UAE legal reforms – new UAE data protection law


Introduction - 2021 Reforms

In Q4 2021, as part of its 50th Year Anniversary, the UAE announced some of the broadest changes to its legal landscape in many years. It also introduced major practical changes, not least announcing the change of the working week for the public sector from Sunday-Thursday to Monday-Friday – a move that we expect the private sector will follow. In this series of articles, we summarise some of the key changes introduced in the Q4 2021 reforms.

A table listing out the key new or updated laws can be downloaded here.

This article discusses Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (the DPL).

The DPL comprehensively regulates the processing of personal data in the UAE (and potentially overseas) at a nation-wide and cross-sectoral scale for the first time. The DPL operates alongside Federal Decree Law No. 44 of 2021 Establishing the UAE Data Office (the Data Office Law). The UAE Data Office will be the regulator charged with overseeing, implementing and enforcing the DPL and has a wide-ranging mandate under the Data Office Law. The DPL imposes numerous obligations on a vast swathe of UAE businesses for the first time and will present a compliance challenge, in particular, for those businesses dealing with large amounts of customer and employee data.

UAE Protection of Personal Data Law

We have seen a raft of new data protection laws in the Middle East over recent years. The UAE has, until now, regulated processing of personal data in key industries such as healthcare and banking. Additionally, the two special financial free zones – the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) – have had their own data protection laws and regulations modelled on European data protection law for some time. There are also various articles of the general criminal law in the UAE which are concerned with violations of privacy and breach of confidence. However, it is only now that all businesses operating in the UAE will need to carefully consider data protection compliance in detail at an enterprise-wide level, and ensure that appropriate data protection practices are implemented in their business arrangements.

Basic principles of the DPL

The DPL adopts similar concepts to the European General Data Protection Regulation (GDPR) (and the other data protection laws around the globe that have also adopted such principles). As is the case in the GDPR, “Personal Data” is given a broad meaning, effectively capturing any information that can be used to identify a natural person either directly or indirectly (by combining with other data). It is not clear whether the DPL continues to apply to data identifying deceased natural persons or not. For practical purposes, businesses should assume that all data relating to their customers, prospects, staff, directors and shareholders and suppliers is personal data for the purposes of the DPL, unless it is stored in a format which renders it anonymised.

The law also uses the concepts of “data subject” (i.e. the natural person identified by the data), “controller” (i.e. the legal entity or person who specifies the method, criteria and purpose of processing) and “processor” (i.e. a legal entity or person who processes data in accordance with the instructions of the controller). “Processing” is a very wide concept which captures any operation performed on the personal data. According to the definition of “processing”, the DPL only appears to apply to processing carried out using electronic means.

Effective date

The DPL is in effect from 2 January 2022, however it will not be enforced until six months after the publication of further executive regulations. We do not know exactly when the executive regulations will be published but six months is not a huge period of time to prepare, so businesses should start considering and planning for the DPL sooner rather than later. Businesses in Europe had years to prepare for the GDPR, against the backdrop of already having to comply with data protection legislation implementing the European Data Protection Directive since the 1990s, but even then, many were late in completing GDPR compliance programmes.

Scope of the DPL

The DPL applies to processing conducted by:

  • any data subject residing in or having a place of business in the UAE
  • any controller or processor located in the UAE (regardless of the location of the data subjects whose data are being processed)
  • any controller or processor located outside the UAE who processes the personal data of data subjects inside the UAE

The second point means that UAE businesses must maintain the same high standards even if handling data related to overseas persons. The third point, however, has extremely wide scope. Consider a (heavily simplified) scenario where a UAE-based consumer orders a product online from a business based in Thailand, which uses a cloud service provider located in Indonesia to process online orders and engages an Indian logistics company to fulfil orders. Taken at face value, the Thai e-commerce business becomes subject to the DPL as a controller and the Indonesian and Indian suppliers become subject to the DPL as processors. This is unworkable in practice; it is not possible for all these businesses to be ready to comply with the DPL on the off-chance that a UAE-based person’s data are submitted to them. The GDPR also has extra-territorial reach, but it is nuanced by reference to tests; under GDPR, the Thai e-commerce company, the Indonesian cloud service provider and the Indian logistics company would only be subject to GDPR if they were targeting their services at Europe-based consumers or were monitoring the behaviour of individuals in Europe. Incidental processing of the data of a person based in Europe is not enough to determine applicability of GDPR. The DPL does not contain such nuance; hopefully this will be developed further when the executive regulations are published, so that businesses based outside the UAE, but with only incidental dealings with UAE-based persons, are not driven to take the view that they should block all transactions with UAE-based persons.

Exemptions

The DPL does not apply to government data or government authorities. It is not entirely clear what “government data” means in this context. It is referred to in its own right, separate from processing conducted by government authorities, so presumably it is intended to have a broader scope and to capture government data in the hands of third parties. Some further clarification under the executive regulations or guidance issued by the UAE Data Office would be welcome.

Security and judicial services are also exempted from the DPL.

As with GDPR, processing conducted for personal purposes (i.e. non-business domestic purposes) is exempt.

The DPL also states that health and banking data are not subject to the DPL to the extent they are already regulated. However, healthcare companies and banks will also process data which are not subject to existing regulations, with respect to their employees, suppliers, prospects and so on, so we assume that those businesses will need to operate dual-compliance regimes: complying with the industry-specific regulations for the data that relates to their patients/clients, but also complying with the DPL with respect to all other personal data.

The law confirms that it does not apply to companies and institutions located in UAE free zones which have special data protection legislation. This currently covers the DIFC and ADGM and also Dubai Healthcare City, which has a Patient Personal Data Regulation. It will be interesting to see whether any other free zones which do not currently have a data protection law seek to boost their attractiveness as a low-cost-of-compliance territory by implementing their own data protection laws which operate to a lower standard than the DPL.

Interestingly, the DPL also states that the UAE Data Office may introduce de minimis exemptions, so that establishments that process a minimal amount of personal data may be exempted from the DPL.

Lawful processing and consent

Unless data subject consent has been obtained, personal data may only be lawfully processed in accordance with the following bases, plus any other bases set out in the executive regulations, when published:

  • if the processing is necessary to protect the public interest
  • if the processing is for personal data that has become available and known to the public by an act of the data subject
  • if the processing is necessary to initiate or defend against any claims to legal rights or legal proceedings, or related to judicial or security procedures
  • if the processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the state
  • if the processing is necessary to protect public health or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the state
  • if the processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the state
  • if the processing is necessary to fulfil obligations imposed by other laws of the state on controllers
  • if the processing is necessary to protect the interests of the data subject
  • if the processing is necessary for the controller or data subject to fulfil his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws
  • if the processing is necessary to perform a contract to which the data subject is a party or to take, at the request of the data subject, procedures for concluding, amending or terminating a contract

For most businesses, the latter three bases will be the most commonly relevant. It is interesting to observe that there is no “legitimate interests” basis (this is a feature in common with the new personal data protection law in Saudi Arabia), unlike in GDPR and various other data protection laws. This is likely to create a broader reliance on consent to justify non-“necessary” processing. There are practical problems with relying on consent, particularly in relation to a processing activity which is a crucial business activity. In particular, consent can be withdrawn at any time.

It remains to be seen how “necessary” will be interpreted by the UAE Data Office. For example, an employer may wish to outsource its payroll function to a specialist provider. It is clearly necessary for the performance of the employment contract and to protect the interests of the employees that payroll is diligently and accurately managed, however it is not clear that outsourcing such processing to a third party is “necessary” in any common understanding of the word. Under GDPR, an employer may be able to balance the efficiencies and other benefits of outsourcing against the rights of the data subjects and conclude that it is in its legitimate interests to conduct the outsourcing, however such a route is not available under the DPL. Under GDPR, European guidance and jurisprudence establishes clearly that consent is not appropriate in an employer/employee relationship, because under GDPR consent must be freely given and it is considered that there is a power imbalance in the relationship between the parties which means that consent cannot be “freely” given by the employee. The DPL is silent on this topic, so it is possible, perhaps, that an employer can build a broad consent into its staff onboarding procedures, however this does not address the difficulty related to the potential withdrawal of consent.

The DPL sets out conditions for consent, namely:

  • the controller must be able to prove it has obtained consent (in practice, this means having systems in place to document and maintain a record of consents)
  • the consent must be given in a clear, simple, unambiguous and easily accessible manner
  • the consent must indicate the right of the data subject to withdraw it in an easy manner

The legitimate interests basis under GDPR can be relied upon by a third party to whom the controller discloses the personal data. The lack of a legitimate interests basis in the DPL is also, therefore, potentially problematic for processors, which do not hold a direct relationship with the data subjects whose data are processed and so cannot verify whether consent is in place or whether the processing fulfils one of the other lawful grounds. Processors dealing with UAE-based controllers will therefore want to address carefully the contractual terms on which they provide their services, to ensure that appropriate commitments are given by the controller, and will also want to consider provisions related to the liability of the controller for ensuring there is a lawful basis in place for the processor to process the personal data.

Controller and processor contracts

The DPL does not specify mandatory provisions for inclusion in contracts between controllers and processors, however it is in all parties’ interests to consider the risks associated with the processing activity occurring under a contractual relationship and to build in appropriate protections and obligations. We recommend that all businesses review their standard contract templates accordingly, including terms of sale, terms of supply, terms of engagement with service providers, employment contracts and more.

Personal data controls

The DPL requires that the following controls must be implemented when personal data are processed. Note that these controls must be implemented by both controllers and processors.

  • Processing must be made in a fair, transparent and lawful manner.
  • Personal data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose, however, personal data may be processed if the purpose of processing is similar or close to the purpose for which such data is collected.
  • Personal data must be sufficient for and limited to the purpose for which the processing is made.
  • Personal data must be accurate and correct and must be updated whenever necessary.
  • Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect personal data.
  • Personal data must be kept securely and protected from any breach, infringement, or illegal or unauthorized processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.
  • Personal data may not be kept after fulfilling the purpose of processing thereof; it may only be kept in the event that it is anonymized.
  • Any other controls set by the executive regulations of the DPL.

These controls map closely to the key principles of the GDPR. To comply with the controls, businesses need to understand the sources of personal data ingested into the business, the processes used to collect data, the information provided to the data subjects, what happens to the data once it is collected, how long it is stored, how it is kept secure and so on. This is a broader initiative than a “legal” initiative and, in any large business, requires the buy-in of various business units. Many businesses may conclude that their current practices need to change. For example, it is common practice in the UAE for retailers to ask customers for their name, mobile number and/or email address “over the counter” at the point of purchase; in order for such data collection to be lawful once the DPL is in force, the customer needs to be informed of the specific and clear purpose of such collection in order for the first of the two controls listed above to be complied with.

Information to be provided to data subjects

Before commencing processing, the controller must notify the data subject of:

  • the purposes of data processing
  • any sectors or establishments with which the personal data is to be shared
  • any measures employed to protect the personal data in any cross-border transfers

All controllers must therefore have a privacy notice which contains, at a minimum, the above information and must consider how the provision of such information can be incorporated into the data collection processes it undertakes.

Record keeping

Both controllers and processors must keep a detailed personal data record and make the same available to the UAE Data Office on request. In order to maintain an accurate and complete record, businesses will need to conduct an audit exercise covering data ingestion, data handling and data processing by third parties.

Personal data breaches

Controllers must immediately report data breaches to the UAE Data Office unless the breach would not prejudice the privacy, confidentiality and security of the data. In such circumstances, the controller must also contact the affected data subjects; this is a matter which requires careful handling in order to manage reputational risk whilst complying with the law. All controllers should have a clear policy or procedure for responding to data breaches ensuring that the breach is escalated rapidly to the appropriate decision makers. Controllers may wish to consider whether such policy requires engagement of third party specialists such as forensic IT security consultants, legal advisors, PR consultants and so on.

Data Protection Officer

Controllers and processors must appoint a data protection officer (DPO) in any of the following cases:

  • If their processing activity would cause a high risk to the confidentiality and privacy of the personal data or data subject as a result of adopting technologies that are new or are associated with the volume of data in question.
  • If the processing will involve a systematic and comprehensive assessment of Sensitive Personal Data, including profiling and automated processing (processing carried out without human intervention or with limited human supervision and intervention).
  • If the processing involves a large amount of Sensitive Personal Data.

“Sensitive Personal Data” means any data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

The executive regulations of the law should provide further detail in relation to the DPO trigger thresholds mentioned above. If a DPO is needed, they can be employed or “authorised” by the controller or processor, which implies that third party DPO service providers will be permitted. The DPO may be located inside or outside the UAE. The contact details of the DPO must be provided to the UAE Data Office.

The DPO needs to be engaged in a timely manner in relation to all processing matters and given the necessary resources to perform the role. The DPO is protected against disciplinary actions for a reason related to the performance of his/her duties in accordance with the DPL and must not be assigned duties which create a conflict of interest with the duties of the DPO. The DPO’s contact details should be made available to data subjects who have the right to communicate directly with the DPO in order to exercise their rights (see below).

Data subject rights

Data subjects have the following rights.

  • Right to request the controller to provide information on the personal data of the data subject that is being processed, including details of sharing of the personal data with third parties, decisions made based on automated processing and profiling, controls and standards for the storage of the personal data, procedures for maintaining the accuracy of the personal data, the method employed to protect personal data in cross-border transfers and procedures for responding to a data breach. Controllers will want to have a clear process for responding to such requests to ensure that responses are appropriately structured and drafted and the information provided is consistent. Controllers may wish to develop template responses for various types of information requests. The controller can refuse a request in certain circumstances.

Please note that there is no express right to receive a copy of the personal data being processed. This therefore seems to make this right somewhat different to the “DSAR” requests that can be made under GDPR. However, the DSAR is captured, subject to more limited circumstances, under the right to request personal data transfer described below.

  • If the processing is based on consent or is necessary to fulfil a contract obligation and based on automated means, the data subject has the right to obtain his/her personal data in a structured and machine-readable format and/or, if technically feasible, to request the transfer of such data to another controller. This right is therefore a mix of the portability and DSAR rights under the GDPR. Again, controllers need to have a policy detailing how they will comply with such requests.
  • Right to correction and completion of personal data.
  • Right to erasure of personal data if no longer required for the processing purposes, if consent is withdrawn (if consent is the basis for processing), if the data subject objects or there are no legitimate reasons for the controller to continue processing or if the data is being processed in violation of the law. There are exceptions to the right to erasure where the data is needed for public health reasons, if the data is needed for legal or investigatory procedures or if the deletion would contravene other laws.
  • Right to restrict processing (i.e. require the controller to stop processing whilst addressing the concerns) if the data subject objects to the accuracy of the data, if the data subject objects that processing is in violation of the specified purpose, or if the processing is in violation of the law. There are exceptions to the right that the controller may be able to rely on.
  • Right to stop processing if the processing is for direct marketing or profiling related to direct marketing, if the processing is for the purpose of conducting statistical surveys (unless such surveys are necessary for the public interest), if the processing is in violation of the processing controls set out in Article 5 of the DPL.
  • Right to object to decisions based on automated processing that have legal consequences or seriously affect the data subject. The right does not apply if the automated processing is included in the terms of a contract between the controller and data subject, is necessary in accordance with laws in force in the UAE or if the data subject has already given his/her consent (in accordance with the DPL) to the automated processing.

No timescales are provided for in which data subject requests must be complied with and no sanctions are specified for non-compliance. We assume that the executive regulations of the law will address these subjects.

Controllers should ensure that they have a procedure/policy in place for addressing data subject rights requests. This is particularly important when responding to requests to disclose personal information, where there is a risk of disclosing personal data relating to a third party, or where the party making the request is not who they claim to be. Wrongful disclosure in such circumstances will be a breach of the DPL but could also trigger criminal liability under other laws in the UAE.

Data security and impact assessments

Like most data protection laws, the DPL is not prescriptive as to specific data security standards that must be met; however, both controllers and processors are responsible for establishing and taking appropriate technical and organisational measures to protect the data to a level commensurate with the risk. This will be a different standard for a small local shop and for a sophisticated multinational IT service provider.

Given that a risk-based approach is mandated, controllers and processors will need to assess the risks associated with their activities and respond accordingly. Further, the DPL mandates that controllers must undertake an impact assessment before conducting any new processing using technologies that could pose a high risk to the privacy and confidentiality of the personal data. The DPL specifies that such circumstances include where the processing involves a systematic and comprehensive assessment of the personal aspects of the data subject based on automated processing, including profiling, which would have legal consequences or would seriously affect the data subject, or if the processing will be made on a large amount of Sensitive Personal Data.

There are minimum content requirements for an impact assessment. Controllers should have in place a process to enable their business units and compliance stakeholders to assess when an impact assessment is necessary and to properly conduct such an assessment, and should have templates for such assessments and a process for logging and retaining them.

Cross-border data transfer

Article 22 of the DPL suggests that the UAE Data Office will designate certain territories as adequate for the purposes of data transfers from the UAE and that the UAE may enter into bilateral or multilateral agreements for such purposes.

In the absence of such decisions and agreements, Article 23 of the DPL provides further grounds on which international data transfers may be lawfully implemented. The grounds are:

  • a contract or agreement is in place between the transferor and transferee which obliges the transferee to implement provisions equivalent to those required under the DPL and which makes the controller or processor subject to the jurisdiction of a competent supervisory or judicial authority in the country of the transferee. It is not entirely clear what is required under this provision to ensure compliance. It may be that the UAE Data Office publishes a set of “model” clauses in order for UAE-based entities to demonstrate that this provision is satisfied. Such model clauses would be useful to give certainty to businesses in this regard.
  • the express consent of the data subject has been obtained, provided that this cannot be relied on if the transfer could conflict with national security or public interests. Presumably this consent can be withdrawn, therefore consent may not be appropriate for large-scale business-as-usual transfers.
  • the transfer is necessary to fulfil obligations and establish, exercise or defend rights before judicial authorities.
  • the transfer is necessary to enter into or execute a contract between the controller and data subject, or between the controller and a third party to achieve the data subject’s interest. Further guidance on how to assess the data subjects’ interest would be useful, in relation to this provision.
  • the transfer is necessary to perform a procedure relating to international judicial cooperation.
  • the transfer is necessary to protect the public interest.

It is worth noting that the relevant provisions of the DPL apply to transfers out of the State. It can therefore be inferred that transfers from “mainland” UAE into the DIFC or ADGM are not subject to the rules relating to transfers in the DPL. This is in contrast with the positions adopted in DIFC and ADGM for the reverse transfer; transfers of personal data out of those free zones to other parts of the UAE are treated in the same way as international transfers (although each of those two financial free zones recognises the other as adequate for transfer purposes).

Violations and penalties

Complaints can be filed with the UAE Data Office by any data subject. We assume the UAE Data Office will also conduct proactive investigations and audits; however, the way it will discharge its functions under the Data Office Law, and how quickly it will be in a position to do so, remains to be seen. The Data Office Law provides that the Telecommunications and Digital Government Regulatory Authority in the UAE will provide assistance to the UAE Data Office during its infancy.

The DPL does not specify the penalties for violation. It states that the Federal Cabinet will take account of proposals made by the UAE Data Office and will then issue a decision specifying the administrative penalties for violations of the DPL. It is therefore hard for controllers or processors to assess the likely financial impact of violating the law at this time, however it is important to understand that regulatory sanctions are often a relatively small part of the cost of a data breach. A serious data breach will require a controller or processor to incur material costs in investigating and managing the breach. Other costs may include damage to, or inaccessibility of, hardware or demands for ransom payment. Of course, if data is lost or destroyed then that represents loss of a valuable business asset (such as a marketing database or HR information). Further, if a data breach becomes public knowledge – and bear in mind that data breaches will frequently need to be reported to the UAE Data Office and to data subjects – then there are costs associated with harm to business reputation and consumer confidence.

Also, the DPL does not repeal other provisions of the UAE’s law which deal with violations of privacy or confidence and which impose criminal penalties. Such laws include the UAE’s cybercrime laws, which have recently been repealed and replaced by Federal Law No. 34 of 2021 Concerning the Fight Against Rumours and Cybercrimes. We have published a separate update on this law, but it is potentially a significant law which includes criminal liability for violating personal data laws in the UAE and its practical intersection with the DPL remains to be seen.

Summary and next steps

The DPL introduces a comprehensive data regime, similar in scope to regimes such as the GDPR, and brings the UAE in line with numerous international norms applicable to data protection. The risks under the DPL are commensurate with the volume and sensitivity of data held by businesses in the UAE (and potentially overseas businesses processing UAE-related personal data). Businesses that process a material volume of personal data or are conducting high-risk activities should carefully consider how to approach compliance. Typical compliance programmes will need to involve: understanding and mapping of data ingestion and data transfers; audit of current procedures; audit of current information security processes; development of new procedures, policies, information notices and data processing records; staff training; documenting and potentially improving IT security controls and organisational security controls; reviewing third party contracts and revising contract templates; and appointment of a DPO, amongst other things.

We will publish a compliance checklist for the DPL and are very happy to discuss any of the issues covered, or how to approach compliance. Please reach out.