The United Arab Emirates has issued for the first time a federal law for the protection of personal data, namely the 'Federal Decree-Law no. 45/2021 on the Protection of personal data' ('Personal data protection law'). The provisions of the personal data protection law apply to the Processing of personal data in the UAE, whether done automatically through electronic systems or via other means. Apart from the newly introduced Law, there exists separate data protection laws applicable for the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM) and for the Dubai Health care city respectively.
Applicability:
The personal data protection law is wide-reaching in its applicability and takes into account data processing activities either carried out inside the UAE or carried out outside the UAE when it applies to any natural person residing or carrying out a business activity in the UAE.
The said Law takes into account what is termed as a 'data subject', which refers to any natural person who is the subject of the Personal Data and in its applicability encompasses any:
1. A data subject who resides or carries out business in the UAE;
2. Any controller or processor or data located in the UAE who carries out activities involving Processing of data or data subjects whether residing inside or outside the UAE; and
3. A controller or processor of data located outside the UAE, but carries out activities encompassing the Processing of personal data of data subjects inside the UAE.
'Personal data' defined:
The personal data protection law clearly defines ‘personal data’ into two types: 'Personal Data' and 'Sensitive personal data'.
Wherein, 'Personal Data' refers to 'Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data'.
Whereas, 'Sensitive Data', refers to 'Any data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such people, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.
What constitutes a breach:
Article 5 of the UAE personal data protection law lays out the legal parameters for the Processing of personal data and states that the personal data must be collected only for a specific and clear purpose and should not be processed at any given time period in a manner that is incompatible with the provisions of this Law. Further, the personal data should be stored securely with adequate technical protections included in place, and it should be stored only with the identity of the data subject anonymized. The controller of the personal data should obtain the consent of the data subject either in writing or in an electronic format, and the consent letter should clearly indicate the right of the data subject to withdraw such consent at a later date.
A data breach may comprise of breach of information security and personal data by illegal or unauthorized access, including copying, sending, distributing, exchanging, transmitting, circulating or processing data in a way that leads to disclosure thereof to third parties, or damage or alteration thereof during the processes of storage, transmission and Processing. The UAE personal data protection law does not specify the scope and level of penalties for breach of its provisions. However, based on a proposal of the Data Office, as established under this Law, the UAE government is expected to issue a list of administrative penalties by March 2022 stating the penalties that are to be imposed, as part of the executive regulations governing the said Law.
The new personal data protection law is currently in force from 2 January 2022. The government has termed it as one of the first federal laws drafted on this subject matter in partnership with the major technology companies in the private sector. One of the main objectives of this law has been to ensure that strict controls are in place for the Processing of personal data, in order to maintain its security, confidentiality and privacy. The rights of the data subject have been clearly defined, including the right to object to and stop the Processing of his or her personal data whether if the Processing is for direct marketing purposes, including profiling related to direct marketing or whether if the Processing is for the purposes of conducting statistical surveys unless the Processing is necessary to achieve the public interest.