Qatar Recording Laws: All-Party Consent Rules and Penalties (2026)

Qatar's Recording Consent Standard: Total Prohibition

Qatar is one of the strictest countries in the world when it comes to recording laws. The legal framework does not merely require consent from all parties. It treats unauthorized recording as a criminal act carrying real prison time.

This article covers recording consent rules under Qatar national law (Penal Code, Cybercrime Law, and Personal Data Privacy Protection Law) and the parallel Qatar Financial Centre (QFC) Data Protection regime. For cross-border data flows involving EU organizations, see the cross-border section below.

Unlike most Western legal systems, which draw a line between private and public settings or between one-party and all-party consent, Qatar's approach is broader. The state considers the act of recording another person without permission to be an invasion of privacy in virtually all circumstances. That position is rooted in the country's constitution and reinforced by multiple overlapping statutes.

For anyone living in, visiting, or doing business in Qatar, the practical takeaway is straightforward: do not record anyone without explicit permission. That applies to phone calls, face-to-face conversations, photographs, and video.

Constitutional Foundation: Article 37

The starting point for Qatar's recording laws is Article 37 of the Permanent Constitution of the State of Qatar. The provision states: "The sanctity of private life is inviolable. Interference in a person's private life, family affairs, home, correspondence and other interference is not permitted except in circumstances defined by the law."

Under Article 37, interference with a person's private life, family affairs, home, or correspondence is prohibited except as permitted by specific provisions of law. The constitution treats privacy not as a policy preference but as a fundamental right.

This constitutional guarantee forms the legal backbone for every statute and amendment that restricts recording in Qatar. When courts interpret recording-related offenses, they do so against the backdrop of Article 37's broad privacy protections.

Penal Code Article 333: The Core Recording Offense

Privacy Crimes Under the Penal Code

Qatar's Penal Code (Law No. 11 of 2004) addresses privacy violations through a cluster of articles in the "Calumny, Defamation and Secret Disclosure" chapter. Articles 331 through 333 together cover the spectrum of unlawful privacy intrusions: Article 331 addresses spreading private information even if true; Article 332 covers unlawful disclosure of secrets obtained through professional roles; Article 333 is the principal recording and surveillance offense.

What Article 333 Prohibits

Article 333 of Law No. 11 of 2004 is the primary statute governing unauthorized recording. The article criminalizes invading the privacy of another person without their consent and outside conditions authorized by law.

The prohibited acts include:

• Eavesdropping, recording, or transmitting any conversation conducted by telephone or by any other device
• Recording or transmitting conversations held in private places, by any means
• Photographing or filming another person in a private place using any device
• Transmitting or distributing any image, recording, or conversation obtained through the acts listed above

The scope is broad. Article 333 does not limit itself to hidden microphones or wiretaps. It covers any device capable of capturing audio or visual content. That includes smartphones, cameras, laptops, smart glasses, and recording apps.

Penalties Under Article 333

A person convicted under Article 333 faces:

• Imprisonment for up to two years
• A fine of up to QAR 10,000 (approximately USD $2,750)
• Or both imprisonment and a fine

These penalties were established by Law Gazette No. 4 of 2017, which amended and strengthened the original Article 333 provisions. A court may impose both the prison term and the fine together based on the severity of the violation and the circumstances of the case.

How the Law Differs from Western Standards

Most common-law jurisdictions, and many civil-law countries, permit at least one-party consent recording. The United States, for example, allows a participant in a conversation to record it in the majority of states without notifying the other party.

Qatar does not recognize one-party consent. Even if you are a direct participant in a conversation, recording it without the other person's knowledge violates Article 333. There is no exception for recording your own phone calls or preserving conversations for personal records.

The 2017 Amendment: Protecting the Injured and Deceased

What Changed

In March 2017, Qatar published Law Gazette No. 4 of 2017, which amended Article 333 of the Penal Code. The amendment expanded the scope of the law in two significant ways.

First, it extended the prohibited acts to cover photographing or filming individuals in a public place with the intention of causing harm or defaming them.

Second, and more notably, it added a prohibition against photographing, filming, or transmitting images of individuals who are injured, deceased, or involved in accidents. This applies specifically in public places, using any kind of device.

Why the Amendment Was Introduced

Before 2017, Qatar's recording laws focused primarily on private settings. The amendment was a direct response to the growing practice of bystanders filming accident scenes, medical emergencies, and crime scenes with their phones and sharing the footage on social media.

Qatari authorities viewed this behavior as a violation of human dignity. Recording a person who is bleeding at the side of the road, or sharing images of a deceased person with identifiable features, became a criminal offense carrying the same penalties as traditional wiretapping.

Practical Impact

The 2017 amendment means that stopping at a traffic accident in Qatar and pulling out your phone to record the scene can result in criminal charges. The same applies to photographing the aftermath of a building collapse, a workplace injury, or any incident involving injured or dead individuals.

Emergency services personnel acting under official authority are exempt. Private citizens are not.

Law No. 11 of 2025: The Cybercrime Amendment

Article 8(bis): A New Layer of Restriction

On August 4, 2025, Qatar published Law No. 11 of 2025 in the Official Gazette (Edition No. 20 of 2025). The law introduces Article 8(bis) into the existing Cybercrime Prevention Law (Law No. 14 of 2014).

Article 8(bis) criminalizes the publication or circulation, through information networks or information technology means, of photographs, audio recordings, or video recordings of individuals taken in public places without their knowledge or consent, where such conduct constitutes an infringement of privacy.

This is a meaningful expansion. Before this amendment, Qatar's Penal Code already prohibited unauthorized recording. The new cybercrime provision targets a different act: sharing visual or audio content of identifiable individuals online without permission, even if the original capture was innocuous.

Penalties Under Article 8(bis)

Violating Article 8(bis) carries:

• Imprisonment for up to one year
• A fine of up to QAR 100,000 (approximately USD $27,500)
• Or both

The fine under the cybercrime amendment is ten times higher than the fine under Penal Code Article 333, reflecting Qatar's concern about the amplified harm caused by digital distribution.

What Triggers a Violation

The law does not require malicious intent. Unauthorized sharing alone is enough to trigger liability. Posting someone's photograph to Instagram, forwarding a video clip via WhatsApp, or uploading footage to TikTok without the subject's consent can constitute a criminal offense.

There are practical boundaries. Photographing a large crowd at a public event, where no individual is the focal point, does not generally require individual consent. However, consent becomes necessary when:

• A specific person is the main subject of the image or video
• The content could harm someone's dignity, reputation, or privacy
• The material is intended for publication or online distribution

Press Freedom Implications

The Committee to Protect Journalists (CPJ) raised concerns when the amendment was published, noting that the broadly worded law "poses a serious threat to press freedom" and "risks silencing journalists and undermining their ability to report on matters of public interest." The CPJ cited a 2021 case in which blogger Malcolm Bidali was charged under Qatar's cybercrime law for reporting on migrant labor rights.

Journalists and media organizations operating in Qatar should be aware that photographing individuals in public without explicit consent, including at protests, labor disputes, or public gatherings, falls within the statute's potential reach.

Business and Media Implications

The 2025 amendment has direct consequences for businesses, media organizations, and content creators operating in Qatar. Marketing teams that use customer images, influencers who film in public spaces, and news organizations that publish footage of identifiable individuals all fall within the law's reach.

Companies operating in Qatar should update internal policies on content creation, establish explicit consent mechanisms for any visual material featuring identifiable people, and train employees on the new requirements.

Phone Calls and In-Person Conversations

Phone Call Recording

Recording phone calls in Qatar without the consent of all parties is illegal under Article 333 of the Penal Code. This applies to:

• Personal phone calls
• Business calls
• VoIP and internet-based calls (WhatsApp, Zoom, Teams, etc.)
• Calls recorded by automated systems or call center software

There is no exception for recording your own calls. A business that records customer service calls must obtain clear, affirmative consent from the caller before recording begins.

In-Person Conversations

The same rules apply to face-to-face conversations. Recording a meeting, a negotiation, a conversation at a coffee shop, or a discussion in someone's office without the knowledge and consent of all participants violates Article 333.

Wearing a hidden microphone or body camera to a meeting, activating a phone's voice recorder in your pocket, or using a smartwatch to capture audio all constitute criminal conduct under Qatari law.

Public Spaces: Qatar's Unique Restrictions

No Safe Harbor for Public Recording

Many countries treat public spaces differently from private ones. In the United States, the United Kingdom, and much of the European Union, there is a general expectation that activities in public spaces can be photographed or filmed.

Qatar does not follow that approach. The 2017 amendment to Article 333 and the 2025 Cybercrime amendment together create a legal environment where recording in public places carries significant risk.

Filming a person at a shopping mall, photographing someone at a park, or recording a conversation at a restaurant can all result in criminal charges if the subject did not consent.

Tourist and Visitor Considerations

Qatar's strict public-recording rules catch many visitors off guard. Tourists accustomed to freely photographing street scenes, markets, and public gatherings need to understand that focusing a camera on an identifiable individual without their permission may violate the law.

Visitors who attended the 2022 FIFA World Cup were required to install mandatory apps (Ehteraz and Hayya) that prompted warnings from French, German, and Norwegian data protection authorities about device surveillance risks. That World Cup experience illustrated the gap between data protection expectations in EU countries and the legal environment in Qatar.

Photographing government buildings, military installations, and certain infrastructure is separately restricted under national security provisions and carries additional penalties beyond the recording laws.

Workplace Recording and Surveillance

CCTV and Surveillance Cameras

Qatar regulates workplace surveillance through Law No. 9 of 2011, which governs the use of security and surveillance CCTV cameras and devices. The law requires businesses in certain categories to install surveillance systems but imposes strict conditions on their use.

Key requirements under Law No. 9 of 2011:

• Businesses must maintain a control room and operate surveillance systems around the clock
• Recordings must be retained for a minimum of 120 days
• Footage cannot be altered before being handed over to government authorities upon request
• Recording is prohibited in bedrooms, patient rooms, restrooms, and women's changing areas
• Installation and operation require licensing from the Security Systems Department of the Ministry of Interior

Violating the CCTV surveillance law carries penalties of up to three years in prison, fines of up to QAR 50,000, and potential suspension or cancellation of the business license.

Employee Monitoring

Employers in Qatar cannot record employees' private conversations, personal phone calls, or off-duty activities. Workplace surveillance must be limited to security purposes and must comply with both Law No. 9 of 2011 and the Personal Data Privacy Protection Law (Law No. 13 of 2016).

Under the PDPPL, employers processing employee personal data must have a valid legal basis. The NCSA has specifically noted that consent is not the preferred legal basis for employee data processing, because the power imbalance in employment relationships makes consent inherently unreliable. Employers must conduct data protection impact assessments before deploying any monitoring systems likely to cause serious damage to employees' privacy.

Personal Data Privacy Protection Law (Law No. 13 of 2016)

Qatar's Comprehensive Data Protection Statute

Law No. 13 of 2016, known as the Personal Data Privacy Protection Law (PDPPL), is the first comprehensive data protection statute in the Gulf region. Issued by HH the Emir Sheikh Tamim Bin Hamad Al-Thani on November 13, 2016 and effective since 2017, the PDPPL applies to any electronically processed personal data.

Personal data under the PDPPL means information identifying an individual "whether through such personal data or through the combination of such data with any other data." Processing covers gathering, receipt, registration, organisation, storage, preparation, modification, retrieval, usage, and disclosure.

The NCSA as Supervisory Authority

The National Cybersecurity Agency (NCSA) is the primary enforcement body for the PDPPL. Within the NCSA, the National Cyber Governance and Assurance Affairs (NCGAA) department performs the duties of the competent authority supervising personal data processing in Qatar.

The Ministry of Communications and Information Technology provides additional guidance through its Compliance and Data Protection Department (CDPD). In 2021, the NCSA published PDPPL Guidelines establishing an implementation framework, and has since issued AI-specific guidance covering the secure adoption of artificial intelligence systems.

Core Obligations Under the PDPPL

Controllers processing personal data in Qatar must:

• Process data lawfully, fairly, and transparently
• Collect data only for specified, explicit, and legitimate purposes
• Maintain prior informed consent where consent is the legal basis
• Implement appropriate technical and organisational security measures
• Report serious data breaches to the NCSA
• Obtain prior NCSA approval before processing sensitive personal data categories (ethnic origin, health data, religion, marital status, criminal records, children's data)

Enforcement Actions

The NCSA has begun exercising its enforcement powers. In December 2024, the agency issued a compliance ruling against a company in the ICT sector, requiring strengthened PDPPL compliance procedures. In March 2025, an e-commerce company received a binding order to enhance its administrative, technical, and financial procedures for personal data protection.

Penalties Under the PDPPL

Organizations found violating the PDPPL face fines ranging from QAR 1,000,000 to QAR 5,000,000 (approximately USD $275,000 to $1,375,000). Criminal proceedings and civil liability are also possible under the combined operation of the PDPPL, Penal Code, and Cybercrime Law.

Data Subject Rights

Individuals whose data is processed have the right to:

• Be informed of collection and processing
• Access data held about them
• Rectification of inaccurate data
• Erasure where data is no longer necessary
• Object to processing
• Withdraw consent at any time

Qatar Financial Centre: Parallel Data Protection Regime

A GDPR-Aligned Regime Within Qatar

The Qatar Financial Centre (QFC) is a financial and business free zone operating under its own legal framework, separate from Qatar national law. The QFC issued the QFC Data Protection Regulations 2021, which came into force on June 19, 2022. These regulations replace the QFC's earlier 2005 Data Protection Regulations and align the QFC closely with the European General Data Protection Regulation (GDPR).

The QFC Data Protection Office (DPO) is an independent institution within the QFC responsible for administering the regulations and handling complaints.

Key Features of the QFC Data Protection Regulations 2021

The QFC regulations establish that firms, as data controllers, must manage personal data lawfully and transparently. The regulations:

• Enhance data subject rights, adding the right to data portability, the right to withdraw consent, and the right not to be subjected to decisions based solely on automated processing
• Abolish the previous mandatory notification process (permits are still required for sensitive personal data processing and cross-border transfers out of the QFC)
• Require privacy-by-design and privacy-by-default approaches
• Impose data breach notification obligations to the DPO

Penalties Under the QFC Regulations

The maximum penalty for non-compliance with the QFC Data Protection Regulations is USD $1.5 million per offense. This significantly exceeds the penalty ceiling for violations of Qatar's national PDPPL.

Which Regime Applies

Businesses incorporated or registered in the QFC are subject to the QFC Data Protection Regulations for their personal data processing. They are not subject to Qatar's national PDPPL for that same processing activity. However, the QFC regulations have extra-territorial effect: they apply to businesses not in the QFC if those businesses process personal data through a QFC-registered entity as part of ongoing arrangements.

Businesses operating outside the QFC but within mainland Qatar are subject solely to the PDPPL.

Recording Police Officers and Government Officials

No Explicit Exception for Recording Law Enforcement

Qatar's Penal Code does not create any exception for recording police officers, government officials, or law enforcement activity. Article 333 applies to all persons without distinction. Recording a police officer during an arrest, a government inspection, or a public engagement without their consent carries the same criminal exposure as recording a private citizen.

MOI Warning (March 2026)

In March 2026, Qatar's Ministry of Interior issued a public warning specifically cautioning against filming and sharing videos of ongoing incidents. The MOI stated that photographing and sharing such footage constitutes potential legal accountability, and emphasized that recording at incident scenes hinders the work of emergency responders, including ambulance crews, Civil Defense units, and security patrols.

The warning did not create new law, but it signals active enforcement attention to incident-site recording. Anyone who films a police operation, a fire, or a road accident in Qatar and shares that footage online faces compounding exposure: Article 333 (unauthorized recording), the 2017 amendment (filming accident victims), and Article 8(bis) (online publication without consent).

Practical Guidance

Individuals in Qatar who believe they have witnessed police misconduct or a matter of public concern have no clear legal right to document it through recording. Legal counsel from a Qatar-licensed lawyer is advisable before taking any recording action near law enforcement activities.

Voyeurism and Non-Consensual Intimate Imagery

Framework Under Existing Law

Qatar has no standalone voyeurism statute as of 2026. However, the existing statutory framework covers voyeuristic conduct through multiple overlapping provisions.

Covert recording of a person in a private space, including bathrooms, bedrooms, changing rooms, or other areas where a person has a reasonable expectation of privacy, is a straightforward Article 333 offense. The penalty is up to two years in prison and QAR 10,000.

Non-consensual distribution of intimate imagery ("revenge porn") falls under both Article 333 and Article 8(bis) of the Cybercrime Law. Publishing such content online can result in up to one year in prison and a QAR 100,000 fine under the cybercrime provision, in addition to Penal Code exposure.

CCTV Prohibition Zones

Law No. 9 of 2011 explicitly prohibits the installation of surveillance cameras in bedrooms, patient rooms, restrooms, and women's changing areas. Installation in these locations by a business operator is a criminal offense under the CCTV surveillance law, carrying up to three years in prison and a QAR 50,000 fine. This prohibition reinforces the general Article 333 protection in intimate settings.

Deepfakes and AI-Generated Content

Current Legal Position

As of 2026, Qatar has no standalone legislation specifically targeting deepfakes or AI-generated synthetic media. The legislative landscape consists of:

Article 8(bis) (Cybercrime Law, 2025): This provision covers "photographs, audio recordings, or video recordings" of individuals without consent. The text references recordings of real individuals captured in public places. The provision does not expressly address AI-synthesized content that was never recorded in the first instance. Applying Article 8(bis) to deepfakes where no real underlying recording exists remains legally untested.

PDPPL (Law 13/2016): The NCSA has issued Guidelines for Secure Adoption and Usage of Artificial Intelligence, which apply PDPPL principles to AI systems. Where an AI system processes personal data (including biometric data used to train or generate synthetic images), the PDPPL obligations apply: lawful purpose, data minimization, transparency, and consent where required.

Practical Risk: The absence of a targeted deepfake law does not create a permissive environment. Using AI to generate realistic images or video purporting to depict a real person without their consent could constitute: defamation under Penal Code Article 331 (spreading information harmful to private life); violation of dignity under general privacy provisions; and PDPPL violations where biometric data was used without consent.

Legislative trajectory: The Gulf region is moving toward AI-specific legislation. The UAE issued an AI regulation framework in 2024. Qatar's NCSA AI guidelines suggest regulatory attention, but no dedicated deepfake criminal statute has been enacted as of the date of this article.

Court Admissibility: Recordings Are Not Evidence

One of the most consequential aspects of Qatar's recording laws is how courts treat unauthorized recordings.

In Qatar, a voice recording obtained without the consent of all parties cannot be used as evidence in court proceedings, regardless of how relevant or important the content may be to the case. This rule applies in criminal proceedings, civil disputes, family law matters, and commercial litigation.

The rationale is twofold. First, Article 333 makes the recording itself a criminal act. Allowing illegally obtained evidence would reward criminal behavior. Second, Qatari authorities have determined that recorded calls and conversations can be manipulated, edited, or taken out of context, making them inherently unreliable.

This means that even if a recording captures a clear confession, an admission of fraud, or evidence of a contractual breach, a Qatari court will not consider it. A person who presents an unauthorized recording in court may also face prosecution for having made the recording in the first place.

Cross-Border Data Flows and the World Cup Legacy

Qatar's Position in the Global Data Transfer Landscape

Qatar does not hold an EU GDPR adequacy decision. Organizations transferring personal data from the European Union to Qatar must rely on Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer mechanisms. The adequacy list, maintained by the European Commission, does not include Qatar as of 2026.

Qatar's PDPPL permits international data transfers unless the processing would violate the PDPPL provisions or cause gross damage to the data subject. Sensitive personal data transfers require prior NCSA approval. Beyond those constraints, the PDPPL does not prescribe specific transfer mechanisms equivalent to GDPR's SCCs or binding corporate rules.

World Cup 2022 Legacy

The 2022 FIFA World Cup in Qatar created heightened cross-border data flow scrutiny that continued into the post-event period. Attendees were required to install the Ehteraz (COVID-19 contact tracing) and Hayya (ticketing and fan identification) apps. European data protection authorities responded with direct consumer warnings:

• France's CNIL advised travelers to "if possible, travel with a blank phone" and delete mandatory apps
• German and Norwegian supervisory authorities similarly warned about the apps' access to device data, including pictures, videos, and location

The World Cup demonstrated the tension between Qatar's domestic surveillance framework and the data protection expectations of visitors from GDPR jurisdictions. For EU businesses with ongoing operations or partnerships in Qatar, those concerns translate into due-diligence obligations under GDPR when personal data flows to Qatari entities.

QFC as a Bridge Regime

The QFC Data Protection Regulations 2021 were explicitly designed to align with GDPR. For EU organizations dealing with Qatar-based counterparties, contracting through QFC-registered entities may reduce the compliance burden compared to dealing directly with mainland Qatar entities governed solely by the PDPPL.

Penalties Summary

Business Compliance Checklist

Organizations operating in Qatar should take the following steps to comply with the country's recording laws and data protection framework:

• Determine which regime applies. If your business operates within the QFC, the QFC Data Protection Regulations 2021 govern your data processing. If you operate in mainland Qatar, the PDPPL applies. Both regimes apply where a non-QFC entity processes data through a QFC-registered entity.
• Audit all recording systems. Identify every system that captures audio or video, including phone systems, CCTV, conferencing platforms, and customer service tools.
• Obtain explicit consent. Before recording any call, meeting, or interaction, secure clear consent from all parties involved.
• License CCTV systems. Ensure all surveillance cameras comply with Law No. 9 of 2011 and are properly licensed through the Ministry of Interior.
• Restrict surveillance zones. Never install cameras in restrooms, prayer rooms, changing areas, or other private spaces.
• Update social media policies. Train employees that posting photos or videos of colleagues, customers, or members of the public without consent can result in criminal prosecution under the 2025 Cybercrime amendment.
• Retain footage properly. Maintain CCTV recordings for the mandatory 120-day retention period and ensure footage is not altered.
• Appoint a data protection officer. Under both the PDPPL and the QFC regulations, organizations processing personal data should designate a responsible compliance officer.
• Conduct data protection impact assessments. Evaluate the risks of any surveillance or recording activity before implementation, particularly for employee monitoring systems.
• Address EU-Qatar data flows. If transferring personal data from the EU to Qatar, execute Standard Contractual Clauses with the Qatari receiving entity, or consider routing through QFC-registered counterparties where the GDPR-aligned QFC regime offers stronger transfer compatibility.
• Review AI usage. If deploying AI systems that process personal data or generate synthetic media, align with NCSA AI guidance and PDPPL obligations. No activity should involve processing biometric data without explicit consent.