Skip to content

First comprehensive federal data privacy law adopted

Browse this blog post

On 27 November 2021, the UAE Cabinet Office announced the Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the Data Protection Law) that creates a comprehensive data protection regime, with key principles and requirements similar to those contained in the GDPR and other modern data protection laws.

 These include mandatory data breach notification to the regulator and data subjects (the notification period will be determined by special regulations), an obligation of data controllers to keep records of processing activities, and, under certain circumstances, conduct DPIAs and designate a data protection officer (DPO).

The Data Protection Law, which is expected to take effect on 2 January 2022, will have extra-territorial reach, establish a national regulator (UAE Data Office) under the auspices of the Cabinet and contains, among others, detailed requirements for cross-border data transfers. The new law contemplates adoption of further executive regulations, expected by March 2022. Controllers and processors will have a grace period of six months from the date of issuance of these detailed regulations to ensure compliance with the Data Protection Law. The new law will not apply to entities operating in free zones that have their own data protection legislation (such as Dubai International Financial Centre).

Allen & Overy’s Abu Dhabi partner Tom Butcher and senior associate Ravinder Mattu published a detailed analysis of the new law: The UAE publishes its first ever Federal Data Protection Law.

Read the press release, 'UAE adopts largest legislative reform in its history'

Related expertise