The DP Act applies to the whole of the United Arab Emirates, with the exception of the financial free zones (which fall outside the scope of this article). The DP Act attempts to create a data protection framework for the UAE that complies with global “best practices” in data protection and data privacy, including the European General Data Protection Regulation (GDPR). While the law entered into force on January 2 this year, entities controlling and processing data have a grace period of six months from the date of introduction of the Executive Regulations implementing the law. As with many UAE laws, the DP Act provides a broad regulatory framework while relying on Executive Regulations to complete the details of how the law should operate in practice. The Executive Regulations were scheduled for March 2022 but, as of April 2022, were still awaited. The DP Act will be administered by the UAE Data Office, which was recently established under UAE Law Number 44 of 2021. The UAE Data Office is not yet fully operational.
The DP Act has an “extraterritorial” scope similar to that of the GDPR. It applies to all companies that process personal data in the UAE (for data relating to data subjects inside and outside the UAE) or that are based outside the UAE but process personal data relating to data subjects who are located inside the UAE. Data excluded from the application of the law includes health data, government data, and banking and credit data. As discussed below, the DP Act will work alongside certain industry-specific regulations that control discrete categories of data.
Article 4 of the DP Act establishes that the processing of data requires the consent of the data subject, unless one of the limited exceptions applies to allow the processing on another legal basis. The exceptions are similar to those covered by the GDPR and include processing that is necessary to protect the public interest, to protect the interests of the data subject or to perform a contract to which the data subject is a party. Interestingly, no exception allows processing on the basis of a legitimate interest. However, the DP Act allows other grounds to be introduced through the Executive Regulations. As such, we may see these grounds expanded to include this relatively more flexible basis for valid processing of personal data.
As with the GDPR and other similar legislation, international data transfers can take place without consent under the DP Act if the country to which the data is transferred has an adequate level of protection. This requirement will be met when the country has enacted special personal data legislation or has entered into a bilateral or multilateral data protection agreement with the UAE. It is expected that the UAE Data Office will be able to provide additional guidance on these jurisdictions once it is fully operational. Data may be transferred internationally, whether or not the recipient jurisdiction has an adequate level of protection, provided that the data subject has consented to such transfer and that it does not conflict with the public and security interests of the UAE.
The path to protection
Historically, UAE residents have enjoyed very little protection when it comes to the collection and use of their personal data. While the UAE Constitution includes the right to privacy as a fundamental principle and the UAE Penal Code prohibits the publication of details of an individual’s private or family life, these are totally insufficient to give individuals real control over how their data is used, especially in an increasingly digital age. As any resident can attest, this is reflected in the alarming number of unsolicited marketing calls, text messages, emails and even WhatsApp messages received regularly from local businesses.
More recently, the Electronic Transactions Act prohibited unauthorized access to and disclosure of electronic records or communications, while the Cybercrime Act was introduced to address hacking and identity theft. The Telecommunications Regulatory Authority has also introduced an anti-spam policy, albeit with limited effectiveness, as it places the enforcement responsibility on the telecom operators (i.e. Du and Etisalat) without imposing penalties on the companies generating spam.
Industry-specific data protection regulation has also increased, particularly in healthcare and finance. The DP Act also closely followed a new consumer protection law in 2020. The consumer protection law establishes the right of consumers to the protection of their data. The law also prohibits the use of this data for marketing purposes without an individual’s consent. However, as with the DP Act, we have yet to see the implementing regulations for the consumer protection law, which should provide more detail on how these principles will be implemented.
Impact in practice?
The introduction of significant regulatory controls in this area is a welcome change for a country striving to consolidate its position in the global economy. However, the question remains how effective these legal reforms will be and what impact, if any, will be felt by individuals in terms of control over personal data. While these changes lay an important foundation for adequate personal data protection in the UAE, further legislative development must be prioritized before individuals see a noticeable impact in practice.
As mentioned above, the DP Act will only be applied in practice six months after the introduction of the Executive Regulations. Also, no specific timeline has been given as to when the UAE Data Office (as a key regulator) will be fully operational. Coupled with the delay in the implementing regulations for the consumer protection law, these issues leave a very uncertain timeline as to when we can see these developments implemented in a meaningful way. The far-reaching nature of these reforms will ensure that developments will be watched and analyzed with great interest by many. In the meantime, residents of the United Arab Emirates will unfortunately have to continue to screen these unsolicited marketing calls and delete unwanted spam.