UAE issues landmark personal data protection law

The UAE has issued new legislation to regulate the collection and processing of personal data in the country. This long-awaited development is in line with wider international practices in protecting the privacy of individuals and personal data. In this article, we provide an initial commentary on the implications of this important development, which will be the first comprehensive federal data privacy law in the UAE.

What is the new law?

Federal Decree-Law No. 45 of 2021 regarding personal data protection (the Data Protection Law) was announced by the UAE Cabinet Office on 27 November 2021, along with several other significant legislative changes introduced as part of an unprecedented legal reform programme in advance of the UAE’s Golden Jubilee.

The Data Protection Law creates a framework to ensure confidentiality and to protect the privacy of individuals (i.e. data subjects) by requiring organisations that fall within the scope of the Data Protection Law to implement appropriate governance for the management and protection of personal data.

A single national data privacy regulator – to be known as the UAE Data Office – will be established under a separate statute to regulate the implementation of the Data Protection Law. The UAE Data Office will be responsible for a wide range of tasks that include:

• proposing and preparing policies relating to data protection;
• proposing and approving the standards for monitoring the application of federal legislation regulating personal data;
• preparing and approving systems for complaints and grievances; and
• issuing guidelines and instructions for the implementation of data protection legislations.

Who and what is within the scope of the Data Protection Law?

The Data Protection Law is designed to protect “personal data”, which is “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. This expressly includes an individual’s name, voice, image, identification number, electronic identifier, and geographical location. It also includes sensitive personal data and biometric data.

The Data Protection Law will have extra-territorial reach, similar to the EU General Data Protection Regulation (GDPR) and the recently-issued Personal Data Protection Law in Saudi Arabia. It will apply to any organisation that is established in the UAE and processes personal data of data subjects inside or outside the UAE, as well as any organisation that is established outside the UAE and processes personal data of data subjects inside the UAE. Unlike the Saudi legislation, the Data Protection Law does not link the extra-territorial reach to the residency of data subjects: “inside” the UAE appears to suggest that the Data Protection Law applies to any processing of personal data of data subjects who are physically located in the UAE.

The Data Protection Law will not apply to government data, government entities that control or process personal data, personal data held by security and judicial authorities or any processing of personal data for personal purposes. Additionally, the Data Protection Law does not apply to: (i) health personal data regulated by the ICT Healthcare Law (Law No.2 of 2019); (ii) banking personal data that is subject to laws regulating the protection of such data; and (iii) companies and establishments located in free zones in the UAE that have a specific legislation on data protection, such as Dubai International Financial Centre and Abu Dhabi Global Market. Accordingly, it is clear that the federal Data Protection Law will operate alongside – but not replace – the existing free zone regimes.

The Data Protection Law also provides the UAE Data Office with the ability to exempt certain organisations that do not process a large volume of personal data from some or all of the requirements prescribed by the Data Protection Law in accordance with the standards and controls to be set out in the executive regulations.

What are the main features of the Data Protection Law?

Many of the features of the Data Protection Law are consistent with international data protection laws. By way of example:

• Legal bases: The Data Protection Law prohibits the processing of personal data without the consent of the individual (i.e. the data subject), unless an exception applies. For example, processing will be permitted if the processing is necessary to execute a contract with a data subject; to comply with legal obligations; to protect public interest; or if it is necessary for the purpose of the controller or data subject to carry out obligations and exercise their rights in the field of employment or social security. However, the Data Protection Law does not allow for processing on the basis of a controller’s “legitimate interests” as found in other international legislation.
• Consent: The Data Protection Law includes a similar requirement for “opt-in” consent as contained in the GDPR. Consent needs to be specific, clear and unambiguous and in a form of a clear positive statement or action.
• Data subject rights: Data subjects will have a number of rights under the Data Protection Law with respect to their personal data, including: (i) the right to receive information from a controller (i.e. right to access); (ii) the right to request the transfer of their personal data (which is broadly consistent with the right to data portability under the GDPR); (iii) the right to have their personal data corrected or erased (i.e. the right to be forgotten); (iv) the right to restrict the processing of personal data in certain cases; (v) the right to object to certain types of data processing (for example, if it is intended for the purpose of direct marketing or scientific and statistical research); and (vi) the right to object to automated processing. Controllers are required to put in place a mechanism for communicating with data subjects.
• Data Protection Officer (DPO): Companies will need to appoint a DPO under certain circumstances. The DPO may be an employee of the company or an external party who may be based inside or outside the UAE. Companies who have DPOs based in Europe for compliance with the GDPR could use the same individual to fulfil a similar role in relation to the UAE, although we would strongly recommend that any such person is suitably upskilled to understand the local requirements and is available to support the UAE business during local working hours. It is likely that organisations will need to have local privacy leaders and champions to adequately implement the necessary changes and support the UAE business, particularly in data-heavy organisations.
• Marketing: There is no obvious exception to the requirement for a data subject’s consent that would apply to the use of personal data for marketing purposes. Accordingly, organisations may only use such data for marketing purposes with the consent of the data subject. They will also need to incorporate opt-out mechanisms to allow data subjects to withdraw their consent or object to receiving marketing communications.
• Purpose limitation: Organisations are required to make clear the purpose for which personal data is collected and used, and to limit the processing to what is necessary in accordance with the purpose for which the processing is carried out.
• Impact assessment: Organisations are required to carry out an impact assessment on the protection of personal data when using any modern technologies that would pose a high risk to the privacy and confidentiality of the data subjects. The Data Protection Law sets out the minimum information that should be included in an impact assessment.

How does it differ from other international laws?

While the Data Protection Law contains many principles and requirements that are similar to the GDPR and other data protection laws around the world, there are a number of unique aspects that sets the Data Protection Law apart from others:

• Data breaches that are likely to result in a risk to the privacy, confidentiality and security of personal data must be notified to the UAE Data Office and to affected data subjects within a period that will be specified in the executive regulations that will follow in due course. Unlike certain other data protection laws (such as the GDPR), there does not seem to be a materiality threshold or higher bar for notifications to data subjects – the GDPR only requires data subjects to be notified if the breach is “likely to result in a high risk” to the individuals’ rights and freedoms. Under the UAE legislation, the controller is required to provide the UAE Data Office with the findings of any investigation, as well as other information about the breach and its effects.
• Personal data may be transferred outside the UAE to states or territories that offer an adequate level of protection but subject to the approval of the UAE Data Office. It is unclear at present whether this approval will need to be sought after the controller has made its own assessment of the level of protection or if the UAE Data Office will designate approved countries for data transfers similar to the adequacy decisions made by other international regulators. In the absence of an adequate level of protection, there are derogations listed that allow for transfers in certain situations. Some of these will be familiar to companies operating under the GDPR, such as transfers that are necessary for the performance of a contract with, or in the interests of, the data subject or transfers necessary for establishing legal claims. Transfers may also occur with the express consent of the data subject provided that the transfer does not conflict with the public and security interests of the UAE. This national security assessment does not feature in the GDPR but has been seen in other recent data protection legislation elsewhere in the Middle East.
• The Data Protection Law requires only a limited amount of information to be provided to data subjects before processing their personal data, compared to the more detailed privacy notices requires under the GDPR. Such information is limited to (i) the purpose of processing; (ii) any recipients or categories of recipients with whom the personal data will be shared, whether inside or outside the UAE; and (iii) safeguards for cross-border personal data processing. Data subjects have the right to receive further information by submitting a request to the controller and controllers should provide specific information, such as the type of data that is processed, procedures for exercising their rights and how to lodge a complaint. There is also a requirement to provide data subjects with “clear and appropriate means and mechanisms” to enable the data subject to communicate with the controller and exercise any of his/her rights, which will likely be satisfied by providing contact information through relevant channels.
• Similar to the GDPR, third party data processors are required to act on the instructions of a controller and implement contracts with the controller for the processing of personal data, which should include specific information about the data processing (such as the scope, purpose and the type of personal data processed). However, where there is more than one processor participating in the processing of personal data, the Data Protection Law expressly requires such processing to be carried out in accordance with a contract, which should clearly define the obligations, responsibilities and the roles of each processor. Otherwise, the processors shall be jointly responsible for the obligations and responsibilities contained in the Data Protection Law. The executive regulations will specify the procedures, controls, conditions and technical standards related to the processor obligations, and it may be that further clarity will be provided as to the contracts that should be put in place with processors, and whether they should include specific obligations (such as those required by Article 28 of the GDPR).
• The Data Protection Law requires controllers and processors to maintain a “special record for personal data”. While the concept of a record of processing activities (or ROPA) is found in the GDPR and elsewhere, further detail is required in the UAE equivalent than in many international laws. For example, details of persons authorised to access the personal data and the mechanisms for erasing, modifying or processing personal data need to be specified. 

What are the penalties for non-compliance?

The Data Protection Law does not expressly state the penalties that will apply for breaches of the Law. The level of sanctions will be specified in subsequent executive regulations, including any administrative penalties that may be imposed. It is unclear whether those regulations will contain a schedule of fines (and other sanctions) for different violations or simply specify a maximum amount with more discretion available to the UAE Data Office and the Courts.

What happens next?

The Data Protection Law is stated to take effect from 2 January 2022, although it also anticipates further executive regulations that will clarify various aspects (including the scope and level of sanctions). Controllers and processors will then have a period of six months from the date of issuance of such regulations to adjust their status and comply with the Data Protection Law.

All businesses operating in the UAE, or that are based outside the UAE but process personal data of data subjects located in the UAE, will need to assess their activities and make changes to align with the Data Protection Law as quickly as possible. We have previously issued tips for enterprises on how to create an effective privacy framework and worked with many organisations to help them implement the required processes and policies for compliance.