the Development of Personal Data Protection Law

Client of United Nation careers

I. GENERAL SCOPE The widespread adoption of information and communications technologies (ICTs) across public and private institutions has made the establishment of comprehensive cyber and data related legislation imperative. In the Arab region, many countries have made progress in developing cyber laws; however, the rapid evolution of digital services such as cloud computing, artificial intelligence (AI), platform economies, and cross border data flows continues to outpace existing legal frameworks. To fully harness the benefits of digital transformation while addressing risks related to privacy, security, and misuse of data, Arab countries are encouraged to develop and modernize their legislative frameworks to meet the demands of the digital age. At the global level, the UN promotes responsible, inclusive, and trustworthy use of digital and emerging technologies in support of sustainable development. In September 2024, world leaders adopted the Pact for the Future during the Summit of the Future, together with its annexes: the Global Digital Compact (GDC) and the Declaration on Future Generations. The GDC places strong emphasis on digital trust, effective digital governance, and the protection of human rights in the digital environment. Central to these objectives is the protection of personal data, which the GDC recognizes as a cornerstone of trust in digital systems and a prerequisite for people s safe and meaningful participation in the digital economy. The UN ESCWA has a long standing role in supporting its member States in the development and reform of cyber legislation. In 2007, UN ESCWA published Models for Cyber Legislation in UN ESCWA Member Countries, which reviewed regional and international legal developments and proposed practical templates to assist countries in assessing and harmonizing national cyber laws. Through its technical cooperation program, UN ESCWA continues to support member States in strengthening legal, institutional, and regulatory capacities related to digital and emerging technologies, including data protection and regulatory oversight. Recently, the Ministry of Telecommunications and Information Technology (MTIT) in Yemen has requested UN ESCWA s advisory services to support the development of a personal data protection law aligned with international standards and regional best practices. Such a law would contribute to strengthening trust in digital services, protecting individuals rights, and supporting Yemen s broader digital transformation efforts in line with global developments, including the principles set out in the GDC. In response, UN ESCWA is engaging a qualified legal consultant to provide specialized expertise in personal data protection, with specific attention to the Yemeni legal and institutional context. Yemen's ongoing conflict and fragile institutional environment require that the draft law include a realistic implementation sequencing recommendation, identifying which provisions can be operationalized in the near term and which require institutional prerequisites, such as the establishment of a data protection authority. The consultant shall draw on established international frameworks including the EU General Data Protection Regulation (GDPR), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013 revision), the Council of Europe Convention 108+, and the Arab League's draft model data protection law, selecting and adapting provisions appropriate to Yemen's legal, institutional, and developmental context. This consultancy is part of a coordinated package of three inter-related legal instruments being developed simultaneously for Yemen: Access to Information Law, Personal Data Protection Law, and an e-Transactions and Trust Services Law. The consultant shall be aware of this broader legislative package and shall flag, in the drafting notes annex, any provisions in the assigned law that intersect with or depend upon the other instruments, to ensure coherence across the three laws. The advisory services, including the scope of work and expected outputs, are detailed in these Terms of Reference. III. DUTIES AND RESPONSIBILITIES The consultant shall propose to the designated ESCWA focal point a detailed version of the report on personal data protection law. To produce the draft report, the consultant is requested to conduct, among others, the main following tasks: 1. Benchmarking and Best Practices Review current national laws related to digital and emerging technologies in Yemen; Review best regional and international practices in personal data protection law covering at least 2 regional cases and 2 international cases, with justification for case selection provided in the report; 2. Stakeholder Engagement Identify main national stakeholders, hold, in coordination with MTIT, interviews and meetings with the main national stakeholders and preparing minutes of each meeting/interview summarizing the discussed points, their remarks, observations and proposals; Contribute to sectoral workshops to discuss needs and priorities, if needed; Discuss priorities and needs with MTIT and ESCWA; Document findings, priorities, and challenges. 3. Situational analysis Analyze existing legislation, and regulatory frameworks, including data-related provisions currently embedded in Yemen's telecommunications law, e-government frameworks, and sector-specific regulations, mapping these against international PDPL standards; Conduct a comprehensive gap analysis to identify gaps, overlaps, and contradictions with international PDPL standards 4. Law Development Draft a suggested law based on national needs, gap analysis, international/regional best practices, and ESCWA template for cyber legislations. The draft Personal Data Protection Law (PDPL) shall include, at a minimum: o Preamble, objectives, and guiding principles (including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality); o Definitions and material/territorial scope of application (including extraterritorial reach, where applicable); o Legal bases for processing personal data, including consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests, with specific conditions for validity of consent; o Special categories of personal data (sensitive data) and rules governing their processing, including additional safeguards;