, for the procurement of Artificial Intelligence in the public sector[5].
As the regulatory landscape surrounding AI and data privacy and protection continues to evolve, it is crucial for legislators and regulators to encourage AI’s development whilst ensuring that privacy and data protection are not compromised.
——————————————————————————————————
[1] Artificial Intelligence & Machine Learning – KPMG Bahrain
[2] Data Protection update – April 2023 (shlegal.com)
[3] ChatGPT banned in Italy over privacy concerns – BBC News
[4] Beware the Privacy Violations in Artificial Intelligence Applications (isaca.org)
[5] Bahrain and UK first in the world to pilot new artificial intelligence procurement guidelines across government – Invest in Bahrain (bahrainedb.com)
ABOUT ZU’BI & PARTNERS
Zu’bi & Partners, Attorneys & Legal Consultants is one of the longest-established family law firms in the Middle East and the oldest law firm in Bahrain. With over 102 years of operational success, the Firm is regularly ranked as a top-tier legal services provider in Bahrain, Dubai, and through its affiliated office in Jordan.
The Firm provides services to local and multi-national clients (private and public corporates, individuals, and governments) from all sectors, industries, and backgrounds; from Corporate, Commercial, M&A, Banking & Finance, Technology, Employment, Regulatory, Construction, Real Estate & Property, Disputes (Litigation, Arbitration, ADR), to name a few.
The breadth of expertise and success of the Firm has been widely recognized by independent legal commentators and publications and is reflected in its client base of leaders in their fields, including both private and public institutions, government, and quasi-government bodies, as well as high-net-worth individuals.