The United Arab Emirates has introduced a new Federal Law for the Protection of Personal Data, the first comprehensive federal data protection law in the country and the latest addition to the "Year of the 50th" legislative reform package. Federal Decree-Law No. 45 of 2021 (the "Law") is intended to bring the UAE in line with international best practice data protection principles and grants protections to individuals' personal data. Below, we summarise 10 key aspects of the Law.
1. The meaning of 'personal data' under the Law
The Law protects "any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data". This expressly includes an individual's name, image, voice, identification number and geographical location, or one or more of the natural person's physical, physiological, economic, cultural or social characteristics, and it includes sensitive personal data.
2. Who does the Law apply to?
The Law applies to:
- Controllers – a person or entity that determines the method and criteria for processing personal data and the purpose of the processing; and
- Processors – a person or entity that processes personal data on behalf of, under the direction of and in accordance with the instructions of a controller.
Like the EU General Data Protection Regulation ("GDPR"), the Law has extra-territorial scope. It applies to any organisation established in the UAE that processes personal data of data subjects inside or outside the UAE, and to any organisation established outside the UAE that processes personal data of data subjects inside the UAE.
The Law does not apply inside the DIFC and ADGM financial free zones, which have their own data protection regimes. Nor does it apply to health personal data, which is regulated by UAE Federal Law No. 2 of 2019 (the ICT Health Law), or to certain government entities.
3. Timing for compliance
The Law was announced by the UAE Cabinet on 28 November 2021 and comes into effect on 2 January 2022. Executive Regulations are due to be issued by 20 March 2022 and are expected to set out additional detail on companies' obligations and compliance requirements under the Law. Companies will then have six months from the issuance of the Executive Regulations to comply with the Law (a period the Cabinet may extend).
4. Legal basis
Data subjects must give their consent to the processing of their personal data unless an exemption applies. Consent must be specific, clear and unambiguous, and take the form of a positive statement or action.
Processing without the data subject's consent is permitted where the processing is necessary: (i) to perform a contract with the data subject; (ii) to comply with a legal obligation; (iii) to protect the public interest; or (iv) to enable the controller or the data subject to carry out obligations and exercise rights in the field of employment or social security. Unlike other international legislation, the Law does not provide for processing on the basis of a controller's "legitimate interests".
5. Data subject rights
Under the Law, data subjects have a number of rights, including the right: (i) to receive information from a controller (i.e. the right of access); (ii) to request the transfer of their personal data (data portability); (iii) to restrict the processing of their personal data in certain cases; (iv) to have their personal data corrected or erased (i.e. the right to be forgotten); (v) to object to certain types of processing (for example, processing for direct marketing or for scientific and statistical research); and (vi) to object to automated processing.
6. Transparency
Whilst the Law refers to the principle of transparency, unlike the GDPR it does not expressly require controllers to provide information notices to data subjects at the time their personal data is collected.
7. Data Protection Officer (DPO)
In certain circumstances, companies will be required to appoint a DPO responsible for monitoring the organisation's data protection compliance. Companies that already have a DPO for GDPR purposes may use the same individual for the UAE role, but DPOs should be suitably trained to understand the local requirements.
8. Direct marketing
Organisations may only use personal data for marketing purposes with the consent of the data subject. They must also provide opt-out mechanisms that allow data subjects to withdraw their consent or object to receiving marketing communications.
9. International transfers
Transfers of personal data outside the UAE are subject to the approval of the UAE Data Office (the newly established federal data protection regulator) and are permitted only to states or territories that offer an adequate level of protection. It is not yet known whether the UAE Data Office will publish guidance designating approved countries for data transfers.
10. Penalties for non-compliance
Penalties are not specified in the Law itself; it is expected that the forthcoming Executive Regulations will set out the penalties for breaches of the Law. It is not yet known whether the regulations will contain a schedule of fines (and other sanctions) for different violations, or simply specify a maximum amount and leave the UAE Data Office and the courts greater discretion.
The introduction of the Law is a welcome addition to the statute books and codifies in one place the rules governing the protection of personal data in the UAE.