Following several years of discussions about the need for better protection of personal data in the UAE, the UAE government published in November 2021 Federal Law no. 45 of 2021 regarding personal data protection (the DP Law). This landmark piece of legislation is the first federal law in the UAE to regulate the processing of personal data in general and aims to bring the UAE’s standards for personal data protection to a level that meets international best practices and global standards. If you are familiar with the European Union’s General Data Protection Regulation (GDPR) you will find a large number of similarities, but also important differences.
The DP Law came into effect on 2 January 2022. However, its Executive Regulation (the “Regulations”), which is intended under the DP Law to address numerous important details, is outstanding. This should be issued by the end of March 2022 and the DP Law provides that as a data controllers and processors you will have a six month period following the issuance of the Regulation (i.e., to the end of September 2022) to comply with the DP Law and the Regulation.
The DP Law has an extra-terrestrial reach similar to GDPR. It applies to all your businesses processing personal data in the UAE (even if that personal data is related to a data subject outside of the UAE) and your businesses based outside of the UAE when processing personal data relating to data subjects within the UAE. Personal data under the law is defined as “any data related to a specific natural personal or related to a natural person that can be identified directly or indirectly by linking the data.” This includes:
Any data relating to an identified natural person or relating to a natural person who is directly or indirectly identifiable though data connection, by use of identification elements such as their name, voice, photo, an identification number, an electronic identifier, location data or one or more physical, physiological, economic, cultural, or social characteristics of such person, including:
For health, banking, and credit data the existing sector-specific laws and regulations will remain the solely applicable legislation. The processing of any such data shall not fall into the scope of the DP Law.
Also, the DP Law does not apply to:
The key concepts of the DP Law are very similar to the GDPR as well as the data protection legislations issued for DIFC and ADGM already. The DP Law differentiates between data controller and data processors, imposes a number of obligations on any entity processing personal data within the scope of the DP Law, sets out core principles for all processing activities, provides restrictions for cross-border processing of personal data, and grants the individuals who are protected under the DP Law (the Data Subjects) several rights.
The DP Law includes (although in less detail than the GDPR and not in entirely the same way) the same 7 core principles, for personal data processing to be:
It is noteworthy that unlike the GDPR the DP Law, as part of the transparency requirement, does not expressly require you as data controller to provide information notices to the Data Subject at the time when you collect the Personal Data.
The DP Law takes a slightly different systematic approach as to how you can establish a lawful bases for your processing activities. The default position is that the DP Law does not allow the processing of personal data without the explicit consent of the Data Subject unless one of the exception under the DP Law applies.
The consent as to be specific, clear and unambiguous, indicated through a clear positive action in writing or electronically. The Data Subject has to be informed that the consent can be withdrawn.
The exceptions that you can consider relying on include:
Unlike other international legislation, the Data Protection Law does not allow for processing on the basis of the data controller’s "legitimate interests". However, the DP Law has two more exceptions that are particularly interesting in employment and health insurance relationships. As you will also not need consent:
Data Subjects will have certain key rights as prescribed by and subject to the limitations outlined in the DP Law:
Similar to the requirements under GDPR, if your entity is a data controller or a data processor that meets any of the following criteria it will be required to appoint a DPO:
The DPO must have sufficient skills and know-how about personal data protection. It may be an employee of your company or an external party, which may be based inside or outside of the UAE. If your company or group of companies has an existing DPO based in Europe who currently monitors compliance with the GDPR then you may nominate the same person to be the DPO for your entity(ies) that are required to comply with the DP Law.
The DP law outlines several responsibilities of the DPO. At the same time is also obliges your entity as the data controller or processor for which the DPO acts, to provide the required resources to the DPO, not to assign tasks to the DPO that could create a conflict of interest to the DPO role, and also not to terminate or discipline the DPO for a reason relating to his/her performance under the DP Law.
Subject to approval of the UAE Data Office (which has been established under Federal Decree Law No. 44/2021 on Establishing the UAE Data Office) the DP Law allows for the transfer of Personal Data to those jurisdictions deemed to have an adequate level of data protection. Further details of the jurisdictions that have an adequate level of data protection are yet to be released by the Data Office. You may also be permitted to transfer Personal Data to a jurisdiction without an adequate level of protection in the instances where an exemption applies, for example, to countries that have a data protection agreement with the UAE to secure an equivalent level of data protection, where you have secured the explicit consent of the Data Subject. or where the Personal Data transfer is necessary for a contract with a Data Subject.
In the almost unavoidable case of a data breach, if the breach would cause prejudice to the privacy, confidentiality and security of "Data Subjects" Personal Data, as a data controller you are obliged to notify the Data Office. The details and applicable timeframes will be outlined in the Regulations. If your entity as the function of a data processor then you have to inform the controller immediately of any breach so that they can take the appropriate actions.
The penalties for violation of the DP Law are expected to be specified in the Regulations and the Data Office will be in charge for monitoring of all compliance elements.
If the DP Law is applicable to your company(ies) then you should review your current personal data processing activities and evaluate your current compliance situation. Doing so it is important to keep in mind that you may also need to comply with sector specific data protection legislation.
You should also create, maintain, and update records of Personal Data processing, keeping in mind that once compliance with the DP Law is mandatory, you will have to make such records available for inspection by the Data Office on request. Cross-border transfer activities require particular attention.
Identifying a legal bases for all your processing activities is very important bearing in mind that ‘legitimate interest’ available under GDPR is not a viable option under the DP Law. Processing activities for which no legal bases exist or can be established eg by seeking consent from the Data Subjects, will ultimately have to be ceased.
Developing appropriate policies and procedures to comply with the several obligations under the DP Law, the assessment on whether you are required to appoint a DPO and/or conduct a data processing impact assessment, as well as taking steps to ensure appropriate technical and organisational measures are in place to secure any Personal Data that you are processing will then have to follow.
While (at least) nine months may seem like a long time to get ready to comply with the new DP Law, experience with GDPR and other data protection legislation has shown that the steps to be taken are time consuming and require coordination between all part of the business. Please reach out to our team at Taylor Wessing in Dubai, we are available to support and guide you through the processes and prepare the appropriate documentation.