UAE confident to safeguard privacy with its first Data Protection Law
- Sunil Ambalavelil
- at Technology, Media and Telecommunications
- on Feb 2, 2022 - 18:33
- on Updated: Feb 3, 2022 - 09:17
By Kopal Bhargava
An emerging need for data and privacy protection laws globally has led several nations to introduce their own versions of such laws. In a bid to prevent the unauthorised, careless processing of personal data that puts such data at risk, the UAE has introduced its first comprehensive Data Protection Law.
This law is considered by the residents to be a historic step towards modernising UAE’s economy while protecting the data and privacy of the people.
In November 2021, as a part of the ten strategic principles called “Principles of 50”, His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the UAE, approved laws that protect data and privacy. These are the Federal Decree Law No. 45 of 2021, the Personal Data Protection Law (PDPL), along with the Federal Decree Law No. 44/2021 that will establish the new UAE Data Office.
The Personal Data Protection Law, which came into force on 02 January 2022, is the first comprehensive and unified law on Data Protection and Privacy in the country’s history.
However, the Executive Regulations are yet to be issued and their publication is expected before March 2022. Thereafter, the controllers and processors will have 6 months from the date of issuance of the Executive Regulations to comply with the Law.
British entrepreneur Clive Humby once said, “Data is the new oil”. While data has become an immensely valuable asset, proper and fair data management is now a necessity. Careless, unauthorised or ignorant processing of personal data can pose a threat to people and companies by breaching their rights and privacy, a threat that can be curtailed with proper legislation.
The UAE’s new Data Protection Law aims to give individuals the power to control the usage, storage, and transmission of their personal data in order to ensure confidentiality of information as well as the privacy of individuals in the UAE. It defines the rights and duties of all parties concerned and limits entities’ use of personal data as well.
Delving Deeper with Key Provisions Under the New Law
- Personal Data
The UAE’s Data Protection Law regulates processing (collection, storage, sharing, alteration etc.) of personal data through electronic systems.
‘Personal Data’ includes data related to a person, or to one who can be identified directly or indirectly by linking existing data. Identifiers like voice, name, identification number, picture and geographic location count as personal data. Certain special features that reveal the psychological, cultural, physical, economic or social identity of a person come under the same category.
‘Sensitive Personal Data’ like a natural person’s family, religious beliefs, criminal records and any health data among others, as well as ‘Biometric Data’ like fingerprints or facial images, are also included.
- Territorial Application:
Processing personal data of people having a business or residing in the UAE will be restricted according to the new Data Protection Law.
Data controllers and processors in the UAE that process personal data belonging to subjects inside or outside the UAE will be advised to keep the data confidential.
Data controllers and processors that are located outside the UAE but process data of subjects who are within the UAE will have a special provision for data security. As per sources, such cases will come under an extra-territorial provision on the lines of the European Union General Data Protection Regulation (GDPR).
- Data Protection Controls:
Article 5 of the new Data Protection Law provides for personal data processing ‘controls’, which include transparent, fair and lawful processing; accurate and correct personal data, which should be up to date; collection of personal data for clear and defined objectives; adoption of relevant measures for correction and erasure of incorrect data; keeping personal data secured and protected by adopting the required organisational and technical measures consistent with the legislation; and deleting personal data after achieving the purpose of processing, or keeping it only by anonymising the identity of the Data Subject.
- Legal Basis for processing:
Article 4 provides for the prerequisite consent of the data subject in processing his/her personal data. However, there are certain exemptions under which obtaining consent is not a precondition. Limited circumstances like protection of the interest of the public or the data subject, performance of a contract, protection of public health, and occupational and preventive medical purposes will be considered.
The consent of the Data Subject must be clear-cut and specifically indicated through a clear affirmative action, either written or given electronically. The consent can be revoked at any time by the Data Subject.
- Controllers’ and Processors’ Obligations:
Articles 7 and 8 of the Personal Data Protection Law (PDPL) set out the controllers’ and processors’ obligations, which are along similar lines to the GDPR.
- Data Protection Officer:
To oversee compliance with the Data Protection Law, the PDPL requires controllers and processors to appoint a DPO (Data Protection Officer), as set out in Articles 10 and 11.
- Rights of Data Subjects:
Various rights have been provided, like the ‘Right to Obtain Information’, which deals with data access, under Article 13; the ‘Right to Request Personal Data Transfer’, or data portability, under Article 14; the ‘Right to Correction or Erasure’ under Article 15; the ‘Right to Restriction of Processing’ under Article 16; the ‘Right to Stop Processing’ under Article 17; and the ‘Right not to be Subject to Automated Decision Making’ under Article 18.
- Breach Notification:
Under Article 9 of the PDPL, if the controller becomes aware of any breach or infringement of personal data of the data subject, he/she must immediately report such a breach and present the results of the investigation to the Data Office. The period and procedure shall be notified in the upcoming Executive Regulations.
There is no explicit mention of penalties in the Law, but they are presumed to be notified via the Executive Regulations in March 2022. As of now, however, administrative fines can be imposed by the Council of Ministers for any breach of the PDPL. Data subjects can also file a complaint with the Data Office against the controllers or processors for such a data breach.
The new Data Protection Law is not applicable to:
- Government data.
- Personal Data controlled or processed by Government authorities.
- Personal Data that is processed by Security and Judicial authorities.
- Personal Data which includes personal banking and credit data or health data, which is subject to a separate legislation.
- Free Trade Zones of the UAE like the ‘Abu Dhabi Global Market (ADGM)’ and the ‘Dubai International Financial Centre (DIFC)’ which have their own data protection laws.
- Personal Data being used by a data subject for personal purposes.
A unified law on Privacy and Data Protection did not exist in the UAE till the new one was announced. A few general laws touched upon Data Protection and Privacy before the PDPL, like the Consumer Protection Law, the Cybercrimes Law, the Internet Access and Management Policy, the Electronic Commerce and Transactions Law, Article 378 of the UAE Penal Code and Article 31 of the UAE’s Constitution, among others.
This Data Protection Law of the UAE is a much-awaited development that is in accordance with international practices like the GDPR relating to privacy and data protection. The law is expected to contribute to the digitization of the country’s growth sectors.
With the emerging need for and introduction of Data and Privacy Protection laws globally, the UAE’s first comprehensive Data Protection Law is a landmark step. Now, accordingly, the relevant establishments or persons need to make arrangements for compliance with this law.
(Author is a Research Internee at The Law Reporters)
Photo Courtesy: ITPro