UAE confident to safeguard privacy with its first Data Protection Law
Sunil Ambalavelil
- at Technology, Media and Telecommunications
- on Feb 2, 2022 - 18:33
- on Updated: Feb 3, 2022 - 09:17
By Kopal Bhargava
An emerging need for data and privacy protection laws globally has led several nations to introduce their own versions of such laws. In a bid to prevent unauthorised, careless processing of personal data that puts that data at risk, the UAE has introduced its first comprehensive Data Protection Law.
This law is considered by the residents to be a historic step towards modernising UAE’s economy while protecting the data and privacy of the people.
In November 2021, as a part of the ten strategic principles called “Principles of 50”, His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the UAE, approved laws that protect data and privacy. These are the Federal Decree Law No. 45 of 2021 on Personal Data Protection Law (PDPL), along with the Federal Decree Law No. 44/2021 that will establish the new UAE Data Office.
The Personal Data Protection Law, which came into force on 02 January 2022, is the first comprehensive and unified law on Data Protection and Privacy in the country’s history.
However, the executive regulations are yet to be issued and their publication is expected before March 2022. Thereafter, the controllers and processors will have 6 months from the date of issuance of the Executive Regulations to comply with the Law.
British entrepreneur Clive Humby once said, “Data is the new oil”. While data has become an immensely valuable asset, proper and fair data management is now a necessity. Careless, unauthorised or ignorant processing of personal data can pose a threat to people and companies by breaching their rights and privacy, a threat that can be curtailed with proper legislation.
The UAE’s new Data Protection Law aims to give individuals the power to control the usage, storage, and transmission of their personal data in order to ensure confidentiality of information as well as the privacy of individuals in the UAE. It defines the rights and duties of all parties concerned and limits entities’ use of personal data as well.
Delving Deeper with Key Provisions Under the New Law
- Personal Data
The UAE’s Data Protection Law regulates processing (collection, storage, sharing, alteration etc.) of personal data through electronic systems.
‘Personal Data’ includes data related to a person, or to one who can be identified directly or indirectly by linking existing data. Identifiers like voice, name, identification number, picture and geographic location count as personal data. Certain special features that reveal the psychological, cultural, physical, economic or social identity of a person come under the same category.
‘Sensitive Personal Data’ like a natural person’s family, religious beliefs, criminal records and any health data, among others, as well as ‘Biometric Data’ like fingerprints or facial images, are also included.
- Territorial Application:
Processing personal data of people having a business or residing in the UAE will be restricted according to the new Data Protection Law.
Data controllers and processors in the UAE that process personal data belonging to subjects inside or outside the UAE will be advised to keep the data confidential.
Data controllers and processors who are located outside the UAE but process data of subjects who are within the UAE will have a special provision for data security. As per sources, such cases will come under an extra-territorial provision along the lines of the European Union General Data Protection Regulation (GDPR).
- Data Protection Controls:
Article 5 of the new Data Protection Law provides for personal data processing ‘controls’, which include: transparent, fair and lawful processing; accurate and correct personal data, which should be kept up to date; collection of personal data for clear and defined objectives; adoption of relevant measures for correction and erasure of incorrect data; keeping personal data secured and protected by adopting the required organisational and technical measures consistent with the legislation; and deleting personal data after achieving the purpose of processing, or keeping it only by anonymising the identity of the Data Subject.
- Legal Basis for processing:
Article 4 provides for the prerequisite consent of the data subject in processing his/her personal data. However, there are certain exemptions where the taking of consent is not a precondition. Limited circumstances such as protection of the interest of the public or the data subject, performance of a contract, protection of public health, and occupational and preventive medical purposes will be considered.
The consent of the Data Subject must be clear-cut and specifically indicated through a clear affirmative action either written or given electronically. The consent can be revoked at any time by the Data Subject.
- Controllers’ and Processors’ Obligations:
Articles 7 and 8 of the Personal Data Protection Law (PDPL) set out the controllers’ and processors’ obligations, which are along similar lines to the GDPR.
- Data Protection Officer:
To look after compliance with the Data Protection Law, the PDPL requires controllers and processors to appoint a DPO (Data Protection Officer), as set out in Articles 10 and 11.
- Rights of Data Subjects:
Various rights have been provided, such as the ‘Right to Obtain Information’, which deals with data access, under Article 13; the ‘Right to Request Personal Data Transfer’, or data portability, under Article 14; the ‘Right to Correction or Erasure’ under Article 15; the ‘Right to Restriction of Processing’ under Article 16; the ‘Right to Stop Processing’ under Article 17; and the ‘Right not to be Subject to Automated Decision Making’ under Article 18.
- Breach Notification:
Under Article 9 of the PDPL, if the controller becomes aware of any breach or infringement of personal data of the data subject, he/she must immediately report such a breach and present the result of investigation to the Data Office. The period and procedure shall be notified in the upcoming Executive Regulation.
- Penalty:
There is no explicit mention of penalties in the Law, but they are presumed to be notified via the Executive Regulations in March 2022. As of now, however, administrative fines can be imposed by the Council of Ministers for any breach of the PDPL. Data subjects can also file a complaint with the Data Office against the controllers or processors for such a data breach.
- Exceptions:
The new Data Protection Law is not applicable to:
- Government data.
- Personal Data controlled or processed by Government authorities.
- Personal Data that is processed by Security and Judicial authorities.
- Personal Data which includes personal banking and credit data or health data, which is subject to a separate legislation.
- Free Trade Zones of the UAE like the ‘Abu Dhabi Global Market (ADGM)’ and the ‘Dubai International Financial Centre (DIFC)’ which have their own data protection laws.
- Personal Data being used by a data subject for personal purposes.
A unified law on Privacy and Data Protection did not exist in the UAE until the new one was announced. A few general laws touched upon Data Protection and Privacy before the PDPL, such as the Consumer Protection Law, the Cybercrimes Law, the Internet Access and Management Policy, the Electronic Commerce and Transactions Law, Article 378 of the UAE Penal Code and Article 31 of the UAE’s Constitution, among others.
This Data Protection Law of the UAE is a much-awaited development that is in accordance with international practices like the GDPR relating to privacy and data protection. The law is expected to contribute to the digitization of the country’s growth sectors.
With the emerging need for and introduction of Data and Privacy Protection laws globally, the UAE’s first comprehensive Data Protection Law is a landmark step. Now, accordingly, the relevant establishments or persons need to make arrangements for compliance with this law.
(Author is a Research Internee at The Law Reporters)