This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Ashish Mehta

Founder & Managing Partner, Ashish Mehta & Associates

Quotation Marks
"the PDL does not cover certain areas, such as governmental data processors, personal data possessed by security or judicial authorities, or self-processing of personal data by the data subject."

Personal data protection in the UAE

International
Share:
Personal data protection in the UAE

By

Ashish Mehta examines the data protection regime under the new federal personal data protection law in the UAE

Personal data is precious, and it must be protected at all costs. This is no longer an overstatement. From businesses to lawmakers, the importance of personal data protection has gained recognition in phases, and rightly so, around the world. Keeping up with this trend, countries around the world have been implementing legislations and legal frameworks to ensure the protection of individuals’ personal data.

In 2021, in its 50th year as a nation, the United Arab Emirates (UAE) introduced the Federal Decree-Law No. 45/ 2021 regarding personal data protection law (the DPL). This marked first time a federal law was introduced on personal data protection in the country. However, the subject per se is not new in the UAE as the Dubai International Financial Centre (DIFC), a financial free zone in the UAE, has had own version of personal data protection law prior before the DPL. The DPL officially came into effect on 2 January 2022.

Application of the DPL

In line with similar laws on the subject, the DPL extends beyond the UAE’s borders. Any entity (within or outside the UAE) processing personal data of a ‘UAE data subject’ (ie with domicile or place of business in the UAE) automatically becomes subject to the provisions of the DPL.

Nevertheless, the PDL does not cover certain areas, such as governmental data processors, personal data possessed by security or judicial authorities, or self-processing of personal data by the data subject. Also excluded are health personal data and banking and credit personal data which are subject to other legislations. Entities in freezones with their own personal data protection laws eg the DIFC and ADGM (Abu Dhabi Global Market) are not covered by the DPL.

The DPL defines personal data as information pertaining to an identified natural person or a natural person who can be identified directly or indirectly, through data linking, using identifiers such as their name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, culture or social characteristics. This definition further includes sensitive personal data such as race, ethnicity, political views, religious beliefs, criminal records and biometric data.

Consent and obligations

By the DPL’s provisions, the personal data of UAE data subjects cannot be processed without the consent of the data owner or the data subject. This consent must be specific, clearly stated and unambiguous. It requires the data subject to affirm their understanding of the data being submitted for processing and the purposes for which the data shall be used by the controller (at whose disposal the data shall be), among other things. Under the DPL, UAE data subjects possess several rights, including the right to receive information from controllers, request data transfer, seek corrections and deletion of their data, restrict processing, raise objections to data processing, and object to automated processing.

The DPL requires all data processing entities (the ‘processors’) to appoint their own 'Data Protection Officer.' This officer will be responsible for ensuring the protection of personal data with the entities and also to address concerns raised by the data subjects regarding their personal data.

The processors must also have clear and transparent records of the purposes for which they may obtain personal data. They must also carry out assessments in terms of consequences and impact of usage of any technology or tools in processing or storage of personal data, particularly whether they would pose any risk to the personal data at their disposal.

However, it is important to note that processing personal data of UAE data subjects for marketing purposes may be done only with the clear consent of the data subject.

Further obligations

Further regulations and by-laws pertaining to the DPL are expected to come in, with time. Such regulations shall further clarify the position of controllers and as to what compliance requirements they must fulfil.

Nonetheless, per the current DPL provisions, the processors have the following obligations:

·        Information Obligations: Processors must inform data subjects about the data controller and the data protection officer in the entity, description of the categories of personal data the entity processes, purpose(s) of the processing., They must also disclose details about persons accessing the personal data, retention period and limits of the processing of the personal data, erasure or rectification of personal data, and cross border data transfers if applicable. Additionally, processors need to communicate information about technical and organizational measures used to secure personal information, controls and standards of storage of data, safeguards for cross-border data transfer, actions to be taken in case of personal data breaches and the process for lodging a complaint with the UAE Data Office.

·        Third-party processors: If a data controller needs to share personal data with a third party for processing, the controller must also ensure that there are firmly drafted contracts in place with such third parties. These contracts should include specific information about the data processing, such as the scope, purpose and the type of personal data processed, and clear demarcations of the obligations, responsibilities and the roles of the processor.

UAE Data Protection Office

The DPL along with the Federal Law No 44/2021 prescribes for the establishment of a UAE Data Office. A data office as such, shall be the federal (ie of the UAE cabinet) regulatory authority governing data controllers and data processors responsible for processing personal data of UAE data subjects.

It is learnt that the UAE Data Office is currently being set up and further details are expected to come in soon. The UAE Data Office shall be responsible for: preparing policies and legislations regarding data protection, proposing and approving standards for monitoring the DPL, establishing systems for handling complaints and grievances related to personal data processing, and issuing guidelines and instructions for implementing the DPL.

Impact of the DPL

It has been little over a year since the DPL came into effect in the UAE. The impact and effects of the law have started to show in contracts and other legal documents drafted in the country. Previously, contracts with cross-border or multi-jurisdictional applications used to have a clause on personal data protection, whereby the contracting parties would agree to abide by the provisions of the GDPR or the California Consumer Privacy Act. Following the DPL’s implementation, contracts domestic or multi-jurisdictional prepared in the UAE, whether domestic or multi-jurisdictional, have started to incorporate clauses on personal data protection, with a specific reference to the DPL.

Notably, entities in the UAE have also been carefully assessing their obligations under the DPL and have accordingly started to create necessary frameworks for compliance.

Conclusion

The UAE’s personal data protection law was drafted in consultation and participation of a myriad number of experts from various backgrounds, in addition to the lawmakers themselves.  The legislation draws upon similar laws and global standards on the subject of personal data protection, to ensure that the UAE’s approach is both robust and balanced. Data protection and privacy are also covered generally under other federal laws of the United Arab Emirates.

Ashish Mehta, is the founder and managing partner at Ashish Mehta & Associates, Solicitors amaLawyers.com