M S Sulthan Legal Associates


UAE Data Privacy Law

Considering the demands of contemporary digital culture, the UAE has passed Federal Decree-Law No. 45 of 2021, otherwise known as the Federal Personal Data Protection Law (“PDP”/“Law”). This is in line with Article 31 of the Constitution, which guarantees the general right to privacy for citizens of the UAE. The Law, which came into effect on January 2nd, 2022, was accompanied by Executive Regulations issued within six months of its promulgation. Entities were given an additional six months from the date of issuance of the Executive Regulations to bring themselves into compliance with the Law. It is the first federal law written in collaboration with significant technology companies in the private sector. This article focuses on 10 key points to be considered to ensure compliance with the Law and draws a comparison with the EU data privacy framework, i.e., the General Data Protection Regulation (“GDPR”).



Scope, Applicability and Exemptions



The primary objective of the PDP Law is to change how businesses approach data security and privacy regulation by protecting and empowering UAE citizens’ and residents’ rights to privacy in their personal information. It aims to bring the country into line with global best practices for data privacy.


The PDP Law has both territorial and extraterritorial reach. Territorially, it covers individuals who reside in, or have a place of business in, the UAE and who process personal data, as well as organizations established in the UAE that process the personal data of individuals located within or outside the UAE. Extraterritorially, it extends to organizations established outside the UAE that process the personal data of individuals located within the UAE.


However, the Law does not apply to: i) government data; ii) government agencies controlling or processing personal data; iii) businesses operating in free zones that are already governed by their own data protection laws, such as the DIFC and ADGM; iv) personal data held by security and judicial authorities; v) personal health information covered by its own data privacy laws; vi) individuals who process personal data for personal purposes; and vii) banking and credit data governed by its own data privacy laws.[1] The Data Office shall also exempt some establishments that do not process a large volume of personal data from meeting all the requirements and provisions of the Law.[2]



10 Key Points to be Considered under the Law:



1. Privacy Principles: Key privacy principles include data minimization, storage limitation, data quality and security. Article 5 provides that personal data shall be processed in a fair, transparent, and legitimate manner. Secondly, the personal data collected should be accurate and updated as necessary. All data collected should be securely preserved and protected from any violation or illegal or unauthorized processing.


2. Consent for processing: Under Article 4, the PDP Law makes it illegal to process personal data without the consent of its owner. However, exceptions are made where such processing is necessary to protect the public interest or public health, to perform a contract, to carry out legal obligations, etc.


3. Individual privacy rights: The right to information and access, the right to rectification, and the right to object are some of the rights that data subjects have over their personal data under the UAE PDP Law. This implies that data subjects can ask for copies of all their personal data held by organizations, or request its rectification or deletion. Businesses should uphold these privacy rights by establishing standard operating procedures to manage such requests from data subjects.


4. Record of Processing: As per Article 7, the controller is required to maintain a special record of personal data that includes the details of the controller and of the data protection officer, a description of the categories of personal data held, details of the persons authorized to access such data, the restrictions on and scope of processing, the mechanism for erasure or rectification, the purpose of processing, etc.


5. Third-party management: Before sharing personal data with third-party vendors (“Data Processors”), businesses are required to take additional precautions. These include undertaking data privacy and security due diligence before engaging such third parties.


6. Cross-border data transfer obligations: As per Article 22 of the PDP Law, no personal data shall be transferred to a country outside the UAE unless that country ensures an “adequate level of protection” for the rights of data subjects in connection with the processing of personal data. Where an adequate level of protection is absent, Article 23 provides derogations that permit an authorized cross-border transfer of personal data, for instance by means of Standard Contractual Clauses (“SCCs”). Thus, to ensure compliance, businesses are required to adopt adequate protection measures for cross-border transfers.


7. Obligations of Data Processors: Article 8 provides that data processors shall not perform any activity that would disclose personal data, except in cases authorized by law. The processor shall carry out the processing only in accordance with the instructions of the controller. Further, once the processing period has expired, the data processor shall erase the data from its records.


8. Privacy Impact Assessments: Article 21 requires the Controller to evaluate the impact of proposed data processing operations before the actual processing. The evaluation must consider the nature, scope, and purpose of the processing. Further, it must provide a clear and systematic explanation of the processing operations, their necessity and suitability, as well as the potential risks to the privacy and confidentiality of data subjects’ personal data.


9. Breach Notification: As per Article 9, the data subject should be notified of any breach or violation of the data subject’s personal data that affects the privacy, confidentiality, and security of such data.


10. Appointment of a Data Protection Officer: Article 10 provides for the appointment of a data protection officer. The Controller and processor shall collectively appoint a data protection officer who is skilled in the protection of personal data. Such an officer may be a citizen or a foreign national authorized by the controller/processor.



Comparison with GDPR



The Law is heavily inspired by the EU GDPR and therefore shares several features with it. The following are some of the similarities:


1. Scope/Applicability: Both the GDPR and the Law have extraterritorial scope. However, the PDP Law is broader than the GDPR, as it automatically applies to organizations outside the UAE that process the personal data of individuals located within the UAE. The extraterritorial applicability of the GDPR, on the other hand, is conditional: by virtue of Article 3 of the GDPR, it applies only to data processing related to certain specified activities.[3]


2. Consent: Both laws require that consent be specific, clear, and unambiguous.


3. Rights of Data Subjects: The PDP Law guarantees the following rights to data subjects, namely:

a. Right to obtain information (Article 13)

b. Right to request transfer of personal data (Article 14)

c. Right to rectify or erase personal data (Article 15)

d. Right to restrict processing (Article 16)

e. Right to stop processing (Article 17)

f. Rights in relation to automated processing (Article 18)


These rights are provided by the GDPR under Articles 15, 16, 17, 18, 20, and 21. However, Article 23 of the GDPR provides that these rights may be restricted where necessary to safeguard national security, defence, public security, etc. The PDP Law can restrict these rights if the information is not covered by the Law or if the request is overly repetitive.


4. Processing of children’s data: Article 8 of the GDPR provides that the processing of the personal data of a child shall be lawful only where the child is at least 16 years old. In all other cases, processing shall be lawful only to the extent that consent or authorization is given by the child’s parents. The PDP Law, on the other hand, contains no specific provisions for the processing of data relating to children.


5. Record Maintenance: Both laws mandate the maintenance of records of processing activities.


6. Legal basis for Processing: The GDPR provides six legal grounds for processing data, whereas under the PDP Law consent is the sole ground unless an exception applies.


7. Data Protection Authority: Enforcement of the PDP Law is the responsibility of the Data Office established by the Law.


8. Penalties: The penalties applicable to violations are not clearly stated in the Law, and there are as yet no notable enforcement decisions on the matter. However, as per Article 25 of the PDP Law, the Council of Ministers can impose administrative fines upon receiving a complaint from a data subject to the Data Office.


Conclusion:


Several companies have appreciated the UAE government’s consultation with the private sector in framing this legislation and have welcomed the enactment of the PDP Law. The Law does not diverge from other globally well-known data protection regimes, which is a reassurance to companies looking to expand or establish new businesses in the country.




[1] Article 2 of the Law

[2] Article 3 of the Law

[3] Article 3 of GDPR
