The UAE has announced that it intends to enact a new Federal Data Law (Data Law) as part of its ‘Projects of the 50’, a series of developmental and economic initiatives marking the UAE's 50th anniversary this year.
The Data Law constitutes a significant development in modernising the UAE's onshore data protection laws and may even represent the first stepping stone to "Adequacy" decisions from other regulators, both in the UAE's financial freezones and globally.
Whilst a draft of the new law is awaited, Mr Omar Al Olama, the UAE Minister of State for Digital Economy, AI and Remote Working Systems, has revealed that the Data Law is being drafted in partnership with, and with the input of, major technology companies.
Mr Al Olama expressed that the Data Law has been designed to:
- have a low cost of compliance, so as not to burden SMES;
- work effectively in the global data marketplace, allowing international companies based in the UAE to operate data transfers effectively across borders;
- protect the privacy of individuals, particularly from private enterprises seeking to monetise consumers' personal data for profit; and
- subject to certain controls, enable businesses to extract value from the personal data of their customer.
The Data Law seeks to find harmony between privacy, cost, compliance and commerce.
Mr Al Olama has given us some clues as to what data subject rights we can expect from the Data Law, referring to rights such as the right to be forgotten, rights of access, and the right to information. There is also mention of consent obligations where marketing is concerned. All of these are features of other gold standard data protection regulations, including Europe's GDPR, the UK's Data Protection Act, the DIFC's Data Protection Regulation and the ADGM's Data Protection Regulation.
It will be interesting to see how the Data Law compares to the DIFC's and ADGM's recently enacted data protection laws and how the Data Law incorporates the views of the consulted technology companies.