UAE Personal Data Protection Law
The United Arab Emirates’ (UAE) two financial free zones, the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), have data protection laws in place (largely inspired by the European Union’s General Data Protection Regulation (GDPR)). However, until recently there was no comprehensive data protection law at the UAE federal level, and persons impacted by data breaches or misuse of personal data had to rely on certain restricted provisions set out in the UAE’s Constitution, Penal Code and Cyber Crime Law.
Keeping in mind current global standards and the needs of a modern digital society, the UAE Federal Government has now enacted Federal Decree Law No. 45/2021 on the Protection of Personal Data (PPD Law) and established a dedicated data protection regulatory authority (the UAE Data Bureau). The PPD Law is largely similar to GDPR and includes core concepts such as personal data, sensitive personal data, controllers, processors, processing and consent; the data protection principles; data protection officer (DPO) requirements; and the rights of individuals.
In this legal update, we have covered certain key aspects of the PPD Law.
When does the PPD Law take effect?
The PPD Law came into force on 2nd January 2022. While the substantive law is in force, some of the finer elements (including procedural aspects, investigations and reporting of breaches) are expected to be outlined in Executive Regulations which will be issued subsequently. Controllers and processors of data have been provided six (6) months from the date the Executive Regulations are issued to regularise their status and comply with the PPD Law. Further, applicable penalties for violations of the PPD Law will be set out in subsequent decisions which will be issued by the UAE Cabinet.
Who does the PPD Law apply to?
The PPD Law applies to:
- An individual who resides or has a place of business in the UAE;
- Any business in the UAE which processes the personal data of individuals, whether those individuals are located within or outside the UAE; and
- Any business located outside the UAE that processes the personal data of individuals who are located inside the UAE.
As such, similar to GDPR, the PPD Law has extraterritorial reach and applies to enterprises that do not have a physical presence in the UAE but process the personal data of UAE residents.
Exemptions from Applicability of the PPD Law?
The PPD Law does not apply to (a) government data; (b) government authorities that control or process personal data; (c) personal data held by security or judicial authorities; (d) individuals who process their data for personal purposes; (e) health personal data that is subject to separate legislation; (f) banking and credit personal data that is subject to separate legislation; and (g) entities located in UAE free zones that have their own special legislation on data protection (for example the DIFC and ADGM).
Can Personal Data be Processed without Consent?
There are certain circumstances in which the PPD Law permits the processing of personal data without the consent of the data subject. These include circumstances where processing is:
- necessary to protect the public interest, public health or the interests of the data subject;
- of personal data that has become available and known to the public by an act of the data subject;
- necessary for the purposes of occupational or preventive medicine, assessment of the working capacity of an employee, medical diagnosis, etc.;
- necessary to perform, amend or terminate a contract to which the data subject is a party; or
- necessary for archival purposes or for scientific, historical or statistical studies.
An important and much needed impact of the PPD Law is that it provides no obvious exception to the requirement for a data subject’s consent that would apply to the use of personal data for marketing purposes. Accordingly, organisations may only use such data for marketing purposes with the consent of the data subject. This means that organisations will also need to incorporate opt-out mechanisms to allow data subjects to withdraw their consent or object to receiving marketing communications.
Except for the circumstances described above and certain other circumstances prescribed in the PPD Law, there is an absolute prohibition on the processing of personal data without the consent of the data subject.
Are International Data Transfers Permitted?
International transfer of personal data is permitted to countries approved by the UAE Data Bureau, countries with a data protection agreement with the UAE, or where certain exceptions that are set out in the PPD Law apply.
What are the rights of the Data Subjects?
Data subjects have a number of rights under the PPD Law with respect to their personal data, including: (i) the right to receive information from a controller (i.e. right to access); (ii) the right to request the transfer of their personal data (which is broadly consistent with the right to data portability under GDPR); (iii) the right to have their personal data corrected or erased (i.e. the right to be forgotten); (iv) the right to restrict the processing of personal data in certain cases; (v) the right to object to certain types of data processing (for example, if it is intended for the purpose of direct marketing or scientific and statistical research); and (vi) the right to object to automated processing. Controllers are required to put in place a mechanism for communicating with data subjects.
Is a Data Protection Officer required?
Companies will need to appoint a Data Protection Officer under certain circumstances. The Data Protection Officer may be an employee of the company or an external party who may be based within or outside the UAE.
What are the Penalties for Non-Compliance?
The PPD Law does not expressly provide the penalties that will apply for breaches. These will be specified in the Executive Regulations. It is also unclear whether the Executive Regulations will contain a schedule of fines (and other sanctions) for different violations or simply specify a maximum amount, leaving more discretion to the UAE Data Bureau and the local UAE courts.
What Steps should Organisations Take Next?
Organisations should assess their present personal data processing procedures and conduct a gap analysis of their current compliance position in comparison to the new requirements under the PPD Law.
Should you require more information or have any other queries relating to this legal alert, please do not hesitate to contact our Partner, Adil Shafi or Senior Associate, Devvrat Periwal.