The UAE Data Protection Law has been adopted after its announcement on 5 September 2021. The UAE introduced a new Federal Data Protection Law (“UAE Data Law”), its first-ever comprehensive data privacy and protection law. The new law forms part of the UAE’s Projects of the 50, a set of economic and developmental initiatives designed to mark the country’s 50th anniversary, launches the next phase of the UAE’s growth, and introduces a number of major changes to data protection in the UAE affecting those who live in and have a business in the UAE.
The UAE Data Law was developed in consultation with major technology companies. H.E. Omar Bin Sultan Al Olama, Minister of State for Artificial Intelligence, has stated that “every single data law on the planet” was considered when drafting the new legislation. The new law aims to be a “global law” that will provide international companies with a smooth mechanism for cross-border transfers, as well as have a low cost of compliance for small and medium-sized enterprises (SMEs).
The new Data Protection Law in the UAE includes some important aspects, such as:
- The right to be forgotten, the right of access, the right of correction, and the right to be informed, all of which are already included in EU GDPR, Dubai International Financial Centre (DIFC), and Abu Dhabi Global Market (ADGM) data protection laws;
- Consent obligations regarding the marketing of data by companies seeking to monetize data;
- Minimal restrictions on cross-border data flow or references to sensitive or restricted data; and
- Provisions for a new national data privacy regulator.
As part of its 50th anniversary, the UAE has issued a set of sweeping legal reforms, including the much-anticipated Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”), which was issued on 26 September 2021. The PDPL, and the other laws forming part of this package, are part of an ambitious set of legal reforms intended to place the UAE at the forefront of digitization in the Middle East.
The PDPL does not contain any major divergences from other well-known data protection regimes, including the GDPR. International businesses with global privacy compliance programs should seek to expand those to cover the UAE and achieve some synergies. However, businesses that are not used to compliance with laws like the GDPR may find some of the new obligations challenging. For example, the PDPL introduces rights for individuals to access, rectify, correct, and delete data; to restrict processing; to request cessation of processing or transfer of data; and to object to automated processing.
There are also new requirements around transfers of data outside of the UAE, as well as requirements to keep data secure and to notify the new data protection regulator, and in some circumstances data subjects, of data breaches. With that said, the PDPL keeps intact existing laws within the UAE’s financial free zones, as well as applicable laws regulating health data and banking and credit data. For this reason, the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the PDPL will need to be considered carefully.
Key Principles of the UAE Data Protection Law
The UAE Data Protection Law introduces a number of key requirements and principles:
- A requirement to appoint a Data Protection Officer (DPO) who has sufficient skills and knowledge in data protection.
- A requirement to create a “Record of Processing Activities” or “RoPA”.
- “Data Subject Rights” (data subjects being the people to whom personal data belongs, like you and me).
- Mandatory data breach reporting.
- The concept of a “lawful basis for processing”, such as “consent”, which requires entities to capture the consent of the Data Subject prior to processing their data.
- “Privacy Notices”, in which entities must make clear how the Data Subject’s data is processed.
- “Data Protection Impact Assessments” (DPIAs) on processing activities.
- “Cross-border data transfers” (i.e. transfers where data is transferred from one country to another).
According to the United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications, the Data Protection Law will “guarantee personal privacies and the ability for the private sector to grow, innovate, and prosper. It gives individuals the right to be forgotten, the right of access, the right of correction, and the right to be informed.” The Data Protection Law is a step towards establishing a data protection regime in the UAE that would provide an adequate level of protection for the purposes of data transfers from the European Union and other regulated jurisdictions.
This article has been authored by Prajwala D Dinesh.