Monday, August 7, 2017

Protecting Personal Data and Individual Employee Privacy in Oman

While there are no specific Omani laws that explicitly protect the privacy and personal data of employees, there are general laws that govern an employer’s conduct with respect to an employee’s privacy. A summary of the laws that govern privacy and personal data protection of individuals is set out below.

The Basic Law, issued by Royal Decree 101/1996, provides for the individual’s right to privacy in communication.  Article 30 of the Basic Law prohibits any interference with or monitoring of an individual’s telephone calls or written correspondence and guarantees the confidentiality of their contents, except in certain circumstances. It is therefore generally not permitted for an employer at the workplace to impinge upon an employee’s privacy by making a recording without permission, confiscating an employee’s details or revealing confidential information about the employee to a third party. 

Individual privacy is also protected in the Penal Procedure Law promulgated by Royal Decree 97/1999, as amended (“CPL”). Article 90 of the CPL provides that correspondence and cables may not be confiscated or perused; newspapers, publications and parcels may not be confiscated; conversations taking place in private may not be recorded; telephone conversations may not be tapped; and dialogue may not be recorded without the permission of the Public Prosecutor of Oman. The permission specified in Article 90 of the CPL may only be issued by the Public Prosecutor, who would only permit audio or video recording of an individual if there is sufficient evidence of a an offence or misdemeanor punishable by imprisonment for a period exceeding three months. Once granted, the permission is valid for a renewable period not exceeding 30 days, during which the audio or video evidence must be obtained.

In general, the courts of Oman are very protective of employees’ interests.  In practice, therefore, the employer would need to have a compelling reason to obtain permission from the Public Prosecutor and violate an employee’s privacy using one of the methods described above.

Exceptions to the presumption of privacy
Royal Decree 69/2008, enacting the Law of Electronic Transactions (the “ETL”), applies to parties who have agreed to perform their transactions electronically and safeguards the confidentiality of information or data contained in such transactions.

The ETL allows for exceptional circumstances in which personal data may be disclosed (i.e., allowing access to electronic communications and the disclosure of their contents to third parties). According to Article 43 of the ETL, obtaining, disclosing, providing or processing of personal particulars or data shall be lawful in the following cases:

• If such information is necessary for preventing a crime or detecting a crime pursuant to an official request by the enquiring authority;

• If such particulars were required or authorised by any law, or if the collection of such particulars occurred pursuant to a court order;

• If such particulars were necessary for the assessment of any tax or fees; and

• If the processing of such particulars was necessary for the safeguarding of vital interests of the person about whom such particulars were being collected.

Penalties for breaching an employee’s privacy
The CPL sets out penalties for those who violate an individual’s privacy. Article 276 of the CPL provides that any person who illegally observes or collects information or data, violates another’s privacy or their right to protect their secrets, or reuses collected information and data shall be punished by imprisonment for a period of not less than three months and not more than two years, by a fine of OMR 100-500, or both.
The Cyber Crime Law, promulgated by the Royal Decree 12/2011, also sets out certain penalties for breaching an individual’s privacy, which include:

(a) Imprisonment for a period of not less than one month and not exceeding one year and/or a fine of not less than OMR 500 and not exceeding OMR 2,000 is applied to any person who uses information technology tools to obstruct or intercept the flow of data or electronic information transmitted by way of information technology.

(b) Imprisonment for a period not less than one year and not exceeding three years and/or a fine of not less than OMR 1,000 and not exceeding OMR 5,000 is applied to any person who uses information technology tools (such as camera phones) to photograph or record individuals without their permission; who disseminates such information, even if it is true; or who uses such information towards slander and defamation.

Taken as a whole, Omani law protects individual privacy, especially that of employees. Employers are prohibited from monitoring or recording their employees, and may only obtain permission to do so from the Public Prosecutor under stringent circumstances.  Employees and private individuals have a reasonable expectation that, if they are photographed or recorded without permission, they will have recourse in the law.