Critical guidelines awaited to clarify compliance requirements and strengthen data protection
In September 2021, the United Arab Emirates (UAE) introduced Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PPD), marking a significant advancement in data protection for the region.
As a pioneering standalone data privacy law, the PPD establishes a foundational framework for data protection. However, the law's effectiveness is hindered by the delayed issuance of its Executive Regulations (ER), creating uncertainty for data controllers and processors.
The Critical Role of Executive Regulations
The PPD consists of 31 articles, many of which defer to the ER for essential details and clarity. The ER was initially expected within six months of the PPD's enactment; its delay leaves critical data privacy principles, controls and conditions undefined.
Anticipated Focus Areas of the ER
Exemptions: The UAE Data Office may exempt certain establishments from some or all PPD requirements based on their data processing volumes. The ER will specify the conditions and procedures for these exemptions.
Additional Legal Basis: The ER might introduce additional legal grounds for data processing, such as legitimate interest, which provides flexibility for activities like marketing. This flexibility, however, must be regulated to prevent potential misuse.
Data Breaches: While the PPD requires reporting data breaches to the UAE Data Office and affected individuals, it lacks specifics on the timeline and severity levels of breaches that must be reported. The ER is expected to clarify these obligations.
Data Transfers: The PPD permits personal data transfers to countries with adequacy decisions and through mechanisms like explicit consent or safeguards. The ER should list adequate countries and detail whether standard contractual clauses will be used.
Penalties: The PPD does not outline penalties for non-compliance. The ER may adopt a structured penalty system similar to the GDPR, specifying fines for various violations and granting the UAE Data Office additional corrective powers.
Influence of Potential Fines on Compliance
The prospect of significant fines is a strong motivator for compliance. Globally, hefty fines have heightened awareness of data privacy's importance.
In the UAE, even without stringent enforcement, the rise in data privacy concerns reflects the operational and reputational risks, encouraging stakeholders to adhere to the PPD.
Enforceability and Compliance Preparation
The PPD, effective January 2, 2022, provided a six-month grace period for compliance following issuance of the ER. While the ER delay offers time for preparation, it also leaves vital data privacy principles unaddressed, possibly complicating a smooth transition.
Proactive Steps for Stakeholders
Despite the current uncertainty, stakeholders should proactively establish robust data privacy systems. Key steps include familiarising themselves with the PPD, setting up compliance frameworks, and preparing for the ER. This proactive approach will ensure readiness and mitigate non-compliance risks once the ER is released.