One of the most notable legislative changes introduced is the UAE’s first standalone Federal Decree Law 45 of 2021 concerning data protection (“Data Protection Law”).
This Law governs the Processing of Personal Data. Personal Data is any information that can identify an individual. This can be names, Emirates IDs, passports, visas, email addresses and phone numbers. It can also be unique identifiers such as staff numbers, device IDs and biometrics. If you collect, store or use personal information, you must comply with this Data Protection Law.
Non-compliance with these laws carries both financial and criminal sanctions, the extent of which is to be determined by forthcoming implementing regulations.
This law applies to any establishment that collects personal data, such as hospitals, hotels, schools and consultancy firms.
Basic principles of the Data Protection Law
The Data Protection Law adopts similar concepts to the European General Data Protection Regulation (GDPR) (and the other data protection laws around the globe that have also adopted such principles). As is the case in the GDPR, “Personal Data” is given a broad meaning, effectively capturing any information that can be used to identify a natural person either directly or indirectly (by combining with other data). For practical purposes, businesses should assume that all data relating to their customers, prospects, staff, directors and shareholders and suppliers is personal data for the purposes of the Data Protection Law, unless it is stored in a format which renders it anonymized.
The law also uses the concepts of “data subject” (i.e. the natural person identified by the data), “controller” (i.e. the legal entity or person who specifies the method, criteria and purpose of processing) and “processor” (i.e. a legal entity or person who processes data in accordance with the instructions of the controller). “Processing” is a very wide concept under this law which encompasses any operation performed on the personal data. According to the definition of “processing”, the Data Protection Law only appears to apply to processing carried out using electronic means.
Who does the Data Protection Law apply to?
The law applies to:
- Entities that process the personal data of people residing in the UAE
- Entities outside the UAE that carry out processing activities relating to individuals located in the UAE
- Any Controller or Processor located in the UAE (regardless of the location of the data subjects whose data are being processed)
In other words, if your organization collects or uses personal information of individuals residing in the UAE, then the Data Protection Law applies to you whether or not you are located in the UAE. For organizations in the UAE, the rights and protections under the law apply irrespective of the location of the individual.
The scope of the Data Protection Law contains significant exclusions, such as in relation to:
- Government data and authorities
- The processing of health, banking, and credit data which is subject to sector-specific legislation
- Companies and institutions located in free zones which have specific data protection laws, such as the Dubai International Finance Centre (DIFC) and the Abu Dhabi Global Market (ADGM)
What happens in case of a breach?
In the event of a data breach, the Data Protection Law requires the controller to notify data subjects if the breach is likely to be “high risk” to the relevant individuals’ rights and freedoms.
While strictly speaking the Data Protection Law came into effect on 2 January 2022, it will only practically be enforced once the implementing regulations are issued at which point UAE domiciled organizations will have six months to ensure compliance.
What should you do?
All businesses that are covered by the Data Protection Law will need to audit their existing data use in order to update processes, contracts, notices and employee awareness to ensure compliance with the Data Protection Law.
Any business with a global privacy program should expand it to include the UAE Data Protection Law, and we strongly recommend that companies, establishments and business groups take appropriate steps to ensure compliance as soon as possible.