As part of the UAE’s Project of the 50, a series of new projects and initiatives aimed at boosting UAE’s development, the UAE has enacted, among other laws, a new federal law on personal data protection – Federal Decree-Law No. 45 of 2021 (the “Law”).
Generally aligned with the GDPR, the Law is the first comprehensive personal data privacy law at a federal level ever issued in the UAE.
The Law will enter into force on 02 January 2022, while its Executive Regulations are set to be published by March 2022.
The Emirates Data Office (“Data Office”), a new office created by virtue of Federal Decree-Law No. (44) of 2021, shall oversee the implementation of the Law, acting as the UAE federal data protection regulatory authority.
The Law has an extraterritorial application. It is set to apply, subject to certain exclusions, to the processing of personal data (i) of data subjects who reside or have a place of business in the UAE; (ii) by data controllers or data processors who are located in the UAE, irrespective of the location of the data subjects; and (iii) by data controllers or data processors located outside the UAE processing personal data of data subjects that are in the UAE.
Excluded from the application of the Law are public entities and governmental data; entities incorporated within UAE free zones that have their own data protection legislation; personal data in the possession of security and judicial authorities; and health and credit/banking related personal data that are subject to special regulations governing their processing.
Consent is set as the main lawful basis for processing personal data. However, several exceptions apply, setting out alternative legal bases for processing. These exceptions include public interest, performance of a contract and legal requirement. The Law also sets out the main conditions for obtaining valid consent from the data subject and gives the data subject the right to withdraw its consent.
Data controllers and data processors shall ensure that any processing of personal data is fair, transparent and lawful. They shall additionally abide by the principles of purpose limitation (personal data must be collected for a clear and specific purpose and shall not be later processed in a manner contrary to such purpose); data minimization (personal data shall be adequate and restricted to what is necessary in relation to the purpose for which they are processed); accuracy (personal data must be correct, accurate and, where necessary, kept up to date); storage limitation (personal data must not be stored following the conclusion of the purpose for their processing unless the identification of the data subject is anonymized); and integrity and confidentiality (personal data must be safely stored and protected from unlawful or unauthorized access). Data controllers and data processors shall also put in place measures and actions to ensure the erasure or rectification of incorrect personal data. It is expected that the Executive Regulations will set forth additional controls applicable to the processing of personal data.
The Law also sets general obligations for both data controllers and data processors, such as the implementation of appropriate technical and organizational measures for the protection and security of personal data, and the maintenance of records of the details of their processing of personal data, including the categories of data, the purpose of processing, and the persons authorized to access personal data.
Data controllers are also obliged to notify the Data Office and the respective data subject when they become aware of any data breach which is likely to result in a risk to the privacy, confidentiality or security of such data. Executive Regulations shall set forth the procedures and timeframes for such notifications.
In line with the data protection laws of most other jurisdictions, data subjects are granted, in relation to their personal data, the right of access, the right to request portability, the right to rectification and, under certain conditions specified in the Law, the right to request erasure of their personal data, the restriction and halting of processing, and the right to object to profiling.
Cross-border transfer of personal data is allowed under the Law to countries which are approved by the Data Office as having personal data protection regulations in place, or to countries that are parties to bilateral or multilateral agreements on the protection of personal data.
Transfer of personal data to countries that do not have an adequate level of data privacy protection is nevertheless permitted by the Law under certain circumstances, including when the express consent of the data subject is obtained (provided that such consent does not conflict with the public and security interests of the State); when the transfer of personal data is necessary for the execution of a contract between the data controller and the data subject; when the transfer is necessary for the purposes of international judicial cooperation; and when such transfer is necessary to protect the public interest. Additional details and requirements applicable to the cross-border transfer of personal data are expected to be set forth by the Executive Regulations.
Data subjects have the right to lodge complaints with the Data Office if they believe that a contravention of the Law or the Executive Regulations has been committed by a data controller or data processor.
The Law establishes that the Data Office may impose administrative sanctions in case of contravention of the Law or the Executive Regulations. Such administrative penalties are yet to be specified pursuant to a decision by the Council of Ministers, upon the proposal of the Director General of the Data Office.
Organizations that fall under the provisions of the Law are granted six months following the publication of the related Executive Regulations to adjust their operations for compliance and should therefore begin to assess and adjust their data processing procedures accordingly.
Leila Laila, Partner