UAE prepares for enforcement of landmark personal data protection law

Out-Law News | 14 Dec 2021 | 12:42 pm | 3 min. read

The UAE is preparing for landmark new personal data legislation to come into force in a matter of weeks.

While the UAE Constitution and its penal code both have implications for the transfer and use of personal data, the new ‘UAE Data Protection Law’ (DPL) will be the first comprehensive federal data privacy law in the country’s history.

Barkha Doshi, data protection expert at Pinsent Masons, said the UAE now “joins the Kingdom of Saudi Arabia by passing a standalone federal data protection regime and brings comprehensive data protection legislation to another country in the Middle East.”

The law, which will come into force on 2 January 2022, is intended to protect “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”.

It will also apply to sensitive personal data, like race and philosophical beliefs, and biometric data such as fingerprints.

“Remarkably, the new Federal Data Protection law largely mirrors the European Union’s General Data Protection Regulation (GDPR) legislation,” Doshi said.

Like GDPR, the DPL will prohibit the processing of personal data without the specific, clear and unambiguous consent of data subjects, given in the form of a clear positive statement or action.

Exceptions to the consent rule include if the processing is necessary to fulfil a contract with a data subject, to comply with legal obligations, or to protect public interest.

Barkha Doshi

Associate at Pinsent Masons

Owing to this new regime, all businesses operating in the UAE...will need to assess their activities and make changes to align with the new Data Protection Law as quickly as possible.

The DPL will give data subjects a number of rights over their personal data, including the right to access their personal data held by a controller, to request the transfer of their personal data, to have their personal data amended or erased, to restrict the processing of their personal data in certain cases, and to object to automatic processing - and certain types of data processing like marketing.

Data controllers will be required to communicate with data subjects and will need to appoint a Data Protection Officer (DPO) to comply with the law.

An organisation will have to make clear to data subjects why their personal data is being collected and processed, and will only be able to use personal data for marketing purposes with the consent of data subjects.

Organisations will also have to provide an ‘opt-out’ method for data subjects to withdraw their consent, and will be required to limit their data processing, ensuring they do not collect more data than is needed for the purpose they have given.

The DPL sets out how impact assessments should be carried out by firms on the protection of personal data when using any modern technologies that pose potential risks to the privacy and confidentiality of data subjects.

Like the EU’s GDPR, the UAE’s DPL will have extra-territorial reach, applying to all organisations in the UAE that process the personal data of people inside or outside the country.

It will also apply to organisations established outside of the UAE that process the data of people inside the UAE.

Government data, meanwhile, and the government and judicial bodies that control and process personal data, will be exempt from the DPL.

The law will also not apply to personal health data regulated by the ICT healthcare law, personal banking data that is already governed separately, and companies in the free zones in the UAE that have pre-existing personal data protection laws – like the Abu Dhabi Global Market. 

Doshi said: “Owing to this new regime, all businesses operating in the UAE, or that are based outside the UAE but process personal data of data subjects located in the UAE, will need to assess their activities and make changes to align with the new Data Protection Law as quickly as possible”.

Additionally, a new ‘UAE Data Office’, which will regulate and update the DPL, will have the power to exempt other organisations that do not process large amounts of personal data.

The office will be responsible preparing data protection policies, monitoring the application of federal legislation regulating personal data and approving systems for complaints and grievances.

It will also issue guidelines for authorities on how to implement the data protection law.

From 2 January, data controllers and processors will have six months to ensure their operations comply with the new law.

Penalties for breaches are not included in the current legislation but will be specified in future executive regulations.

It is not yet clear whether the regulations will give the UAE Data Office and courts power to impose fines and other sanctions at their discretion.