The UAE publishes its first ever federal Data Protection Law

The UAE has published its first ever federal data protection law (Federal Decree Law No. 45 of 2021 on Personal Data Protection) (the “Data Law”). 

Although similar in approach to so called ‘best-in-class’ data protection laws internationally, the Data Law heralds a fundamental shift in the approach to data protection in the UAE. Its introduction will significantly impact how organisations collect, use and interact with the personal data of their customers and employees. Allen & Overy’s dedicated UAE data protection experts have summarised the key points of the Data Law below. 

Is the data law really that different from the current position? 

Yes. Before the Data Law, the UAE did not have a comprehensive data protection law at a federal level. Instead, organisations looked to specific provisions in laws such as the UAE Penal Code and the Constitution which indirectly govern privacy and data security in the UAE. 

Separately, the financial free-zones in the UAE (the Abu Dhabi Global Market (“ADGM”) and the Dubai International Financial Centre (“DIFC”)) have previously implemented their own data protection laws, both of which are largely modelled on the European Union’s approach to data protection. 

So whilst many of the provisions of the Data Law will be familiar to those organisations based in the ADGM or DIFC or indeed operating in third countries which have their own data protection laws, for many onshore UAE organisations the introduction of the Data Law really will necessitate a step-change in how they process Personal Data.

To whom does the data law apply?

The Data Law applies to: 

  • an individual who resides or has a place of business in the UAE;
  • an organisation that is established in the UAE that processes the Personal Data of individuals, whether those individuals are located inside or outside the UAE; and
  • an organisation that is not established in the UAE that processes the Personal Data of individuals that are located inside the UAE. 

This means that an organisation established in the UAE that processes the Personal Data of individuals in, for instance, Europe, will have to comply with the Data Law even if the actual processing is carried out in Europe. 

In addition, the Data Law will have extra-territorial effect and apply to organisations that are not based in the UAE, but which process the Personal Data of individuals located in the UAE. It remains to be seen how this will be policed and enforced, particularly where the processing is conducted outside the UAE and the concerned organisation has no other nexus with the UAE.

It is important to note that the nationality of an individual is irrelevant; what matters is whether the individual is located in the UAE or not.

There are some important exceptions to the Data Law. In particular, it does not apply to: 

  • government data;
  • government authorities;
  • organisations incorporated in the ADGM and DIFC and any other free-zones which have introduced their own specific data protection legislation (the “Free-zones”);
  • Personal Data in the hands of security and judicial authorities (e.g. the police); and
  • individuals who process data relating to themselves for personal purposes. 

In addition, the Data Law will not apply to any health and banking Personal Data that is the subject of legislation which addresses its protection and processing (such as the ICT Healthcare Law (Federal Law No. 2 of 2019) and the Central Banking Law (Federal Law No. 14 of 2018)). 

Finally, the Data Law does allow for organisations to be exempted from some or all of its provisions if they do not process ‘large volumes’ of Personal Data. Further details will be set out in the executive regulations, which have not yet been published. Time will tell, but this potentially opens the door to many organisations which process Personal Data on a relatively limited basis being exempted from the Data Law.

Is the data law the same as the EU General Data Protection Regulation ("GDPR") or Free-zone laws?

Although there are many similarities, the Data Law is fundamentally not the same as the GDPR, the existing Free-zone laws or other international data protection laws.

The primary lawful basis on which organisations may process Personal Data remains consent, as was the case under the Penal Code. Crucially, unlike the GDPR and the data protection laws in force in the ADGM and the DIFC, there is no ‘legitimate business interests’ basis. There are, however, limited exceptions to the requirement to obtain an individual’s consent, which include: 

  • processing Personal Data which is necessary for the performance of a contract to which the individual is a party, or to take actions at the request of the individual with the aim of concluding, amending or terminating a contract;
  • public interest;
  • defence of a legal claim;
  • processing Personal Data made public by the individual;
  • processing Personal Data which is necessary for the fulfilment of the organisation’s obligations under applicable UAE laws; and
  • processing Personal Data which is necessary for the purposes of carrying out the obligations and exercising the rights of the organisation or of the individual in the field of employment and social security and social protection law. 

The Data Law does introduce many definitions and concepts into UAE law for the first time that are similar to the equivalent terms used in the GDPR, ADGM and DIFC data protection laws. These include the following: 

  • “Personal Data”: which is any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his or her name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics. Personal Data includes Sensitive Personal Data and biometric data.
  • “Sensitive Personal Data”: which is any information that directly or indirectly reveals a person’s race, ethnicity, political or philosophical views, religious beliefs, criminal record, biometric data, or any data related to such person’s health.
  • “Data Controller”: which is anyone who determines the means, methods, standards and purposes of the processing of an individual’s Personal Data.
  • “Data Processor”: which is anyone who processes Personal Data on behalf of a Data Controller and under their supervision and instruction.
  • “Consent”: which is the consent by which an individual authorises third parties to process Personal Data relating to him or her. Consent must be clear, simple, specific, unambiguous and accessible. It can be given electronically. 

The Data Law also introduces the following principles that are well established in the GDPR and Free-zone data protection laws: 

  • the processing of Personal Data must be fair, transparent and lawful;
  • Personal Data must be collected for a clear specific purpose. It cannot be processed for a purpose other than that for which it was collected;
  • Personal Data collected and processed by an organisation must be adequate and restricted to what is necessary for the purpose for which it was collected;
  • Personal Data must be correct and accurate and subject to update, where relevant;
  • measures or actions to ensure the erasure or rectification of incorrect Personal Data must be in place;
  • Personal Data must be safely stored and protected from any breach or unlawful or unauthorised processing by implementing appropriate technical and organisational measures; and
  • Personal Data must not be stored for longer than is necessary. 

Given these principles are outcome focussed, as opposed to being prescriptive in terms of how to achieve compliance, they are necessarily open to interpretation. However, we do expect that formal guidance will be issued in due course. 

Individuals’ rights

For the first time, individuals are afforded the following rights under UAE federal law: 

  • The right to be informed: Individuals have the right to be provided with clear, transparent and easily understandable information about how companies use their information. This is essentially an obligation to provide privacy notices to individuals.
  • The right of access: Individuals have the right to obtain access to their information so they can check that companies are using their information in accordance with the Data Law.
  • The right to rectification: Individuals are entitled to have their information corrected if it is inaccurate or incomplete.
  • The right to erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables individuals to request the deletion or removal of their information where there is no compelling reason to keep using it, subject to certain exceptions.
  • The right to restrict processing: Individuals have rights to ‘block’ or suppress further use of their information.
  • The right to data portability: Individuals have rights to obtain and reuse their Personal Data for their own purposes across different services. For example, if they decide to switch to a new provider, it enables individuals to move, copy or transfer their information easily between one company’s IT systems and another’s safely and securely, without affecting its usability.
  • The right to object to processing: Individuals have the right to object to certain types of processing.
  • The right to lodge a complaint: Individuals have the right to lodge a complaint about the way companies handle or process their Personal Data.
  • The right to withdraw Consent: If an individual has given their Consent to anything an organisation does with their Personal Data, they have the right to withdraw their Consent at any time. 

Organisations will need to implement new (or at least updated) policies and procedures that account for these different rights. 

International data transfers

Personal Data may be transferred outside of the UAE in limited circumstances only, which include: 

  • if the country to which the Personal Data is being transferred to has appropriate data protection legislation in place;
  • if the transfer is made pursuant to a contract that requires the counterparty to comply with the Data Law; and
  • if the transfer is necessary for the entry into, or the performance of, a contract, between:
      ◦ a company and an individual; or
      ◦ a company and a third party in the interests of an individual. 

It is not clear who will determine whether a given country has ‘appropriate’ data protection legislation in place. This may be addressed in the forthcoming executive regulations. Overall, the approach to international transfers broadly reflects that taken in the GDPR and Free-zone data protection laws. 

Data protection officers 

Organisations that conduct the following activities will be required to appoint a formal data protection officer: 

  • data processing which is likely to cause a high risk to the confidentiality and privacy of the data subject’s Personal Data as a consequence of the volume of data being processed or the use of ‘new technologies’ to carry out the processing;
  • data processing which involves a systematic and comprehensive assessment of Sensitive Personal Data, including profiling and automated processing; or
  • processing large volumes of Sensitive Personal Data. 

The data protection officer may be an employee or contractor and does not necessarily need to be located in the UAE. 

This approach broadly reflects that taken in the GDPR and Free-zone data protection laws. 

Impact assessments

Organisations are required to carry out a formal assessment of the necessity, proportionality, risks and measures required to reduce such risks when processing Personal Data in certain circumstances, including when: 

  • using technology for that processing that is likely to pose a high risk to the privacy and confidentiality of Personal Data; and
  • processing large volumes of Sensitive Personal Data. 

Data security

Organisations must put in place sufficient technical and organisational measures to protect and secure Personal Data, preserve its confidentiality and privacy, and ensure that it is not breached, destroyed or altered. 

These measures need to take into account the nature, scope and purposes of processing data and the possibility of risk to the confidentiality and privacy of the data subject’s Personal Data. This means the higher the risk of harm to an individual, the greater the steps needed to secure Personal Data. 

This approach broadly reflects that taken in the GDPR and Free-zone data protection laws. 

Notification of data breaches

Organisations must notify the new federal data protection regulator (to be called the “UAE Data Office”) and affected individuals in the event of a data breach that could prejudice the privacy, confidentiality and security of the individuals’ data. In practice, this means that organisations will be required to report almost all breaches. This is a stricter requirement than is the case under the GDPR and other international data protection laws. 

The time period within which notification must be made will be confirmed in the Data Law’s executive regulations, which have not been published yet. 

Enforcement

The UAE Data Office will be established to monitor compliance with the Data Law and deal with individuals’ complaints. 

The regulator will also have the power to fine organisations for non-compliance, although the maximum levels of these fines will be confirmed in the Data Law’s executive regulations, which have not been published yet. 

What happens next? 

The Data Law will come into effect on 2 January 2022. Organisations will then have a grace period of six months after the Data Law’s executive regulations are published to become compliant. It is unclear exactly when the executive regulations will be published. Similarly, we do not know yet when the UAE Data Office will be set up and operational. 

Despite this uncertainty, organisations should begin the process of evaluating how the Data Law will impact them specifically and the extent to which their current processes and operations will need to be adapted to ensure compliance.

Please contact Tom Butcher and Ravinder Mattu, our UAE-based data protection specialists, should you require any assistance in relation to your compliance programme or if you wish to discuss any aspect of the Data Law.