International Data Protection Law (UAE PDPL vs GDPR)


The United Arab Emirates’ Data Protection Law (PDPL) has enriched the data privacy landscape of the UAE by being the first federal data privacy law in this region. The development provides crucial insight into conducting business in the UAE whilst ensuring the personal data of its citizens are protected.


Federal vs Free Zone Data Protection Laws:


Prior to the PDPL being introduced, the UAE had no federal data protection law in scope. Only companies operating in the Dubai International Financial Centre (DIFC) or the Abu Dhabi Global Market (ADGM) were required to adhere to zone-specific data protection legislation.


Whilst the PDPL may have similarities to the zone-specific legislation already in scope across the UAE, it is a federal law. For many onshore UAE companies, both those that may have been operating in an emirate without privacy regulation and those operating in the DIFC or ADGM, consideration of how personal data is collected and used has therefore become paramount.


DIFC:


Prior to the creation of the PDPL, the Dubai International Financial Centre had established its own Data Protection Law, No. 5 of 2020. This law applies to organisations incorporated in the DIFC regardless of where the processing takes place.


This regulation closely mirrors the GDPR and outlines rules on the use, collection, handling and disclosure of personal data across the DIFC. The Office of the Commissioner of Data Protection is the independent regulator, and it also observes whether data must be disclosed in the public interest.


Additionally, the Dubai government published Dubai Law No. 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai. This regulated the collection and management of data across Dubai only, as opposed to the PDPL, which regulates the whole of the Emirates.


In particular, the Dubai law was seen as unique because of its concept of “open data”, which gives the government the power to require private sector entities to hand over information held by the company in relation to the city for the purpose of making it open data. In international data practice the use of open data is controversial, and the concept is similar to the “governmental data” head found under the PDPL. It remains to be seen how this will be used in practice.


ADGM:


Similar to the DIFC, the ADGM draws on the international best practice standards of the GDPR. The legislation established the independent Office of Data Protection to oversee its implementation.


Why is it important to know about UAE’s Data Protection Law?


On the 28th of November 2021, the UAE announced the enactment of the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL 2021). It came into force in January 2022.


As it stands, it is the first federal data protection law operating across the UAE, including the financial “free zones”. The PDPL covers the processing of personal data belonging to data subjects of the UAE regardless of where the data controller or processor is established. The regulation is enforced by the UAE Data Office, established by Federal Decree No. 44 of 2021, which stands to be the de facto regulator for this legislation.


The wide scope dictated by the enactment of the PDPL means that companies who fail to protect personal data and comply with the new regulatory standard risk losing access to this market completely, as well as facing regulatory sanctions. The UAE Data Office acts as the regulator for the UAE and may carry out audits, request access to documentation and evidence, or stop the processing of personal data where these requirements are not being complied with. Heavy financial penalties can be imposed on businesses who breach the law.


From a reputational perspective, non-compliance with the law can result in brand damage and a loss of consumer trust where a company is seen not to adhere to the protections afforded within a particular consumer market such as the Middle East. As the Data Protection Law gives UAE citizens more rights over, and access to, their data, non-compliance with its provisions signals to consumers that a company is willing to monetise their personal data for its growth without recognising the trade-off.


Moreover, as Articles 13-19 of the PDPL clearly outline data subject rights, a company without the requisite measures in place would face a significant burden when a data subject exercises those rights. It is thus better to have these mechanisms set out at the outset.


Deep Dive into UAE’s Law:


Principles of the PDPL:


Overall, the PDPL remains in line with international privacy practice. The UAE Data Protection Law is built on a fundamental set of principles that establish the framework for the protection of personal data. This is the same framework found under the GDPR, so for companies already adhering to the GDPR it will be easier to understand the underpinnings of the PDPL.


  1. Lawfulness, fairness and transparency: personal data must be processed in a fair, lawful and transparent manner.

  2. Purpose limitation: processing of personal data must be limited to a specified and lawful purpose.

  3. Data minimisation: processing must be limited to what is needed for that purpose and must not go beyond it.

  4. Personal data must be accurate, and measures must be in place for correcting and updating this data.

  5. Storage limitation: personal data should only be stored for a limited time.

  6. The data must be kept confidential, and security controls must be implemented to maintain this.

  7. Appropriate measures and records must be in place to demonstrate compliance.


Definition of Personal Data:


In maintaining consistency with Article 4 of the GDPR, Article 1 of the UAE Data Protection Law adopts the same concepts and definitions found there. The definition of the processing of personal data matches the same broad definition under the GDPR, covering both electronic means and other processing methods.


The PDPL, however, does not apply to certain types of data: “governmental data”, which Article 2 of the regulation leaves undefined; personal data held by UAE security and judicial authorities; and health and financial personal data where it is covered by sector-specific laws and regulations. These exceptions are important for companies to consider, as “governmental data” has not been defined by the regulation and could therefore have a wide scope.


Another difference with respect to the scope of personal data is that the PDPL contains no specific provisions regulating the processing of children’s data. This could raise issues around the protection of minors and differs from the GDPR, where clear safeguards must be implemented by companies seeking to process the data of minors.


Sensitive Data:


The definition of sensitive data under Article 9 of the GDPR matches that found in Article 1 of the PDPL. This means that companies processing sensitive data under the scope of both the GDPR and the UAE law must have the same protections in place.


Data Subject Rights:


Under Articles 13-19, the PDPL sets out data subject rights which align with the international standards of the GDPR (Articles 12-22). These include:


  1. The right to obtain information (PDPL, Article 19; GDPR, Articles 12-14)

  2. The right to data portability (PDPL, Article 14; GDPR, Article 20)

  3. The right to rectification and erasure (PDPL, Article 15; GDPR, Articles 16-17)

  4. The right to restrict processing (PDPL, Article 16; GDPR, Article 19)

  5. The right to stop processing (PDPL, Article 17; GDPR, Article 21)

  6. The right not to be subject to automated processing (PDPL, Article 18; GDPR, Article 22)


This means data subjects are afforded the same level of protection as can be found across the GDPR.


Data Controllers and Processors:


The UAE has created a clear distinction between the rights and responsibilities of data controllers and data processors under the regulation. Additionally, to support compliance, the UAE law requires data controllers and processors in certain circumstances to appoint a Data Protection Officer under Article 10 of the PDPL.


As these requirements are strongly linked to those found under Article 37 of the GDPR, it is helpful for companies who operate globally to have the same standards outlined across both non-UAE and UAE regulations, because their mechanisms for adhering to data privacy standards can then be consistent and replicated for each of the markets they operate in.


Lawful Basis of Processing:


Article 6 of the GDPR provides six legal bases for the processing of personal data, and Article 4 of the PDPL adopts a similar approach. This means that processing takes place legally where:


  1. the consent of the data subject has been given;

  2. there is a legal or contractual obligation;

  3. the processing is necessary to protect the data subject’s interests; or

  4. the processing is in the public interest.


A main difference from the GDPR in this respect is that legitimate interest is not available as a lawful basis for processing. This means that processing is more closely restricted under the UAE law, and organisations must be more attuned to this requirement, as legitimate interest is generally a common lawful basis. We have yet to see how this will take effect.


Record of Processing Activities:


Similar to Article 30 of the GDPR, maintaining a record of data processing activities, supported by data privacy impact assessments and incident logs, will allow an organisation to identify and document all of its processing activities. This is a legal requirement for both data controllers and processors under the PDPL (Article 7(4) and Article 8(4)).


The data register under the UAE law must contain:


  1. The contact details of the DPO, data controller or processor

  2. The purpose of the processing activity

  3. A description of the categories of data

  4. The details of those who can access the data, and the mechanism for erasing, modifying and processing the personal data

  5. The technical and organisational measures in place to protect the personal data

  6. Whether personal data will or has been transferred outside the UAE

  7. The data retention period


The details above must also be included in the Privacy Notice and shared with individuals when their personal data is collected, or within a reasonable timeframe where it has been collected from other sources. This ensures the processing is fair, transparent and lawful.


Data Breach Notification:


The PDPL takes a stricter approach than the GDPR to notifying the Office of a data breach. Under Article 9 of the PDPL, where a data infringement or breach prejudices the privacy, confidentiality and security of the data subject’s personal data, the breach and the results of the investigation must be disclosed to the Office immediately. This will be in accordance with the procedures in the Executive Regulations, which to date have yet to be published. Under Articles 33-34 of the GDPR, by contrast, only where the breach causes a high risk to the rights and freedoms of individuals should the relevant supervisory authority or data subjects be notified.


As under the GDPR, however, the notification must set out the nature, category and reasons of the breach, the approximate number of data records affected, a description of the likely consequences, and a description of the measures and remedial action taken to assess the data breach.


Transfers:


As with the GDPR’s “adequacy decision” under Article 46, the cross-border transfer of personal data is regulated by the Office, with certain countries approved as having an adequate level of protection by the UAE’s standard. This list is currently in progress and should be published alongside the Executive Regulations. Where personal data is transferred to a country not on this list, organisational or technical measures must be in place to enforce data protection requirements. Penalties can be imposed for violations.


For now, Article 22 of the PDPL clarifies that where the state or territory has personal data protection legislation in place and appropriate legal recourse for the individual, then a cross-border transfer can take place. Furthermore, where the state has acceded to a bilateral or multilateral agreement in respect of this protection, such a transfer can be made as approved by the Office.


Data Retention:


Similar to Article 5(1)(e) of the GDPR, Article 5(3) of the PDPL provides that organisations should not store personal data beyond the purpose of the processing. The UAE has, however, caveated this by stating that where the data subject is no longer identifiable, the data may continue to be stored. Although not explicitly stated in the GDPR, this is in line with international practice on data retention, deletion, anonymisation and pseudonymisation.


Concluding Remarks


The PDPL has had a significant impact. For companies operating globally and processing the data of UAE citizens, it has become even more important to embed data privacy into systems, processes and services to avoid regulatory consequences such as fines. However, for those already complying with the GDPR, the UAE’s PDPL resonates largely with the GDPR’s principles and articles, making compliance easier.


As the first federal regulation to apply to all seven Emirates, the PDPL means that onshore UAE companies operating outside the DIFC and the ADGM will need to bring their use, collection and processing of personal data in line with the regulation’s requirements. The PDPL thus standardises the regulation and enforcement of data protection across all emirates, replacing the previous zone-specific enforcement in the DIFC and the ADGM.


It has yet to be seen how the PDPL will sit alongside the DIFC and the ADGM. The publication of the Executive Regulations, at a date not yet confirmed by the UAE regulator, will provide better visibility on the practical reality of the PDPL for companies.


The PDPL not only reinforces the importance of data protection in the UAE but also aligns with international standards, simplifying compliance efforts for global entities while ensuring robust data privacy practices across the Emirates.


Bottom line:

  1. The scope of PDPL is for any company processing the data of UAE citizens and thus it is important for global companies to adhere to its requirements.

  2. The PDPL is the first federal data protection law in the Emirates and thus is wider in scope than the region-specific data protection laws.

  3. The PDPL aligns with international data protection practice but differs from the GDPR in four key ways:

  • Definition of personal and sensitive data

  • Lack of legitimate interest head as a lawful basis of processing

  • The concept of “governmental data” and how this is applied in practice.

  • The non-regulation of processing children’s data
