Legal Consultant
As part of the 50th anniversary of the United Arab Emirates, which marks the Golden Jubilee, the UAE announced a set of 50 new projects and initiatives ('Principles of the 50') which aim is to accelerate the development of the United Arab Emirates and to consolidate them into a complete pole in all sectors as well as attract talent and investors from around the world. Indeed, the UAE has always believed in shaping its own path to success and is yet again demonstrating to the world how a country can be at the forefront of diversifying and strengthening its own economy. This article will consider the impact that the newly enacted personal data protection law will have on individuals and organisations as part of the country's new era of political, economic and social development.
In unveiling the new data law, Omar Al Olama, Minister of State for Artificial Intelligence, stated that the purpose of such a move was to ensure the privacy of individuals and international businesses. Indeed, the aim of the new law is to give individuals the freedom to control how their personal information is used, stored and shared in a way that supports the preservation of the privacy of individuals and institutions in the country.
To begin with, it is worth mentioning that the UAE did not have a data protection law at the federal and national level before, and there was no single national data protection regulator. Personal Data protection was found in different legislations without being unified into one single decree. The Constitution of the UAE gives citizens a general right to privacy under article 31, where it provides for the right to freedom and secrecy of communication by post, telegraph, or other means of communication under law. Moreover, provisions of the Federal Law No 5 of 1985: the Civil Code as amended by Federal Law No. 1 of 1987 and the Federal Law No. 3 of 1987: The Penal Code ('the Penal Code') are relevant when considering privacy-related issues. For instance, the Civil Code sets out certain obligations on employers when dealing with employee information, particularly on the termination of an employee's employment (Article 913 of the Civil Code. Likewise, sector specific regulations (such as telecommunications, consumer protection, and cybercrime laws) provide some limited data protection rights in certain circumstances.
Additionally, to overcome the absence of a federal and national data protection law, different free zones such as the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Dubai Healthcare City (DHCC) have had each to enact separate data protection laws applicable to businesses operating in the relevant zone.
Therefore, it is undeniable that the enactment of Federal Decree-Law No. 45 of 2021 regarding the protection of personal data ('PPD' law) which is going to be the main data protection legislation in the UAE mainland and the free zones (with limited exceptions) has been welcomed by many.
The Law is stated to apply to i) individuals who reside or have a place of business in the UAE, ii) locally established businesses that process data of data subjects located in or outside the UAE, and iii) any businesses outside the UAE that process personal data of individuals inside the UAE. It is highlighted how the new law does not apply to organisations established in free zones that have their own data protection legislation (for example, the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM)), or some specific categories of data, for example, health data or banking and credit data that are subject to their own data protection legislation.
It is interesting to note that many of the obligations of the new law are in line with international practices, therefore, rendering the whole transition period smoother for both the companies and the individuals involved. Indeed, some aspects of the law include:
Moreover, a national data privacy regulator, the UAE Data Office, will be established under a separate statute to regulate the implementation of the Data Protection Law. The UAE Data Office will be responsible for a wide range of tasks that include:
It is important to note that organisations must carry out an impact assessment when using any modern technologies that would pose a high risk to the privacy and confidentiality of the Personal Data of data subjects.
Lastly, the new law will enter into effect on January 2, 2022 and the executive regulations, which will give further information on certain aspects of the law, are stated to be issued within six months from the date of promulgation of the law. Indeed, organisations that will have to comply with the new law, will have a cooling period of six months from the date of issuance to comply with the requirements of the law. It is advised that such organisations should already commence conducting an assessment of their processing activities in order to implement the appropriate compliance measures.
In a significant move by Abu Dhabi Global Market (ADGM) pursuant to UAE Cabinet Resolution No.41 of 2023, by expanding its jurisdiction from Al Maryah Island to...
The growth of digital assets has fundamentally transformed the landscape of wealth management. As the value of cryptocurrencies, non-fungible tokens (NFTs), and...
Introduction Artificial intelligence is the ability of machines to carry out tasks like intelligent individuals. Arbitration, like many fields of work, has bee...
Stay updated with the latest legal news, events, and expert insights from The Jurist.