The UAE enacts its first personal data protection law: what we know so far

As part of the 50th anniversary of the United Arab Emirates, which marks the Golden Jubilee, the UAE announced a set of 50 new projects and initiatives ('Principles of the 50') which aim is to accelerate the development of the United Arab Emirates and to consolidate them into a complete pole in all sectors as well as attract talent and investors from around the world. Indeed, the UAE has always believed in shaping its own path to success and is yet again demonstrating to the world how a country can be at the forefront of diversifying and strengthening its own economy. This article will consider the impact that the newly enacted personal data protection law will have on individuals and organisations as part of the country's new era of political, economic and social development. 

In unveiling the new data law, Omar Al Olama, Minister of State for Artificial Intelligence, stated that the purpose of such a move was to ensure the privacy of individuals and international businesses. Indeed, the aim of the new law is to give individuals the freedom to control how their personal information is used, stored and shared in a way that supports the preservation of the privacy of individuals and institutions in the country. 

To begin with, it is worth mentioning that the UAE did not have a data protection law at the federal and national level before, and there was no single national data protection regulator. Personal Data protection was found in different legislations without being unified into one single decree. The Constitution of the UAE gives citizens a general right to privacy under article 31, where it provides for the right to freedom and secrecy of communication by post, telegraph, or other means of communication under law. Moreover, provisions of the Federal Law No 5 of 1985: the Civil Code as amended by Federal Law No. 1 of 1987 and the Federal Law No. 3 of 1987: The Penal Code ('the Penal Code') are relevant when considering privacy-related issues. For instance, the Civil Code sets out certain obligations on employers when dealing with employee information, particularly on the termination of an employee's employment (Article 913 of the Civil Code. Likewise, sector specific regulations (such as telecommunications, consumer protection, and cybercrime laws) provide some limited data protection rights in certain circumstances.

Additionally, to overcome the absence of a federal and national data protection law, different free zones such as the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Dubai Healthcare City (DHCC) have had each to enact separate data protection laws applicable to businesses operating in the relevant zone. 

Therefore, it is undeniable that the enactment of Federal Decree-Law No. 45 of 2021 regarding the protection of personal data ('PPD' law) which is going to be the main data protection legislation in the UAE mainland and the free zones (with limited exceptions) has been welcomed by many. 

The Law is stated to apply to i) individuals who reside or have a place of business in the UAE, ii) locally established businesses that process data of data subjects located in or outside the UAE, and iii) any businesses outside the UAE that process personal data of individuals inside the UAE. It is highlighted how the new law does not apply to organisations established in free zones that have their own data protection legislation (for example, the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM)), or some specific categories of data, for example, health data or banking and credit data that are subject to their own data protection legislation. 

It is interesting to note that many of the obligations of the new law are in line with international practices, therefore, rendering the whole transition period smoother for both the companies and the individuals involved. Indeed, some aspects of the law include: 

• The requirement to process data in a fair, transparent and lawful manner; to collect personal data for specific and clear purposes and to ensure that data is sufficient for and limited to the purpose for which it is being processed, and to keep the data accurate, correct and updated.
• The requirement to obtain consent except in limited cases which include the performance of contracts, compliance with legal obligations and protecting the data subject's vital interests. 
• The requirement for consent to be given in a clear, simple, unambiguous and easily accessible manner, and the requirement for consent and an opt-out option in relation to the use of personal data for marketing purposes.
• The prohibition of the transfer of personal data (outside the UAE) to jurisdictions that do not offer an adequate level of protection without the data subject's consent, subject to specific derogations, including transfers necessary for the performance of contracts or to fulfil an obligation, protection of the data subject's vital interests, or preparing, pursuing or defending a legal claim. The Law allows the transfer of personal data to jurisdictions that offer an adequate level of protection; however, the same is subject to the approval of the UAE Data Office – the UAE national data privacy regulator. 

Moreover, a national data privacy regulator, the UAE Data Office, will be established under a separate statute to regulate the implementation of the Data Protection Law. The UAE Data Office will be responsible for a wide range of tasks that include:

• proposing and preparing policies relating to data protection;
• proposing and approving the standards for monitoring the application of federal legislation regulating personal data;
• preparing and approving systems for complaints and grievances; and
• issuing guidelines and instructions for the implementation of data protection legislations.

It is important to note that organisations must carry out an impact assessment when using any modern technologies that would pose a high risk to the privacy and confidentiality of the Personal Data of data subjects. 

Lastly, the new law will enter into effect on January 2, 2022 and the executive regulations, which will give further information on certain aspects of the law, are stated to be issued within six months from the date of promulgation of the law. Indeed, organisations that will have to comply with the new law, will have a cooling period of six months from the date of issuance to comply with the requirements of the law. It is advised that such organisations should already commence conducting an assessment of their processing activities in order to implement the appropriate compliance measures. 

Meskerem Taverna    

Legal Consultant