My typical day often starts with checking my iPhone for the Weather, WhatsApp, and Messenger.  Next, I’ll check Waze or Maps to find the fastest route to work.  Finally, I might use Talabat or UberEATS for lunch and will inevitably “Google” something or browse Amazon throughout the day.  My daily routine is one of the millions of examples of our dependence on personal data-fueled technologies.

 

Personal data is how Google, Netflix, and YouTube anticipate preferred content, how Maps and Waze create alerts of en-route traffic accidents or delays, and how Talabat and Uber remember your payment information and pick-up and delivery addresses.

 

We give away personal data whenever we join a mailing list, use social media, or download apps.  Even the smartwatches on our wrists, the cell phones in our pockets, and the smart speakers on our nightstand continuously collect personal data. 

 

Platforms like Facebook, YouTube, and Twitter give users free access to create and distribute content, and in exchange collect the personal data that fuels their ad sales.

Countries like Saudi Arabia, the UAE, and Bahrain use personal data-heavy national identity cards to facilitate the administration of government and private services.  Countries worldwide have also adopted personal data-dependent technologies for contact tracing and digital health certificates, like Tawakkalna (Saudi Arabia) and Be Aware (Bahrain), to respond to the global COVID-19 crisis.

Without regulation, governments have unrestricted access to their citizens' personal data.  Private companies are also free to exploit and sell vast amounts of personal data for profit without user knowledge or consent.

 

To address these concerns, countries in the Middle East have started adopting personal data protection laws and regulations.  For example, Bahrain was an early adopter of a comprehensive personal data protection law in 2018, followed by the Kingdom of Saudi Arabia and the United Arab Emirates (UAE) in 2021.

 

This article highlights the global appetite and market for personal data, and how that data is collected and used, to provide context for the Personal Data Protection laws implemented in the Middle East.

Data is the new oil

Let’s start with how personal data is used and consumed around the world.  SeedScientific published statistics that provide context for the volume of data created and consumed.  For example, as of 2020, ninety percent (90%) of North American and European consumers used the internet, while Asian consumers made up over fifty percent (50%) of global internet traffic.  Between 2000 and 2020, Africa had the highest global internet adoption rate.[i] Another article reports that Saudi Arabia has the largest social media presence globally.[ii]

Other notable statistics: nearly sixty percent (60%) of the world’s population (4.8 billion) is digitally active.  Approximately 1.8 billion people log on to Facebook daily, Twitter publishes 500 million tweets daily, and over 210 million Snapchats are created.  There are also more than 1 billion global Instagram users.  Google handles 1.2 trillion searches every year, and 71.5 billion apps were downloaded in the first half of 2020.

In 2020, global consumers spent almost $1 million per minute on commodities on the internet.  The SeedScientific article also included statistics showing how the use and exploitation of personal data would increase as the global number of Internet-of-Things (IoT) devices increases to 75 billion by 2025 and the population of online users older than six years grows to ninety percent (90%) by 2030.

If it’s free, you’re the product

Richard Serra’s iconic comment about the television in 1973, “if something is free, you’re the product,” continues to apply to the current market for personal data. 

 

Platforms like Facebook, Twitter, and YouTube provide millions of users a place to share birthday wishes, family vacations, and other interests in exchange for their personal data, which can be sold to companies and advertisers.[iii]

You’re being tracked by cookies, cross-device tracking, and biometrics that remember your preferences and collect your personal data across different websites and devices every time you go online.[iv]  While many of us may be willing to exchange personal data for direct services or benefits, much of our personal data is collected without our knowledge and for unknown purposes.  For example, even if you knew that your phone’s location is constantly tracked, did you know that it only takes four location points combined with information in most social media posts to identify you by name?[v]

Third-party trackers use first-party mobile applications to link user activity across multiple apps to an individual and their activity on other devices and other places on the web.  For example, they track and record the sites visited, clicks on a site, and what’s read.  The personal data collected by many apps include names, photos, email addresses, phone numbers, activity in the app, and IP addresses.[vi]

A study of almost a million apps on the US and UK Google Play stores revealed that many apps are set up to transfer data to big tech companies, with eighty-eight percent (88%) of this data going to Google’s parent company Alphabet.[vii]

Companies invest billions in collecting data sets used to create detailed profiles.  By collecting vast amounts of personal data across various demographics, companies and advertisers can better identify customer needs, wants, and dislikes and adjust their products, services, and messages accordingly.  Access to enough personal data can define personal preferences, shopping habits, socio-economic class, affiliations, sexual orientations, family dynamics, politics, and more.[viii]  Knowing personal milestones like becoming a new parent, moving homes, getting engaged, buying a car, or going through a divorce, can indicate predictable changes in a consumer’s buying patterns.[ix]  Companies and advertisers use personal data to ensure the right message hits the right audience at the right time.[x]

A 2020 study showed that personal data for 18–24-year-olds is notably higher than any other demographic, and companies are willing to pay more for Middle Eastern audiences' personal data.[xi]

The internet, emerging mobile commerce devices, and social commerce are helping companies grow their businesses and expand into new countries and access their citizens.  For example, in Saudi Arabia, which has the largest social media presence in the world, social media plays a decisive role in the rapidly transforming Saudi society.  Approximately 27.08 million, or seventy-nine point twenty-five percent (79.25%) of the Saudi population, are active social media users.  And Saudi youth make up seventy-five percent (75%) of the total UAE population.[xii]

Fueled by personal data, internet advertising increased profits by at least twelve percent (12%) from 2018, earning $139.9 billion in revenue in 2020.[xiii]

Check out MacKeeper’s graphic showing how you’re tracked online.

Government Uses

Governments have quickly introduced data-heavy technologies such as national digital identity programs, biometric passports, and e-health services.  In Saudi Arabia, Vision 2030 and the National Transformation Program (NTP) are accelerating primary and digital infrastructure projects intending to raise living standards.  The shift from the National Register to the electronic identification (e-ID) program started in 2007 as part of the government’s broader digital transformation strategy.

Middle Eastern countries have already embraced several digital ID programs that work in tandem with new e-services.  For example, the Emirates ID has been used as a travel document since special e-gates were added to the country’s airports in 2002.  Insurance companies and medical facilities have also started linking ID cards to their networks, removing the need to carry a health insurance card.[xiv]

Misuse of Personal Data

Without regulation, the collection and processing of vast amounts of commercially valuable personal data can lead to risks ranging from misuse to theft.

Misuse typically occurs when a company does not disclose how personal data is collected or assumes that the personal data collected for specified purposes can be used for other purposes.  Misuse can also occur when employees transfer personal data to their personal devices for easy access.  And while criminals steal personal data for identity theft and extortion, the most common purpose is to sell your personal data to anyone willing to pay.[xv]

 

Growing technology adoption in the Middle East has enabled many organizations to operate more efficiently and open new business avenues.  However, it has also exposed organizations to more cyber-attacks.  As a result, sophisticated cybercrimes and digital espionage are rising in the Middle East.

 

Between March 2020 and March 2021, the cost of cybersecurity incidents in the Middle East rose by six percent (6%), amounting to $6.93 million per data breach, and the number of cyberattacks rose by at least two hundred and fifty percent (250%) in 2020.[xvi]

As a result of the pandemic, cyber-attackers have also held hospitals and healthcare systems hostage, with healthcare breaches increasing to fifty-five percent (55%) in 2020.[xvii]

Personal Data Protection Laws in the Middle East

To address the risks to personal data and protect individual rights, Saudi Arabia, the United Arab Emirates (UAE), Bahrain, and other Middle Eastern countries are adopting comprehensive personal data protection laws and regulations.

 

The Right to Know

Let’s start with the right to know that your personal data is being collected in the first place.  The personal data protection laws of the UAE, Bahrain, and Saudi Arabia all prohibit the processing of personal data without the consent of the personal data owner or data subject.[xviii] 

Moreover, when collecting personal data from the owner directly, the Saudi[xix] and Bahraini[xx] Personal Data Protection Laws explicitly require giving notice to the personal data owner before collection.  The Saudi PDPL even requires companies to adopt a personal data privacy policy and make it available to personal data owners before collecting their data.[xxi]

These laws also require companies to define the purposes for collecting personal data and prohibit personal data from being used for purposes other than those consented to.[xxii]

To operate in the Middle East, companies like Google, Facebook, Twitter, and the thousands of app developers will have to notify personal data owners in the region why their personal data is being collected and how it will be used, including through third-party tracking cookies.

Direct Marketing

The Personal Data Protection laws even regulate how advertisers collect and use personal data.  For example, the Saudi PDPL establishes the requirements advertisers must follow to send promotional or awareness materials to Saudi Arabian residents.[xxiii]  The Bahrain PDPL requires companies to notify data subjects of their right to object to their personal data being used for marketing purposes[xxiv] and give data subjects the right to object to processing their personal data for marketing purposes.[xxv] Even the UAE PDPL gives data subjects the right to object to processing their personal data for direct marketing purposes.[xxvi]

 

Personal Data Breach

To protect personal data owners and mitigate against the risk of misuse and theft of Personal Data, Personal Data Protection Laws require companies to implement appropriate technical and organizational measures to protect and secure Personal Data from a breach, corruption, modification, or manipulation.[xxvii] The UAE and Saudi PDPL also require companies to notify the authorities and personal data owners of breaches of Personal Data.[xxviii]

 

What’s Next?

It’s time for the region’s largest consumers and contributors to the personal data economy to adopt and implement their own comprehensive Personal Data Protection laws.  When these laws come into force, companies and advertisers will have to develop policies and notices that inform residents of Saudi Arabia, the UAE, and Bahrain when their personal data is being collected and how it will be used, giving them the opportunity to consent to its collection and even object to its use.

 

Companies will also have to develop and implement procedures and measures to report personal data breaches to regulatory authorities and to personal data owners, and to protect personal data from misuse and unauthorized access.

To meet these obligations, companies must develop and implement policies, procedures, and practices to ensure that personal data is collected, processed, and protected in compliance with the region’s Personal Data Protection laws and regulations.

 

For help reviewing, developing, and implementing your Personal Data Protection Compliance programs, contactus@emme-advisory.com.



[i] How Much Data Is Created Every Day? by Branka Vuleta, October 28, 2021, https://seedscientific.com/how-much-data-is-created-every-day/

[ii] Saudi Arabia Social Media Statistics 2021 by GMI Blogger, December 25, 2021, https://www.globalmediainsight.com/blog/saudi-arabia-social-media-statistics/

[iii] How Much is Your Data Worth? The Complete Breakdown for 2021, Invisibly, July 13, 2021, https://www.invisibly.com/learn-blog/how-much-is-data-worth

[iv] How Tracking Your Personal Data Really Adds Up, SoGoSurvey by Kathy Edens, October 7, 2020.

[v] Study shows how easy it is to determine someone's identity with cell phone data, Phys.org by Lisa Zyga, March 25, 2013.

[vi] Personal data tracking is getting out of control, The New York Post by Andy Meek, October 24, 2018, https://nypost.com/2018/10/24/personal-data-tracking-is-getting-out-of-control/

[vii] Oxford researchers exposed the avalanche of data Google and Facebook can hoover up from apps on your phone, Business Insider by Isobel Asher Hamilton, Oct 23, 2018, https://www.businessinsider.com/google-and-facebook-big-data-apps-oxford-study-finds-2018-10

[viii] How Much is Your Data Worth? The Complete Breakdown for 2021, Invisibly

[ix] How much is your personal data worth? Financial Times by Emily Steel, Callum Locke, Emily Cadman and Ben Freese, June 12, 2013, https://ig.ft.com/how-much-is-your-personal-data-worth/

[x] How Much is Your Data Worth? The Complete Breakdown for 2021, Invisibly

[xi] Most Desired Data: Whose is the most in demand, and how much is it worth? by Ruslana Lishchuk, November 16, 2020, https://mackeeper.com/blog/most-desired-data/

[xii] Saudi Arabia Social Media Statistics 2021 by GMI Blogger

[xiii] Internet Advertising Revenue Report – Full-year 2020 results, PWC, April 2021, https://s3.amazonaws.com/media.mediapost.com/uploads/InternetAdvertisingRevenueReportApril2021.pdf

[xiv] Electronic ID key to Saudi Arabia’s digital transformation, Arab News by Jumana Khamis, November 19, 2020, https://www.arabnews.com/node/1765151/saudi-arabia

[xv] 7 Examples of Data Misuse in the Modern World, Invisibly, August 6, 2021, https://www.invisibly.com/learn-blog/data-misuse-7-examples

[xvi] Data Breaches in the Middle East Region, Seclore by Sanchari Mitra, December 22, 2021, https://blog.seclore.com/data-breaches-in-the-middle-east-region/

[xvii] How Much is Your Data Worth? The Complete Breakdown for 2021, Invisibly

[xviii] UAE Federal Decree-Law No.(45) of 2021 on Personal Data Protection (UAE PDPL), Article 4 – “The Processing of Personal Data without consent of the Data Subject is prohibited.”; The Personal Data Protection Law of Saudi Arabia (Saudi PDPL), Article 5 – “Except for cases stipulated in the law, personal data may not be processed . . . without the consent of its owner.”; Bahrain Law No (30) of 2018 with Respect to Personal Data Protection Law (Bahrain PDPL), Article 4 – “Processing Personal Data is prohibited without the data subject’s consent”

[xix] Saudi PDPL, Article 13(2) – “The Controller must – in the case of collecting personal data directly from the owner – use adequate means to inform him . . . before starting to collect his data . . . the purpose of collecting his personal data, and whether collecting all or some of it is mandatory or optional”.

[xx] Bahrain PDPL, Article 17 – “In situations where data is directly obtained from the data subject, the data controller shall brief the data subject, upon registration of such data, on . . . the purposes for which the data is intended to be processed”.

[xxi] Saudi PDPL, Article 12 – “The controlling entity must adopt a personal data privacy policy, and make it available to personal data owners to review it before collecting their data.”

[xxii] UAE PDPL, Article 5(2) – to process personal data “the Personal Data must have been collected for a clear specific purpose, and shall not be processed at a later stage in such a manner that is contrary to such purpose.”; Saudi PDPL, Article 5 – “Except for cases stipulated in the law, personal data may not be processed or the purpose of processing changed without the consent of its owner.”; Bahrain PDPL, Article 3 – to process personal data “Personal data is collected for specific, explicit and legitimate purpose and shall not be further processed in a way incompatible with the purpose for which it was collected.”

[xxiii] Saudi PDPL, Article 25 – “With the exception of awareness materials sent by public authorities, the controlling entity may not use personal means of communication . . . of the personal data owner in order to send promotional or awareness materials, except in accordance with the following . . .”; Article 26 – “With the exception of sensitive data, personal data may be processed for marketing purposes, if it is collected directly from its owner and he agrees hereto in accordance with the provisions of the Law.”

[xxiv] Bahrain PDPL, Article 19 – “Where a Data Controller anticipates that personal data . . . may be processed for the purposes of direct marketing, the data controller shall inform the data subject of [their] right to [object] with respect to such processing.”

[xxv] Bahrain PDPL, Article 20 – “The Data controller, within a period not exceeding 10 working days of date of receipt of a request from the data subject with proof of identity, shall not begin processing for the purpose of direct marketing of personal data in respect of the applicant or shall cease the processing.”

[xxvi] UAE PDPL, Article 17 – “A Data Subject shall have the right to object to the Processing of Personal Data . . . where Personal Data is Processed for direct marketing purposes.”

[xxvii] UAE PDPL, Article 5(6) – “the Personal Data must be safely stored and protected from any Breach or unlawful or unauthorized Processing by putting in place and implementing appropriate technical and organizational measures and actions in pursuance of laws and legislation in force in this regard.”; Saudi PDPL, Article 19 – “The controlling entity shall take the necessary organizational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred, in accordance with the provisions and controls specified by the Regulations.”; Bahrain PDPL, Article 8 – “The Data Controller shall implement appropriate technical and organizational measures to guarantee protection of data against accidental or unauthorized destruction, accidental loss, as well as against alteration or disclosure of, access to and any other unauthorized forms of processing.”

[xxviii] UAE PDPL, Article 9 – “. . . the Controller shall immediately after having become aware of it, notify the Office of any Personal Data Breach relating to a Data Subject which is likely to result in a risk to privacy, confidentiality, and security of his Data and the findings of the investigation within such period and in accordance with such procedures and conditions specified by the Executive Regulations of this Decree-Law”; Saudi PDPL, Article 20 – “The Controlling entity shall notify the competent authority as soon as it becomes aware of the occurrence of a leakage or damage of personal data or the occurrence of an illegal access thereto.  The Regulations specify the circumstances in which the controlling entity must notify the personal data owner in the event of a leakage or damage of his personal data or an illegal access thereto.  If the occurrence of any of the above would cause serious harm to his data or himself, the controlling entity must immediately notify him.”