Data Protection and Privacy Laws in the UAE
UAE Regulations and the Adoption of the New Law
Data Protection Laws and Regulations have become fundamental pillars of national legislation considering the importance of privacy rights and the necessity of regulating how personal data is handled across different sectors. As technology advances and data exchange becomes more prevalent, it becomes necessary to set clear ground rules regarding the collection of personal data, the transfer and use of such data, and the rights of data subjects to oversee the process through which their personal information is being manipulated.
In light of these circumstances, the European Union implemented its General Data Protection Regulation (“GDPR”) which went into effect on May 25, 2018, and placed strict obligations on entities dealing with personal data. The GDPR imposed responsibilities on both data controllers[1] and third-party data processors[2] acting under the controller’s direction, and set a clear outline for the collection, processing, storage, and transfer of personal data. The GDPR inspired numerous countries to revise their data privacy regulations to provide similar protections to their citizens and notably served as a reference to the United Arab Emirates (“UAE”) which was witnessing at that time a series of high-profile data breaches concurrently to an increase in international business operations involving cross-border data transfers.
In November 2021, the UAE issued Federal Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) which entered into force on the 2nd of January 2022 and set stricter standards for data privacy and protection on a national level. Prior to PDPL, rules and regulations related to data privacy in the UAE were scattered among different local legislations including the UAE Constitution that grants citizens a general right to privacy, certain provisions of the Federal Law No. 5 of 1985 (the Civil Code) which addressed certain privacy-related issues, and some private data protection laws enacted by different free zones across the UAE and only applicable to businesses operating within their jurisdiction.
PDPL covers the processing of personal data of people residing in the UAE, or people having a business within the UAE. The law has also extraterritorial reach and applies to (i) each data controller or processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE, and to (ii) each data controller or processor located outside the UAE when processing information related to data subjects located inside the UAE.
It is important to note that PDPL does not apply to certain types of data that are specifically regulated by separate legislations such as the UAE Federal Law No. 2 of 2019 (the Health Data Law) that governs the collection, processing, and transfer of health-related personal data. Moreover, the law does not cover governmental data, personal data processed by the security and judicial authorities, personal banking and credit data, and does not apply to government authorities that control or process personal data or to UAE free zones (such as ADGM and DIFC) that have their own data protection laws.
The law regulates, on the other hand, the processing of personal data in all other circumstances. Personal data is defined as being “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. This includes an individual’s name, voice, image, identification number, and geographical location as well as sensitive personal data, biometric data, or any information that can reveal the identity of a person’s family.
To be in line with international practices when collecting personal information, PDPL adopts the data privacy principles of (i) lawfulness, fairness, and transparency, (ii) purpose limitation, (iii) data minimization, (iv) accuracy, and (v) secure processing, and maintains the requirement of obtaining the data subject’s consent to process their data which was previously mentioned in the reform of the UAE Penal Code. The data subject’s consent should be clear, simple, specific, and unambiguous and should be provided only after the full disclosure of how his data is intended to be used.
It is important to mention that consent is not the only basis for processing personal data. Just as stated under the GDPR, the PDPL permits processing in other circumstances including (i) where processing is necessary for the performance of a contract to which the individual is a party, or to take actions at the request of the individual to conclude, amend or terminate a contract, (ii) for the commencement or defense of a legal claim or judicial or security procedures, (iii) processing personal data which is necessary for the fulfillment of the organisation’s obligations under applicable UAE laws, (iv) processing personal data which is necessary for carrying out the obligations and exercising the rights of the organisation or of the individual in the field of employment and social security and social protection law, (v) protection of public interest and also public health including protection from epidemics, and (vi) processing personal data made public by the individual. However, unlike the GDPR or the ADGM and DIFC data protection laws, PDPL does not include “legitimate interest” as a valid basis for the processing of personal data.
PDPL also sets out the rights data subjects are entitled to in line with international standards, such as the right to obtain information, the right to data portability, the right to correct or erase personal data, the right to restrict personal data processing, the right to stop personal data processing and the right not to be subject to automated processing. Moreover, the law mentions the obligations binding both data controllers and processors such as breach notifications, the obligation to appoint data protection officers, data protection impact assessment obligations, and the requirement of privacy notices.
In parallel with the issuance of PDPL, the UAE issued Federal Decree-Law No. 44 of 2021 which established the UAE Data Office (“Data Office”) that would act as the data protection regulatory authority in mainland UAE. The Data Office is responsible for preparing policies and legislation, monitoring the implementation of the PDPL, preparing a system for complaints and grievances, and issuing guidance relating to the law. Administrative penalties can be imposed as part of a decision by the Council of Ministers in response to a breach of the law or the executive regulations of the Data Office and based on a proposal from the Data Office’s director general.
On a final note, it is worth mentioning that PDPL states that where processing creates a high risk to the privacy of personal data through either the adoption of new technologies or the volume of personal data processed, data controllers and processors will need to appoint an experienced Data Protection Officer (“DPO”). A DPO will also be required where processing involves the assessment of sensitive personal data as part of profiling or automated processing or where large volumes of sensitive personal data are processed. The appointed individual can be an employee of the controller or processor, or another individual appointed by the organisation, either within or outside of the UAE.
PDPL states that the DPO should have sufficient skills and expert knowledge in data protection to assist data controllers and processors in monitoring internal compliance with the law, advising them on their data protection obligations, providing expert advice when needed, and acting as a point of contact for individuals and data protection authorities. Unfortunately, the requirements for the DPO are not currently very prescriptive noting that the law does not provide any additional information regarding the characteristics of such data officers nor the necessary skills and knowledge required to fulfill their obligations. However, it is worth mentioning that most legislations note that a DPO needs to be familiar with the requirements of the applicable data protection law within the jurisdiction they are appointed in and have in-depth experience and knowledge of the relevant business sector and the organisation’s objectives.
Following the above, it becomes clear that PDPL now aligns the UAE with global data protection standards and creates a favorable environment for international business operations and secure data transfers. The new law establishes clear grounds for data controllers and processors to handle personal data, prevent data breaches, and hold them accountable for not complying with the law’s dispositions.
Nour Souaiby
Junior Associate
11/11/2023
For personalized guidance regarding Data Protection Law in the UAE, please do not hesitate to contact our team by sending an email to: attorneys.ad@omlfirm.com.
DISCLAIMER: This blog post does not constitute legal advice, and no attorney-client relationship is formed by reading it. Additional facts or future developments may affect the content of this blog post. Before acting or relying upon any information within this newsletter, please seek the advice of an attorney.
[1] Data Controller refers to an entity or the natural person which determines the method, approach, criteria, and purpose of processing Personal Data, whether alone or jointly with other persons or entities
[2] Data Processor refers to an entity or the natural person that processes personal data on behalf of the controller and under his direction and instructions. Processing means any operation or set of operations performed on personal data through electronic means, including other processing methods. This includes collecting, storing, recording, organising, adapting, modifying, circulating, transferring, retrieving, exchanging, sharing, using, describing, and disclosing personal data by broadcasting, transfer, distributing, making available, coordinating, merging, restricting, deleting, destroying, or modeling the data.