Getting personal - UAE data protection landscape

Data protection regulation and its enforcement are increasingly in the headlines. The widescale and growing reliance on technology has put greater pressure on lawmakers worldwide to ensure the necessary legal framework is put in place for appropriate controls on the collection, processing, and storage of personal data in their jurisdiction. Outside its financial free zones, the United Arab Emirates (UAE) had not previously enacted comprehensive federal data protection legislation. It therefore comes as no surprise that the UAE has recently introduced UAE Law Number 45 of 2021 on the Protection of Personal Data (the DP Law). The DP Law was enacted as part of a wide-ranging reform to the country’s legal infrastructure aiming to create a flexible and more robust business environment which maximises opportunities for attracting international investment.

Key provisions

The DP Law applies throughout the UAE with the exception of the financial free zones (which are beyond the scope of this article). The DP Law attempts to create a data protection framework for the UAE which is in line with “best practice” global data protection and data privacy standards, including Europe's General Data Protection Regulation (GDPR). Whilst the law took effect from 2 January this year, entities controlling and processing data have a grace period for compliance of six months from the date the Executive Regulations to the DP Law are introduced. As with many UAE laws, the DP Law provides a broad framework of regulation whilst deferring to the Executive Regulations to supplement the detail of how the law is to operate in practice. The Executive Regulations were anticipated for March 2022 but as of April 2022 were still awaited. The DP Law will be administered by the UAE Data Office, which has been recently established under UAE Law Number 44 of 2021. The UAE Data Office is not yet fully operational.

The DP Law has "extra-territorial" reach similar to the GDPR. It applies to all businesses that are processing personal data in the UAE (for data that relates to data subjects both inside and outside the UAE) or that are based outside the UAE but are processing personal data relating to data subjects that are located inside the UAE. Data excluded from the application of the law includes health data, government data, and banking and credit data. As referenced below, the DP Law will operate alongside certain industry-specific regulations which control discrete categories of data.

Article 4 of the DP Law establishes that processing of data requires the consent of the data subject unless one of the limited exceptions applies to permit processing on another lawful basis. Exceptions are similar to those covered under the GDPR and include processing that is necessary to protect the public interest, to protect the interests of the data subject, or to perform a contract to which the data subject is a party. Interestingly, there is no exception which permits processing on the basis of legitimate interest. However, the DP Law provides scope for further grounds to be introduced under the Executive Regulations. As such, we may see these grounds expanded to include this relatively more flexible basis for valid processing of personal data.

As with the GDPR and other similar legislation, international transfers of data may occur without consent under the DP Law if the country to which the data is being transferred has an adequate level of protection. This requirement will be satisfied where the country has enacted special legislation on personal data or has a bilateral or multilateral data protection agreement with the UAE. It is anticipated that the UAE Data Office may provide further guidance on such jurisdictions once it becomes fully operational. Data can be transferred internationally regardless of whether the receiving jurisdiction has an adequate level of protection provided that the data subject has consented to such transfer and it does not conflict with the public and security interests of the UAE.

The path to protection

Historically, UAE-based residents have been afforded very little protection when it comes to collection and use of their personal data. Whilst the UAE constitution includes a right to privacy as a foundational principle and the UAE Penal Code prohibits the publication of an individual’s private or family life, these are wholly inadequate in giving individuals any real control as to how their data is used, especially in an increasingly digital age. As any resident can attest, this is reflected in the alarming number of unsolicited marketing calls, texts, emails, and even WhatsApp messages received from local businesses on a regular basis.

In more recent times, the Electronic Transactions Law outlaws the unauthorised access and disclosure of electronic records or communications whilst the Cyber Crimes Law was introduced to address hacking/identity theft issues. The Telecommunications Regulatory Authority has also introduced an anti-spam policy albeit with limited effectiveness as it places the onus of enforcement on the telecom operators (i.e., Du and Etisalat) without imposition of penalty on those businesses generating spam.

Sector-specific data protection regulation has also been increasing, especially in the areas of healthcare and finance. Separately, the DP Law has also followed on closely from a new Consumer Protection Law in 2020. The Consumer Protection Law establishes the right of consumers to have their data protected. The law also prohibits the use of such data for marketing purposes without an individual’s consent. However, as with the DP Law, we are yet to see the Executive Regulations for the Consumer Protection Law, which should provide greater detail on how these principles will be implemented.

Impact in practice?

The introduction of substantial regulatory controls in this area represents a welcome change for a country striving to cement its position in the global economy. However, the question remains as to how effective these legal reforms will be and what, if any, impact will be felt by individuals when it comes to controlling personal data. Whilst these changes lay important groundwork for adequate protection of personal data in the UAE, further legislative development must be prioritised before individuals see any noticeable impact in practice.

As mentioned above, the DP Law will not be enforced in practice until six months after the Executive Regulations are introduced. In addition, no clear timeline has been given on when the UAE Data Office (as key regulator) will be fully operational. Coupled with the delay in Executive Regulations for the Consumer Protection Law, these issues provide a very uncertain timeline as to when we can see these developments implemented in a meaningful way. The wide-reaching nature of these reforms will ensure that developments are monitored and analysed with great interest by many. In the meantime, UAE residents will unfortunately need to keep screening those unsolicited marketing calls and deleting unwanted spam.

Authored by Erin Kiem.
