
Guarding Your Digital Footprint: How Data Breaches Are Handled Under the UAE’s Personal Data Protection Law
Understanding what happens when personal data is compromised and how UAE law seeks to safeguard residents’ digital lives.
In today’s hyper-connected world, personal information -- from facial recognition data to home addresses -- has become a valuable currency. But what happens when that information falls into the wrong hands? To protect citizens and residents, the UAE introduced a landmark “digital shield”: Federal Decree-Law No. (45) of 2021 Concerning the Protection of Personal Data.
This law is not meant only for lawyers or compliance professionals; it is a vital framework for every resident to understand how their digital life is protected. Below is a closer look at how data breaches are addressed and how UAE law works to keep personal information secure.
The data breach chain reaction
Under the Decree-Law, a personal data breach is any breach of security, whether accidental or unlawful, that leads to the destruction, loss or alteration of personal data, or to its unauthorised disclosure or access. When such a breach occurs, the law mandates a swift and structured response.
- Discovery: If a Processor -- the entity handling data on behalf of a Controller -- becomes aware of a breach, it must immediately notify the Controller.
- Bureau notification: Under Article (9), the Controller must, immediately upon becoming aware of it, inform the UAE Data Bureau of any breach that would prejudice the privacy, confidentiality or security of personal data. The detailed procedure and timelines are left to the Executive Regulations.
- Data subject alert: Where the breach would prejudice the privacy, confidentiality or security of a Data Subject's data, the Controller must also inform the affected individual of the breach and of the measures taken in response.
- Investigation: Once notified, the Bureau verifies the cause of the breach and assesses whether the Controller and Processor had complied with the security measures required of them.
Administrative penalties
The UAE law does not merely encourage caution; it enforces compliance through a framework of administrative penalties. Where a violation is established, the Data Bureau is empowered to impose sanctions.
- Who defines violations? Article (26) tasks the Cabinet (Council of Ministers) with issuing a decision that specifies the acts constituting violations and the corresponding administrative penalties.
- Accountability: Penalties may arise from failure to protect personal data, failure to report a breach, or processing personal data without a lawful basis.
- Right to object: The law also provides procedural fairness. Under Article (25), a concerned party may submit a written grievance to the Bureau's Director General within 30 days of being notified of the decision it objects to.
Status of implementation
Although the Decree-Law came into force on 2 January 2022, a key component remains outstanding: the Executive Regulations.
Article (28) envisaged the issuance of these regulations within six months of the law's publication. To date, however, the Executive Regulations have not been issued.
Why does this matter?
- Operational clarity: The Executive Regulations will set out technical security standards, the procedures and timelines for reporting data breaches, and the detailed schedule of administrative fines.
- Compliance window: Article (29) gives Controllers and Processors a six-month "regularisation" period to bring their processing into compliance, but this period begins only once the Executive Regulations are officially issued, and the Cabinet may extend it.
Conclusion
The UAE has laid the foundation for a robust, world-class data protection regime. While the law itself is in force and the supervisory authority has been established, the system remains incomplete without the Executive Regulations. Once these regulations are issued, organisations will face a limited timeframe to comply or risk significant administrative penalties -- all aimed at safeguarding personal data and reinforcing trust in the digital ecosystem.
For any enquiries or information, contact ask@tlr.ae or call us on +971 52 644 3004. Follow The Law Reporters on WhatsApp Channels.