The New UAE Federal Data Protection Law
The long-anticipated UAE federal level data protection law (The Law No. (45) of 2021 on Protection of Personal Data (“Law”)) was announced as having been enacted by the UAE Cabinet at the end of November (although it has an issuance date of 20 September 2021), and will come into effect on 2 January 2022 (subject to the compliance grace period discussed below).
We are continuing to assess the wider implications of the Law; however, we thought it would be useful to provide you our view of some of the key features at the earliest. We set out these high-level observations below:
In keeping with the trend we have been seeing across the region in recent years, the Law is (broadly) aligned with the General Data Protection Regulation (GDPR) – meaning that familiar general processing principles and related obligations such as fairness/transparency; purpose limitation; restrictions on processing to what is necessary; accuracy / relevancy of data; erasure / rectification of incorrect data; implementation of appropriate safeguards; and storage limitations, are applicable.
“Personal Data” is that relating to an identified or identifiable natural person, which also includes “Sensitive Personal Data” and “Biometric Data”.
The Law contemplates its administration by a federal data protection regulator referred to as the UAE Data Office (“Office”).
Consent (which is to be “specific, informed and unambiguous”, and which may be withdrawn) is the primary basis for processing, unless another enumerated ground can be established (for example, processing that is necessary for reasons of public interest, protection of the data subject’s interests, performance of a contract to which the data subject is a party or the processing of data which has been made publicly available by the data subject).
The Law applies to the processing of data of data subjects who are based in the UAE, controllers and processors based in the UAE conducting processing activities (whether or not the relevant data subjects are in the UAE or not), and controllers and processors outside of the UAE that process data of data subjects inside the UAE – as such, the Law purports to have an extra-territorial effect.
The Law does not apply to certain categories of personal data, data subjects or data processors / controllers – such as government data / entities, processing by a data subject for personal purposes, data that is separately regulated by another legal framework, and entities that are established in a UAE free zone that already has its own comprehensive data protection framework (the most well-known to date being the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”)).
Data breach notification obligations are set out in the Law (including notifications to the Office), which may result in the imposition of administrative sanctions.
The Law requires that controllers and processors appoint a data protection officer (“DPO”) where certain criteria are met (for example, high-risk processing owing to the use of new technologies or processing large volumes of data – in particular sensitive personal data). The DPO may be an employee of the controller / processor or it may be someone that they authorize to act in this capacity on their behalf, whether inside or outside the UAE, so long as they have the “sufficient skills and knowledge to protect” the personal data as contemplated in the Law.
Data subjects have the right to request access to information about the personal data that is being processed about them, and a right to data portability.
The Law establishes the appropriate mechanisms whereby data may be transferred outside of the UAE (both where the recipient jurisdiction has an “adequate level of protection” and where it does not).
It is worth noting that the more granular detail needed to more comprehensively understand the obligations imposed under the Law is expected to be promulgated by a series of pending Executive Regulations, which the Law states will be issued within 6 months following the date of its issuance (20 September 2021). Also noteworthy, is the fact that the Law states that “any provision contrary to or in conflict with the provisions of [the Law] shall be repealed”. How this will be interpreted in connection with any potentially conflicting provisions found in free zone data protection laws (which are ostensibly not subject to the Law altogether, as noted above) remains to be determined, and could mean that entities established in free zones such as DIFC or ADGM may also need to more closely assess the wider implications of the Law.
Once the above-noted Executive Regulations have been issued, controllers / processors will have a further 6 month compliance grace period to bring operations in line with the requirements of the Law. As such, there is still a period of time (although not possible to say with further certainty until the Executive Regulations are actually issued) for organizations to which the Law will apply to ensure the appropriate compliance measures have been taken.
It is also noteworthy that the Law was issued as part of a much wider legislative reform undertaken by the UAE government in commemoration of its 50th year anniversary, which included significant revisions to laws pertaining to electronic transactions, intellectual property, criminal laws (including cybercrimes and online security legislation) and companies laws.
Of particular relevance to the subject matter herein, the newly issued Cybercrimes Law (Law No. 34/2021), provides that any data processing that is conducted in violation of applicable data protection laws may result in penalties that include imprisonment and fines of up to AED 500,000. As such, the potential scope of enforcement is broader than what is set out in the Law alone (which only contemplates the pending issuance of an administrative penalties framework). Therefore, entities who will be subject to the Law should seek to prioritize assessing their operations and processing activities, and implementing any necessary organizational measures to ensure compliance.
We would be happy to answer any questions you might have in regards to the Law or otherwise in connection with the recent UAE legal reforms, so please do not hesitate to contact Kelly Tymburski at firstname.lastname@example.org if we can be of any assistance.