By Kopal Bhargava

An emerging need for Data and Privacy Protection Laws globally has led to several Nations introducing their version of the law. In a bid to prevent unauthorised, careless processing of personal data and putting that data at risk, the UAE has introduced its first comprehensive Data Protection Law.

This law is considered by the residents to be a historic step towards modernising UAE’s economy while protecting the data and privacy of the people.

In November 2021, as a part of the Ten strategic principles called “Principles of 50”, His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the UAE, approved laws that protect data and privacy. The Federal Decree Law No. 45 of 2021 on Personal Data Protection Law (PDPL) along with the Federal Decree Law No. 44/2021 that will establish the new UAE Data Office.

The Personal Data Protection Law which came into force on 02 January 2022, is the first comprehensive and unified law on Data Protection and Privacy in the country’s history.

However, the executive regulations are yet be issued and their publication is expected before March 2022. Thereafter, the controllers and processors will have 6 months from the date of issuance of Executive Regulations to comply with the Law.

A British entrepreneur, Clive Humby once quoted, “Data is the new oil”. While data has become an immensely valuable asset, proper and fair Data Management is now a necessity. Careless, unauthorised or ignorant processing of personal data can pose a threat to people and companies by breaching their rights and privacy which can be curtailed with proper legislation.

The UAE’s new Data Protection Law is aimed to give individuals the power to control the usage, storage, and transmission of their personal data in order to ensure confidentiality of information as well as the privacy of individuals in the UAE. It defines rights and duties of all parties concerned and limits entities’ use of personal data as well.

Delving Deeper with Key Provisions Under the New Law

1. Personal Data

The UAE’s Data Protection Law regulates processing (collection, storage, sharing, alteration etc.) of personal data through electronic systems.

‘Personal Data’ includes the data that is related to a person or one who can be identified directly or indirectly by linking existing data. Identifiers like voice, name, identification number, picture, geographic location account to personal data. Certain special features that reveals the psychological, cultural, physical, economic or social identity of a person come under the same category.

‘Sensitive Personal Data’ like natural person’s family, religious beliefs, criminal records and any health data among others as well as ‘Biometric Data’ like fingerprints or facial images are also included.

2. Territorial Application:

Processing personal data of people having a business or residing in the UAE will be restricted according to the new Data Protection Law.

Data controllers and processors in the UAE that process personal data belonging to subjects inside or outside the UAE will be advised to keep the data confidential.

Data controllers and processors who are located outside UAE while processing data of subjects who are within the UAE will have a special provision for data security. As per sources, such cases will come under extra-territorial provision on the lines of the European Union General Data Protection Regulation (GDPR).

3. Data Protection Controls:

Article 5 of the new Data Protection Law provides for personal data processing ‘controls’ which includes transparent, fair and lawful processing; Accurate and correct personal data which should be up to date; Collection of personal data for clear and defined objectives; Adoption of relevant measures for correction and erasure of incorrect data; Keeping Personal Data secured and protected by adopting required organisational and technical measures consistent with the legislations; and Deleting personal data after achieving the purpose of processing or keeping it only by anonymising the identity of the Data Subject.

4. Legal Basis for processing:

Article 4 provides for the prerequisite consent of the data subject in processing his/her personal Data. However, there are certain exemptions to which the taking of consent is not a precondition. Limited circumstances like protection of the interest of public or data subject, to perform a contract, protection of public health, for occupational and preventive medical purposes will be considered.

The consent of the Data Subject must be clear-cut and specifically indicated through a clear affirmative action either written or given electronically. The consent can be revoked at any time by the Data Subject.

5. Controllers’ and Processors’ Obligations:

Article 7 and 8 of the Personal Data Protection Law (PDPL) state about the controllers’ and processors’ obligations which are in similar lines with the GDPR.

6. Data Protection Officer:

For the purposes of looking after the compliance of Data protection Law, PDPL requires controllers and processors to appoint a DPO (Data Protection Officer) as suggested by Article 10 and 11.

7. Rights of Data Subjects:

Various rights have been provided like ‘Right to Obtain Information’ that deals with data access under Article 13, ‘Right to Request Personal Data Transfer’ or data portability under Article 14; ‘Right to Correction or Erasure’ under Article 15; ‘Right to Restriction of Processing’ under Article 16; ‘Right to Stop Processing’ under Article 17; The ‘Right not to be Subject to Automated Decision Making’ under Article 18.

8. Breach Notification:

Under Article 9 of the PDPL, if the controller becomes aware of any breach or infringement of personal data of the data subject, he/she must immediately report such a breach and present the result of investigation to the Data Office. The period and procedure shall be notified in the upcoming Executive Regulation.

9. Penalty:

There is no explicit mention of penalties in the Law but is presumed to be notified via the Executive Regulations in March 2022. As of now however, administrative fines can be imposed by the council of minister for any breach of PDPL. Data subjects can also file a complaint in the data office against the controllers or processors for such Data breach.

10. Exceptions:

The new Data Protection Law is not applicable to-

1. Government data.
2. Personal Data controlled or processed by Government authorities.
3. Personal Data that is processed by Security and Judicial authorities.
4. Personal Data which includes personal banking and credit data or health data, which is subject to a separate legislation.
5. Free Trade Zones of the UAE like the ‘Abu Dhabi Global Market (ADGM)’ and the ‘Dubai International Financial Centre (DIFC)’ which have their own data protection laws.
6. Personal Data being used by a data subject for personal purposes.

A unified law on Privacy and Data Protection did not exist in the UAE till the new one was announced. Few general laws touched upon Data Protection and Privacy before PDPL like Consumer Protection Law, Cybercrimes Law, Internet Access and Management Policy, Electronic Commerce and Transactions Law, Article 378 of UAE Penal Code and Article 31 of UAE’s Constitution among others.

This Data Protection Law of UAE is a much-awaited development that is in accordance to the international practices like GDPR relating to privacy and data protection. The law is expected to contribute in the digitization of the country’s growth sectors.

With the emerging need and introduction of Data and Privacy Protection laws globally, UAE’s first comprehensive Data Protection Law is a landmark step. Now, accordingly, the relevant establishments or persons need to make arrangements for the compliance with this law.

(Author is a Research Internee at The Law Reporters)

Photo Coutesy : ITPro

For any legal queries or information, contact info@thelawreporters.com or call us on +971547928720