The United Arab Emirates (UAE) is a nation in the Middle East made up of the seven emirates of Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. On 27 November 2021, the UAE Cabinet Office announced the new national data protection law (UAE DP Law). The UAE DP Law protects personal data held and processed by organisations that are registered in the UAE and process personal data of individuals inside or outside the UAE. It also applies to any organisation established outside the UAE that processes personal data of individuals inside the UAE, and to external organisations with personal data links to the UAE. The law sets out data processing principles that include lawfulness, fairness, transparency, using personal data only for specific and clear purposes, accuracy, personal data security and responsible data retention. Individuals have the right to receive information, to request a transfer of their personal data (data portability), to correction, to erasure, to restrict processing, to object to types of processing such as direct marketing, and to object to automated processing. The UAE Data Office, established under a separate law, will be the regulator. The UAE DP Law comes into force on 1 January 2022. Further regulations will follow, and organisations will be given time to comply after those regulations are published. The UAE Data Office will also publish rules and guidance.
1. What types of organisations are covered by UAE DP Law?
The law applies to businesses and organisations, both controllers and processors, that are registered in the UAE and that process personal data or sensitive personal data. It also applies to businesses and organisations based outside the UAE that process personal data of individuals who are in the UAE. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Controllers are those that decide the method, criteria and purpose for processing personal data. Processors collect, use and store personal data on behalf of, under the direction of and in accordance with the instructions of the controller. Processors must follow the instructions of controllers and enter into personal data processing contracts that set out the scope, purpose and types of data processing.
The UAE DP Law does not apply to government data, to government organisations that control or process personal data, to personal data held by security and judicial authorities, or to personal data used by individuals for purely personal purposes. Health personal data regulated by the ICT Healthcare Law of 2019 is excluded, as is banking personal data regulated by other laws. Companies and organisations registered in UAE free zones that have their own free zone data protection laws are also excluded: the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) each have their own separate data protection law.
2. What types of data or information are covered by UAE DP Law?
The UAE DP Law protects personal data, which is defined as any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data. The definition includes an individual’s name, voice, image, identification number, electronic identifier and geographical location. Sensitive personal data are also covered by the UAE DP Law. This category is defined as data that directly or indirectly reveals the family or ethnic origin of a natural person, political or philosophical opinions or religious beliefs, criminal record, biometric data and any data relating to an individual’s health.
3. What are the main UAE DP Law obligations for businesses?
UAE-registered businesses and foreign-based organisations that fall within scope should:
(a) Create a UAE (or Middle East and Africa) data protection framework with data processing controls and apply the law’s data protection principles, such as transparency (notices), fairness, lawfulness, accuracy and responsible data retention.
(b) Businesses and organisations acting as controllers and processors should establish and maintain a Special Record for Personal Data (SRPD). This should be available to the UAE Data Office, if requested. This appears to be like the GDPR’s Record of Processing Activities (ROPA).
(c) Establish opt-in consent mechanisms and ensure that each consent transaction is specific, clear, unambiguous and forms a clear positive statement or action.
(d) Appoint a sufficiently skilled and knowledgeable Data Protection Officer (DPO), either an employee or an external service provider based inside or outside the UAE. A DPO is legally required where personal data processing creates a high risk to privacy because of the adoption of new technologies or the volume of personal data processed; where processing involves the assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed.
(e) Report personal data breaches and data leakages to the UAE Data Office, and where necessary to the individuals affected, as soon as they become aware of the incident.
(f) Complete Data Protection Impact Assessments (DPIAs) when using any modern technologies that pose a high risk to the privacy and confidentiality of individuals.
(g) Create appropriate policies for processing sensitive personal data.
(h) Put in place appropriate technical and organisational measures, including anonymisation and pseudonymisation, to protect personal data and to keep automated processing limited to its intended purpose.
(i) Set up accessible systems and processes to allow individuals to exercise their data protection rights, free of charge.
(j) Prepare for the new UAE DP Law international data transfer regime. Transfers to countries that the UAE deems to have an adequate level of data protection will be treated differently from transfers to other countries, for which contractual clauses, assessments and other personal data transfer mechanisms will be mandated.
4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), UAE ADGM DP Law or UAE DIFC DP Law will they automatically comply with UAE DP Law?
To a certain extent, but not completely. GDPR, the UAE free zone data protection laws and UAE DP Law have different scopes, definitions, special provisions and compliance requirements. There are, however, important similarities: UAE DP Law was enacted with provisions that largely reflect the EU's GDPR requirements. GDPR data mapping and Records of Processing Activities can help to identify the personal data affected by UAE DP Law. GDPR data protection notices, policies and the processes used to respond to GDPR rights requests can assist UAE DP Law compliance, but they must be tailored, and data processing agreements and online notices must be specifically updated. The UAE DP Law also contains broad sector and data exclusions covering government data, government bodies, health bodies, judicial and security bodies and some banking-related personal data. UAE DP Law will be supported by a range of further regulations in the coming months and years that will expand, specify and interpret the law.
5. Does the UAE DP Law apply to foreign-based companies, and what are the penalties for breach of the law?
Yes, it can. If a foreign business is registered in the UAE and processes personal data in the UAE or elsewhere, the UAE DP Law applies to it. The law also applies to foreign-based businesses that process personal data on behalf of organisations registered in the UAE, and to foreign-based businesses that process personal data about individuals who live, work or are otherwise present in the UAE.
The penalties under the UAE DP Law have not yet been published. They will appear in future regulations and in output from the UAE Data Office.