The United Arab Emirates recently passed a collection of legislative reforms to bring its economic and commercial development goals into alignment with international best practice. This strategic review of regulations for data protection, electronic transactions and trust services, industrial property rights, copyrights, trademarks, and other commercial and social topics was prompted by the country’s 50th anniversary, with the aim of proactively strengthening the country’s legal foundation for future growth.
One of the nearly 50 legislative additions to the UAE’s federal laws is №45, the Personal Data Protection Law (PDPL), which was announced in December 2021 and came into effect on January 2, 2022. The law will be accompanied by Executive Regulations that provide additional technical and operational details on complying with the Data Protection Law; their publication will trigger a 6-month grace period within which companies must bring their operations and processes into compliance with the regulation. The accompanying Executive Regulations are expected in spring 2022. Supporting the Data Protection Law (№45) is Law №44, which establishes the UAE Data Office, the data protection regulatory authority that will operationalize the Data Protection Law’s requirements.
This law will elevate and standardize data protection for companies operating in the UAE and handling personal data from the UAE. As in many other regions, organizations in the UAE often have little visibility into the corporate data that is collected, stored, and transferred, which creates risks of data breaches and of losses due to ransomware; investigations from 2021 indicate that only approximately 31% of the data stored by the participating UAE companies is critical to business operations, leaving 69% as redundant, obsolete, trivial, or shadow data that presents significant risk.
This is the first federally applicable data protection law in the UAE. Other data protection laws have been established in some of the many financial free zones in the UAE, where their applicability is limited to the free zone that passed it, for example in the Dubai International Financial Centre (DIFC) or the Abu Dhabi Global Market (ADGM). While the new law does not apply to these financial free zones (existing data protection laws enforced in each free zone still stand), it takes important steps to create alignment between data protection practices in the EU and ‘global best practice’, closely oriented around the EU’s GDPR.
The United Arab Emirates (hereinafter referred to as “U.A.E”) Cabinet Office on 27 November 2021 announced that the President of the UAE, His Highness Sheikh Khalifa bin Zayed Al Nahyan, has approved wide-ranging reforms to the country’s legal system, including the enactment of Federal Decree-Law №45 of 2021 regarding personal data protection (hereinafter referred to as the “Personal Data Protection Law”) among a set of other legislation, in order to strengthen the economy, investment, and commercial opportunities, in addition to maximizing social stability and security and ensuring the rights of both individuals and institutions. The new legislation is the first federal law of its kind in the UAE and is aimed at regulating the collection and processing of personal data in the country.
Prior to the legislation, only the Dubai International Financial Center (hereinafter referred to as the “DIFC”) and Dubai Healthcare City (hereinafter referred to as the “DHCC”), both free trade zones in the Emirate of Dubai, and the Abu Dhabi Global Market (hereinafter referred to as the “ADGM”), in the Emirate of Abu Dhabi, had formal data protection regimes. At the federal level, there was no unified set of privacy or data protection legislation, and there was no single national data privacy regulator. Federal Decree-Law №45 of 2021 regarding the Protection of Personal Data is part of the proposed legal reforms. The law covers the processing of personal data belonging to data subjects within the UAE, regardless of the location of the data controller or data processor, and includes comprehensive requirements for controllers and processors, conditions for valid consent, data subject rights, notification of data breaches to the Data Office, appointment of DPOs for controllers and processors, and the implementation of technical and organizational measures to support data security.
Federal Decree-Law №45 of 2021 - Personal Data Protection Law
The Personal Data Protection Law creates a framework to protect the privacy of individuals (i.e. data subjects) and ensure confidentiality by obligating organizations that fall within its scope to implement appropriate governance for the management and protection of personal data. It is expected to be published in the Official Gazette on 2 January 2022, meaning that Executive Regulations are expected within six months from this date and companies must comply following a 12-month transition period, concluding on 2 January 2023. The legislation aims to protect “personal data”, which is defined under Article 1 to mean:
“any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”
Personal data is expressly said to include “sensitive personal data” and “biometric data”, as well as an individual’s name, voice, image, identification number, electronic identifier and geographical location.
Scope and Applicability
The Personal Data Protection Law has extra-territorial jurisdiction and shall apply to any organizations (both established within or outside the UAE) that process personal data of data subjects inside or outside the UAE.
Although the Law does not apply to public entities (i.e. government data, government entities that control or process personal data, and personal data held by security and judicial authorities), to free zones with their own data protection legislation (notably the Dubai International Financial Center and Abu Dhabi Global Market), or to health data (i.e. health personal data regulated by the ICT Healthcare Law (Law №2 of 2019)) or credit data governed by existing sectoral legislation, it repeals all laws which conflict with its provisions.
The provisions of this law apply to:
Any Data Subject who resides in, or has a place of business in, the UAE;
Any firm carrying out the processing of personal data inside or outside the UAE as a controller or processor;
Any firm located outside the UAE that carries out activities of processing data inside the UAE.
The Personal Data Protection Law aims at providing proper governance for optimal data management and protection, in addition to defining the rights and duties of all concerned parties and shall be applicable to the processing of personal data, whether all or part of it through electronic systems, inside or outside the country. The main features of the Personal Data Protection Law are as follows:
Consent: The Personal Data Protection Law prohibits the processing of personal data without the consent of its owner, with the exception of some cases in which the processing is deemed necessary to protect the public interest, the processing relates to personal data that has become available and known to all by an act of the data owner, or the processing is necessary to carry out legal procedures or exercise legal rights. Hence it provides for “opt-in” requirements. Consent needs to be specific, clear and unambiguous and in the form of a clear positive statement or action.
Data subject rights: Under the new legislation the Data subjects have a number of rights with respect to their personal data, including:
the right of access, i.e. the right to receive information from a controller;
the right to request the transfer of their personal data;
the right to be forgotten, i.e. the right to have their personal data corrected or erased;
the right to restrict the processing of personal data in certain cases;
the right to object to certain types of data processing; and
the right to object to automated processing.
Data Protection Officer: The Personal Data Protection Law obligates, under certain circumstances, companies to appoint a Data Protection Officer (hereinafter referred to as the “DPO”) who could be an employee of the company or an external party based inside or outside the UAE.
Purpose limitation: The new law obligates entities collecting personal data to make clear the purpose for which it is collected and used, and to limit the processing to what is necessary in accordance with the purpose for which the processing is carried out.
Impact assessment: The Personal Data Protection Law obligates organizations using technologies posing a high risk to the privacy and confidentiality of the data subjects, to carry out an impact assessment on the protection of personal data. The law also sets out the minimum information that should be included in an impact assessment.
UAE Data Office
The Personal Data Protection Law provides (under a separate statute) for the setup of the UAE Data Office, which will act as a single national data privacy regulator with the ability to exempt certain organizations that do not process a large volume of personal data from some or all of the requirements prescribed by the Data Protection Law, in accordance with the standards and controls to be set out in the executive regulations. The UAE Data Office shall be responsible for i) proposing and preparing policies relating to data protection; ii) proposing and approving the standards for monitoring the application of federal legislation regulating personal data; iii) preparing and approving systems for complaints and grievances; and iv) issuing guidelines and instructions for the implementation of data protection legislation.
Next Steps for Companies
Organizations that already comply with the GDPR in relation to the data processing that is in scope of the Data Protection Law will need to take fewer additional compliance steps. However, these organizations still need to consider the nuances of the Data Protection Law and take steps, including those below, to comply:
Review the scope of processing subject to sector or free zone-specific data protection laws
Establish another legal basis for processing that relies on legitimate interests under the GDPR
Update the record of processing activities to comply with the specific requirements of the Data Protection Law
Ensure the organization can comply with data breach reporting requirements
Appoint a DPO for the UAE, if the organization carries out certain high-risk processing
Review data transfers from the UAE to determine if an exception can be relied on or if the recipient is located in a country approved by the UAE Data Office
Organizations that have not already developed a compliance framework in line with the GDPR, or have not extended it to their UAE-related data processing activities, will need to carry out a more comprehensive data protection compliance program. These organizations should take the steps listed above and additional steps, including those below, to comply:
Put in place a legal basis for each processing activity, including reviewing and updating current methods of collecting consent to ensure they meet the specific requirements of the Data Protection Law
Establish measures to comply with the data protection principles as well as data subject rights requests
Create a record of processing activities
Review processing activities carried out by data processors, and situations in which the organization acts as a data processor on behalf of others
Ensure appropriate technical and organizational measures are in place to secure data
Prior to processing, provide data subjects with transparency information on the purposes of processing, data sharing, and data transfers
Carry out data protection impact assessments in relation to certain high-risk processing