This week, the United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications (the “Minister”) announced that the UAE would introduce a new federal data protection law (“Data Protection Law”), the first federal law of its kind in the UAE. The Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.

In the UAE, regulation of data protection differs between free trade zones and the remaining, onshore, areas of the UAE. Onshore areas are under federal jurisdiction, while the free trade zones are empowered to create their own legal and regulatory framework for all civil and commercial matters. Only the Dubai International Financial Centre (“DIFC”), Dubai Healthcare City (“DHCC”), both free trade zones in the Emirate of Dubai, and Abu Dhabi Global Market (“ADGM”), in the Emirate of Abu Dhabi, have formal data protection regimes, with laws in these free trade zones generally consistent with data protection laws in other developed jurisdictions.

At present, there is no unified set of privacy or data protection laws at the federal level and there is no single national data privacy regulator. Consequently, while there are UAE laws that provide general rights to privacy, the concept of processing or transferring data is not extensively regulated for companies operating outside of the DIFC, DHCC or ADGM.

General rights to privacy in the UAE include:

  • the UAE Constitution addresses privacy by providing that freedom of communication by post or other means of communication and the secrecy thereof is guaranteed in accordance with the law;
  • the UAE Penal Code prohibits those who have access to an individuals’ personal data from disclosing or publicizing that information; and
  • the Cyber Crimes Law (Federal Law No. 5 of 2012 relating to Combating Information Technology Crimes, as amended by Federal No. 12 of 2016 and Emiri Decree No. 2 of 2018) prohibits invading the privacy of another person via technological means, without their consent.

According to the Minister, the Data Protection Law will “guarantee personal privacies and the ability for the private sector to grow, innovate, and prosper. It gives individuals the right to be forgotten, the right of access, the right of correction, and the right to be informed.”

The Data Protection Law is a step towards establishing a data protection regime in the UAE that would provide an adequate level of protection for the purposes of data transfers from the European Union and other regulated jurisdictions.

We will provide an analysis of the law following its official release later this year.