Support Centre

UAE

Summary

Law: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law')

Regulator: UAE Data Office

Summary: On 28 November 2021, the UAE Cabinet announced that it had enacted the Law regarding the protection of personal data, as issued on 20 September 2021. The Law covers the processing of personal data belonging to data subjects within the UAE, regardless of the location of the data controller or data processor. In addition, the Law outlines the conditions for consent, several data subject rights, as well as comprehensive requirements for controllers and processors, such as mandatory breach notification, the appointment of data protection officers, and the implementation of technical and organisational measures to support data security.

The Law entered into force on 2 January 2022 and the Executive Regulations were expected within six months from the Law's date of issuance (March 2022). Notably, companies must comply with the Law six months from the publication of the Executive Regulations. However, the Law does not apply to public entities or free zones in the UAE with their own data protection legislation (notably the DIFC and ADGM), nor does it apply to health or credit data governed by existing sectoral legislation. Furthermore, the Law repeals all laws which conflict with its provisions.

Notably, the supervisory authority responsible for overseeing the enforcement of the Law, the UAE Data Office, was established by Federal Decree-Law No. 44 of 2021 ('Law No. 44/2021'), issued contemporaneously with the Law on 20 September 2021. Article 9 of Law No. 44/2021 provides that for the first two years of the office's operation, the Telecommunications and Digital Government Regulatory Authority ('TDRA') will provide it with administrative and logistical support. Furthermore, Article 7 of Law No. 44/2021 states that the office's first financial year shall commence from the effective date of the Law No. 44/2021, i.e. 21 September 2021 (as per Article 11 of Law No. 44/2021).

Insights

In light of the global developments around data protection, specifically on the cross-border transfer of data, the Dubai International Financial Centre ('DIFC') seeks to provide enhanced tools to equip businesses and ensure compliance with both the DIFC, as well as international standards. Being a global business hub, the DIFC is home to international players that undertake both an inward and outward data flow, these businesses being at the crossroads of multiple jurisdictions when it comes to data compliance.

The DIFC has recently proposed updates to its data transfer guidance materials namely, the Standard Contractual Clauses ('SCCs'), the Ethical Data Management Risk Index ('EDMRI'), and the Data Export and Sharing Handbook ('DES Guide'). Dr. Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultants, provide an overview of the proposed updates and evaluates its impact in meeting the goals of the Data Protection Law, DIFC Law No.5 of 2020 ('the Law').

On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law') was enacted, came into effect on 1 July 2020, and became enforceable from 1 October 2020, in addition to the Data Protection Regulations 2020 ('the Regulations'), (collectively, 'the DIFC Legislation'). More recently, on 8 March 2022, the DIFC enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 20221 ('the Amendment Law'), which incorporates amendments to several DIFC laws, including the Data Protection Law. This Insight article provides a summary of the key changes introduced by the amendments to the Data Protection Law following the enactment of the Amendment Law.

The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law') became effective on 2 January 2022, and it is the UAE's first federally applicable, General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') style data protection law. The Law follows key international data protection principles and best practices, such as those found within the GDPR, and marks a positive step towards greater data protection harmonisation with international standards that is a necessity in today's interconnected age, which is characterised by cross border data flows on an international level. In part two of this series on the Law, Andrew Fawcett and Darya Ghasemzadeh, from Al Tamimi & Company, discuss some of the data subject rights under the Law, as well as its provisions on the role of a data protection officer ('DPO') and cross-border data transfers.

The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law') became effective on 2 January 2022, and it is the UAE's first federally applicable, General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') style data protection law. The Law follows key international data protection principles and best practices, such as those found within the GDPR, and marks a positive step towards greater data protection harmonisation with international standards that is a necessity in today's interconnected age, which is characterised by cross border data flows on an international level. In part one of this two-part series on the Law, Andrew Fawcett and Darya Ghasemzadeh, from Al Tamimi & Company, provide an introduction to the provisions and scope of the Law, as well as the establishment of the UAE Data Office.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 20201 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020, in addition to the Data Protection Regulations 20202 ('the Regulations'), (collectively, 'DIFC Legislation'). Furthermore, the DIFC has published several guidance materials3 relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

As part of the UAE's comprehensive 'Year of the 50th' legislative reform1, which either amends or enacts over 40 further laws with the aim of boosting the economic competitiveness of the UAE, the UAE Cabinet ('the Cabinet') issued, on 20 September 2021, its awaited Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law'). Marked as one of the first projects of its legislative reform, the Law will come into effect and be published in the Official Gazette2 on 2 January 2022 as outlined in Article 31 of the Law, kicking off the transition period for organisations. This Insight article aims to provide a breakdown of the key obligations under the Law, with accompanying analysis on the impact of the Law for key stakeholders in the UAE from Dale Waterman, Managing Director for the Middle East and North Africa at Breakwater Solutions.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 20201 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020 in addition to the Data Protection Regulations 20202 ('the Regulations'), (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials3 relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

The Central Bank of the United Arab Emirates ('CBUAE') announced1, on 1 February 2021, that it had issued the Consumer Protection Regulation ('CPR')2, as part of its Financial Consumer Protection Regulatory Framework and under its mandate to establish regulations for the protection of customers of all licensed financial institutions ('LFIs') under the Decretal Federal Law No. 14 of 2018 Regarding the Central Bank and Organisation of Financial Institutions and Activities. The CPR is supported by the Consumer Protection Standards3 ('the Standards') which define regulatory requirements to ensure consistent interpretation and implementation of the CPR principles.

This Insight will outline some of the data protection and privacy related requirements included within the CPR and the Standards which LFIs will need to comply with before 31 December 2021.

It is a common misconception that the United Arab Emirates ('UAE') lacks data protection and data privacy laws. This has led to many organisations operating as though they have free reign over the data they hold, no matter the extent of personal information contained within it. Whilst there is not yet a single, sweeping data protection law in the UAE, the reality of data privacy obligations for organisations operating in the country is often grossly underestimated. Ben Crew and Nick Athanasi, from FTI Consulting, Inc., provide insight into the current and upcoming laws regulating data protection and privacy in the UAE.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 20201 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020 in addition to the Data Protection Regulations 20202 ('the Regulations'), (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials3 relevant to the implementation of DIFC Legislation.  The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

Nearly six months after the enactment of the Data Protection Regulations 2021 ('the 2021 Regulations') within the Abu Dhabi Global Market ('ADGM') , and teasing the release of updated guidance on the same, the newly established Office of Data Protection ('ODP') released, on 11 August 2021, eight detailed guides, accompanied by compliance tools, to aid establishments in compliance with the range of new data protection requirements.

For an overview of the new guidance and further resources, see Part 1 of this Insight series: ADGM: What You Need to Know: Part 1 - ODP updates guidance under Data Protection Regulations 2021. This Insight article outlines and summarises the accountability-related obligations of processors and vendor management requirements addressed in the guides.

For an overview of controller accountability-related obligations, see Part 2 of this Insight series: ADGM: ODP updated guidance under Data Protection Regulations 2021 – Controller accountability and obligations.

Nearly six months after the enactment of the Data Protection Regulations 2021 ('the 2021 Regulations') within the Abu Dhabi Global Market ('ADGM') , and teasing the release of updated guidance on the same, the newly established Office of Data Protection ('ODP') released, on 11 August 2021, eight detailed guides, accompanied by compliance tools, to aid establishments in compliance with the range of new data protection requirements.

For an overview of the new guidance and further resources, see Part 1 of this Insight series: ADGM: What You Need to Know: Part 1 - ODP updates guidance under Data Protection Regulations 2021. This Insight article outlines and summarises the accountability-related obligations of controllers addressed in the guides.