The UAE is to introduce a new Data Protection Law, the first federal law of its kind in the region. The new Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic, and social development of the UAE for the next 50 years. The announcement comes a year after the Dubai International Financial Centre (DIFC) brought in Data Protection Law No 5, so the DIFC is ahead of the UAE on this. The aim of both is broadly the same: to simplify data transfer between different countries, particularly with Europe.
The new data law has been drafted in partnership with major technology companies, who are obvious beneficiaries. That explains why Computer Weekly has covered this story in some detail. It explains that the idea behind the data laws is to ease international data transfers by aligning organisations that handle data within the DIFC or, going forward, the UAE, with Europe’s GDPR, so minimising the need for individual organisations to put in place specific transfer mechanisms, such as standard contractual clauses, dealing with data exchange. The rules are enforced by a regulator, the commissioner of data protection, who has the power to impose sanctions, including big fines. On top of that there is the risk of having to pay uncapped compensation directly to data subjects.
The UAE’s Data Law is significant as a route to ‘adequacy’ decisions from other regulators both in the UAE's financial freezones and globally. To make things easier for global organisations, Data Protection Commissioners can examine the laws in other countries to determine whether those countries have adequate levels of data protection. For example, the effect of an adequacy decision by the EU Commissioner is that personal data can flow from the EU to the other country without further safeguards, just as if the transfer were within the EU. In contrast, where adequacy has not been found, further safeguards must be used. So it’s easy to see the business drivers for these new data laws.
So let’s hear more about this. Ruth Stephen joined me by video-link from Dubai to discuss the issues. I asked her first about the DIFC’s data law which came in last year:
Ruth Stephen: “So, last year, the DIFC had an overhaul of its data privacy laws and this meant a lot for businesses all over the DIFC, particularly international businesses where they're transferring personal data between jurisdictions. For employers it's had quite a significant effect because it has given their employees enhanced rights in relation to their personal data. For example, the right to be forgotten, the right to have their data rectified, subject access requests, a whole raft of new obligations that employers have had to consider.”
Joe Glavina: “So in September we saw that announcement about a new UAE-wide regulation which is on its way, a federal law. Tell me about that.”
Ruth Stephen: “Yes, so the federal law which applies to the mainland jurisdiction, so outside of the DIFC and the free zones, this is an overarching law in relation to data privacy that we know is on the horizon, there is a draft law in circulation. Given the approaches to data privacy that other countries in the GCC have taken it is expected that the law will, to a large extent, be aligned with GDPR which, of course, is married up with data privacy laws in the DIFC. So the reason and the rationale for this is to make business work better for business but also for individuals to have clarity, and certainty, and protection, as to how their personal data is being used and who has access to it.”
Joe Glavina: “So, can I turn to the action points around compliance? I guess you’ve been advising on this?”
Joe Glavina: “Last question, Ruth. What if employers get this wrong and they face enforcement action?”
Ruth Stephen: “So we're really yet to see the ramifications but definitely the commissioner has far reaching powers and reputational harm is really one of the big risks to businesses. I mean, for these businesses, you know, obviously the financial consequences are immediate and hit them hard, but the reputational harm in terms of whether their stakeholders, their employees, their competitors, for example, those can be far reaching and longer term consequences and deterrents for companies to ensure compliance with the data privacy laws.”
Aside from data protection, last week Ruth talked to this programme about changes to the DIFC’s employment laws designed to simplify and clarify working arrangements, including home-working during the pandemic. That programme is called ‘DIFC enacts changes to its employment laws’ and is available for viewing now from the Outlaw website.