UAE: Data privacy oversight on the rise
It is a common misconception that the United Arab Emirates ('UAE') lacks data protection and data privacy laws. This has led many organisations to operate as though they have free rein over the data they hold, no matter how much personal information it contains. Whilst there is not yet a single, sweeping data protection law in the UAE, the data privacy obligations of organisations operating in the country are often grossly underestimated. Ben Crew and Nick Athanasi, from FTI Consulting, Inc., provide insight into the current and upcoming laws regulating data protection and privacy in the UAE.
On 7 September 2021, the UAE Minister of Artificial Intelligence announced that a new federal Data Law would be passed later in 2021 as part of the '50 Projects of the 50th', a series of programmes designed to stimulate and grow the economy in celebration of the nation's 50th anniversary. Details of this new law have yet to be made public, but the announcement used terminology consistent with that used in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the California Consumer Privacy Act of 2018 ('CCPA'), suggesting the law will likely align with global privacy best practices. Regardless of what the final federal Data Law entails, numerous existing laws already carry privacy and data protection implications for individuals as well as for organisations of all sizes.
At the federal level, Article 31 of the Constitution of the UAE guarantees the right of all citizens and residents to a private life and imposes an obligation on organisations to keep all data and communications private and secure. Since the Constitution's initial drafting in 1971, additional laws addressing data protection have been adopted. These include:
- The Consumer Protection Law provides numerous rights to consumers similar to those under GDPR, whilst placing additional obligations on organisations. For the first time, consumers' data is considered confidential and should not be disclosed by the supplier, and organisations are obligated to protect the consumer's information and refrain from circulating or sharing related information for the purpose of trading and/or marketing.
- The Penal Code Articles 378 (as amended) and 379 provide that any person who breaches the privacy of another person will be punished with imprisonment and a fine; the punishment is aggravated if the perpetrator is a public employee.
- The Civil Transactions Law Article 90 codifies the right of individuals to require rectification of any wrongs done to them under the Constitution, together with compensation for any damage suffered. This is particularly pertinent in the event of a data breach.
- The Cyber-Crime Law Articles 21 and 22 punish with imprisonment any individual who uses cyber networks to violate the privacy of another individual or to disclose confidential information obtained in the course of work.
- The UAE Labour Law imposes an obligation on employers to keep their employees' personal data confidential and to grant access to it only to appropriately authorised individuals.
- The UAE Internet of Things ('IoT') Regulatory Framework contains terms and concepts drawn from established international data protection best practices and principles, including GDPR. These include purpose limitation, data minimisation, storage limitation and data classification requirements.
The UAE's complex legislative landscape also includes laws covering specific geographic or jurisdictional areas. These are among the strictest data privacy and protection requirements in the country, and the closest in scope and application to global standards. In the free zones, the following laws have been enacted:
- DIFC Data Protection Law 2020 emulates GDPR in many ways, including extensive protections for data subjects and obligations on data controllers and processors. The DIFC regulator issued 88 fines in the first year of this law taking effect.
- ADGM Data Protection Law 2021 also reflects GDPR-like data protections, with significantly higher sanctions than those in the DIFC. This law is currently in force for new companies, while companies founded before it was enacted have until 14 February 2022 to become compliant.
- Dubai Healthcare City (DHCC) Health Data Protection Regulation provides a series of "Health Data Protection Principles" that address the manner and purpose of collecting patient health information, the source of such information, the storage and security of such information, access and correction, retention and limits on use and disclosure. Licensed entities are required to identify one or more individuals to act as Data Protection Officers.
Each emirate also has the right to pass laws applicable to entities within its jurisdiction. Dubai has been the most active in this respect, with the addition of two key privacy rules:
- Law on Data Dissemination and Exchange in the Emirate of Dubai states that the 'Concerned Authority' shall, when performing its tasks and competences, adopt policies, mechanisms, rules and standards related to the dissemination of data, specifically, 'confidential data protection policy, attributed to the Data Providers such as data related to the individuals, institutions and companies'.
- Dubai Statistics Centre Law Article 9 expressly treats personal data collected through statistical activities or research as confidential. Any exchange or transfer of this data is permissible only through the Centre, and only where the Centre has obtained the prior consent of the data subject.
In addition to the various federal and free zone regulations, the UAE has created several laws targeting specific sectors. It is important to note that these industry-specific laws may regulate not only businesses in those industries but also the types of data relating to them (such as healthcare data). For example, a hotel, while not in a regulated sector, would be affected by the healthcare-focused data protection law if it collected health information about its employees and/or guests (as many companies are currently doing during the pandemic). This category of laws includes:
- The UAE Central Bank Law Article 120 requires all financial institutions to ensure that all information relating to customers and their assets is kept confidential and that appropriate controls are put in place to safeguard that data. Failure to do so could result in revocation of the financial institution's operating licence and potential fines and imprisonment for its leadership.
- The UAE Central Bank Consumer Protection Regulation Article 6 implements concepts and controls taken from global industry standards such as accountability, purpose limitation, breach reporting, transparency, consent to usage and limits on duration of data retention.
- The Telecoms Consumer Protection Regulation Article 13 provides strict rules on the collection, protection and use of consumer data by any telecoms related entity.
- The Law Regulating the Telecommunication Sector Article 14 sets out the competences of the Telecommunications Regulation Authority (TRA), which include the implementation of regulations concerning the use of customer data, whilst Article 72 calls for the punishment of any person who discloses the content of a call or message sent through the network.
- UAE Health Data Law/ICT Health Law applies to all methods and uses of information and communication technology (ICT) in the UAE healthcare sector, covering both mainland and free zone entities. It contains many of the same concepts and controls as healthcare legislation in the EU, the U.S. and the U.K.
- DOH Standards on Healthcare Data Privacy 2020 is relevant to entities in the Emirate of Abu Dhabi only and strictly defines how data can be used, stored, shared and protected.
- UAE Stored Value Facilities Regulation was the first law in the UAE to specifically name data minimisation as a mandatory requirement. The legislation also specifically sets out requirements for purpose limitation, data retention timelines, information classification, data transfer technologies, and mandatory penetration testing and cyber-attack simulations, risk assessments, training and testing.
Contrary to common misconceptions, privacy regulation is a significant business consideration in the UAE, with a wide range of existing laws requiring various data protection controls and practices, and more on the horizon. Organisations that choose not to comply risk fines, imprisonment and the revocation of their right to do business. Ignoring the mounting requirements to take data privacy seriously is simply not a chance worth taking. Moreover, organisations that embrace data protection as a strategic objective will realise new opportunities to foster consumer trust and add value to their business.