Out-Law Guide
02 Mar 2023, 9:48 am
The UAE has a complex data protection landscape that foreign companies need to navigate.
The UAE has onshore federal data protection laws, alongside separate offshore regimes in its financial centre 'free zones', the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), each of which operates under its own legal framework, and in Dubai Healthcare City (DHCC), a Dubai healthcare free zone.
The UAE also has other laws and regulations, including emirate and sector-specific laws and regulations, that include data protection provisions. The UAE has not entered into any international agreements with a specific data protection focus.
On 28 November 2021, the UAE Cabinet announced that it had enacted Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL 2021), which was issued on 20 September 2021. The PDPL 2021 entered into force on 2 January 2022. Prior to then, the UAE did not have a stand-alone federal data protection law.
The PDPL 2021 provides for executive regulations to be issued setting out in more detail the data protection requirements businesses must meet. The executive regulations have yet to be issued and there is no indication of when this will happen.
The PDPL 2021 covers the processing of personal data belonging to UAE data subjects, regardless of where the data controller or data processor is established.
However, the PDPL 2021 does not apply to certain types of data. These include government data, a term the PDPL 2021 does not define; personal data held by UAE security and judicial authorities; and health and financial personal data where separate legislation already regulates that data (see the section on sector-specific laws and regulations below). The PDPL 2021 also does not apply to government authorities' own data processing activities.
The PDPL 2021 is largely in line with international privacy practices. For example, it adopts the principles of “lawfulness”, “fairness” and “transparency” and outlines standard lawful bases for processing personal data, such as consent, protecting the interests of the data subject or public, and where it is necessary to perform a contract with the data subject. Unlike the EU General Data Protection Regulation (GDPR), however, the PDPL 2021 does not currently include legitimate interests as a lawful basis for processing personal data.
The PDPL 2021 sets out data subject rights in line with international standards, such as the right to obtain information, the right to data portability, the right to correct or erase personal data, the right to restrict personal data processing, the right to stop personal data processing and the right not to be subject to automated processing – such as profiling – which could have legal consequences or seriously affect the data subject.
The PDPL 2021 also includes comprehensive requirements for controllers and processors, breach notification requirements, obligations around the appointment of data protection officers, data protection impact assessment requirements, and requirements for privacy notices.
The PDPL 2021 provides for cross-border transfer of personal data outside the UAE to countries approved by the Data Office (defined below) as having an adequate level of protection, or where a bilateral or multilateral agreement relating to protection of personal data is in place.
Where there is a personal data transfer outside the UAE to a country which is not approved by the Data Office as having an adequate level of protection, companies may still transfer personal data under certain limited circumstances – for example, where contractual provisions are entered into which include appropriate and enforceable data protection requirements, measures and controls.
The Data Office has the power to impose penalties for violations of the PDPL 2021. What those penalties will be and whether these will be criminal and civil penalties will be determined in the executive regulations, or otherwise by the Data Office.
Federal Decree-Law No. 44/2021 established the UAE Data Office (Data Office) which, once fully set up, will act as the UAE data protection regulatory authority. The Data Office is responsible for preparing policies and legislation, monitoring the implementation of the PDPL 2021, preparing a system for complaints and grievances, and issuing guidance on the PDPL 2021. The Data Office is in the process of being established.
Data subjects have the right to file a complaint with the Data Office for any violation of the PDPL 2021. The Data Office may then impose penalties. The penalties and fines regime should be further clarified in the executive regulations and may include criminal and civil penalties.
There are other federal UAE laws that cover data protection and privacy more generally. These include:
The relevant general data protection framework in the DIFC is the Data Protection Law, DIFC Law No. 5 of 2020 (DIFC DP Law) and the updated Data Protection Regulations. The framework was enacted on 21 May 2020 and came into force on 1 July 2020.
The DIFC DP Law applies to companies incorporated in the DIFC which process personal data, regardless of whether the processing takes place in the DIFC or abroad, and, in certain circumstances, also applies to foreign companies which process personal data in the DIFC. The DIFC DP Law aligns closely with the GDPR and prescribes detailed rules and regulations regarding the collection, handling, disclosure, and use of personal data in the DIFC. There are certain minor differences between the DIFC DP Law and the GDPR, including the requirements and timelines for reporting personal data breaches and the penalty structures.
The Office of the Commissioner of Data Protection is the independent regulator set up to uphold information rights in the public interest and data privacy for individuals in or from the DIFC.
While the DIFC is a common law jurisdiction with its own civil and commercial laws, UAE criminal laws continue to apply within the DIFC.
The relevant data protection law in the ADGM free zone is the ADGM Data Protection Regulations 2021 (ADGM DPR). The regulations were issued on 11 February 2021 and published on 14 February 2021. A transition period before enforcement applied: 12 months for existing businesses (to 14 February 2022) and six months for new companies (to 14 August 2021). The ADGM DPR applies to the processing of personal data within the ADGM. As with the DIFC DP Law, the ADGM DPR draws on international standards and best practices, particularly the GDPR.
The ADGM DPR established the independent Office of Data Protection (ODP) headed by the newly created commissioner of data protection.
As in the DIFC, while the ADGM is a common law jurisdiction with its own civil and commercial laws, UAE criminal laws continue to apply within the ADGM.
Depending on which sector and location a business operates in, further consideration of specific sector laws and regulations, and emirate laws and regulations, may be necessary. The list of examples below is not exhaustive.
Federal Decree-Law No. 2/2019 Concerning the Use of Information and Communication Technology in Health Fields including Cabinet Resolution No. 32/2020 and exceptions pursuant to Ministerial Resolution No. 51/2021 (together Health Data Law) covers the collection, processing and circulation of health data. The Health Data Law sets out data processing, data security and data retention requirements, and places certain restrictions on the transfer of health data.
Individual emirates also have their own health data rules. These include the Dubai Healthcare City Health Data Protection Regulation No. 7/2013 (DHCC Regulation), which applies to any 'licensee' that conducts business within the DHCC. The DHCC Regulation defines a 'licensee' as any licensed healthcare professional, licensed complementary and alternative medicine professional, licensed healthcare operator, approved education operator, approved research operator, licensed commercial company, or non-clinical operating permit holder.
The DHCC Regulation places restrictions on the licensee’s management of patient health data, regardless of where that data might be held, and sets out the requirements for patient health data retention and transfer of patient health data.
In the UAE financial services sector, there are a number of regulations that govern the protection of personal data. These include the Consumer Protection Regulation (Central Bank Circular No. 8/2020) and related Consumer Protection Standards, which include detailed data protection provisions. Other relevant regulations include the Central Bank Circular No. 112/2018 on Finance Companies Regulation, and Central Bank Circular No. 14/2021 Outsourcing Regulation and Standards covering banks’ outsourcing activities.
In the UAE telecoms sector, the Telecommunications and Digital Government Regulatory Authority, the independent regulator for the information, communications and telecommunications sector, has issued various regulations that include data protection provisions. These include the Internet of Things (IoT) Regulatory Policy, which applies broadly to IoT service providers and IoT service users and sets out, among other things, data classification requirements and related restrictions on cross-border data transfers.
There are also UAE government laws and regulations at the federal and emirate level covering the use of government data by government entities and government service providers. These include the UAE Information Security Regulations and the Dubai Data Law. UAE government entities focused on the protection and use of government data include Digital Dubai, the Dubai Electronic Security Centre, and the Abu Dhabi Digital Authority.