UAE: What the new data protection law means for companies within the UAE - Part one
The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law') became effective on 2 January 2022, and it is the UAE's first federally applicable, General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') style data protection law. The Law follows key international data protection principles and best practices, such as those found within the GDPR, and marks a positive step towards greater harmonisation with international data protection standards, a necessity in today's interconnected age of cross-border data flows. In part one of this two-part series on the Law, Andrew Fawcett and Darya Ghasemzadeh, from Al Tamimi & Company, provide an introduction to the provisions and scope of the Law, as well as the establishment of the UAE Data Office.
Ever since the enactment of the GDPR, which has been recognised as representing the high watermark of data protection, there has been an influx of data protection laws emerging across the Middle East and North Africa (MENA) region. In the United Arab Emirates ('UAE') alone, we have seen three data protection laws in the past three years, including the Dubai International Financial Centre ('DIFC') Data Protection Law No. 5 of 2020 ('the DIFC Law'), and the Abu Dhabi Global Market ('ADGM') Data Protection Regulations 2021 ('the ADGM Law'). This convergence is in part attributable to the GDPR's extraterritorial impact, which has led legislators in the Middle East and elsewhere to enact data protection laws that are similar to and inspired by the GDPR in many ways, and which enhance convergence and harmonisation in data protection standards. As a result, the UAE now has strong data protection principles, which will hopefully bring the UAE closer to receiving an adequacy decision from the EU.
The Law is the first federally applicable data protection law in the UAE. Previously enacted 'GDPR' style data protection laws in the region were only applicable in so-called 'financial free zones', such as the DIFC and the ADGM. There has also been some sector-specific regulation, such as the UAE Central Bank Consumer Protection Standard which, under Article 6, requires financial institutions licensed by the Central Bank of the United Arab Emirates ('CBUAE') to adopt GDPR-type protections for consumer data.
The Law creates a framework to protect the general privacy of individuals in the UAE and to ensure that their personal data is protected by the companies in the UAE that process it, by requiring those companies to implement appropriate governance for the protection and management of such personal data.
Although the Law came into effect at the start of 2022, it is currently subject to a transition period. Executive regulations were due to be issued within six months of the date of issuance of the Law (i.e. by 20 March 2022). UAE companies then have six months from the issuance of the executive regulations to comply with the Law (although the Cabinet can extend that period). As with many UAE laws, the executive regulations will contain a great deal of additional detail on the provisions of the Law and will assist UAE companies in understanding their compliance requirements under the Law.
Establishment of the UAE Data Office
The UAE has also inaugurated its first national data protection regulator for all data protection related issues. The UAE Data Office was created by a separate statute, the UAE Federal Decree-Law No. 44 of 2021 on the Creation of the UAE Data Office, which was also issued on 20 September 2021, in tandem with the issuance of the new Law. The UAE Data Office will act as the data protection regulatory authority, operationalising the Law's requirements.
The UAE Data Office has the role of enforcing the Law in practice, and monitoring compliance for companies in the UAE. Its responsibilities include:
- the issuance of instructions and guidelines to assist companies in implementing data protection legislation in practice;
- proposing and enacting standards to monitor how the Law is applied in practice;
- preparing and enacting data protection related policies and legislation; and
- imposing administrative penalties for non-compliance and monitoring the compliance of companies.
Application and scope
In order to understand the extent of the application of the Law, a brief background on the UAE's legal system is needed. The UAE comprises seven emirates, and has a unique multi-tier legal system, with various judicial and legislative authorities.
At the federal level, the UAE cabinet issues laws, which are federally applicable. Each Emirate also has its own laws and authorities, which apply within that Emirate. Moreover, each Emirate has its own legislative bodies, which also issue laws applicable at the Emirate level, and free zone authorities enact legislation which is only applicable within their respective free zone.
The Law applies generally at the federal level but does not apply within so-called 'free zones' which have their own data protection laws, such as the ADGM and the DIFC, as explained above. Moreover, the Law excludes from its application certain sectors which have their own data protection laws, and specifically excludes health data, and personal banking and credit data, from its scope, as these categories of data are already subject to sectoral federal regulations.
The Law does not apply to government data (which is not a defined term), to government authorities that control or process personal data, or to personal data held by security and judicial authorities.
The territorial scope of the Law is twofold. Firstly, its direct territorial scope can be said to apply to every company established onshore in the UAE that processes the personal data of data holders residing inside or outside the UAE. In this sense, the Law can be said to have normal territorial impact, as it applies to personal data processing in the context of any establishment in the UAE, regardless of where such data is stored or otherwise processed.
Secondly, like other data protection laws, such as the GDPR, the Law's broad territorial scope features extraterritorial impact. As such, the Law applies to 'every Controller or Processor located outside the country that carries out the activities of processing Personal Data for data owners in the country', meaning that, similar to the concept of extraterritorial impact within other GDPR-based data protection laws, controllers or processors located outside the national, geographical scope of the UAE may still fall under the scope and application of the Law, and therefore be held liable for compliance. Accordingly, multinational companies based outside the UAE that store or process any personal data with a UAE link must assess their compliance position carefully. Like the GDPR, the key test is the geographical location of the data subjects rather than their nationality or residency.
The Law is designed to protect personal data, which is defined as 'any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data'. This definition of personal data within the Law is in line with other data protection laws, and it is broad enough to encompass any direct or indirect identifier such as an IP number, voice, image, location, or other electronic identifiers. The definition also includes sensitive personal data and biometric data. A key point to note with this definition of personal data is that, unlike the definition found in the GDPR, it omits reference to a 'living natural person', meaning that the Law potentially extends data protection rights post-mortem.
The definition of personal data in the Law is broad enough to encompass pseudonymised data or aggregate data. There are now advanced statistical reconstruction methods, and various numerical forms of aggregation, that can be used to reconstruct original data from aggregate data and thereby make a person identifiable. Accordingly, organisations relying on aggregation methods as a technical or organisational measure may need to consider how the Law applies to them, as the breadth of the definition of personal data means that the only exemption is for synthetic data.
This is a positive interpretation of the definition of personal data, and goes a step further than other data protection laws, which still consider aggregated data as non-personal data.
The UAE Data Office is also empowered to exempt establishments that do not process a large amount of personal data from all or some of the requirements of the Law, in accordance with standards and controls to be set by the executive regulations. This appears to indicate that there may be some relief for small businesses from the Law's compliance requirements.
Introducing data protection principles into UAE Law
Prior to the enactment of the Law, and in the absence of a federally applicable GDPR-style law, there were only laws of general application relating to privacy. For instance, at the federal level, there was the general constitutional right to privacy, enshrined in the UAE constitution. There were also provisions relating to secrets and secrecy in the penal code and cybercrimes laws which restricted disclosures of secrets (i.e. anything that would normally be kept private) without consent or without another legal right to do so. Lastly, at the federal level, there are information assurance standards in the UAE which only apply to government data. These laws of general application are still applicable, and it will be interesting to see their interplay with the new Law. However, the new Law introduces core GDPR-style data protection principles which were previously absent, as it looks to align the UAE's federal law with global 'best practice' in data protection principles.
For starters, it introduces the core concepts of controller, processor, and personal data. Like other data protection laws, both controllers and processors have compliance obligations under the Law, although more obligations apply to controllers than to processors.
Transparency and accountability are at the heart of the Law, as are core data protection principles such as purpose limitation and data minimisation. Specifically, the Law requires that all processing be carried out in a fair, transparent, and lawful manner, that personal data must be collected for a specific and clear purpose, and that organisations may not process personal data at any subsequent time in a manner incompatible with that purpose. It follows that the Law embeds the principles of purpose limitation and data minimisation; however, a difference between the Law and other data protection laws, such as the GDPR, is that personal data may be processed if the purpose of processing is similar or close to the purpose for which such data was originally collected. Therefore, the principle of purpose limitation may perhaps be applied less strictly than it is under the GDPR.
Lawful basis for processing
Unlike the GDPR, the Law relies on consent as the primary lawful basis for processing. Where the consent of the data subject cannot be, or is not, obtained, personal data may not be processed unless one of the exceptions to consent laid out in the Law applies.
The Law provides exceptions to the requirement to obtain consent where, for example, processing is necessary for the performance of a contract to which the data subject is already a party, but not for entering into a contract. Other exceptions include processing to comply with a legal obligation, to protect the public interest, where necessary for an employer or a data subject to exercise their rights in the field of employment or social security, where necessary to protect the vital interests of the data subject, or where processing is necessary to fulfil obligations imposed on controllers by other laws of the State (UAE).
Unlike most other GDPR-style laws, there is no legitimate interest lawful basis, meaning that consent would have to be relied on in lieu of legitimate interest. It is possible that this may be addressed in the executive regulations.
The approach of the Law has been to merge the lawful grounds for processing personal data without the need for consent, with some grounds that in other data protection laws only apply to sensitive or special categories of personal data (such as processing that is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or data subject in the field of employment law).
The Law sets out the conditions for consent, which must be met if consent is to be valid, and if a controller is to be able to rely on such consent. These conditions include that consent must be unambiguous, clear, easy to withdraw, and that the data subject should be informed of their right to such withdrawal. The Law does not expressly require that consent is freely given, which is a divergence from the GDPR approach.