Privacy Regulations in Middle East & North Africa

16 privacy and data protection laws across Middle East & North Africa

UAE PDPL
United Arab Emirates
Flag of AE
Opt-inFederal

The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.

KSA PDPL
Kingdom of Saudi Arabia
Flag of SA
Opt-in

Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.

Egypt PDPL
Egypt
Flag of EG
Opt-in

Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.

Israel PPL Amendment 13
State of Israel
Flag of IL
Opt-in

A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.

Algeria Law 18-07
Algeria
Flag of DZ
Opt-in

Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.

Morocco Loi 09-08
Morocco
Flag of MA
Opt-in

Among the first data protection laws in Africa, modeled after the French Data Protection Act. The CNDP is an autonomous supervisory authority. All processing activities must be declared to the CNDP prior to implementation. The CNDP takes a graduated enforcement approach with warnings before fines or criminal referrals.

Bahrain PDPL
Kingdom of Bahrain
Flag of BH
Opt-in

Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Qatar PDPPL
State of Qatar
Flag of QA
Opt-in

Qatar's national data protection law applying outside the QFC free zone. Notable for imposing only financial penalties without criminal sanctions, which is unusual for the region. Consent is required for data processing, with restrictions on direct electronic marketing and cross-border transfers. The QFC operates its own separate data protection regime.

Tunisia Organic Act
Tunisia
Flag of TN
Opt-in

The first data protection law in the Maghreb region and among the earliest in Africa. Requires prior notification to INPDP before processing. Tunisia joined CoE Convention 108 in 2017, signaling alignment with European standards. Criminal penalties including imprisonment apply.

Kuwait DPPR
State of Kuwait
Flag of KW
Opt-in

Kuwait's data protection regulation with a critically narrow scope — it only applies to CITRA-licensed telecom and ISP service providers, not all businesses. The 2024 update significantly narrowed the previously broader framework. Most businesses in Kuwait are not covered by this data protection regime, making it among the most limited in the Middle East.

Oman PDPL
Sultanate of Oman
Flag of OM
Opt-in

Oman's data protection law with one of the strictest consent models in the Middle East — no legitimate interests basis and written consent is mandatory. The tiered penalty structure escalates significantly for cross-border transfer violations up to OMR 500,000. Standard implied consent or browsing-based consent mechanisms are insufficient under this framework.

Jordan PDPL
Hashemite Kingdom of Jordan
Flag of JO
Opt-in

Jordan's first comprehensive data protection law with a dual governance structure: the Personal Data Protection Council sets policy while the Directorate handles day-to-day enforcement. Consent must be clear, written, with a specified period and purpose in plain language. The 24-hour breach notification to data subjects is among the shortest globally.

Lebanon Law 81/2018
Republic of Lebanon
Flag of LB
Opt-in

Lebanon's combined electronic transactions and data protection law — not a comprehensive standalone data protection framework. Lacks a dedicated supervisory authority and has significant gaps including no formal definition of consent. The country's political and economic crisis has further delayed enforcement and development of the framework.

ADGM DPR
Abu Dhabi Global Market (ADGM) free zone
Flag of AE
Opt-in

ADGM's comprehensive data protection regulations closely modeled on GDPR principles, carrying the highest penalty ceiling in the Middle East at USD 28 million. Requires data protection by design and default, record-keeping of processing activities, and written contracts between controllers and processors. Part of the UAE's three-regime system.

DIFC DPL
Dubai International Financial Centre
Flag of AE
Opt-in

DIFC's standalone data protection law applying within the Dubai financial free zone, significantly strengthened by a 2025 amendment introducing a private right of action for data subjects. Explicitly requires minimum necessary cookies and easily accessible cookie controls, making it one of the more cookie-specific frameworks in the Middle East.

QFC DPR
Qatar Financial Centre
Flag of QA
Opt-in

The QFC's standalone data protection regulations applying within the financial centre, separate from Qatar's national PDPPL. Closely aligned with GDPR principles with explicit cookie-specific provisions requiring easily accessible cookie controls. Penalties are cumulative per provision infringed, and the QFC has actively issued fines for data breach violations.