Oman's data protection and artificial intelligence framework continues to develop following the introduction of the country's first comprehensive privacy legislation. Since the enactment of the Personal Data Protection Law (Oman PDPL) in 2022, the Ministry of Transport, Communications and Information Technology (MTCIT) has issued implementing regulations and further guidance aimed at clarifying compliance with the law. More recently, AI-specific regulatory and commercial developments have also emerged.
The Oman PDPL
The Oman PDPL was promulgated by the Oman Sultani Decree No. 6/2022 Promulgating the Personal Data Protection Law on 9 February 2022 and entered into force one year later. The Oman PDPL establishes the principal legal framework governing the protection of personal data in Oman and represents a significant step in aligning Oman with global trends in data protection regulation.
The Oman PDPL regulates the collection, use, disclosure, storage and transfer of personal data and imposes obligations on entities that process such data. It seeks to ensure that personal data is processed in a manner that respects privacy, transparency and human dignity, while providing individuals with rights in relation to their personal data.
The Oman PDPL contains enhanced protections for sensitive categories of personal data, including biological, genetic and health-related data, as well as data relating to religious beliefs, political opinions and criminal records. It also establishes specific safeguards for the processing of children's personal data and regulates the transfer of personal data outside Oman. In addition, the Oman PDPL provides for regulatory oversight by the MTCIT and introduces penalties for non-compliance.
Existing regulatory guidance
Since the enactment of the Oman PDPL, the MTCIT has taken steps to support its implementation through both formal regulations and supplementary regulatory guidance. Most notably, the MTCIT issued the Implementing Regulations of the Personal Data Protection Law pursuant to Oman Ministerial Decision No. 34/2024 Issuing the Implementing Regulation of the Personal Data Protection Law (Implementing Regulation) which builds on the framework established under the Oman PDPL by providing the procedural and administrative framework necessary for the operation of the Oman PDPL and establishing the mechanisms through which organisations can demonstrate compliance with the Oman PDPL.
In addition to the Implementing Regulation, the MTCIT has published a suite of personal data protection guidance/ forms on its website, which aid compliance. Amongst them, the Oman Circular No. 6/2024 on the Personal Data Protection Policy of the Units of the Administrative Apparatus of the State (Circular) is particularly significant as it provides practical guidance on the management and protection of personal data within government entities. The Circular introduces a number of governance requirements relating to the processing, storage, disclosure and protection of personal data. The Circular also addresses matters such as privacy notices, contractual arrangements with third-party processors, security controls and oversight mechanisms. Of particular note is the Circular's emphasis on processing personal data within Oman and the additional safeguards surrounding transfers of government-held personal data outside Oman, which is subject to obtaining prior approval of the Electronic Defence Centre.
A further regulatory development emerged from the MTCIT Decision No. 6/2025 Issuing the Implementing Regulation of the Personal Data Protection Law (Decision). The Decision amended the Implementing Regulation by extending the period available for organisations to regularise their compliance with the Implementing Regulation. The Decision effectively provided organisations with additional time to implement the governance, operational and technical measures required under Oman's data protection framework. Organisations must have regularised their position in accordance with the Implementing Regulation by 5 February 2026.
Future developments
In May 2026, the Oman's Shura Council was reportedly reviewing and considering amendments to the Oman PDPL. Aimed at improving digital governance, the proposed amendments are expected to tie applicability of the Oman PDPL to data subject's (Omani) residency as well as clarify expectations for automated data processing and data retention.
As Oman's privacy regime continues to mature, organisations should remain attentive to potential amendments to the Oman PDPL and future guidance and regulatory developments issued by the MTCIT particularly as the MTCIT continues to refine its approach to implementation, supervision and enforcement.
Digital and artificial intelligence developments
Alongside the continued development of its data protection framework, Oman has recently taken further steps to strengthen its position as a regional technology and innovation hub. Most notably, the MTCIT issued the Public Policy for Safe and Ethical Use of Artificial Intelligence on 1 April 2025 (AI Policy), which seeks to establish guidance for safe, ethical and trusted AI usage by the public and private sector and has been prepared in line with Islamic principles. The AI Policy enshrines internationally recognised principles of AI governance (for example, accountability, transparency, human-centricity and social responsibility) and adopts a proactive and lifecycle approach to AI governance. Policy compliance and oversight sits with the MCTIT and sector-specific regulatory authorities.
Entities operating in the artificial intelligence space may also welcome the establishment of the Artificial Intelligence Special Zone in Muscat by His Majesty Sultan Haitham bin Tarik on 30 April 2026 vide the Oman Royal Decree No. 50/2026 (Decree). The Decree provides for the creation of a dedicated zone focused on the development and deployment of artificial intelligence technologies, and extends the incentives, privileges and facilitations under special economic zones (for example, tax breaks and customs exemptions) to projects established within this zone . The Public Authority for Special Economic Zones and Free Zones has been tasked with appointing the entity responsible for managing, operating and developing the zone, in coordination with the MTCIT.
Although the Decree does not introduce specific artificial intelligence regulation, it reflects Oman's broader commitment to digital transformation and emerging technologies. As artificial intelligence adoption continues to increase across both the public and private sectors, robust data governance and compliance with the Oman PDPL are likely to remain important considerations for organisations developing or deploying AI-driven technologies within Oman.
Comparative regulatory requirements – perspectives from the GCC
Developments in Oman are generally consistent with broader recent data and AI regulatory trends observed across Gulf Cooperation Council (GCC) nations.
However, while the Oman PDPL shares parallels with other GCC privacy laws, including the UAE Federal Decree-Law No. 45/2021 (UAE PDPL), it differs in material ways including:
- the UAE PDPL provides for: (i) more GDPR-aligned lawful processing bases (compared to the Oman PDPL which relies heavily on consent as the primary lawful processing basis); and (ii) lawful processing and data minimisation requirements – which are currently absent under the Oman PDPL and Implementing Regulation;
- unlike the UAE PDPL, the Oman PDPL contains regulatory permit/ notification requirements imposed by the Omani data privacy regulator which must be complied with before personal data (whether through automated or other means); and
- the Oman PDPL requires transparency information (for example privacy notices) to capture a broader range of processing details (for example, information in respect of data subject rights and contact information of the controller's data protection officer) compared to the more simplified requirements under the UAE PDPL.
Notably, the UAE PDPL remains in force but unenforceable, pending issuance of its Executive Regulations, though this could soon change. In June 2026, the UAE approved the establishment of a national body – the Artificial Intelligence and Data Authority – which brings AI, digital government and data functions under one unified mandate. This dual structure is similar to the approach adopted in KSA where the Saudi Data and AI Authority regulates both AI and data, and appears to reflect broadening recognition of the significance of adopting an intersectional approach to (big) data and AI governance.
Conclusion
The introduction of the Oman PDPL marks a significant milestone in the development of privacy law in Oman. Subsequent measures, including the Implementing Regulation, Circular and Decision, demonstrate the MTCIT's ongoing efforts to build a comprehensive and practical data protection framework.
Whilst we will only see the practical application of the Oman PDPL over time, these developments come at a time when Oman is also advancing its broader digital transformation agenda, as reflected by the recent establishment of the Artificial Intelligence Special Zone in Muscat. While the new zone is aimed at fostering investment and innovation in artificial intelligence and emerging technologies, it also highlights the growing importance of robust data governance within Oman's evolving digital economy.
Organisations operating in Oman should continue to monitor regulatory developments to ensure their data and AI governance practices remain aligned with evolving legal requirements. Noting local regulatory divergences and the evolving regulatory landscape, organisations should proactively monitor regulatory developments more broadly across the GCC, to ensure their data privacy and AI governance practices remain aligned and effective.
