The PDPL and the GDPR: A Comparison

Both the UAE Personal Data Protection Law and the GDPR have a number of similarities as well as some differences. Under both sets of rules, processing personal data requires obtaining consent from the individual whose information is being processed, limiting the collection and use of such data to predefined and allowed goals, and using suitable controls to prevent unauthorized access to the information. Nevertheless, the General Data Protection Regulation (GDPR) provides extra particular restrictions on the rights of data subjects, such as the right to have one’s data deleted, the right to have one’s data moved to another location, and the right to object to having one’s data processed. In contrast, the UAE PDPL requires both the competent authorities and impacted persons to be notified in the case of a data breach. Moreover, the UAE PDPL requires the appointment of a data protection officer.

The UAE Personal Data Protection Law (PDPL) has more rigorous regulations than the CCPA does regarding the adoption of acceptable security measures to protect personal data and the obtaining of data subject approval. The California Consumer Privacy Act (CCPA) does, however, include more specific requirements on the rights of data subjects. These rights include the rights to know what personal information is being collected, the right to seek deletion of personal information, and the right to opt-out of the sale of personal information.

The PDPL’s common criticisms

If an organization has a presence in the United Arab Emirates (UAE), it is required to take efforts to ensure that it complies with the UAE PDPL; otherwise, the organization runs the risk of experiencing legal and reputational penalties.

The United Arab Emirates’ Personal Data Protection Law has come under fire for allegedly including wording that is unclear in key areas, which may result in uneven application of the law. For example, It requires that data controllers get approval from data subjects before processing their personal data. However, it does not clarify what sort of consent is valid or whether or not it must be explicit or whether it might be implicit.

Another criticism is that it does not go into sufficient depth to protect the rights of data subjects, such as the right to deletion and the right to data portability. These are issues that are addressed in greater depth by other data privacy frameworks, such as the General Data Protection Regulation (GDPR). It’s possible that this will put people living in the UAE at a disadvantage in comparison to other people all around the world who are also data subjects.

In addition, there are skeptics who are concerned about the prospective effects that the PDPL might have on businesses headquartered in the UAE, particularly small and medium-sized enterprises (SMEs), who may find it difficult to fulfill the new requirements and incur substantial costs in the process of doing so. The PDPL has been viewed with skepticism since it introduces yet another set of laws for businesses operating in the United Arab Emirates. This has raised concerns that it may reduce the amount of money invested in the country by outside parties.

Despite the fact that the PDPL has been criticized, it is still a significant step in the right direction towards preserving the privacy and rights of data subjects in the UAE. It is likely that more advice and revisions will be made in order to address some of the problems that have been pointed out.