UAE's Pioneering Data Privacy Law Faces Major Setbacks Amid Prolonged Delay in Rules

Critical guidelines awaited to clarify compliance requirements and strengthen data protection

Staff Writer, TLR

Published on August 6, 2024, 15:03:04

In September 2021, the United Arab Emirates (UAE) introduced Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PPD), marking a significant advancement in data protection for the region.

As a pioneering standalone data privacy law, the PPD establishes a foundational framework for data protection. However, the law's effectiveness is hindered by the delayed issuance of its Executive Regulations (ER), creating uncertainty for data controllers and processors.

The Critical Role of Executive Regulations

The PPD consists of 31 articles, many of which defer to the ER for essential details and clarity. Initially expected within six months of the PPD's enactment, the ER's delay leaves critical data privacy principles, controls and conditions undefined.

Anticipated Focus Areas of the ER

Exemptions: The UAE Data Office may exempt certain establishments from some or all PPD requirements based on their data processing volumes. The ER will specify the conditions and procedures for these exemptions.

Additional Legal Basis: The ER might introduce additional legal grounds for data processing, such as legitimate interest, which provides flexibility for activities like marketing. This flexibility, however, must be regulated to prevent potential misuse.

Data Breaches: While the PPD requires reporting data breaches to the UAE Data Office and affected individuals, it lacks specifics on the timeline and severity levels of breaches that must be reported. The ER is expected to clarify these obligations.

Data Transfers: The PPD permits personal data transfers to countries with adequacy decisions and through mechanisms like explicit consent or safeguards. The ER should list adequate countries and detail whether standard contractual clauses will be used.

Penalties: The PPD does not outline penalties for non-compliance. The ER may adopt a structured penalty system similar to the GDPR, specifying fines for various violations and granting the UAE Data Office additional corrective powers.

Influence of Potential Fines on Compliance

The prospect of significant fines is a strong motivator for compliance. Globally, hefty fines have heightened awareness of data privacy's importance.

In the UAE, even without stringent enforcement, the rise in data privacy concerns reflects the operational and reputational risks, encouraging stakeholders to adhere to the PPD.

Enforceability and Compliance Preparation

Effective January 2, 2022, the PPD provided a six-month grace period post-ER issuance for compliance. While the ER delay offers time for preparation, it also leaves vital data privacy principles unaddressed, possibly complicating a smooth transition.

Proactive Steps for Stakeholders

Despite the current uncertainty, stakeholders should proactively establish robust data privacy systems. Key steps include familiarising themselves with the PPD, setting up compliance frameworks, and preparing for the ER. This proactive approach will ensure readiness and mitigate non-compliance risks once the ER is released.
