On November 27, 2021, the UAE Cabinet Office enacted its first federal Personal Data Protection Law (Federal Decree Law No. 45 of 2021, the “UAE Data Protection Law”). The UAE Data Protection Law will come into force on January 2, 2022.
The new law, drafted in consultation with major technology companies, seeks to protect the privacy of personal data across the UAE, without creating an overly burdensome regulatory regime. In particular, the law seeks to control the misuse of personal information and the use of personal data for profit.
Prior to adopting the UAE Data Protection Law, the UAE had no principle source of data protection or privacy regulation. Several existing laws have implications on the transfer or use of personal data within the UAE (including the UAE Constitution, the UAE Penal Code, the Health Data Law and the Telecommunications Law), but a lack of centralized regulation meant that these laws did not apply to all businesses operating as data processors or data controllers in the UAE.
Scope of the UAE Data Protection Law
The UAE Data Protection Law applies to the processing of “Personal Data:”
- of any data subject who resides or has a place of business in the UAE;
- by any data controller or data processor established in the UAE (regardless of whether the processing of personal data is carried out inside or outside of the UAE); and
- by any data controller or data processor established outside of the UAE, but who carries out processing of personal data within the UAE.
Consequently, the UAE Data Protection Law has a degree of extra-territorial reach. There is, however, some uncertainty about the extent to which the law would apply in situations where the data subject is a UAE resident, but neither the data controller nor the data processor have any nexus to the UAE. This situation exists in other jurisdictions to varying degrees, for example the General Data Protection Regulations (“GDPR”) in the EU can still apply to targeting and monitoring activities of data subjects located in the EU even if the data processor is not established in the EU. We expect the scope of the law to be clarified in new data protection regulations, which are to be issued within six months of the promulgation of the UAE Data Protection Law.
For purposes of the UAE Data Protection Law, Personal Data is defined to mean “any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person” (English translation).
The UAE Data Protection Law does not apply to processing of government data, health data, and banking and personal credit data. Such data is subject to its own regulatory regimes and policies, much of which we anticipate will be revised in the coming months as part of the UAE’s comprehensive legal reforms intended to position the UAE as a global leader in technology and digitization.
Free zones that have implemented their own data protection rules also are excluded from the application of the UAE Data Protection Law and will continue to be regulated by their individual data privacy regimes. Free zones with self-regulated data protection laws include the Dubai International Financial Centre (“DIFC”), Abu Dhabi Global Market (“ADGM”) and Dubai Healthcare City. DIFC and ADGM have data privacy regimes comparable to the protections offered by the GDPR.
Key Features of the UAE Data Protection Law
A significant aspect of the UAE Data Protection Law is that consent to process personal data is now a requirement for any organization established in the UAE or processing data within the UAE, regardless of the industry sector in which an organization operates, with limited exceptions, such as processing for the protection of the public interest, processing that is necessary to fulfill other obligations imposed under the laws of the UAE, or processing that is necessary to perform a contract. Notably, the UAE Data Protection Law does not include an exception to consent that would allow for processing on the basis of a controller’s ‘legitimate interests’, as is common in data protection legislation in other jurisdictions.
Consent must be “specific, informed and unambiguous” and must be given by a statement or by a clear affirmative action in writing or electronic form. The data controller must be able to prove that the data subject gave consent to process his/her personal data, unless one of the exceptions applies. Data subjects may withdraw their consent at any time. In addition, before undertaking any data processing, data subjects must be provided with notice of:
- the purpose of processing;
- the sectors or organizations with which that personal data is to be shared;
- the protections in place for cross-border transfers; and
- the process for filing a complaint with the UAE Data Office.
Several standards and controls have been introduced in relation to the processing of personal data, none of which previously existed in relation to the collection or processing of personal data onshore UAE. In particular:
- processing must be made in a fair, transparent and lawful manner;
- personal data must be collected for a specific purpose;
- personal data may not be retained after fulfilling the purpose of processing, save where the identity of the data subject is anonymized;
- appropriate measures and procedures must be in place to ensure erasure or correction of incorrect personal data; and
- personal data must be kept securely and protected from any illegal or unauthorized processing.
Under the UAE Data Protection Law, data subjects are given (1) the right to request access to information that is being held on them; (2), the right to request the transfer of their personal data; and (3) subject to limited exceptions, the right to be forgotten (i.e., the erasure of personal data that is no longer required for the purposes for which it is collected or processed). In addition, the UAE Data Protection Law extends the protections already offered under the Unsolicited Electronic Communications Regulation and the Consumer Protection Law and gives data subjects the right to object to and stop the processing of his/her personal data if the processing is for direct marketing purposes or profiling.
Special protections are provided for “Sensitive Personal Data” and “Biometric Data.” For example, any organization processing a large amount of Sensitive Personal Data, or processing personal data in circumstances that would cause a high risk to the confidentiality and privacy of the data subject, must appoint a data protection officer responsible for ascertaining compliance by the data controller or data processor with the provisions of the UAE Data Protection Law. The data protection officer need not be based in the UAE and may be an external provider.
Cross-border data transfers to jurisdictions with an “adequate” level of protection are “pre-approved”, though the list of such “adequate” jurisdictions is not yet published by the UAE’s new national data privacy regulator. Transfers to jurisdictions where there is not an adequate level of protection will require compliance with the controls and requirements to be set out in the data protection regulations, and an agreement in place between the disclosing entity and the receiving entity obliging the receiving party to implement those requirements.
National Data Privacy Regulator
In parallel with the UAE Data Protection Law, the UAE will establish a national data privacy regulator, the UAE Data Office, whose responsibilities will include proposing and preparing policies and legislation related to data protection, issuing guidelines relating to data privacy legislation and establishing a grievance and complaints process for data subjects who object to the processing or storage of their data. Once the regulator is established, data breaches that are likely to result in a risk to the privacy, confidentiality or security of personal data will need to be notified to both the UAE Data Office and the affected data subjects. Notably, there is no materiality threshold for triggering the requirement to notify a data subject; rather, as drafted, any risk (rather than a high risk, as under the GDPR) to the privacy, confidentiality or security of personal data would trigger such a notification. A data controller who becomes aware of any infringement or breach of personal data is required to report the infringement or breach within a period to be established under the data protection regulations.
Organizations that fall within the scope of the law will have six months from issuance of the data protection regulations to prepare for compliance with the UAE Data Protection Law. The compliance deadline will likely be December 2022, and will be confirmed once the data protection regulations have been issued.