The New UAE Data Protection Law Explained!

Introduction

Over the last 15 years, the United Arab Emirates (UAE) has become a significant technology and innovation hub, attracting foreign global tech giants (e.g. Microsoft, which installed cloud data centres in the UAE in 2020, and Amazon Web Services, which is currently building data centres in the UAE) as well as a large number of tech startups. In 2020, of the $577 million of funding that the MENA region attracted, UAE start-ups amassed 56 per cent of all capital invested.

However, up until November 2021, the UAE only had in place local (free zone level) data protection/privacy laws or regulations, inspired by the EU's General Data Protection Regulation (GDPR), in its two main financial free zones, namely the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). The DIFC Data Protection Law No. 1 was enacted in 2007, and the ADGM Data Protection Regulations were adopted in 2015.

Both the DIFC and ADGM laws/regulations were later replaced by new ones, namely the DIFC Data Protection Law No. 5 of 2020 and the ADGM Data Protection Regulations 2021. In other words, until recently the UAE had no standalone nation-wide data protection law applicable throughout its entire territory.

Against that background, on November 27, 2021, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) was enacted. This new law is the first comprehensive federal data privacy and protection law to apply UAE-wide, and it aims to create a legal framework that ensures the effective governance of the collection and management of personal data. The PDPL brings the UAE's federal data protection regime in line with modern global data protection and privacy standards, including the EU's GDPR.

The PDPL comes into effect on January 2, 2022. However, businesses (data controllers and/or processors) to which the PDPL applies will have six months from the issuance of the executive regulations (which will explain how the PDPL is to be implemented and complied with) to become fully compliant, i.e. roughly by the end of 2022.

In this post we will summarize some of the key components of the PDPL, and outline its major provisions.

1. Scope of the PDPL

1.1 Law with Extra-Territorial Reach: The PDPL applies to all businesses that process personal data in the UAE (regardless of whether the data subjects are inside the UAE or not), and to businesses based abroad that process personal data relating to data subjects who are inside the UAE. In other words, the PDPL has extra-territorial reach, similar in that regard to the GDPR.

1.2 Exceptions/Exclusions

1.2.1 The PDPL does not apply to government data: government authorities that control or process personal data, and personal data held by security and judicial authorities, fall outside its scope.

1.2.2 The PDPL also does not apply to the processing of personal data for personal purposes or transactions, nor to personal health data or personal banking data, as separate laws regulate the protection of those specific categories of data.

1.2.3 The PDPL does not apply to entities based in UAE free zones (e.g. DIFC or ADGM) that have their own data protection and privacy laws (as mentioned above). While the PDPL is expected to operate in parallel with the existing free zone regimes, it is still not clear how the different data protection regimes in the UAE (federal level versus free zone level) will interact with one another.

2. Key Notable/Distinctive Features of the PDPL

2.1 Lawful Bases for Processing Personal Data

Under Articles 4, 5 and 6 of the PDPL, personal data may only be processed with the consent of the data subject, except in limited circumstances. These exceptions cover processing that is:

- necessary to execute a contract to which the data subject is a party;

- required to protect the public interest;

- related to data already in the public domain;

- required for filing or defending against legal proceedings;

- necessary for certain medical purposes, including assessing one's ability to perform work, medical diagnosis, providing health or social care, health insurance services or management of health care systems pursuant to applicable laws;

- necessary to comply with legal obligations or exercising legal rights in the fields of recruitment or social security; and

- necessary to comply with other laws.

It should be noted in particular that the PDPL, unlike the GDPR, does not provide a basis for processing personal data on the ground of the business's legitimate interests.

2.2 Consent: Where consent is the lawful basis for processing, it must be obtained from the data subject in a specific, clear and unambiguous form, by way of a positive statement or clear affirmative action. Data subjects are entitled to withdraw their consent at any time.

2.3 Rights of Data Subjects: Under Articles 13 to 18 of the PDPL, data subjects are granted various rights, including the rights to:

- transfer (port) their personal data;

- rectification or erasure of personal data;

- restriction on processing of personal data;

- object to certain types of processing and automated processing; and

- access their personal data free of charge from data controllers.

2.4 Data Protection Impact Assessments (DPIAs): Under Article 21 of the PDPL, data controllers must assess proposed processing activities that are likely to pose a high risk to the privacy and confidentiality of data subjects' personal data. The PDPL lists the minimum information that such an assessment must contain.

2.5 Limitations on Processing: Under the PDPL, personal data may be processed only for a specified and clear purpose. It must also be kept secure, and retained only for as long as the specified purpose requires.

2.6 Transparent Personal Data Processing Requirement: The PDPL contains no express requirement for data controllers (businesses subject to the PDPL) to provide privacy notices to data subjects when collecting their personal data. Processing must nonetheless be transparent and lawful: the data controller must provide data subjects with certain information about any processing of their personal data, including the purposes of the processing, the sectors or entities inside or outside the UAE with whom the personal data will be shared, and the safeguards that will be applied if the personal data is transferred outside the UAE.

2.7 International Transfers: Articles 22 and 23 of the PDPL allow personal data to be transferred outside the UAE to countries that the UAE Data Office has approved as providing an "adequate" level of data protection. By way of exception to the adequacy requirement, personal data may also be transferred to jurisdictions not deemed adequate:

- with the explicit consent of the data subject, provided that this does not conflict with the public or security interests of the UAE; or

- where the transfer is necessary to perform obligations under, or to execute, a contract with the data subject.

The list of "adequate" jurisdictions, together with the detailed exemptions, will be set out either in future executive regulations or directly by the regulator (the UAE Data Office) itself.

2.8 Breach Notification: Under Article 9 of the PDPL, a data breach that is likely to result in a risk to the privacy, confidentiality and security of personal data must be reported by the business to the UAE Data Office (more details about this regulatory body below). The data controller (business subject to the PDPL) must also notify the data subject of any breach of their personal data, regardless of whether there is a high risk to the data subject or not. The timelines for breach notifications are to be determined in future executive regulations.

3. Internal Compliance Process

3.1 Audit: Businesses subject to the PDPL should conduct, during the second half of 2022, an audit of their data processing activities to ensure that:

(i) data (including personal data) being processed is relevant, accurate and being processed for the purposes for which it was collected in line with the PDPL;

(ii) data subjects’ consent has been, is and/or will be obtained in a specific, clear and unambiguous form and through a positive statement or clear affirmative action; and

(iii) appropriate technical and organisational measures (for legally compliant control and monitoring of data processing) are in place under the supervision of the business's internally appointed Data Protection Officer, as required under Articles 10 and 11 of the PDPL.

The PDPL requires businesses (both controllers and processors) to appoint a data protection officer (DPO) if:

- the processing creates a high-level risk due to the use of new technology or due to the volume of personal data processed;

- the processing includes an assessment of sensitive personal data as part of profiling or automated processing; or

- large volumes of sensitive personal data are processed.

The DPO may be an existing employee of the business or a third party, and may be based inside or outside the UAE.

3.2 Supply Chain Management: If a business subject to the PDPL outsources any of its data processing activities (e.g. payroll, HR, recruitment, direct marketing, employee benefits), it will have to put robust data processing agreements in place with its suppliers to ensure compliance with the PDPL.

4. Public Compliance Control & Enforcement by the UAE's New Data Protection Regulator (the UAE Data Office)

Compliance oversight of the PDPL will be performed by the UAE Data Office, which was established by a separate Federal Decree-Law No. 44 of 2021 (enacted at the same time as the PDPL). The Data Office is responsible for the protection of personal data in the UAE, and in particular for:

- issuing guidelines for implementing the PDPL;

- handling complaints and data breach notifications; and

- imposing administrative penalties as proposed by the Data Office's Director General.

The PDPL does not set out the administrative penalties that can be imposed on businesses for breaching it. The details of such penalties are expected to be included in the PDPL's executive regulations, due to be issued by Spring 2022.

For any legal or data protection related regulatory compliance, get in touch with us today at info@borderlesscounsel.com

Zakir Mir