The UAE has now enacted a new federal data protection law, Federal Law No. 45 of 2021 (DP Law), to regulate the processing of personal data in the UAE as part of its 50th anniversary this year.
The DP Law was issued on 26 September 2021 and recently announced by the UAE's Cabinet Office on 27 November 2021 in the UAE's official gazette. The DP Law is stated to take effect from 2 January 2022. However, the executive regulations (Regulations) which will clarify various elements of the DP Law are yet to be released. The Regulations are expected to be issued within six months of the date of the issuance of the DP Law (i.e. before the end of March 2022). Businesses will then have a grace period of six months from the date of the Regulations to bring their organisations into compliance with the DP Law meaning enforcement is likely to commence from September 2022.
The DP Law brings the UAE's federal data protection regime in line with modern global data protection and data privacy standards, including Europe's General Data Protection Regulation (GDPR). We therefore expect it will be welcomed by local and international businesses.
- DOES THIS APPLY TO ME?
The DP Law applies to all businesses that are processing personal data in the UAE (irrespective of whether the personal data relates to data subjects inside the UAE) or that are based abroad but are processing personal data relating to data subjects that are inside the UAE. The new DP Law therefore has an "extra-territorial" reach similar to the GDPR.
- WHO DOES THE LAW NOT APPLY TO?
The DP Law does not apply to government data (which is left undefined in the DP Law), government authorities that control or process personal data, or personal data held by security and judicial authorities. It also does not cover the processing of personal data for personal purposes, personal health data or personal banking data, as there are separate laws regulating the protection of such data.
The DP Law will not apply to entities in UAE free zones where such free zones have their own data protection and privacy laws (such as the Dubai International Financial Centre and Abu Dhabi Global Market). Whilst it is expected that the DP Law will operate alongside the existing free zone regimes in the UAE, there is at this point some uncertainty as to how the different data protection regimes in the UAE will interact with one another.
The DP Law also provides that certain UAE businesses that do not process large volumes of personal data in their ordinary course of business may be able to obtain an exemption from some or all elements of the DP Law. Further details of the exemption are to be set out in the Regulations.
- SO WHAT'S ACTUALLY INCLUDED?
Many elements of the DP Law are consistent with those adopted in other modern data protection regulations. However, there are some notable differences too.
Lawful bases – Personal data can only be processed with the consent of the data subject except in limited circumstances. These include if the processing is: necessary to execute a contract to which the data subject is a party; required to protect interests of the public; relates to data already in the public domain; required for filing or defending against legal proceedings; necessary for certain medical purposes, including assessing one's ability to perform work, medical diagnosis, providing health or social care, health insurance services or management of health care systems pursuant to applicable laws; necessary to comply with legal obligations or exercising legal rights in the fields of recruitment or social security; necessary to comply with other laws. Interestingly, the DP Law does not include a right to process personal data pursuant to one's "legitimate interests", a common legal basis in other international data protection and privacy laws.
Consent – If consent is used as the lawful basis for processing then it should be obtained from data subjects in a specific, clear and unambiguous form and should be made through a positive statement or clear affirmative action. Data subjects are entitled to withdraw their consent at any time.
Rights of Data Subjects – Data subjects are granted various rights under the DP Law. These include the rights to transfer their personal data; rectification or erasure of personal data; restriction on processing of personal data; the right to object to certain types of processing and automated processing; and rights to access information without any charge applied by data controllers.
Data Protection Officer – The DP Law requires businesses (both controllers and processors) to appoint a data protection officer (DPO) in certain circumstances, including where the processing creates a high-level risk due to the use of new technology or the volume of the personal data; processing includes an assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed. The DPO may be an existing employee of the business or a third party and may be based in the UAE or outside of the UAE.
Data Protection Impact Assessments – Data controllers are required to assess their proposed processing activities where there is a high risk to the privacy and confidentiality of personal data when using modern technologies. The DP Law prescribes the minimum information that should be included in such assessments.
Limitations on Processing – Personal data must only be processed in accordance with a specified and clear purpose. Personal data must also be kept up to date, secure and kept only for as long as is required by the specified purpose.
Privacy Notice – The DP Law does not include an express requirement on data controllers to provide privacy notices to data subjects at the time of collecting their personal data. However, processing must be transparent and lawful. This would suggest that the data controller must provide certain information to the data subject in respect of any processing of their personal data, including the purposes of the processing, the sectors or entities inside or outside of the UAE with whom personal data will be shared and the appropriate safeguards to be applied if the personal data is transferred outside of the UAE.
International Transfers – Similar to the GDPR's concept of "adequacy", the DP Law allows for the transfer of personal data outside of the UAE to countries that are approved by the Data Office as having an adequate level of data protection. It may be possible to transfer data to other jurisdictions where any exemptions apply. These include securing the explicit consent of the data subject, provided that this does not conflict with the public or security interests of the UAE, or if the transfer is necessary to perform obligations or to execute a contract with the data subject. Further details on the list of "adequate" countries are expected in the Regulations or from the Data Office at a later stage.
Notification of Breach – If a data breach is likely to result in a risk to the privacy, confidentiality and security of personal data then it must be notified to the Data Office. The data controller must always notify the data subject irrespective of whether there is a high risk to the data subject or not. The timelines for breach notifications are to be set out in the Regulations.
- WHO WILL BE RESPONSIBLE FOR REGULATING COMPLIANCE WITH THE NEW DP LAW?
The DP Law will be overseen by the UAE's Data Office which is to be established pursuant to a separate Federal Decree-Law No. 44 of 2021 that was enacted at the same time as the DP Law. The Data Office is the first "onshore" data protection regulator and will be responsible for the protection of personal data in the UAE. The Data Office will be responsible for preparing legislation and policies regarding data protection; issuing guidance for implementing the data protection legislation; handling complaints and data breach notifications; and imposing administrative penalties based on a proposal by the Director General (to be appointed in due course) of the Data Office.
The DP Law does not set out the administrative penalties that can be imposed on businesses for breaches of the DP Law. We expect the details to be included in the Regulations.
- WHAT DOES THIS MEAN FOR US, WHAT SHOULD WE DO?
All businesses that are covered by the DP Law will need to audit their existing data use in order to update processes, contracts, notices and employee awareness to ensure compliance with the DP Law. Any business with a global privacy programme should expand it to include the UAE, and we would strongly recommend taking appropriate steps now to ensure compliance as soon as possible:
DPO: If you wish to use your existing DPO to also cover the UAE, then you should consider whether that individual has sufficient skills and knowledge of the local requirements in the UAE to properly fulfil their role.
Audit: Undertake an audit of your processing activities to ensure that (1) data being processed is relevant, accurate and being processed for the purposes for which it was collected pursuant to a legal basis set out in the DP Law; (2) consents obtained remain valid; and (3) appropriate technical and operational measures are in place. Audits are crucial to start populating registers of processing activities that record personal data use and demonstrate compliance and accountability.
Employment: Update your employment contracts to reflect the DP Law regime, taking note of changes to consent requirements.
Supply Chain Management: If you outsource any of your processing activities (e.g. payroll, HR, recruitment, direct marketing, employee benefits), then you will need to enter into robust data processing agreements with your suppliers to ensure compliance with the DP Law. Audits of your supply chain are essential.
Training: Undertake staff training to ensure that changes are understood and to explain what is expected of staff when handling personal data.
- HOW CAN WE HELP?
For any questions or practical assistance about how we can help you comply with the requirements of the DP Law, please contact our experts in Dubai.