UAE: What the new data protection law means for companies within the UAE - Part two
The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law') became effective on 2 January 2022, and it is the UAE's first federally applicable data protection law in the style of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law follows key international data protection principles and best practices, such as those found within the GDPR, and marks a positive step towards harmonisation with international standards, a necessity in an interconnected age characterised by cross-border data flows. In part two of this series on the Law, Andrew Fawcett and Darya Ghasemzadeh, from Al Tamimi & Company, discuss some of the data subject rights under the Law, as well as its provisions on the role of a data protection officer ('DPO') and cross-border data transfers.
Technical and organisational measures
The Law requires both controllers and processors to implement appropriate technical and organisational measures. Whilst the Law, like the GDPR, stops short of prescribing precise measures and instead adopts a proportionality-based, risk-based assessment, it does suggest encryption and pseudonymisation as technical measures. Moreover, appropriate measures and procedures must be in place to ensure the erasure or correction of incorrect personal data. Personal data must be kept secure and protected from any breach, infringement, or illegal or unauthorised access by establishing and applying appropriate technical and organisational measures and procedures. The Law also requires controllers to carry out a Data Protection Impact Assessment ('DPIA') when using any modern technologies that pose a high risk to the privacy or rights of data subjects, and sets out the procedures and the information that must be included in such a DPIA and disclosed to the UAE Data Office.
The obligation to implement appropriate technical and organisational measures is imposed separately on controllers and on processors. The Law follows the GDPR in adopting a risk-based approach: controllers and processors must make a proportionality assessment when selecting technical or organisational measures, taking into account the cost of implementation and the risk associated with the processing at hand, which can include the risk of damage, loss, accidental or illegal modification, disclosure, or unauthorised access to the personal data.
The relationship between controllers and processors is also regulated. Where a controller within the territorial scope of the Law engages a processor, the controller must ensure that the processor provides sufficient assurances and will integrate suitable security measures into its processing.
While the Law requires that there is a contract between the controller and processor, it does not specify what must be stipulated in the contract with the level of detail seen in Article 28 of the GDPR.
Processors must themselves maintain a special record of personal data processed on behalf of the controller.
It needs to be noted that the Executive Regulations to the Law, due to be issued within six months of the date of issuance of the Law (i.e. by 20 March 2022), are to address the obligations of controllers and processors.
Transparency and the right to obtain information from a controller
While the Law adopts a general principle of transparency, it is less prescriptive regarding what information the controller must provide the data subject before processing their data. The Law only specifies the following information must be provided:
- the purposes of processing; and
- the targeted sectors or establishments with which their personal data is to be shared, whether inside or outside the State.
However, as drafted under the Law, data subjects have a right to request to be informed about and to obtain information about the processing of their personal data.
Despite the general principle of transparency and the right to obtain information, the Law creates certain exemptions which allow a controller to refuse a data subject's request for information if the request:
- is excessively repetitive;
- conflicts with judicial procedures or investigations by the competent authorities; or
- may adversely affect the controller's efforts to protect information security, or would affect the privacy and confidentiality of the personal data of others.
Other data subject rights
Data subjects have a number of rights under the Law, which are heavily influenced by and similar to data protection laws, such as the GDPR. Data subject rights under the Law with respect to personal data include the right to rectification and erasure, the right to restrict processing, the right to stop, and the right to object.
The Law includes the right to rectification and the right to erasure (i.e. the right to be forgotten), both of which are also found in other data protection laws worldwide. The data subject has the right to request the correction or completion of inaccurate personal data held by the controller without undue delay. The right to erasure is not absolute and is restricted to circumstances such as where: (i) the personal data is no longer required for the purposes for which it was collected or processed; (ii) the data subject withdraws the consent on which the processing is based; (iii) the data subject objects to the processing and there are no legitimate reasons for the controller to continue it; (iv) the personal data is processed in violation of the Law or other legislation in force; or (v) erasure is necessary to comply with applicable legislation and approved standards.
The data subject has the right to oblige the controller to restrict and stop processing: (i) if the processing contravenes the Law; or (ii) if the data subject objects to the processing of their personal data, in which case the processing is restricted for a specific period allowing the controller to verify the accuracy of the data. This is similar to the concept of 'cessation of processing' under the Dubai International Financial Centre ('DIFC') Data Protection Law No. 5 of 2020 ('the DIFC Data Protection Law') and the Data Protection Regulations 2021 of the Abu Dhabi Global Market ('ADGM'), which require the controller to stop processing where the purpose for processing changes.
Notwithstanding, the controller may proceed with the processing of the personal data of the data subject without their consent in any of the following cases if: (i) the processing is limited to storing personal data; (ii) the processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial procedures; (iii) the processing is necessary to protect the rights of third parties in accordance with the legislation in force; or (iv) the processing is necessary to protect the public interest.
As under the GDPR, the data subject has the right to object to, and stop, processing carried out for direct marketing purposes, including profiling related to direct marketing. The same right applies to processing for the purpose of conducting statistical surveys, unless the processing is necessary to achieve the public interest, and to processing in violation of Article 5 of the Law.
There is a specific right to human involvement in data processing in an HR context, and there is a right to restrict automated processing. The data subject has an express right to object to decisions issued on the basis of automated processing if such decisions have legal consequences or seriously affect the data subject. The only instances where the data subject cannot object to such processing are where they have given valid consent to automated decision making or where the processing is necessary under other legislation in the State.
In a recruitment context, the Law provides that data subjects have a right to request human review of automated processing decisions. This is a welcome development in light of the increase in automated screening in recruitment: machine learning algorithms and predictive coding can produce biased results, and the 'black-box' effect, whereby the underlying logic of the algorithm is opaque, makes it difficult to explain to candidates how decisions about them were reached.
Data protection officer
The DPO role under the Law is somewhat different from that under other data protection laws in the UAE, such as the DIFC Data Protection Law, and also differs from privacy laws elsewhere, such as the GDPR. For example, unlike the DIFC Data Protection Law, there is no need for a 'Controller assessment/annual assessment'. Further, under the Law, the DPO must:
- handle the complaints from data subjects;
- provide 'technical advice' related to evaluation procedures and intrusion prevention systems, and provide appropriate recommendations. This requirement is absent from the GDPR and the DIFC Data Protection Law, which do not require the DPO to have technical cybersecurity knowledge and instead treat the role as that of a general (legal) compliance officer; and
- 'act as a link' between the controller and the processor, a requirement absent from the DIFC Data Protection Law, the ADGM Regulations and the GDPR.
Cross-border transfer of personal data and data sharing
The provisions on exporting personal data and conducting international data transfers are similar to those under the GDPR. The Law distinguishes between transfers to jurisdictions deemed by the Data Office to provide an adequate level of protection, which may proceed, and transfers to jurisdictions not deemed adequate, which may proceed only where an appropriate safeguard is provided.
The Data Office is yet to publish a list of countries deemed to have a sufficient degree of data protection. It is unclear whether the Data Office will approve or reject data transfer requests on a case-by-case basis, or whether a list will be published at a later stage. We expect the Executive Regulations to provide further guidance and details in this regard.
Implementation in practice remains to be seen but it seems that the Data Office will allow transfer to any country that has a data protection law. Therefore, the approach seems more lenient than the GDPR based approach.
If the receiving country does not have a data protection law in place, then the transfer may take place if:
- there is a contract which obliges the receiving entity in the receiving country to adopt certain safeguards;
- the express consent of the data owner/data subject is given for the transfer;
- the transfer is necessary for the performance of obligations, or for the establishment, exercise or defence of rights before judicial authorities;
- the transfer is necessary for the conclusion of a contract in the data subject's interest; and/or
- the transfer is necessary to protect public interest.
Divergence from other laws
Having noted that there are similarities between the Law and other data protection legislation, such as the GDPR, there are a number of key differences between the Law and the GDPR. In addition to differences already described above, these also include:
- the records of processing requirements under the Law are less detailed than those found under the GDPR; and
- controllers relying on Standard Contractual Clauses ('SCCs') or Binding Corporate Rules ('BCRs') under the GDPR for data transfers, or on the European Commission's adequacy decisions, will need to reassess their data transfers under the awaited Executive Regulations of the new Law.
Being the first specific data protection law at the federal level in the UAE, the Law is a welcome development towards harmonisation and global convergence of data protection standards in the world. However, there are a number of data protection principles within the Law which did not previously apply to UAE companies. Accordingly, companies must assess their compliance with the Law, and ensure that they are meeting all of the requirements imposed on controllers/processors before the transition period ends.
Due to the similarities between the new Law and other data protection legislation around the world, such as the GDPR, multinational companies that are GDPR compliant should be at a significant advantage in preparing to comply with the Law. Nonetheless, GDPR compliance on its own is not sufficient, as there are a number of points of divergence between the Law and the GDPR.