On November 27, 2021, the UAE Cabinet Office enacted its first federal Personal Data Protection Law (Federal Decree Law No. 45 of 2021, the “UAE Data Protection Law”). The UAE Data Protection Law will come into force on January 2, 2022.
The new law, drafted in consultation with major technology companies, seeks to protect the privacy of personal data across the UAE, without creating an overly burdensome regulatory regime. In particular, the law seeks to control the misuse of personal information and the use of personal data for profit.
Prior to adopting the UAE Data Protection Law, the UAE had no principal source of data protection or privacy regulation. Several existing laws have implications for the transfer or use of personal data within the UAE (including the UAE Constitution, the UAE Penal Code, the Health Data Law and the Telecommunications Law), but a lack of centralized regulation meant that these laws did not apply to all businesses operating as data processors or data controllers in the UAE.
Scope of the UAE Data Protection Law
The UAE Data Protection Law applies to the processing of “Personal Data:”
- of any data subject who resides or has a place of business in the UAE;
- by any data controller or data processor established in the UAE (regardless of whether the processing of personal data is carried out inside or outside of the UAE); and
- by any data controller or data processor established outside of the UAE, but who carries out processing of personal data within the UAE.
Consequently, the UAE Data Protection Law has a degree of extra-territorial reach. There is, however, some uncertainty about the extent to which the law would apply in situations where the data subject is a UAE resident, but neither the data controller nor the data processor has any nexus to the UAE. This situation exists in other jurisdictions to varying degrees; for example, the General Data Protection Regulations (“GDPR”) in the EU can still apply to targeting and monitoring activities of data subjects located in the EU even if the data processor is not established in the EU. We expect the scope of the law to be clarified in new data protection regulations, which are to be issued within six months of the promulgation of the UAE Data Protection Law.
For purposes of the UAE Data Protection Law, Personal Data is defined to mean “any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person” (English translation).
The UAE Data Protection Law does not apply to processing of government data, health data, and banking and personal credit data. Such data is subject to its own regulatory regimes and policies, much of which we anticipate will be revised in the coming months as part of the UAE’s comprehensive legal reforms intended to position the UAE as a global leader in technology and digitization.
Free zones that have implemented their own data protection rules also are excluded from the application of the UAE Data Protection Law and will continue to be regulated by their individual data privacy regimes. Free zones with self-regulated data protection laws include the Dubai International Financial Centre (“DIFC”), Abu Dhabi Global Market (“ADGM”) and Dubai Healthcare City. DIFC and ADGM have data privacy regimes comparable to the protections offered by the GDPR.
Key Features of the UAE Data Protection Law
A significant aspect of the UAE Data Protection Law is that consent to process personal data is now a requirement for any organization established in the UAE or processing data within the UAE, regardless of the industry sector in which an organization operates, with limited exceptions, such as processing for the protection of the public interest, processing that is necessary to fulfill other obligations imposed under the laws of the UAE, or processing that is necessary to perform a contract. Notably, the UAE Data Protection Law does not include an exception to consent that would allow for processing on the basis of a controller’s ‘legitimate interests’, as is common in data protection legislation in other jurisdictions.
Consent must be “specific, informed and unambiguous” and must be given by a statement or by a clear affirmative action in writing or electronic form. The data controller must be able to prove that the data subject gave consent to process his/her personal data, unless one of the exceptions applies. Data subjects may withdraw their consent at any time. In addition, before any data processing is undertaken, data subjects must be provided with notice of:
- the purpose of processing;
- the sectors or organizations with which that personal data is to be shared;
- the protections in place for cross-border transfers; and
- the process for filing a complaint with the UAE Data Office.
Several standards and controls have been introduced in relation to the processing of personal data, none of which previously existed in relation to the collection or processing of personal data onshore UAE. In particular:
- processing must be made in a fair, transparent and lawful manner;
- personal data must be collected for a specific purpose;
- personal data may not be retained after fulfilling the purpose of processing, save where the identity of the data subject is anonymized;
- appropriate measures and procedures must be in place to ensure erasure or correction of incorrect personal data; and
- personal data must be kept securely and protected from any illegal or unauthorized processing.
Under the UAE Data Protection Law, data subjects are given (1) the right to request access to information that is being held on them; (2) the right to request the transfer of their personal data; and (3) subject to limited exceptions, the right to be forgotten (i.e., the erasure of personal data that is no longer required for the purposes for which it is collected or processed). In addition, the UAE Data Protection Law extends the protections already offered under the Unsolicited Electronic Communications Regulation and the Consumer Protection Law and gives data subjects the right to object to and stop the processing of their personal data if the processing is for direct marketing purposes or profiling.
Special protections are provided for “Sensitive Personal Data” and “Biometric Data.” For example, any organization processing a large amount of Sensitive Personal Data, or processing personal data in circumstances that would cause a high risk to the confidentiality and privacy of the data subject, must appoint a data protection officer responsible for ascertaining compliance by the data controller or data processor with the provisions of the UAE Data Protection Law. The data protection officer need not be based in the UAE and may be an external provider.
Cross-border data transfers to jurisdictions with an “adequate” level of protection are “pre-approved”, though the list of such “adequate” jurisdictions is not yet published by the UAE’s new national data privacy regulator. Transfers to jurisdictions where there is not an adequate level of protection will require compliance with the controls and requirements to be set out in the data protection regulations, and an agreement in place between the disclosing entity and the receiving entity obliging the receiving party to implement those requirements.
National Data Privacy Regulator
In parallel with the UAE Data Protection Law, the UAE will establish a national data privacy regulator, the UAE Data Office, whose responsibilities will include proposing and preparing policies and legislation related to data protection, issuing guidelines relating to data privacy legislation and establishing a grievance and complaints process for data subjects who object to the processing or storage of their data. Once the regulator is established, data breaches that are likely to result in a risk to the privacy, confidentiality or security of personal data will need to be notified to both the UAE Data Office and the affected data subjects. Notably, there is no materiality threshold for triggering the requirement to notify a data subject; rather, as drafted, any risk (rather than a high risk, as under the GDPR) to the privacy, confidentiality or security of personal data would trigger such a notification. A data controller who becomes aware of any infringement or breach of personal data is required to report the infringement or breach within a period to be established under the data protection regulations.
Compliance Deadline
Organizations that fall within the scope of the law will have six months from issuance of the data protection regulations to prepare for compliance with the UAE Data Protection Law. The compliance deadline will likely be December 2022, and will be confirmed once the data protection regulations have been issued.