Introduction

Context - towards global competitiveness

Waterman told OneTrust DataGuidance, "The UAE places digital transformation at the heart of the evolving national strategy and the concept of becoming a digital nation is a key priority […] There is a clear national aspiration to look beyond the UAE, and even the GCC, and to compete globally. The country's competitiveness will be dependent on an ability to adopt new technologies, such as AI, blockchain and IoT, and a key element in the successful adoption of those new technologies – particularly as organisations increasingly collect and reason over personal data to offer improved products, services, and experiences – will be trust. In an era where customers and consumers and governments increasingly care more about privacy or the use and protection of personal data, the Law becomes an important foundational building block if the UAE wants to participate in a global digital economy."

Overview

The Law provides a framework to ensure the confidentiality and security of personal information outlining the rights and duties of all concerned parties. In particular, central to the Law is the requirement of consent for lawful processing of a data subject's personal information. Furthermore, the Law stipulates controller and processor obligations related to data processing, including general principles, such as purpose specification and data minimisation, as well as specific requirements, such as appointment of data protection officers ('DPOs') and maintaining records of processing activities ('ROPAs').

Notably, the Law makes reference to the Executive Regulations throughout and notes that they will be published by the Prime Minister within six months of the Law's date of issuance, i.e. 20 March 2022. Furthermore, the Law makes particular reference to the establishment of the UAE Data Office ('the Office') pursuant to Federal Decree-Law No. 44 of 2021³, which shall be responsible for a wide range of tasks including:

• the preparation and proposal of policies and legislation related to data protection;
• monitoring the application of such federal legislation regulating the field of data protection;
• the preparation and approval of systems for complaints and grievances; and
• issuing the necessary guidelines and instructions for the implementation of data protection legislation.

Scope

Article 2(1) of the Law provides that the Law is applicable to the processing of personal data, by wholly or partly automated means, or any other means, by every data controller or data processor in the UAE processing the personal data of data subjects within or outside the UAE. Moreover, the Law also applies to every data controller or data processor established outside the UAE carrying out processing activities in relation to data subjects in the UAE.

Notably, however, Article 2(2) of the Law provides that the Law does not apply to government data, public entities, the processing of personal data for personal use, health or credit data governed by their own respective legislation, and organisations and entities established in free zones with their own personal data protection laws.

Key data protection principles

Article 5 of the Law outlines principles for the lawful processing of personal data and notes that the processing of personal information should be carried out in accordance with the following:

• processing must be carried out in a fair, lawful, and transparent manner;
• collection of personal information must be for a specified and clear purpose, and should not be processed at any time in a manner that is incompatible with such purpose unless for a purpose closely related or similar to the original purpose;
• processing should be confined to the personal information necessary according to the purpose for which it was collected;
• personal information must be accurate, correct, and up to date;
• measures should be made available to allow the erasure or rectification of personal information;
• personal information must be kept in a secure manner and protected from any interference and unauthorised access or processing by implementing appropriate technical and organisational measures in accordance with the Law;
• personal information must not be kept after the purpose of its processing has been exhausted, unless the personal information is anonymised; and
• any further provisions outlined by the Executive Regulations to the Law.

Legal basis for processing

Article 4 of the Law provides that personal information should not be processed without the consent of the data subject, unless:

• the processing is necessary for reasons of public interest;
• the processing related to personal information that has been made publicly available by the data subject;
• the processing is necessary for the establishment or defence of legal claims, or relates to judicial or security measures;
• the processing is necessary for medical purposes, those related to the evaluation of the competence of employees, or medical diagnosis, provision of medical or social care, public health insurance, or management of public health systems;
• the processing is necessary for public health purposes, including the guarantee of healthcare, drugs, and medical equipment;
• the processing is necessary for archiving, or scientific, historic, or statistical research;
• the processing is necessary for the protection of the data subject's interests;
• the processing is necessary for the controller's compliance with legal obligations;
• the processing is necessary for the execution of a contract to which the data subject is party or to take procedures necessary thereto at the data subject's request;
• the processing is necessary for the controller's compliance with obligations under other laws in the UAE; and
• any other circumstances determined by the Executive Regulations to the Law.

Requirements for valid consent

Moreover, Article 6(1) of the Law further provides the necessary conditions for obtaining valid consent for the processing of personal information and lists the following:

• the controller must be able to prove the data subject's consent if consent is relied upon as a legal basis for processing of his/her personal data;
• the consent must be obtained in a clear, simple, unambiguous, and accessible manner whether obtained electronically or in writing; and
• the method for obtaining consent should include information on how the data subject may withdraw their consent and the procedure for doing so must be easy for them.

Notably, Article 6(2) of the Law provides that data subjects have the right to withdraw their consent at any time, though noting that consent withdrawal does not impact the legality of the processing carried out prior to the withdrawal.

Overview of controller and processor obligations

Controller obligations

Article 7 of the Law provides that controller must adhere to, among others, the following obligations:

• adopt technical and organisational measures to implement appropriate data security standards for personal information, safeguarding their confidentiality and guaranteeing its integrity, bearing in mind the nature and purpose of the processing and the possible risks to the security of the information;
• implement appropriate measures either during determination of the means of processing or during the processing itself, to comply with the provisions of the Law, including the principles outline in Article 5 of the Law and pseudonymisation measures;
• implement technical and organisational measures appropriate to ensure that the processing of personal information is confined to its purpose;
• maintain a ROPA that must be made available to the Office upon request and includes the following:
  • details of the controller and DPO;
  • a description of the categories of personal data it processes;
  • information in relation to the persons authorised to access the personal information;
  • the time periods and limits of the processing;
  • the manner of erasing or rectifying the information;
  • the purpose(s) of processing;
  • any information related to the transfer or processing of information across borders; and
  • information related to the technical and organisational measures used to secure personal information; and
• appoint a processor(s) with sufficient guarantees for the implementation of technical and organisational measures in compliance with the provisions of the Law and its Executive Regulations.

Processor obligations

Article 8 of the Law specifies particular obligations for data processors, including to:

• conduct processing activities according to the instructions of the controller and the agreement between both parties that determines the particulars of the processing including its scope, purpose(s), nature, and types of personal information;
• implement technical and organisation measures appropriate for the protection of personal information at the design stage (i.e. Privacy by Design) either when determining the means of processing or during the processing itself, taking into account the cost of such measures, their scope, and purpose(s);
• conduct the processing subject to its purpose(s), and ask the controller for guidance in the event that the processing has continued after the purpose(s) had been exhausted;
• erase the personal information once the processing has ended or send it back to the controller;
• refrain from disclosing the personal information or the information processed, unless authorised by law;
• maintain a ROPA of the processing conducted on behalf of the controller, that must be made available to the Office upon request, and includes the following:
• details of the controller, processor, and DPO;
• description of the categories of personal information it processes;
• information in relation to the persons authorised to access the personal information;
• the time periods and limits of the processing;
• the manner of erasing or rectifying the information;
• the purpose(s) of processing;
• any information related to the transfer or processing of information across borders; and
• information related to the technical and organisational measures used to secure personal information;
• provide evidence of its compliance with the provisions of the Law upon the request of the controller or the Office;
• conduct the processing in compliance with the provisions of the Law and its Executive Regulations; and
• ensure, in the event that more than one processor is engaged in the processing activity, that the processing is subject to a contract or written agreement that determines the roles and responsibilities in relation to the processing.

Article 8(11) of the Law further provides that the Executive Regulations to the Law will determine the conditions and procedures in connection with the above obligations.

Moreover, Article 9(3) of the Law outlines the processor's obligation to inform the controller as soon as they become aware of any breach of personal information so that the controller may thereafter carry out their obligation to notify the Office as per Article 9(1) of the Law.

Data security

Technical and organisational measures

Article 20 of the Law provides that the controller and processor must implement technical and organisational measures to maintain a high standard of data security appropriate to the level of risk, which may include, among others, the following:

• encryption of personal information and pseudonymisation of the same;
• implementation of technical and organisation measures that guarantee the retrieval of personal information in the event that any technical failures or errors; and
• implement measures for testing and assessing the effectiveness of implemented measures.

Data breach notification

Article 9(1) of the Law outlines controllers' obligation to notify the Office upon becoming aware of any breach of personal information and the results of any investigation of the breach subject to provisions outlined in the Executive Regulations. In this regard, Article 9(1) of the Law provides that the notification shall include the following:

• the nature of the breach, cause(s), and extent of the breach;
• details of the appointed DPO;
• the possible or expected risks of the breach;
• the measures taken to mitigate the consequences of the breach;
• documentation of the breach and the mitigating measures taken; and
• any other requests from the office.

Furthermore, Article 9(2) of the Law specifies that, in any event, the controller should notify the data subject in the event of a breach in accordance with conditions set out by the Executive Regulations, where the breach infringes his/her privacy.

In this regard, Article 9(4) of the Law details that after receiving a notification, the Office shall investigate the causes of the breach to assess the effectiveness of the controller's data security measures, and determine whether a breach has occurred as well as appropriate sanctions, if any, in accordance with Article 26 of the Law.

DPOs

DPO appointment

Article 10(1) of the Law outlines the controller's and processor's obligation to appoint a DPO equipped with the skills and know-how for safeguarding personal information in the following circumstances:

• if conducting processing of a high risk, highly confidential or private in nature, to the data subject, due to the implementation of new technology or the volume of the information concerned;
• if processing consists of a systematic evaluation of sensitive personal information, such as profiling or automated processing; and/or
• if processing is done on a large scale and consists of sensitive personal information.

In this regard, Article 10(2) of the Law further provides that the DPO can be an employee of the controller or processor, or another individual appointed by the organisation, either within or outside of the UAE.

Further to this, Article 10(3) of the Law provides that the controller or processor must determine a contact address for the DPO and inform the Office the same. Article 10(4) further notes that the Executive Regulations will outline the measures and procedures in relation to the implementation of this Article.

Moreover, Article 12 of the Law outlines controller and processor obligations towards DPOs and notes that resources should be made available to the DPO to guarantee that they are able to carry out their responsibilities under the provisions of the Law, and particularly outlines the following requirements:

• the DPO must be included at a convenient time in all matters relation to the protection of personal information;
• the DPO must be provided with the resources and support necessary to execute their role;
• the DPO must not be penalised for carrying out any of their duties in accordance with the Law; and
• the DPO must not be placed in a position that leads to a conflict of interest in their role within the organisation.

DPO roles and responsibilities

Article 11(1) of the Law outlines the DPOs responsibility for ensuring the controller or processor's compliance with the Law and its Executive Regulations. In particular, Article 11(1) of the Law details the roles and tasks of the DPO, which include the following:

• check the existence and effectiveness of the measures implemented by the controller or processor;
• receive data subject requests under the provisions of the Law and its Executive Regulations;
• provide guidance for assessing the effectiveness of measures in place, conducting periodic assessments, and documentation of the results of such assessments, and provide appropriate advice in relation to the same, including impact assessments of processing;
• be the point of contact between the controller or processor and the Office for compliance with the provisions of the Law; and
• any other roles and responsibilities outlined by the Executive Regulations to the Law.

Notably, Article 11(2) of the Law outlines the DPO's obligation to maintain the confidentiality of personal information in conducting their role subject to the provisions of the Law.

DPIAs

Article 21(1) of the Law outlines the controller's obligation to conduct a Data Protection Impact Assessment ('DPIA') prior to processing in the event of use of new technologies that introduce high risk to the protection of personal information. In particular, Article 21(2) of the Law notes that the obligation to conduct a DPIA applies in the following circumstances:

• if conducting automated processing of personal information that relies on profiling and highly impacts data subjects; or
• if the processing is conducted on a large scale and includes sensitive personal data.

Furthermore, Article 21(3) of the Law prescribes what should be included in a DPIA and provides that, as a minimum, it should include the following:

• a clear explanation of the nature of the processing activity concerned and the purpose(s) thereof;
• an assessment of the necessity of the processing in relation to its purpose;
• an assessment of the potential risks on the protection of personal information of data subjects; and
• the suggested measures to mitigate the potential risks of such processing activities.

Moreover, Article 21(5) of the Law specifies that the controller must review the outcomes of DPIAs regularly to ensure that processing activities are conducted in accordance with the assessment in the event that the level of risk changes.

Notably, Article 21(6) of the Law provides that the Office must make available through its website a list of the types of processing activities that do not require DPIAs.

Data subject rights

Articles 13 to 18 of the Law provide for data subject rights and comprise of the following:

• right to information and access (Article 13 of the Law);
• right to data portability (Article 14 of the Law);
• right to rectification or erasure (Article 15 of the Law);
• right to restriction of processing (Article 16 of the Law);
• right to object to processing (Article 17 of the Law); and
• right to object to automated processing, including profiling (Article 18 of the Law).

In this regard, Article 19 of the Law provides that the controller is required to make available the means and procedures for data subjects to exercise their rights under the Law.

Furthermore, Article 24(1) of the Law provides that data subjects may submit complaints arising from breaches of the Law and the Executive Regulations to the Office, which shall receive and investigate such complaints as per Article 24(2) of the Law.

Data transfers

Cross-border transfers to countries with adequate levels of protection

Article 22 of the Law outlines that cross-border data transfers are permitted in the following circumstances, as determined by the Office:

• the country or the organisation to which the information is being transferred has its own data protection legislation inclusive of the most important provisions and conditions for data protection of data subjects, their ability to exercise their rights, as well as rules imposing obligations on controllers and processors by regulatory or judicial bodies; or
• the country is party to bilateral or multilateral agreements for the protection of personal information with the countries to which the personal information shall be transferred.

Cross-border transfers to countries with inadequate levels of protection

Article 23 of the Law provides that cross-border data transfers are permitted in such instances in the following circumstances:

• in countries without data protection legislation, organisations may transfer personal information through a contract or agreement that obliges the organisation established in such a country to implement the measures and conditions provided for in the Law, inclusive of the rules imposing obligations on controllers and processors, to be enforceable by regulatory or judicial bodies, and outlined in such contract or agreement; or
• the express consent of the data subject is obtained for the transfer of their personal information to another country as long as it does not conflict with the public interest or security of the UAE;
• if the transfer is necessary in the exercise or defence of legal claims;
• if the transfer is necessary for the conclusion or execution of a contract between the controller and the data subject, or between the controller and a third party in the interests of the data subject;
• if the transfer is necessary to the execution of a procedure relating to international judicial cooperation; or
• if the transfer is necessary for the protection of public interest.

Notably, Article 23(2) of the Law provides that the Executive Regulations will specify the conditions and procedures relevant to Article 23(1) of the Law.

Conclusions and implementation

Breach of the Law and sanctions

Article 26 of the Law notes that the Cabinet, based on suggestions of the Director of the Office ('the Director'), will issue decisions to determine whether actions constitute a breach of the Law, based on the Law and its Executive Regulations, and determine the appropriate sanctions thereof.

Notably, Article 25 of the Law provides that interested parties may appeal to the Director in relation to any decision or administrative action undertaken within 30 days from the date of issuance of such a decision or action to which a response shall be provided within 30 days from the date of appeal.

Implementation

The Law provides for an implementation period of six months from the publication of the Executive Regulations, i.e. by around 20 September 2022, for entities governed by the same. However, this date may be extended at the discretion of the Cabinet.

Privacy moves to the boardroom

Waterman continued , "The Law introduces much needed data subject rights, controller and processor obligations and several operational requirements such as the need to adopt and implement technical and organisational measures, appoint a DPO, maintain an evergreen consent registry and a record of processing activities. However, what the Law really does beyond the world of privacy and compliance professionals, is that it alters the risk equation in the boardroom in relation to accountability for the governance and protection of personal data. Data breaches are a good example. The Law includes an obligation to notify the regulator and potentially the data subject/s. "

Ultimately, Waterman concluded, "The Middle East is a proverbial hotbed of geo-political and criminal cyberattack activity, with some of the highest bad actor and malware infection rates globally. There is a strong awareness of this risk in the C-suite, but organisations have tended to approach cybersecurity from the perspective of protecting their confidential business data and safeguarding business continuity. There is far less emphasis on protecting the personal data of customers or consumers and being transparent about the loss of personal data as part of the remediation process. Those of us involved in the industry know that breaches with "pink ticket" credential access to data are commonplace in the region, but we never hear about them. We only read about notable incidents elsewhere. The requirement for notification has changed that. It introduces significant risks to brand and reputation, and the erosion of the trust established with customers and partners over time. Privacy might not be a boardroom priority (yet), but brand and reputation certainly are."

Alice Muasher Privacy Analyst
[email protected]

Comments provided by:
Dale Waterman Managing Director, Middle East & North Africa
[email protected]
Breakwater Solutions, Dubai