UAE enacts New Data Protection Law

Article by Tsaaro

7 min read

UAE enacts New Data Protection Law

The UAE Data Protection Law has been adopted after its announcement on 5 September 2021. UAE introduced a new Federal Data Protection Law (“UAE Data Law”) which is its first-ever comprehensive data privacy and protection law to be issued.  The new law forms part of the UAE’s Projects of the 50, a set of economic and developmental initiatives designed to mark the country’s 50th anniversary, and launches the next phase of the UAE’s growth, and introduces a number of major changes to data protection in the UAE affecting those who live in and have a business in UAE.

The UAE Data Law was developed in consultation with major technology companies. H.E. Omar Bin Sultan Al Olama, Minister of State for Artificial Intelligence, has stated that “every single data law on the planet” was considered when drafting the new legislation. The new law aims to be a “global law” that will provide international companies with a smooth mechanism for cross-border transfers, as well as have a low cost of compliance for Small & Medium size enterprises(SMEs).

This New Data Protection Law in the UAE includes some important aspects like:

  1. The right to be forgotten, the right of access, the right of correction, and the right to be informed, all of which are already included in EU GDPR, Dubai International Financial Centre (DIFC), and Abu Dhabi Global Market (ADGM) data protection laws;
  2. Consent obligations regarding the marketing of data by companies seeking to monetize data;
  3. Minimal restrictions on cross-border data flow or references to sensitive or restricted data; and
  4. Provisions for a new national data privacy regulator.

Background

As part of its 50th anniversary, the UAE has issued a set of sweeping legal reforms, including the much anticipated Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection (“PDPL”), which was issued on 26 September 2021. The PDPL, and the other laws forming part of this package, are part of an ambitious set of legal reforms intended to place the UAE at the forefront of digitization in the Middle East.

PDPL does not contain any major divergences from other well-known data protection regimes, including the GDPR. International businesses with global privacy compliance programs should seek to expand those to cover the UAE and achieve some synergies. However, businesses that are not used to compliance with laws like the GDPR may find some of the new obligations challenging, for example, the PDPL introduces rights for individuals to access; rectify; correct; delete; restrict processing; request cessation of processing, or transfer of data; and object to automated processing.  

There are also new requirements around transfers of data outside of the UAE and requirements to keep data secure and to notify the new data protection regulator and in some circumstances data subjects, of data breaches. With that said, the PDPL keeps intact existing laws within the UAE’s financial-free zones,  as well as applicable laws regulating health data and banking and credit data.  For this reason, the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the PDPL will need to be considered carefully.

Key Principles of the UAE Data Protection Law

UAE Data Protection Law introduces a number of key requirements and principles:

  1. To appoint a Data Protection Officer (DPO) who has sufficient skills and knowledge in data protection.
  2. A requirement to create “Record of Processing Activities” or “RoPA”.
  3. Data Subject Rights‘ (i.e. people to whom personal data belongs, like you and me).
  4. Mandatory data breach reporting. 
  5. The concept of “lawful basis for processing” like “consent” and requires entities to capture the consent of the Data Subject prior to processing it. 
  6. Privacy Notices” where entities must make it clear the process of Data Subject’s data.
  7. Data Protection Impact Assessments” (DPIAs) on processing activities.
  8. Cross-border data transfers” (i.e. transfers where data is transferred from one country to another).

Conclusion

According to United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications, the Data Protection Law will “guarantee personal privacies and the ability for the private sector to grow, innovate, and prosper. It gives individuals the right to be forgotten, the right of access, the right of correction, and the right to be informed.” The Data Protection Law is a step towards establishing a data protection regime in the UAE that would provide an adequate level of protection for the purposes of data transfers from the European Union and other regulated jurisdictions.

This article has been authored by Prajwala D Dinesh.

11 thoughts on “UAE enacts New Data Protection Law”

Leave a Reply

Your email address will not be published. Required fields are marked *

Shubham Bansal

INTRODUCTION: The Personal Data Protection Law No. 6698, known as Kişisel Verileri Koruma Kanunu (KVKK), is Türkiye’s landmark data protection …

Tsaaro Consulting

At the Singapore International Cyber Week 2024, The Cyber Security Agency (CSA) of Singapore released Guidelines on Securing Artificial Intelligence …

Tsaaro Consulting

The European Data Protection Board (EDPB) on 8th October 2024, issued draft Guidelines 1/2024 on processing of personal data based …

Tsaaro Consulting

Introduction   With data playing a pivotal role in business operations, ensuring data privacy compliance has become a key focus in …

Tsaaro Consulting

The FinTech industry has transformed the financial landscape, offering customers digital solutions that make banking, lending, insurance, and investing more …

Recent Comments

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them