The UAE Data Protection Law – Key Takeaways
As part of the major legal reforms implemented on the occasion of the UAE's 50th anniversary, the UAE published the highly anticipated Federal Data Protection Law (Law No: 45 of 2021). The new Law will come into force on 2 January 2022 and provides companies approximately a year (unless extended) to regulate their personal data activities before enforcement begins.
In this article, we discuss the key aspects of the new DP Law and some practical steps companies should be considering.
Whom does it apply to?
The DP Law has extra-territorial reach and applies to:
- individuals residing in or who have a place of business in the UAE who process personal data
- organisations established in the UAE that process personal data of individuals located inside or outside the UAE
- organisations established outside the UAE that process personal data of individuals located inside the UAE
What or whom does it not apply to?
- government data
- government authorities that control or process personal data
- free zone companies who are already subject to data protection legislation
- security and judicial authorities who process personal data
- health personal data that is already subject to data protection legislation
- banking and credit personal data subject to legislation regulating data processing and protection
- individuals who process data related to them for personal purposes
In addition, the new data regulator (the "UAE Data Office") can exempt companies that do not process a large amount of personal data from the application of some or all of the DP Law. The UAE Telecommunications and Regulatory Authority would support the UAE Data Office in its first two years.
What data is affected?
The DP Law regulates the processing of personal data, which is “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. This includes an individual’s name, voice, image, identification number, electronic identifier, and geographical location. It also includes sensitive personal data and biometric data, as well as any information that can reveal the identity of a person's family (which is arguably wider than the GDPR).
Basis for processing personal data
In line with the previous position under the UAE Penal Code, the DP Law maintains the requirement to obtain a data subject's consent in order to process their personal data. Such consent should be clear, simple, and unambiguous and indicate the data subject's right to withdraw consent and that such withdrawal must be easily made. Companies that did not provide this information to data subjects previously will need to update their consent forms and policy documents.
The DP Law envisages that Executive Regulations would be published by the UAE Data Office within six months (unless extended) which would provide further details on various aspects of the law. It is to be seen if the Executive Regulations stipulate additional requirements as to the form of consent. However, consent is not the only basis for processing personal data.
The DP Law permits processing in other circumstances including:
- where processing is necessary for the performance of a contract to which the individual is a party, or to take actions at the request of the individual with the aim of concluding, amending or terminating a contract
- commencement or defence of a legal claim or judicial or security procedures
- processing personal data which is necessary for the fulfilment of the organisation’s obligations under applicable UAE laws
- processing personal data which is necessary for the purposes of carrying out the obligations and exercising the rights of the organisation or of the individual in the field of employment and social security and social protection law
- protection of public interest and also public health including protection from epidemics (e.g., COVID-19)
- processing personal data made public by the individual
However, unlike the GDPR or the DIFC and ADGM data protection laws, the DP Law does not include "legitimate interest" as a valid basis for an organisation to process personal data. It is to be seen if this is introduced in the Executive Regulations.
International data transfers
The DP Law's approach to international data transfers is similar to the GDPR and the ADGM and DIFC data protection laws. Personal data may be transferred outside the UAE if:
- the receiving jurisdiction has a data protection law that has appropriate protections for data subjects or has a bilateral or multilateral data protection agreement with the UAE – it is anticipated that the UAE Data Office may provide further guidance on such jurisdictions
- the data subject has given express consent, provided the transfer does not conflict with the public and security interest of the UAE
- the transfer is pursuant to a contract that requires the recipient to comply with the DP Law – this is similar to the concept of standard contractual clauses under the GDPR or DIFC and ADGM laws. The DP Law notes that the Executive Regulations will provide further details
- if the transfer is necessary to enter into or perform a contract with a data subject or with a third party in the data subject's interest
- it is necessary for international judicial cooperation or exercising / defending rights before judicial authorities
Appointment of Data Protection Officer (DPO) / performing a data protection impact assessment
Similar to the GDPR and the ADGM and DIFC data protection laws, the DP Law requires a company to appoint a DPO if it conducts high risk data processing activities which are:
- implementing new technology that causes a high level of risk to the confidentiality and privacy of the personal data
- automated processing (i.e., processing with limited or no human involvement) including for profiling of data subjects
- processing large amounts of sensitive personal data
The DPO can be an employee or contractor and need not be based in the UAE – which may help international groups with a centralised DPO function. The DP Law also requires companies to perform a data protection impact assessment before processing personal data in the circumstances described in the second and third points above (automated processing, including profiling, and processing large amounts of sensitive personal data).
Contracts with processors?
The DP Law envisages there being a contract between a data controller and a data processor that sets out the scope of processing and other details. It is not clear if this contract is a mandatory requirement like it is in the GDPR and the DIFC and ADGM data protection laws, and further guidance is required. In cases of co-processing, the processors need to clearly divide their roles and obligations in a contract or would otherwise be subject to joint liability. The DP Law does not appear to expressly cover sub-processors and the Executive Regulations might provide some clarification.
Rights of data subjects
Similar to the GDPR, the DP Law provides data subjects with various rights including the right to access their data, transfer their data, withdraw consent to their data being processed, object to automated data processing and stop processing for marketing and surveys. It is to be seen if this leads to an increase in data subject access requests as has been the case in the EU and the DIFC. It will also be interesting to see if the practice of marketing 'cold-calls' may reduce in light of these new data subject rights. Data subjects have to be provided information in relation to their rights which is typically done through privacy policies. Companies may therefore need to create new privacy policies or update their existing privacy policies.
Data security / breach reporting
Organisations that process personal data are obliged to implement appropriate technical measures to ensure security levels in line with international standards and best practice. In the event of a data breach that could prejudice the privacy, confidentiality and security of the individuals’ data, organisations are required to notify the UAE Data Office and the affected data subjects.
The requirement to notify affected data subjects is subject to a lower threshold than the GDPR and is therefore likely to apply in more cases. The data controller must notify the UAE Data Office immediately. Further details around the timing and notification process are expected in the Executive Regulations.
Conclusion
The DP Law has created a standalone data protection law and regulator in the UAE which is in line with privacy developments worldwide and is a welcome development. The DP Law reflects some of the key concepts and principles from the GDPR and DIFC and ADGM data protection laws but with some key differences as highlighted in this briefing.
While it is anticipated that the impending Executive Regulations would provide further guidance including information on fines and other penalties, companies should start the process of compliance now to get a head start.