To download the Data Privacy Q&A guide, please click here.
To see other released Data Privacy Q&A guides on separate jurisdictions, please click here.
Is there a data privacy law in the jurisdiction of UAE? If yes, is it implemented? If no, what laws are relied on?)
UAE Federal Law
The United Arab Emirates (‘UAE’) implemented Federal data protection legislation which came into effect at the beginning of January 2022. There are two Decrees:
The UAE Federal Decree Law No 45 of 2021, Regarding the Protection of Personal Data (“the PPD Law”). Executive Regulations are expected in March 2022. There is a six month window from March for compliance.
The UAE Federal Decree Law No 44 of 2021, Creation of the UAE Data Office which establishes the Data Protection Office to issue guidance and oversee compliance.
UAE Free Zones
Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are free zones which have also enacted their own data protection laws - Data Protection DIFC Law No 5 of 2020 and the Data Protection Regulations 2021 (ADGM). These laws only apply to companies and establishments located in those free zones. It is understood that the PPD Law will operate alongside but not replace these laws.
The Federal Law No. 2 of 2019 on the Use of Information and Communications Technology in Healthcare (‘ICT Health Law’) regulates the use of ICT in the healthcare sector throughout the UAE including in the free zones.
Central Bank of UAE Consumer Protection Regulation
The Central Bank of the UAE issued the Consumer Protection Regulation (Circular No. 8/2020) (CPR) on 31 December 2020. The CPR and the associated Consumer Protection Standards (CPS) established consumer data requirements for licensed financial institutions regulated by the Central Bank (Financial Institutions).
For the purposes of this article, we will discuss the PPD Law.
What significant legal instruments relating to data protection are currently pending? If any, what are the timelines?
The Executive Regulations to the PPD Law are expected in March 2022. These will provide guidance on how to implement the legislation.
Who does the PPD Law apply to?
The law applies to both Controllers and Processors. A Controller is any entity which is processing Personal Data. It can be an individual or an organisation. The entity determines the method and criteria for processing the Personal Data and the purpose. A Processor is any third party who is processing personal data on the instruction of the Controller.
The law applies to Personal Data of individuals residing or working in the UAE (‘UAE Personal Data’).
It applies to all Controllers and Processors located in the UAE regardless of where the individual lives or works, in the UAE or abroad; and all Controllers or Processors located outside of the UAE who are processing UAE Personal Data.
Who is not included in the PPD Law? Governmental authorities, security and judicial authorities and entities which fall within the DIFC and ADGM free zones which have separate data protection laws.
Who are the relevant regulatory and enforcement authorities in the UAE with regards to personal data protection?
The PPD Law is under the supervision of the Emirates Data Office established by UAE Federal Decree Law No 44 of 2021, Creation of the UAE Data Office.
How is personal data defined in the UAE?
Personal Data includes any data relating to a specific natural person or relating to a natural person that can be identified directly or indirectly by linking the data or through the use of identification elements such as names, voices, pictures, identification numbers, electronic identifiers, geographical locations, or one or more of physical, physiological, economic, cultural or social characteristics, including Sensitive Personal Data and Biometric data.
Is there a distinction between personal data and sensitive data under the laws?
Yes. Sensitive Personal Data is defined within the legislation as any data that directly or indirectly discloses the family or ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data of a natural person, or any data relating to a person’s health.
Biometric data is defined as personal data resulting from processing using a specific technology relating to the physical, physiological, or behavioural characteristics of the individual, which allows the identification or confirmation of the unique identification of the individual, such as facial image or fingerprint data.
The PPD Law requires a Controller to appoint a Data Protection Officer if it conducts high risk data processing activities which are: 1. implementing new technologies that cause a high level of risk to the confidentiality and privacy of the Personal Data 2. standardized or automated processing of Sensitive Data (i.e., processing with limited or no human involvement) and 3. processing large amounts of Sensitive Data.
The distinction is not discussed any further within the PPD Law and further guidance is expected to be issued in the Executive Regulations.
What is the consent requirement in the UAE?
Consent must be made through a positive action and not implied. The PPD Law describes it as specific, clear and unambiguous through a statement or a clear affirmative action. This means an individual must actively agree by signing a document or electronically tick a box. The individual must be made aware that they can withdraw consent at any time.
What restrictions are there for cross-border transfer of personal data?
Controllers must establish if any Personal Data is transferred out of the UAE. Under the PPD Law, Personal Data may be transferred to another country, provided the country has adequate levels of protection to safeguard the data. A list of countries is expected to be published.
If there is not an adequate level of protection in the relevant country, there are a number of exemptions which would allow a transfer. Data can be transferred with the express consent of the individual, or if the transfer is necessary for the conclusion or implementation of a contract between the Controller and the individual, or between the Controller and third parties to further the individual’s interest. Further guidance on these provisions is expected