The UAE has recently introduced its first federal-level data protection law, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (‘the PDPL’), issued on 20 September 2021. This law will become enforceable six months after the issuance of the associated Executive Regulations, which are expected to provide the practical and operational details of the PDPL.
These Executive Regulations are to be issued by 20 March 2022, and enforcement is likely to commence on 20 September 2022, unless the UAE Data Office (‘the Data Office’) extends the enforcement date or there is a delay in the issuance of the Executive Regulations. While waiting for the Executive Regulations, it is important to note that the Constitution of the UAE and the Civil Code provide some privacy-related rights.
Additionally, sector-specific laws like the telecommunications, consumer protection, and cybercrime laws also offer limited data protection rights in specific scenarios. As the Executive Regulations are issued, this overview will be reviewed and revised accordingly.
As a significant part of the legal changes implemented to celebrate the UAE’s 50th anniversary, the Federal Data Protection Law (Law No. 45 of 2021) suggests that companies will have approximately one year (unless extended) to adjust their handling of personal data before the UAE data protection law comes into effect on January 2, 2022, and enforcement begins.
Whom does the UAE Data Protection Law apply to?
- The UAE data protection Law applies to individuals who process personal data and:
  - Reside in the UAE
  - Have a place of business in the UAE
- The UAE data protection Law applies to organizations established in the UAE that process personal data of:
  - Individuals located inside the UAE
  - Individuals located outside the UAE
- The UAE data protection Law applies to organizations established outside the UAE that process personal data of individuals located inside the UAE.
Businesses that are exempt from the UAE Data Protection Law
UAE Data Protection Law exempts the following:
- Government data
- Government authorities processing personal data
- Free zone companies under data protection legislation
- Security and judicial authorities processing personal data
- Health personal data under data protection legislation
- Banking and credit personal data under data processing and protection regulation
Kinds of Data Affected by the UAE Data Protection Law
The UAE data protection law governs the handling of personal data, meaning any information concerning a particular natural person, or a natural person whose identity can be established by linking data. Such data includes personal details like name, voice, image, electronic identifier, identification number, and location. It also includes biometric data and sensitive personal information. The law additionally treats any information that can reveal an individual’s family identity as falling within its scope, which is broader than the GDPR.
Regulator of UAE Data Protection Law
The enforcement of the PDPL will be overseen by the Data Office, established under Federal Decree-Law No. 44 of 2021 (also known as Law No. 44/2021). However, during the initial two-year period, the Telecommunications and Digital Government Regulatory Authority (TDRA) will offer administrative and logistical assistance.
Foundation for handling personal data
The DP Law in the UAE has maintained the importance of obtaining a data subject’s consent to process their personal data, as it was required under the previous UAE Penal Code. This consent must be clear, simple, and unambiguous, and must indicate the data subject’s right to withdraw consent easily. Companies that did not provide this information previously will need to update their consent forms and policy documents accordingly.
However, it is important to note that consent is not the only basis for processing personal data under the DP Law. The law also permits processing in various circumstances, including situations where it is necessary for the performance of a contract, to commence or defend a legal claim, to fulfill the organization’s obligations under applicable UAE laws, and for the purposes of carrying out obligations and exercising rights related to employment and social security.
In addition, processing personal data for the protection of public interest and public health, including protection from epidemics, and processing personal data that has been made public by the individual are also permissible.
It should be noted that the DP Law does not include “legitimate interest” as a valid basis for processing personal data, unlike other data protection laws such as the GDPR or the DIFC and ADGM data protection laws. It remains to be seen if the Executive Regulations will introduce this as a valid basis for processing personal data.
Appointment of a Data Protection Officer (DPO) & Conducting Data Protection Impact Assessments
Similar to the GDPR and the data protection laws in ADGM and DIFC, the DP Law necessitates the appointment of a DPO by companies that engage in high-risk data processing activities. These activities include:
- Implementing new technology that may pose a significant risk to the privacy and confidentiality of personal data.
- Automated processing, such as profiling data subjects, with limited or no human involvement.
- Processing vast quantities of sensitive personal data.
The DPO may be an employee or contractor and does not necessarily have to be based in the UAE. This provision could be beneficial for international organizations that have centralized DPO functions.
Additionally, the DP Law mandates that companies perform a data protection impact assessment before processing personal data in accordance with points two and three mentioned above.
Are Contracts with Processors Required by DP Law?
The DP Law suggests that a contract between a data controller and a data processor outlining the processing scope and related specifics is necessary. However, it is uncertain if this contract is mandatory, as it is in the GDPR and the data protection laws of DIFC and ADGM, and additional guidance is needed. If there is co-processing involved, the processors must distinctly outline their responsibilities and obligations in a contract, or they will face shared liability. Sub-processors are not explicitly covered in the DP Law, and possible clarity could come from the Executive Regulations.
Rights of Users as per Data Protection Law in the UAE
The DP Law grants data subjects similar rights to those provided under the GDPR, such as the right to access, transfer, and withdraw consent for their data to be processed. Additionally, data subjects have the right to object to automated data processing and opt-out of marketing and survey-related processing. It remains to be seen whether these new rights will result in an uptick in access requests, as has been observed in the EU and DIFC. Companies must provide information about these rights to data subjects through their privacy policies, necessitating the creation or revision of such policies. It will be interesting to observe if the implementation of these data subject rights will have an impact on the frequency of unsolicited marketing calls.
Data Subject Rights, as outlined in the UAE data protection law, include the following:
- Right to be informed: Controllers must provide data subjects with information on the purposes of processing, sectors or entities with whom their personal data will be shared, and safeguards used for cross-border processing. Upon request, data subjects can obtain additional information, including types of personal data processed, decisions made through automated processing, storage periods, and measures taken in case of data breaches.
- Right to access: Data subjects have the right to receive their personal data in a structured and machine-readable format when processing is based on consent or necessary for contractual obligation and implemented through automated means.
- Right to rectification: Data subjects have the right to request the rectification of inaccurate personal data and completion of incomplete data.
- Right to erasure: Data subjects have the right to request deletion of personal data if it is no longer necessary for processing or if consent is withdrawn or objected to without legitimate grounds for continuing processing.
- Right to object/opt-out: Data subjects have the right to object to processing for direct marketing or statistical survey purposes.
- Right to data portability: Data subjects have the right to transfer personal data to another controller where technically feasible.
- Right not to be subject to automated decision-making: Data subjects have the right to object to decisions made through automated processing.
- Other rights: Data subjects may lodge a complaint with the Data Office if they suspect a violation of PDPL provisions.
Notification of Data Breaches as per the UAE Data Protection Law
The UAE data protection law (PDPL) mandates in Article 9 that the controller must inform the Data Office of the breach as soon as they become aware of it. This notification must contain the following information:
- Details on the nature, category, reasons, approximate number, and records involved in the data breach
- A description of the potential consequences of the data breach
- An account of the measures and corrective actions that the controller has taken to address the data breach.
To maintain compliance with international standards and best practices, organizations that handle personal data must establish and implement appropriate technical security measures. In the event of a data breach that may endanger the privacy, confidentiality, and security of personal data, organizations must inform the UAE Data Office and the individuals affected. The notification threshold for affected individuals is lower than that of the GDPR, making it applicable in more cases. The data controller must notify the UAE Data Office immediately, and additional information regarding timing and the notification process is anticipated in the Executive Regulations.
Managing Data Transfers as per UAE Data Protection Law
Article 22 of the UAE data protection law restricts the transfer of personal data to any country or territory outside the UAE unless such country or territory guarantees an ‘adequate level of protection’ for the data subject’s rights and freedoms regarding personal data processing. In case such guarantees are not in place, Article 23 of the law contains several exceptions that allow for the lawful transfer of personal data across borders, including:
- Implementing adequate protection via appropriate safeguards such as Standard Contractual Clauses (‘SCCs’); and
- Obtaining explicit consent from the data subject, provided that the transfer does not conflict with the UAE’s public and security interests.
The Executive Regulations, expected to be issued soon, are likely to provide more information on cross-border transfers, including a list of jurisdictions that are considered to offer an ‘adequate level of protection’.
The UAE data protection law is based on the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018. The law requires businesses to adhere to strict data protection policies, ensuring that they collect, process, store, and share personal data lawfully and securely.
The law applies to all companies, organizations, and individuals that handle personal data. It provides the right to individuals to know how their personal data is being used and gives them the right to request access to their data. The law also requires companies to obtain explicit consent from individuals before processing their data.
The UAE data protection law mandates that businesses take appropriate measures to protect personal data from unauthorized access, theft, loss, or damage. The law requires businesses to take specific measures to ensure that they meet these requirements, such as appointing data protection officers and providing regular training to staff on data protection issues.
Non-compliance with the UAE data protection law can result in significant penalties. Businesses that violate the law can be fined up to AED 5 million, and individuals can be fined up to AED 500,000. Companies that breach the law can also face criminal charges, which can result in imprisonment.
The UAE data protection law is a significant development for the country, as it provides individuals with the right to protect their personal data from misuse and abuse. As technology continues to play a significant role in the country’s growth and development, it is essential that businesses and organizations adhere to the law’s principles to ensure that they operate ethically and responsibly.
The introduction of the DP Law and regulator in the UAE is a positive step towards aligning with global privacy standards. The DP Law incorporates certain principles from the GDPR and DIFC and ADGM data protection laws, but also has distinct differences as outlined in this briefing. As we await further guidance on fines and penalties through the Executive Regulations, companies are advised to initiate compliance efforts early for a competitive advantage.
Key Definitions of Terms in the UAE Data Protection Law
- Data controller: The entity that obtains personal data and determines the method, means, criteria, and purposes of the processing of such personal data.
- Data processor: The entity that processes personal data on behalf of the controller, under the supervision of, and as directed by, the controller.
- Personal data: Any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, by reference to an identifier.
- Sensitive data: Any information that reveals a natural person’s family, racial origin, political, philosophical, or religious beliefs, criminal records, biometric data, or any information concerning the health of such person.
- Health data: All electronic data originating in the UAE, regardless of its form, including alpha-numerical identifiers, common procedural technology codes, diagnosis and treatment, images produced by medical imaging technology, information collected during consultation, lab results, and names of patients.
- Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a data subject, which allows or confirms the unique identification of that data subject.
- Pseudonymisation: The processing of personal data in such a manner that the personal data processed as such can no longer be attributed to the data subject without the use of additional information, provided that such additional information is kept separately and safely.
- Data protection officer: A natural or legal person appointed by the controller or processor to monitor compliance with controls, requirements, procedures, and rules of the processing and protection of personal data provided for in the Law, and to ensure the integrity of the systems and procedures.