First comprehensive federal data privacy law adopted

 These include mandatory data breach notification to the regulator and data subjects (the notification period will be determined by special regulations), an obligation of data controllers to keep records of processing activities, and, under certain circumstances, conduct DPIAs and designate a data protection officer (DPO).

The Data Protection Law, which is expected to take effect on 2 January 2022, will have extra-territorial reach, establish a national regulator (UAE Data Office) under the auspices of the Cabinet and contains, among others, detailed requirements for cross-border data transfers. The new law contemplates adoption of further executive regulations, expected by March 2022. Controllers and processors will have a grace period of six months from the date of issuance of these detailed regulations to ensure compliance with the Data Protection Law. The new law will not apply to entities operating in free zones that have their own data protection legislation (such as Dubai International Financial Centre).

Allen & Overy’s Abu Dhabi partner Tom Butcher and senior associate Ravinder Mattu published a detailed analysis of the new law: The UAE publishes its first ever Federal Data Protection Law.

Read the press release, 'UAE adopts largest legislative reform in its history'.