
UAE enacts its first Federal Data Protection Law

  • UAE
  • Commercial agreements
  • Privacy, data protection and cybersecurity
  • Telecoms

08-12-2021

General Overview of the Data Protection Law

In line with the United Arab Emirates’ 50th anniversary, forty new federal laws have been approved. This represents the biggest legislative reform in the history of the United Arab Emirates (“UAE”). The reforms include the introduction of a federal data protection framework with the approval of Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “Data Protection Law”) and Decree-Law No. 44 of 2021 on the Data Protection Office (“DPO”) Establishment (the “DPO Law”).

Both laws were issued on 20 September 2021. The DPO Law took effect on 21 September 2021, and the Data Protection Law will take effect on 2 January 2022. The Implementing Regulations, which will provide more detailed provisions for the Data Protection Law, are anticipated to be issued around March 2022. In the meantime, we set out below a high-level summary of the main points.

1.1 Who Does The Law Apply To?

The Data Protection Law applies to all UAE residents or those working there, and to the processing of personal data by controllers or processors inside the UAE. It also applies to controllers and processors outside the UAE if the data subjects are in the UAE. The Data Protection Law does not apply to government data, or to government entities controlling or processing personal data. This exception diverges from the approach taken by the GDPR but is similar to other data protection laws in the region, including most recently the Saudi Data Protection Law, which came into force on 24 September 2021.

The Data Protection Law further excludes from its scope (i) personal data held by judicial and security authorities; (ii) personal processing of a person’s own data; and (iii) processing regulated under existing legislation (including health data, personal banking and credit data, and free-zone companies and institutions subject to relevant data protection legislation). The DPO will also have powers to exempt entities that do not process a large volume of personal data from part or all of the requirements of the Data Protection Law, in accordance with the criteria and controls to be set out in the Implementing Regulations.

1.2 What Are the Fundamental Obligations?

Data Owner’s Consent

The Data Protection Law prohibits the processing of personal data without the data owner’s express and unambiguous consent. Furthermore, the data subject is permitted to withdraw their consent by use of simple and straightforward procedures. Similarly, the data subject can consent to the cross-border transfer of his/her personal data even if the recipient country does not have an adequate data protection framework.

There are a limited number of grounds which allow for processing without consent, including where necessary to protect the public interest, the data subject or public health; where the data has been made freely available by the data owner; or for judicial or security proceedings.

This emphasis means that data owner consent will become crucial to many, if not most, processing activities in future, and organisations should start planning their implementation and roll-out of appropriately scoped data consents.

Obligations on Controllers and Processors

There is an extensive range of obligations which apply to controllers and processors. These include taking the necessary actions to safeguard the confidentiality, privacy and security of the data, and implementing appropriate supporting security measures. Controllers and processors must provide information to the data owner to identify the scope of the processing and to ensure that the necessary consents, aligned to this scope, are in place. There are record-keeping obligations as well as the requirement to notify data breaches.

Transferring Personal Data Outside UAE

The Data Protection Law provides that cross-jurisdictional transfers of data will be approved by the DPO if the recipient country has appropriate legislative protections and controls for the safeguarding of data, or where there is a bilateral or multilateral treaty relating to the protection of personal data. In the absence of this level of protection, personal data can still be transferred if certain conditions are met, such as the recipient agreeing to contractual terms that require it to comply with the requirements of the Data Protection Law, or with the consent of the data owner.

Rectifying and Destroying Personal Data

The Data Protection Law provides data owners with the right to request the rectification of inaccurate data, which the controller must comply with without undue delay. Moreover, there are several obligations on the controller to delete personal data in certain circumstances, such as where the data owner objects to the processing or withdraws consent, or where the personal data is no longer necessary for the purpose for which it was collected.

The controller can refuse the request for deletion in certain limited cases, such as if the data is required to be preserved for compliance with another law.

Data Protection Officer

The Data Protection Law requires that the controller or processor appoint a data protection officer (the “Officer”) if the processing (i) is high risk; (ii) involves detailed assessment or high volumes; or (iii) is of sensitive personal information. Such an Officer may be an employee of the controller or processor, or merely authorised by them, regardless of whether they are inside or outside the UAE. The roles and responsibilities of the Officer listed in the Data Protection Law are extensive. They revolve around ensuring compliance by the controller or processor with the Data Protection Law, its Implementing Regulations and the DPO’s instructions.

For instance, the Officer is tasked with providing technical advice on the controller’s/processor’s evaluation procedures, and with periodically examining their protection systems and documenting the results. The Officer is also tasked with acting as a liaison between the controller/processor and the DPO. Interestingly, the Data Protection Law opens up a line of communication directly between the data owner and the Officer on all matters related to the former’s personal data and his/her ability to exercise the rights provided in the Data Protection Law. The Officer should have sufficient skills and knowledge to perform these responsibilities.

Role of the Data Protection Office (DPO)

The new data protection obligations will be monitored and policed by a dedicated DPO affiliated to the Cabinet of Ministers. The DPO has an extensive range of competencies, including being mandated to draft and implement policies, strategies and legislation relevant to data protection and to monitor for compliance. Most significantly, the DPO will be the formal body to which data breaches must be reported.

Notification of Breaches

Similar to the Saudi Data Protection Law, the breach notification provisions are stricter than many international laws, with a requirement to notify “as soon as they become aware” rather than within a specified period. It is possible that the notification process will be further clarified by the Implementing Regulations. The Data Protection Law provides certain mechanisms to file complaints in case of breaches. Such complaints must be filed before the DPO, and administrative penalties will be imposed for breaches.

Processing of Personal Data for Marketing Purposes

Under Article 17, data owners have the right to object to their data being used for direct marketing purposes, including profiling relevant to direct marketing.

Summary

Many of these provisions are similar to aspects of the EU GDPR. However, there are significant differences in many cases, and organisations which will be subject to the UAE Data Protection Law should ensure that they have, or put in place, procedures for processing personal data which comply with the law and with the additional requirements to be set out in the Implementing Regulations.

This update was authored by Nasser Ali Khasawneh, Geraldine Ahern, Christine Khoury and Rand Shahin (Trainee Solicitor).