UAE - Data Protection Overview
1. Governing Texts
The United Arab Emirates ('UAE') published its first federal-level data protection law, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ('the PDPL'), on 20 September 2021. The PDPL will be enforceable six months after the associated executive regulations ('the Executive Regulations') are issued. The Executive Regulations (which we expect to set out much of the practical and operational detail of the PDPL) are to be issued within six months from the date of issuance of the PDPL (i.e., by 20 March 2022), meaning enforcement will likely commence on 20 September 2022. Notably, however, the UAE Data Office ('the Data Office') reserves the right to extend the enforcement date, and there may also be a delay in the Executive Regulations. For now, therefore, this overview has been prepared based on our own current interpretation and understanding of the PDPL. It is important to note that this overview will be revisited and revised once the Executive Regulations have been published.
Aside from the PDPL, the Constitution of the UAE (only available in Arabic here) ('the Constitution') gives citizens a general right to privacy, and provisions of Federal Law No. 5 of 1985: The Civil Code (only available in Arabic here) ('the Civil Code') are also relevant when considering privacy-related issues. Elsewhere, sector-specific regulation (such as the telecommunications, consumer protection, and cybercrime laws) also provides some limited data protection rights in certain circumstances.
The UAE plays host to a number of special economic zones known as 'free zones', which offer tax, customs, and other benefits to businesses. Of these free zones, the Dubai International Financial Centre ('DIFC'), the Abu Dhabi Global Market ('ADGM'), and the Dubai Healthcare City ('DHCC') have each enacted separate data protection laws applicable to businesses operating in the relevant zone.
The PDPL is the generally applicable federal data protection law and applies broadly to the processing of personal data. Thus, unless expressly excluded from its application, all controllers and processors (as each term is defined below) of personal data must comply with the provisions of the PDPL.
Article 31 of the Constitution is considered to represent the general right to privacy for citizens of the UAE, where it provides for the right to freedom and secrecy of communication by post, telegraph, or other means of communication under law.
The Civil Code is also relevant. The Civil Code sets out certain obligations on employers when dealing with employee information, particularly on the termination of an employee's employment (Article 913 of the Civil Code) and, separately, provisions on the basis for non-competition agreements where employees have access to their employer's confidential information and/or client information (Article 909 of the Civil Code).
Telecommunications Law and Consumer Protection Regulations
Article 72(6) of the Federal Law by Decree No. 3 of 2003 Regarding the Organisation of the Telecommunication Sector ('the Telecommunications Law') provides that a person who intercepts the contents of telephone calls without prior permission by the competent judicial authorities may be punished with imprisonment for a period of not more than one year and/or a fine of not less than AED 50,000 (approx. €11,745) and not more than AED 200,000 (approx. €46,979). If a licensed operator reasonably believes that equipment is being used for the interception of telephone calls contrary to Article 72(6) of the Telecommunications Law, it may place the equipment under surveillance (Article 75 of the Telecommunications Law). Orders may also be issued for the seizure or destruction of the relevant equipment (Article 76 of the Telecommunications Law).
There are also requirements which derive from the Telecommunications Law with which only licensed operators are required to comply. 'Licensed operator' in the context of the Telecommunications Law means a business with a specific operator licence from the Telecommunications Regulatory Authority ('TRA'), the authority which oversees the telecommunications sector in the UAE.
Under powers granted to it by the Telecommunications Law, the TRA has issued the Consumer Protection Regulations ('CPR'). Article 12 of the CPR seeks to ensure the protection of data relating to 'subscribers', or persons who contract with licensed operators for the supply of telecommunications services in the UAE. 'Subscriber information' is defined as 'any information relating to a specific subscriber', which includes a person's personal details, service usage details, the content of communications, account status, and payment history.
Licensed operators are subject to a number of obligations, including to take all reasonable and appropriate measures to protect the privacy of subscriber information (whether in paper or electronic form) and prevent its unauthorised disclosure or use (Articles 12.1 and 12.3 of the CPR). In addition, where it is necessary for a licensed operator to provide subscriber information to a third party which is directly involved in the supply of telecommunication services, the operator must require the third party to:
- take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information; and
- use the subscriber information only to the extent required to provide the relevant telecommunication service (Article 12.8 of the CPR).
Article 2 of the Federal Decree-Law No. 34/2021 Concerning the Fight Against Rumors and Cybercrime (only available in Arabic here) ('the Cybercrime Law') provides that anyone who hacks a website, electronic information system, information network or information technology method shall be sentenced to detention (the period is not specified) and/or a fine not less than AED 100,000 (approx. €23,490) and not in excess of AED 300,000 (approx. €70,460). There are also higher monetary penalties and mandatory minimum imprisonment sentences where:
- the hacking creates damage, destruction, disruption, or interruption of a website, electronic information system, information network, or information technology method, or removes, deletes, destroys, discloses, damages, modifies, copies, publishes or republishes, captures, or breaches the confidentiality of any data or information; or
- the purpose of hacking is capturing data or information to fulfil an illegitimate purpose.
Article 6 of the Cybercrime Law provides that any person who obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, copies, publishes, or re-publishes electronic personal data or information without authorisation by using information technology or an information technology method shall be sentenced to detention for a period of not less than six months and/or to pay a fine of not less than AED 200,000 (approx. €46,979) and not more than AED 100,000 (approx. €23,490). Further, where an offence under Article 6 of the Cybercrime Law relates to information concerning medical examinations, diagnoses, treatment, care or records, bank accounts, or data and information of e-payment methods, this is treated as an aggravating circumstance. Further, it is an offence to employ information technology to collect, keep, or process personal data and information of the nationals or residents of the UAE in violation of UAE law, and such an offence is punishable by detention (detention period not specified) and/or a fine of not less than AED 50,000 (approx. €11,745) and not more than AED 500,000 (approx. €117,446).
Where a person takes prohibited actions with respect to government data and information or the data of financial, commercial, or electronic establishments, the Cybercrime Law mandates stricter penalties:
- Article 7 of the Cybercrime Law provides that anyone who obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, copies, publishes, or re-publishes confidential government data or information without authorisation shall be sentenced to provisional imprisonment for a period of not less than seven years and to pay a fine of not less than AED 500,000 (approx. €117,446) and not more than AED 3 million (approx. €704,676).
- Article 8 of the Cybercrime Law provides that anyone who obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, alters, copies, publishes, or re-publishes confidential data or information of a financial, commercial, or economic establishment without authorisation by using information technology or an information technology method shall be sentenced to provisional imprisonment for a period of not less than five years and/or a fine of not less than AED 500,000 (approx. €117,446) and not more than AED 3 million (approx. €704,676).
Commercial Transactions Law
Articles 26 to 38 of Federal Law No. 18 of 1993: Commercial Transactions Law ('the Commercial Transactions Law') set out detailed provisions relating to the maintenance of commercial books. For instance, Article 30 of the Commercial Transactions Law requires the trader to keep exact copies of the originals of all correspondence, telegrams, and invoices sent or issued by them for the purpose of their business activities, as well as all incoming correspondence (originals), telegrams, invoices, and other documents related to their trade, for a minimum period of five years from the date of issue or receipt.
Health Data Law
In the UAE, Federal Law No. 2 of 2019 (only available in Arabic here) ('the Health Data Law') was enacted in May 2019, introducing noteworthy obligations around the collection, processing, and transfer of health data (as defined below) by a broad range of entities, including healthcare providers, medical insurance providers, healthcare IT providers, and providers of direct and/or indirect services to the healthcare sector (for example outsourced services, including cloud services) located onshore, in the DHCC, and in the Free Zones ('Health Service Providers').
The Health Data Law seeks to protect health data in line with international best practice, while giving the UAE's Ministry of Health both greater control over the sensitive data of its residents (as opposed to potentially putting it at risk in other jurisdictions) and a greater ability to collect and analyse health data in order to improve public health initiatives.
Following its enactment in May 2019, the Health Data Law has since been supplemented by additional regulations concerning the use of technology in the UAE healthcare sector in the form of Cabinet Resolution No. 32 of 2020 Concerning the Executive Regulation of the Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Areas of Health ('the Resolution'). The focus of the Resolution is on the Central Healthcare IT System ('the System'), one of the key changes introduced by the Health Data Law. While the Resolution sets out control requirements to be complied with for the security and accuracy of health data stored electronically, restrictions on the disclosure of health data without prior approval, and rights for patients to withdraw from the System, gaps remained in the Health Data Law, and the UAE community continued to seek further clarity on issues introduced by it.
In May 2021, the UAE Federal Government issued Ministerial Decision No. 51/2021 (only available in Arabic here) on the Case of Allowing the Storage and Transfer of Medical Data and Information Out of the State ('the Decision') to clarify concepts of the Health Data Law relating to restrictions on the collection, processing, and transfer of health data by a broad range of entities across the UAE. The Decision introduces exceptions to the general restriction on extraterritorial data transfers with related conditions and obligations attached. The Decision therefore provides further clarity to businesses in relation to the storage and transfer of health data and signifies a further step taken by the UAE to regulate personal data in accordance with the best international standards.
1.2. Guidelines
There are no relevant guidelines in this area at present.
1.3. Case law
There is no relevant case law in this area at present.
2. Scope of Application
The PDPL applies to identified or identifiable natural persons.
The PDPL has extra-territorial effect and applies to:
- every data controller or data processor in the UAE who processes personal data of data subjects inside or outside the UAE; and
- every data controller or data processor established outside the UAE carrying out processing activities in relation to data subjects located within the UAE.
The PDPL applies to the processing of personal data. 'Processing' is defined broadly as any operation or set of operations which are performed on personal data, including the collection, storage, recording, organisation, adaptation, modification, circulation, alteration, retrieval, exchanging, sharing, use, characterisation, disclosure by transmission, dissemination, distribution, or otherwise making available, alignment or combination, restriction, withholding, erasure, destruction, or creating models of personal data.
3.1. Main regulator for data protection
The supervising authority responsible for overseeing the enforcement of the PDPL is set to be the Data Office, which is established under the separate Federal Decree-Law No. 44 of 2021 ('Law No. 44/2021') issued contemporaneously with the PDPL. However, for the first two years of its operation, we understand that the Telecommunications and Digital Government Regulatory Authority ('TDRA') will provide administrative and logistical support.
Article 3 of Law No. 44/2021 sets out the powers and duties of the Data Office, which include:
- proposing and preparing the policies, strategies, and legislations related to the affairs of data protection and supervising their implementation;
- conducting the investigations necessary for ensuring compliance with data protection law;
- receiving complaints and grievances concerning data protection; and
- verifying them with all competent bodies.
The Data Office shall also appoint a director general whose mandate will include certain duties related to the daily operation of the Data Office.
4. Key Definitions
Data processor: A processor is the entity that processes personal data on behalf of the controller, where such processing is being carried out under the supervision of, and as directed by, the controller.
Personal data: Personal data is any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, voice, photo, an identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.
Sensitive data: Sensitive data is any information that reveals, either directly or indirectly, a natural person’s family, racial origin, political, philosophical, or religious beliefs, criminal records, biometric data, or any information concerning the health of such person, including the physical, psychological, mental, genetic, or sexual status of such person, including the provision of health care services, which reveals information about his or her health status.
Health data: The PDPL does not define health data, however, health data is defined broadly under the Health Data Law to include all electronic data originating in the UAE regardless of its form, including alpha-numerical identifiers, common procedural technology codes, diagnosis and treatment, images produced by medical imaging technology, information collected during consultation, lab results, and names of patients.
Biometric data: Biometric data is personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a data subject, which allow or confirm the unique identification of that data subject, such as facial images or dactyloscopic data.
Pseudonymisation: Pseudonymisation is the processing of personal data in such a manner that the personal data processed as such can no longer be attributed to the data subject without the use of additional information, provided that such additional information is kept separately and safely and is subject to the technical and organisational measures provided for herein to ensure that the personal data are not attributed to an identified or identifiable natural person.
Data protection officer: A natural or legal person appointed by the controller or processor to monitor the compliance of such officer's employer with the controls, requirements, procedures, and rules of the processing and protection of personal data provided for in the Law, and to ensure the integrity of the systems and procedures to ensure compliance with the provisions thereof.
5. Legal Bases
Consent of the data subject is the primary legal basis for processing personal data under the PDPL.
A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject for entering into, amending or terminating a contract (Article 4 of the PDPL).
A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary for the performance by the controller of specific obligations prescribed by UAE law (Article 4 of the PDPL).
A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary to protect the interest of the data subject (Article 4 of the PDPL).
A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary for the protection of the public interest (Article 4 of the PDPL).
Legitimate interest does not currently feature as a lawful basis for processing personal data under the PDPL.
Article 4 of the PDPL provides several additional legal bases for processing personal data, including where processing is necessary for:
- the exercise of legal rights or relates to judicial or security measures;
- assessing the working capacity of the employee or the provision of health or social care; and/or
- archiving or scientific or historical research purposes.
A controller or processor may also process personal data without the consent of the data subject to which the data relates where the data has been made public by the data subject (Article 4 of the PDPL).
6. Principles
While the PDPL does not explicitly reference the principles of data protection, the law nonetheless codifies several of the most commonly recognised principles. For example, Article 5 of the PDPL provides that personal data must be processed in accordance with the following rules:
- processing shall be performed lawfully, fairly, and in a transparent manner (i.e., the principle of lawful, fair and transparent processing);
- personal data must be adequate and limited to what is necessary in relation to the purpose for which it is processed (i.e., the purpose limitation principle); and
- personal data shall be accurate and, where necessary, kept up to date (i.e., the adequacy principle).
7. Controller and Processor Obligations
Article 22 of the PDPL prohibits the transfer of personal data to a country or territory outside the UAE unless that country ensures an 'adequate level of protection' for the rights and freedoms of data subjects in relation to the processing of personal data. Where this is not the case, Article 23 of the PDPL provides various exemptions/derogations through which personal data can lawfully be transferred across borders, including where:
- adequate protection is created through appropriate safeguards (for example by using Standard Contractual Clauses ('SCCs')); and
- the data subject has explicitly consented (and the transfer does not conflict with the public and security interests of the UAE).
Further information relating to cross border transfers, including potentially a list of jurisdictions deemed as providing an 'adequate level of protection', is expected to be included in the Executive Regulations once issued.
The currently issued version of the PDPL is silent on data processing records, however, additional information regarding the subject may be included in the Executive Regulations.
Under Article 21 of the PDPL, where a type of processing using new technologies is likely to result in a high risk to the privacy and confidentiality of the personal data of a data subject, the controller is required to conduct a Data Protection Impact Assessment ('DPIA') prior to the processing.
In particular, Article 21(2) of the PDPL provides that the obligation to conduct a DPIA applies in the following circumstances:
- if conducting automated processing of personal information that relies on profiling and highly impacts data subjects; or
- if the processing is conducted on a large scale and includes sensitive personal data.
Where required, the DPIA shall contain, amongst other things:
- a clear explanation of the nature of the processing activity concerned and the purpose(s) thereof;
- an assessment of the necessity of the processing in relation to its purpose;
- an assessment of the potential risks on the protection of personal information of data subjects; and
- the suggested measures to mitigate the potential risks of such processing activities.
Furthermore, controllers must review the outcomes of DPIAs regularly to ensure that processing activities are conducted in accordance with the assessment in the event that the level of risk changes (Article 21(5) of the PDPL).
Pursuant to Article 10 of the PDPL, a controller and processor must designate a data protection officer ('DPO') where:
- a type of processing that is using new technologies (or based on the scale of data) is likely to result in a high risk to the confidentiality and privacy of the personal data of a data subject;
- processing includes systematic and extensive evaluation of sensitive personal data, including profiling and automated processing; and/or
- processing is performed on a large scale of sensitive personal data.
In addition, the appointed DPO must be equipped with the skills and know-how for safeguarding personal data (Article 10(1) of the PDPL). In this regard, the DPO can be an employee of the controller or processor, or another individual appointed by the organisation, either within or outside of the UAE (Article 10(2) of the PDPL).
The controller or processor must determine a contact address for the DPO and inform the Data Office of the same (Article 10(3) of the PDPL).
Moreover, controllers and processors must include details of the DPO in their records of processing activities ('ROPAs') as required by Articles 7(4) and 8(7) of the PDPL.
The DPO shall, amongst other things, ensure compliance by the controller or the processor with the provisions of the PDPL, its Executive Regulations, and any instructions issued by the Data Office.
More specifically, the PDPL outlines the DPO's responsibility for ensuring the controller or processor's compliance with the PDPL and its Executive Regulations, and details the roles and tasks of the DPO, which include the following (Article 11(1) of the PDPL):
- check the existence and effectiveness of the measures implemented by the controller or processor;
- receive data subject requests under the provisions of the PDPL and its Executive Regulations;
- provide guidance for assessing the effectiveness of measures in place, conducting periodic assessments, and documentation of the results of such assessments, and provide appropriate advice in relation to the same, including impact assessments of processing;
- be the point of contact between the controller or processor and the Data Office for compliance with the provisions of the PDPL; and
- any other roles and responsibilities outlined by the Executive Regulations to the PDPL.
Furthermore, the PDPL outlines the DPO's obligation to maintain the confidentiality of personal information in conducting their role subject to the provisions of the PDPL and the Executive Regulations (Article 11(2) of the PDPL). Additionally, the PDPL states that data subjects may directly contact the DPO with regard to all issues related to the processing of their personal data so they can exercise their rights under the Law (Article 12(2) of the PDPL).
Notably, the PDPL outlines controller and processor obligations toward DPOs and notes that resources should be made available to DPOs to guarantee they are able to carry out their responsibilities under the provisions of the PDPL, and particularly notes the following requirements (Article 12 of the PDPL):
- the DPO must be included at a convenient time in all matters in relation to the protection of personal information;
- the DPO must be provided with the resources and support necessary to execute their role;
- the DPO must not be penalised for carrying out any of their duties in accordance with the Law; and
- the DPO must not be placed in a position that leads to a conflict of interest in their role within the organisation.
In the case of a data breach that would prejudice the privacy, confidentiality, and security of the personal data of a data subject, Article 9 of the PDPL requires that the controller, immediately upon becoming aware of such breach, notify the Data Office of the data breach. The required notification must include details such as:
- the nature, category, reasons, approximate number, and records of the data breach;
- a description of the likely consequences of the data breach; and
- a description of the measures and remedial action taken by the controller to address the data breach.
Organisations must not store personal data after the completion of the purpose for which such data was processed unless the identity of the data subject is no longer identifiable through the use of anonymisation techniques.
There are no specific provisions in the PDPL regulating the processing of children's data.
In certain instances, the PDPL mandates a heightened level of protection for sensitive personal data. For example, Articles 10 and 21 of the PDPL provide that where processing is carried out on a large scale of sensitive personal data, the controller and/or processor must complete a DPIA and designate a DPO.
Article 8 of the PDPL requires that the processor perform and implement the processing of personal data based on the instructions of the controller and in accordance with the contracts and agreements entered into between them, which shall specifically set out the scope, subject-matter, purpose, and nature of the processing, the type of personal data, and the categories of data subjects.
8. Data Subject Rights
Article 13 of the PDPL requires that a controller, prior to the start of processing activities, provide the data subject with at least the following information:
- the purposes of the processing;
- the sectors or entities inside or outside the UAE with whom their personal data will be shared; and
- the appropriate safeguards used by the controller in the context of cross-border processing.
Data subjects also have the right, under Article 13 of the PDPL, to obtain additional information upon their request, including:
- the types of personal data of the data subject being processed;
- the decisions taken on the basis of automated processing;
- the rules and criteria of the periods for which the personal data will be stored and kept; and
- the measures to be taken upon the occurrence of a data breach.
Under Article 14 of the PDPL, data subjects have the right to receive the personal data they have provided to a controller for processing, in a structured and machine-readable format where the processing is based on the consent of the data subject, or is necessary to fulfil a contractual obligation and implemented by automated means.
Data subjects have the right under Article 15 of the PDPL to obtain from the controller the rectification of inaccurate personal data concerning them, and to have incomplete personal data completed.
Article 15 of the PDPL provides data subjects with the right to request that a controller delete personal information concerning them in the following circumstances:
- the personal data is no longer necessary in relation to the purposes for which it was collected or processed; and/or
- the data subject withdraws their consent or objects to processing and there are no legitimate grounds for the controller to continue the processing.
Under the PDPL, data subjects have the right to object to, and suspend, the processing of their personal data where:
- the processing is performed for direct marketing purposes; and
- the processing is performed for statistical surveys purposes.
Under the PDPL, data subjects have the right pursuant to Article 14 to have their personal data transmitted to another controller, where technically feasible.
Article 18 of the PDPL provides data subjects with the right to object to decisions based on automated processing.
Article 24 of the PDPL provides that a data subject may lodge a complaint with the Data Office if they have reason to believe that a violation of the provisions of this Decree-Law has been committed.
9. Penalties
The current draft of the PDPL provides that information setting out the administrative sanctions shall be included in the Executive Regulations.
There are no notable enforcement decisions at present.