Data Protection & Privacy 2024

Last Updated February 13, 2024

UAE

Law and Practice

Authors



Bizilance Legal Consultants practises trade remedy laws, privacy and data protection, taxation, and antitrust and competition, among other areas. The firm is backed by the rich experience of its partners, spread over two decades. The partners have served clients in multiple jurisdictions, including the UAE, the USA, the UK, Switzerland, Singapore, China, Malaysia, Indonesia, Korea, Thailand and Pakistan. In the personal data and privacy space, Bizilance Legal Consultants is strategically well placed in Abu Dhabi Global Market to serve multi-jurisdictional clients in an era when laws related to personal data protection have either just been implemented or are in the process of being implemented.

The Constitution of the United Arab Emirates (“the Constitution”) provides that safety and security for all citizens shall be the pillars of society. The Constitution further provides that freedom of correspondence by post, telegraph or other means of communication, and the secrecy thereof, is guaranteed in accordance with the law, and that dwellings are inviolable. These constitutional provisions serve as the foundational guidelines for respecting privacy.

The statutory regime concerning data protection is chiefly found in the following laws/regulations.

  • Federal Decree Law No 45 of 2021 on personal data protection (the “UAE Law”) – the UAE Law is a federal-level law applicable across the UAE, except for the following:
    1. governmental data;
    2. government authorities which control and process personal data;
    3. security and judicial authorities;
    4. health-related personal data;
    5. banking and credit personal data; and
    6. companies and organisations incorporated in free zones.
  • Dubai International Financial Centre (DIFC) Law No 5 of 2020 (the “DIFC Law”) – DIFC is a free zone and the DIFC Law applies in the jurisdiction of DIFC.
  • Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021 (the “ADGM Regulations”) – ADGM is a free zone and the ADGM Regulations apply in the context of the establishment of a controller or a processor in ADGM.

Apart from the above, sector-specific regulations govern data protection in their respective sectors, as follows:

  • Federal Law No 14 of 2018 (concerning the Central Bank of the UAE) governing data protection of bank customers;
  • Federal Law No 3 of 2003 (concerning telecommunications) governing data protection of telecommunications consumers; and
  • Federal Law No 2 of 2019 (concerning use of information and communication technology in health fields) governing confidentiality of the patients’ information.

The above-mentioned laws/regulations provide for matters related to offences, penalties and enforcement in their respective sphere.

The UAE Data Office is the regulator for the purposes of the UAE Law.

The Commissioner administers the DIFC Law.

The Commissioner of Data Protection is responsible for the monitoring and enforcement of the ADGM Regulations.

The Central Bank of the UAE and the Telecommunications and Digital Government Regulatory Authority (TDRA) are the regulators for the banking and telecommunications sectors respectively, responsible (among other things) for the protection of their respective consumers’ data.

Health authorities (federal or local government) are entrusted to protect patients’ data.

The above-mentioned authorities have the powers to conduct investigations and handle complaints in their respective spheres.

The Data Office is competent to receive complaints by data subjects regarding contravention of provisions of the UAE Law. The Data Office also has the authority to impose administrative sanctions on contravention of provisions of the UAE Law. A person aggrieved by any decision, administrative sanction or any action of the Data Office may file a grievance with the Director General of the Data Office. The grievance must be filed within 30 days of the date of the decision, administrative sanction or action by the Data Office. The Director General of the Data Office must determine such grievance within 30 days of its filing. The executive regulations to be issued pursuant to the UAE Law will specify the procedural aspects for filing and deciding the grievances.

The Commissioner (under the DIFC Law) is competent to receive complaints from data subjects concerning contravention of the DIFC Law or any breach of the rights of data subjects. The Commissioner has the authority to investigate complaints and to issue a direction or a declaration, and is empowered to impose fines in the event of non-compliance with a direction they issue. In handling a complaint, the Commissioner may follow such practices and procedures as, in their view, will lead to the most timely, fair and effective resolution of the matter. A controller, processor or data subject aggrieved by a decision of the Commissioner may appeal to the DIFC Court within 30 days.

A data subject may lodge a complaint regarding contravention of the ADGM Regulations with the Commissioner of Data Protection under the ADGM Regulations. Following an assessment, the Commissioner of Data Protection may dismiss the complaint, uphold it, uphold it but take no further action, or take any further action. A controller, processor or data subject aggrieved by the outcome may refer the matter to the court for review; the referral must be made within three months of the penalty notice, direction or complaint decision, and the court may make any orders it thinks just and appropriate in the circumstances.

The UAE Law, the DIFC Law and the ADGM Regulations conceptually follow the basic principles of the EU’s GDPR. The UAE Law is a federal-level law and there are no subnational (emirate)-level laws concerning personal data protection.

There are no NGOs or industry self-regulatory organisations (SROs) concerning data protection.

The UAE Law follows a hybrid system: it is a general (omnibus) law with sectoral carve-outs, and does not apply to free zones, to banking and credit personal data or to health-related personal data. Apart from these exceptions, the UAE Law applies to all sectors. Further, the Data Office is empowered to exempt certain establishments that do not process personal data on a large scale from any or all requirements of the UAE Law, in accordance with standards and controls to be specified by the executive regulations.

The DIFC Authority Board of Directors is empowered to make regulations to exempt controllers (within DIFC jurisdiction) from compliance with the DIFC Law or any part of the DIFC Law.

The ADGM Regulations do not apply to the processing of personal data by public authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This includes processing data for the purposes of safeguarding against and preventing threats to national security.

The UAE Law was issued on 20 September 2021 and came into effect on 2 January 2022.

The executive regulations were to be issued by the Cabinet of the UAE within six months of the date of issuance of the UAE Law. However, the executive regulations have not been issued so far. The controllers and processors must comply with the provisions of the UAE Law within a period of six months following the issuance of executive regulations. The referred period of six months may be extended by the Cabinet for additional similar periods.

General Requirements

The general requirements (general principles) regarding processing of personal data under the UAE Law, the DIFC Law and the ADGM Regulations are:

  • fairness, transparency and lawfulness;
  • purpose specification;
  • adequacy and relevance; and
  • safety and security.

Data Protection Officers

The requirements for appointment of a Data Protection Officer (DPO) are as follows.

UAE Law

Under the UAE Law, a DPO is required to be appointed where:

  • the processing is likely to result in a high risk to the privacy and confidentiality of personal data, owing to the adoption of new technologies or owing to the amount of data; or
  • the processing involves a systematic and overall assessment of sensitive personal data, including profiling and automated processing.

The executive regulations will specify the kinds of technologies and standards of determination related to the foregoing.

DIFC Law

A DPO is required to be appointed by:

  • the Commissioner, the DIFC Authority and the Dubai Financial Services Authority; and
  • a controller or processor performing high-risk activities on a systematic or regular basis.

A controller or processor (other than the aforementioned) may be required to designate a DPO by the Commissioner.

ADGM Regulations

Under the ADGM Regulations, a DPO is required to be appointed where:

  • processing is carried out by a public authority, except for courts acting in their judicial capacity;
  • the core activities of the controller or processor require (on the basis of the nature, scope and purposes of processing) regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or processor consist of large-scale processing of special categories of personal data.

Responsibilities of a DPO

Among other things, the DPO is responsible for:

  • monitoring the compliance of controller or processor within the applicable legal framework;
  • informing and advising the controller, processor and their respective employees (who carry out personal data processing) about their obligations under the applicable legal framework; and
  • acting as contact point for the regulator concerned.

Consent

The UAE Law provides certain exceptions where processing may be carried out without consent. These include circumstances where:

  • processing is necessary for reasons of public interest;
  • processing relates to personal data made publicly available by the data subject;
  • processing is necessary to initiate or defend proceedings related to legal actions and claims of rights or in relation to judicial or security procedures;
  • processing is necessary for the purposes of medical diagnosis, occupational or preventive medicine, to assess working capacity of employee, etc (in accordance with the applicable law);
  • processing is necessary for the protection of public health (in accordance with the applicable law);
  • processing is necessary for archiving, scientific, historical or statistical studies (in accordance with the applicable law);
  • processing is necessary to protect the interests of the data subject;
  • processing is necessary for the performance of obligations and the establishment of rights related to recruitment or social security (in accordance with the applicable law);
  • processing is necessary for the performance of a contract to which the data subject is a party or for taking actions at the request of the data subject for the purpose of concluding, amending or terminating a contract;
  • processing is necessary for compliance with obligations prescribed under laws of the UAE to which the controller is subject; or
  • situations specified by the executive regulations.

In the case of the DIFC Law and the ADGM Regulations, by contrast, consent is only one of several “lawful bases” on which personal data may be processed.

Privacy by Design and Privacy by Default

The UAE Law does not specifically mention the concepts of “privacy by design” or “privacy by default”. The DIFC Law and the ADGM Regulations, however, require a controller to implement privacy by design and by default; the DIFC Law imposes this requirement on processors as well.

Data Protection Impact Assessment

Controllers are required to undertake a “data protection impact assessment” before carrying out processing that is likely to result in a high risk to the rights of natural persons. In addition, the DIFC Law imposes a mandatory requirement for a data protection impact assessment in cases where:

  • processing involves a systematic and extensive evaluation of personal aspects of the data subject, based on automated processing (including profiling), that produces legal effects or similarly significant effects on the data subject; or
  • processing involves large amounts of sensitive personal data.

Data Protection Policy

The UAE Law does not require the adoption of any internal or external data protection policy. The DIFC Law and the ADGM Regulations do require that a data protection policy is put in place and implemented.

Rights of Data Subjects

Data subjects enjoy the following rights (under the UAE Law, the DIFC Law and the ADGM Regulations):

  • rights of access, rectification and erasure;
  • the right to withdraw consent;
  • the right to restrict processing;
  • the right to object to processing;
  • the right not to be subjected to automated decision-making, including profiling; and
  • the right to data portability.

Data Breach Notification

The data controller is required to notify a data breach to the Data Office/Commissioner/Commissioner of Data Protection when the breach is likely to result in a risk to the privacy, confidentiality, security or rights of the data subjects. The processor must notify any such breach to the controller without delay.

The UAE Law requires immediate notification of the breach. The DIFC Law requires the breach to be notified as soon as practicable in the circumstances. The ADGM Regulations require notification within 72 hours of becoming aware of the breach; if notification is not made within 72 hours, the reasons for the delay must accompany it.

The breach notification must contain at least the following information:

  • description of nature of the breach;
  • details of the DPO;
  • likely effects/consequences of the breach;
  • description of measures taken or proposed to be taken by the controller to rectify/remedy the breach, as well as the measures to mitigate its effects; and
  • any requirement of the Data Office (only in case of the UAE Law).

Where a breach is likely to result in a high risk to the security or rights of a data subject, the controller is required to also notify the data subject of the breach.

Anonymisation/Pseudonymisation

The UAE Law requires a controller to implement appropriate technical and organisational measures, both when determining the means of processing and during the processing itself, in order to comply with the UAE Law. Pseudonymisation is given as an example of such a measure.

In the context of “cessation of processing”, the DIFC Law and the ADGM Regulations require the controller to ensure that all personal data (including personal data held by the processor) is anonymised or pseudonymised.
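The distinction between pseudonymised and anonymised data matters for the cessation-of-processing obligation above, and the UAE Law’s reference to pseudonymisation as a security measure says nothing about how to do it well. The following Python block is an added example (not from the page, the laws or any regulator) that shows two points practitioners trip over: a bare hash of an identifier is recoverable by guessing, whereas a keyed HMAC is not; and keyed pseudonyms remain re-identifiable by whoever holds the key and the reversal map, so the data is only anonymised once both are destroyed. The records, the Emirates ID values and the key are constructed for the example.

```python
"""Pseudonymisation versus anonymisation of personal identifiers (added example).

Demonstrates why a keyed pseudonym (HMAC) beats a bare hash, and that keyed
pseudonyms stay re-identifiable for the key-holder until key and reversal map
are destroyed. All records, identifiers and the key are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (not real people); the ID format is illustrative only.
RECORDS = [
    {"emirates_id": "784-1990-1234567-1", "email": "a.khan@example.com", "plan": "gold"},
    {"emirates_id": "784-1985-7654321-9", "email": "s.ali@example.com", "plan": "silver"},
]

# Hypothetical pseudonymisation key, generated at runtime for the demo. In production
# it would live in a KMS/HSM, stored separately from the pseudonymised dataset.
EXAMPLE_KEY = secrets.token_bytes(32)

IDENTIFYING_FIELDS = ("emirates_id", "email")


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256: deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: deterministic under one key, infeasible to recompute without it."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key, fields=IDENTIFYING_FIELDS):
    """Replace identifying fields with keyed pseudonyms.

    Returns (pseudonymised_records, reversal_map). The reversal map is the
    re-identification material the controller must keep apart from the data.
    """
    pseudonymised, reversal = [], {}
    for rec in records:
        new = dict(rec)
        for field in fields:
            token = keyed_pseudonym(rec[field], key)
            reversal[token] = rec[field]
            new[field] = token
        pseudonymised.append(new)
    return pseudonymised, reversal


def dictionary_attack(pseudonym: str, candidates) -> Optional[str]:
    """Re-identify an unkeyed pseudonym by hashing candidate identifiers (works only for bare hashes)."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_pseudonym(candidate), pseudonym):
            return candidate
    return None


def re_identify(pseudonymised, reversal):
    """Key-holder's view: pseudonymised records map straight back to the originals."""
    return [{k: reversal.get(v, v) for k, v in rec.items()} for rec in pseudonymised]


def anonymise_on_cessation(pseudonymised, reversal: dict):
    """Cessation of processing: destroy the reversal map so tokens no longer link back.

    The key itself must be destroyed as well (not shown: it sits in the KMS). Tokens
    remain linkable to each other across records, so any remaining quasi-identifiers
    (here "plan") must be assessed before treating the output as anonymous.
    """
    reversal.clear()
    return pseudonymised


if __name__ == "__main__":
    tokens, mapping = pseudonymise(RECORDS, EXAMPLE_KEY)
    print("pseudonymised:", tokens)
    print("unkeyed hash guessed:", dictionary_attack(unkeyed_pseudonym("a.khan@example.com"), ["a.khan@example.com"]))
    print("keyed hash guessed:", dictionary_attack(tokens[0]["email"], ["a.khan@example.com"]))
    print("re-identified by key-holder:", re_identify(tokens, mapping) == RECORDS)
```

The email addresses and ID numbers here are the low-entropy identifiers that make an unkeyed hash pointless as a pseudonym: an attacker with a list of customers or a generator for the ID format simply hashes each guess. The HMAC version resists this without the key, but the controller still holds the key and the reversal map, which is why pseudonymised data is still personal data under all three regimes, and why “anonymised” at cessation means deleting that material, not merely the names.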

Automated Decision-Making

The data subject has the right to object to automated decision-making (including profiling) that has legal implications or consequences affecting a data subject.

Injury/Harm

The UAE Law does not provide for any concept of injury or harm (nor compensation for it) in relation to harm suffered by a data subject, whereas the DIFC Law and the ADGM Regulations provide that a data subject who suffers material or non-material damage as a result of a contravention of the applicable law or regulations is entitled to compensation. A claim for compensation is brought before the court. Compensation does not limit or affect any fine that may be imposed on a controller or processor for contravention of the applicable law or regulations.

Banking Sector

Federal Law No 14 of 2018 (the “Central Bank Law”) requires that all data and information related to customers should be considered confidential in nature. The Central Bank of the UAE has published its Consumer Protection Regulations, which apply to all financial institutions licensed by the Central Bank of the UAE. These regulations require that licensed financial institutions are to collect the minimum amount of consumer data and information required in relation to the licensed financial institution’s activities. Under these regulations, licensed financial institutions must:

  • establish a function in their respective organisations responsible for data management and protection, thereby maintaining policies, procedures, systems and controls to protect the personal data of consumers;
  • have policies specifying time limits for record-keeping and retention in accordance with the applicable laws, regulations and business requirements;
  • have appropriate security and monitoring measures to detect and track unauthorised internal access to or use of consumer information;
  • notify all significant breaches of consumer data to the Central Bank of the UAE and notify the consumer without delay where a breach may have risk to the financial and personal security of the consumer; and
  • ensure that consumers are able to make informed choices regarding their consent to sharing of their data with third parties and within the licensed financial institution.

Telecommunications Sector

The TDRA’s consumer protection regulations require telecommunications service providers to take all reasonable measures to prevent the unauthorised disclosure or unauthorised use of subscriber information. Telecommunications service providers are further required to take all reasonable measures to protect the privacy of subscriber information. 

Health Sector

Federal Law No 2 of 2019 (on the use of information and communication technology in health fields) was issued to regulate the collection, analysis and retention of health information and to ensure the safety and security of health data and information. This law requires that information related to patients is kept confidential and is not used for any non-health purpose without the written approval of the patient, except:

  • health information or data required by health insurance companies or by any health services funding entity;
  • scientific and clinical research purposes, provided that the identity of the patients is not disclosed and that ethics and rules of scientific research are respected;
  • to take preventive and curative measures related to public health;
  • on the request of the competent judicial entities; and
  • on the request of the Health Authority for the purposes of control, inspection and protection of public health.

Under Federal Law No 2 of 2019, health information and data may not be stored, processed, generated or transferred outside the UAE except pursuant to a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention. Health information and data must be retained for a period commensurate with the need for which it was provided, and in any case for not less than 25 years from the date of the last health procedure provided to the person concerned.

Sensitive Personal Data/Special Categories of Personal Data

“Sensitive personal data”, under the UAE Law, refers to:

  • any information that directly or indirectly reveals a person’s race, ethnicity, political or philosophical views, religious beliefs, or criminal record;
  • biometric data; or
  • any data related to a person’s health, such as their physical, psychological, mental, corporal, genetic or sexual state (including information concerning the provision of healthcare services to the person if it reveals their health condition).

“Special categories of personal data”, under the DIFC Law, means personal data revealing or connecting (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal records, trade union membership and health or sex life, including genetic and biometric data where it is used for the purpose of uniquely identifying a natural person.

The ADGM Regulations have a similar definition of special categories of personal data to the DIFC Law.

The UAE Law states that a personal data protection impact assessment is a necessity where processing involves large amounts of sensitive personal data.

The DIFC Law and the ADGM Regulations permit processing of special categories of personal data in certain specified situations, including:

  • with the explicit consent of the data subject;
  • where processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or data subject concerning employment;
  • where processing is necessary to protect vital interests of the data subject;
  • processing by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities;
  • processing related to personal data that has been made public by the data subject;
  • where processing is necessary for the establishment, exercise or defence of legal claims; or
  • where processing is necessary for compliance with a specific requirement of a law applicable to the controller.

The UAE Law confers on the data subject a “right to stop processing” where personal data is processed for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.

The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing and that the data subject must be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.

The ADGM Regulations carry the same provisions as in the DIFC Law when it comes to direct marketing. The ADGM Regulations, in addition, provide that personal data must not be processed for direct marketing purposes if a data subject objects to direct marketing.

Federal Decree Law No 33 of 2021, regarding the regulation of employment relationships, provides that a worker must maintain the confidentiality of information and data to which they have access by virtue of their work.

The UAE Law, the DIFC Law and the ADGM Regulations do not contain any provisions concerning the role of labour organisations, whistle-blowing or e-discovery.

The executive regulations pursuant to the UAE Law have not yet been issued. The executive regulations will provide for the procedural aspects concerning enforcement and litigation arising out of the UAE Law.

The DIFC Law requires that the Commissioner, for the purposes of issuing any direction pursuant to a complaint or on the basis of other information within their knowledge, may undertake reasonable and necessary inspections or investigations.

The ADGM Regulations require that, before a penalty notice is given to a controller or processor, the Commissioner of Data Protection must give a written “Notice of Intent” to the controller or processor concerned. The Notice of Intent must provide:

  • the reasons for issuing a penalty notice;
  • an indication of the amount of the penalty;
  • the time within which controller or processor may make written representations to the Commissioner of Data Protection (at least 21 days from the date of Notice of Intent); and
  • whether the Commissioner of Data Protection considers it appropriate to provide an opportunity to make oral representation.

The executive regulations to be issued under the UAE Law will specify the penalties/administrative sanctions to be imposed for contravention of the UAE Law.

Schedule 2 to the DIFC Law sets the administrative fines for contravention of provisions of the DIFC Law. The maximum fine is USD100,000.

The ADGM Regulations provide that the maximum administrative fine must not exceed USD28 million.

No details are available with regard to any enforcement cases.

The DIFC Law and the ADGM Regulations do not provide for class actions. However, where multiple data subjects are affected by the same alleged contravention, they may raise a collective complaint. In addition, the Commissioner/Commissioner of Data Protection may choose to deal collectively with multiple allegations that relate to the same contravention, whether or not those allegations are brought collectively.

Federal Law No 20 of 2018 governs anti-money laundering and combating the financing of terrorism. Under this law, the supervisory authorities, financial intelligence unit, law enforcement authorities and designated non-financial businesses and professions are exempted from criminal, civil or administrative responsibility in relation to the following:

  • providing any requested information; or
  • violating any obligation under legislative, contractual and administrative directives aimed at securing confidentiality of information.

The above-mentioned exemption, however, is not available if the disclosure is made in bad faith or with the intent to cause damages to others.

Federal Law No 7 of 2014 governs the combating of terrorism offences. Under this law, the Central Bank of the UAE, financial institutions and other financial, commercial and economic institutions are not held responsible (criminally or civilly) upon violation of restrictions imposed for guaranteeing the confidentiality of the information in relation to implementation of the provisions of the law in question. This immunity, however, is not available in the case of procedures adopted by these institutions in bad faith.

This law also provides that all the authorities (concerned with the implementation of the law in question) must undertake to keep all the information obtained in connection with the implementation of said law confidential and not disclose such information unless to the extent necessary for evidence-gathering or for investigation.

The laws (the UAE Law, the DIFC Law and the ADGM Regulations) do not provide for a foreign government access request to be a legitimate basis for transferring personal data outside the jurisdiction. The situations in which personal data may be transferred outside UAE are discussed in 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers.

Currently, free zones (except for DIFC and ADGM, which have their own legal framework concerning personal data protection) do not have any law or regulation by which to govern and protect the collection and processing of personal data. It is likely that free zones will issue their respective laws or regulations in this respect.

The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction that has a law in place covering various aspects concerning the protection of personal data (ie, adequate level of protection). The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.

The DIFC Law provides that personal data may be transferred to a third country or to an international organisation on the basis of an adequate level of protection, as determined by the Commissioner. A list of adequate jurisdictions is issued through DIFC Data Protection Regulations.

The ADGM Regulations allow the transfer of personal data outside ADGM or to an international organisation where the Commissioner of Data Protection has decided that the receiving jurisdiction or the international organisation ensures an adequate level of protection.

In the absence of adequate protection, under the UAE Law, personal data may be transferred outside the UAE in the following cases (subject to the controls to be specified by the executive regulations):

  • to jurisdictions where no data protection law exists, on the basis of a contract or agreement binding the establishment to which personal data is transferred to follow the provisions, measures, controls and conditions of the UAE Law (and where that contract or agreement also specifies a supervisory or judicial entity in the foreign country for the imposition of appropriate measures against the controller or processor there);
  • with the express consent of the data subject, in such a manner that does not conflict with the public and security interest of the UAE;
  • where transfer is necessary for performing obligations and establishing rights before judicial entities;
  • where transfer is necessary for entering or performance of a contract between the controller and the data subject, or between the controller and a third party for the interests of the data subject;
  • where transfer is necessary for the performance of an act relating to international judicial co-operation; and
  • where transfer is necessary for the protection of public interests.

In the absence of an adequate level of protection, personal data may be transferred to a third country under the DIFC Law and the ADGM Regulations on the basis of “appropriate safeguards”, which include:

  • a legally binding instrument between the public authorities;
  • binding corporate rules;
  • standard data protection clauses;
  • an approved code of conduct; and
  • an approved certification mechanism.

In the absence of an adequate level of protection and appropriate safeguards, the data may be transferred outside the jurisdiction where the following derogations apply:

  • with the explicit consent of the data subject;
  • where transfer is necessary for the performance of a contract between data subject and controller;
  • where transfer is necessary for the conclusion or performance of a contract between a controller and a third party that is in the interest of data subject;
  • where transfer is necessary for reasons of public interest;
  • where transfer is necessary in accordance with an applicable law;
  • where transfer is necessary for the establishment, exercise or defence of a legal claim;
  • where transfer is necessary to protect vital interests of a data subject or of other persons where a data subject is physically or legally incapable of giving consent;
  • where transfer is made in compliance with applicable law and data minimisation principles to provide information to the public and is open for viewing by the public in general or by a person who can demonstrate a legitimate interest (under DIFC Law only);
  • where transfer is necessary for compliance with any obligation under an applicable law to which a controller is subject or where transfer is made at the reasonable request of a regulator, police or other government agency or competent authority (under DIFC Law only);
  • where transfer is necessary to uphold the legitimate interests of a controller (in international financial markets), subject to international financial standards, except where such interests are overridden by the legitimate interest of the data subject (under DIFC Law only); or
  • where transfer is necessary to comply with anti-money laundering or counter-terrorist financing obligations applicable to a controller or a processor (under DIFC Law only).

The DIFC Law permits the following further modes of international transfer of personal data (when transfer could not be made under any of the above-discussed modes):

  • transfer that is not repeating or part of a repetitive course of transfers;
  • transfer that concerns only a limited number of data subjects;
  • transfer that is necessary for the purposes of compelling legitimate interests pursued by the controller that are not overridden by the interests or rights of the data subject; and
  • transfer where the controller has completed a documentary assessment of all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.

No government notifications or approvals are required to transfer data internationally, except in the case of health data (see 4.4 Data Localisation Requirements for further discussion).

There are no data localisation requirements, apart from in relation to health information and data. Under Federal Law No 2 of 2019, health information and data may not be stored, processed, generated or transferred outside the UAE, except following a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention. 

There are no such requirements to share any software code, algorithms or similar technical details with the government.

The limitations or considerations concerning international transfer of personal data are those discussed at 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers.

There are no blocking statutes in the UAE.

The Central Bank of the UAE, the Securities and Commodities Authority, DIFC’s Dubai Financial Services Authority, and ADGM’s Financial Services Regulatory Authority have issued Bank Guidelines on the application of the key principles in the use of:

  • application programming interface (API);
  • cloud computing;
  • biometrics;
  • big data analytics and AI; and
  • distributed ledger technology.

The Bank Guidelines require that all APIs should be designed on a “privacy by design” basis ‒ ie, in a way that only exposes relevant data elements to any party in order to fulfil the purpose of the API. The Bank Guidelines further require that financial institutions should ensure that personal data being transmitted or stored is in encrypted form so as to enable privacy and integrity.
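To make the first of these requirements concrete, the following is an added example (not code or text from the Bank Guidelines, and not from the authors of this chapter) of a purpose-scoped response projection: each API purpose carries an allow-list of the data elements it needs, any field not on that list is never returned for that purpose, and an unregistered purpose fails closed rather than falling back to the whole record. The customer record, the purpose catalogue and the sensitive-field classification are all constructed for the illustration.

```python
# Purpose-scoped API response projection: an added illustration of the
# "expose only the data elements needed to fulfil the API's purpose" principle.
# Example code, not from the Bank Guidelines; the purpose catalogue, the
# sensitive-field classification and the sample record are constructed.

# Constructed sample customer record (fictitious values, not real data).
CUSTOMER_RECORD = {
    "customer_id": "C-0001",
    "full_name": "Example Person",
    "date_of_birth": "1990-01-01",
    "email": "person@example.invalid",
    "phone": "+971500000000",
    "iban": "AE000000000000000000000",
    "balance_aed": 1234.56,
}

# Assumed purpose catalogue: each API purpose lists only the fields it needs.
# A field that is not listed for a purpose is never returned for it.
PURPOSE_FIELDS = {
    "balance_check": frozenset({"customer_id", "balance_aed"}),
    "contact_verification": frozenset({"customer_id", "email", "phone"}),
    "payment_initiation": frozenset({"customer_id", "full_name", "iban"}),
}

# Assumed classification: fields whose exposure warrants review whenever
# they appear in a purpose's allow-list.
SENSITIVE_FIELDS = frozenset({"iban", "date_of_birth"})


def project_for_purpose(record: dict, purpose: str) -> dict:
    """Return a copy of `record` holding only the fields allow-listed for
    `purpose`. Fails closed: an unregistered purpose raises instead of
    falling back to returning the whole record."""
    try:
        allowed = PURPOSE_FIELDS[purpose]
    except KeyError:
        raise ValueError(
            f"no field allow-list registered for purpose {purpose!r}"
        ) from None
    return {field: value for field, value in record.items() if field in allowed}


def audit_purpose_catalogue(catalogue: dict = PURPOSE_FIELDS,
                            sensitive: frozenset = SENSITIVE_FIELDS) -> dict:
    """Map each purpose that exposes a sensitive field to the sorted list of
    those fields, so each allow-list can be reviewed against its stated purpose."""
    findings = {}
    for purpose, fields in catalogue.items():
        hit = sorted(fields & sensitive)
        if hit:
            findings[purpose] = hit
    return findings


if __name__ == "__main__":
    print(project_for_purpose(CUSTOMER_RECORD, "balance_check"))
    print(audit_purpose_catalogue())
```

The audit function is the review step: a purpose that exposes a sensitive element (here, `payment_initiation` exposing the IBAN) is surfaced so that the exposure can be justified against the purpose rather than discovered after the fact. The encryption requirement in the same paragraph is a transport and storage control and is not illustrated here.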

Unmanned Aircraft Systems/Drones

The General Civil Aviation Authority (GCAA) of the UAE is the regulatory body concerning the registration of Unmanned Aircraft Systems (UAS)/drones in the UAE. GCAA registers the following two types of users of UAS/drones:

  • individual/private (recreational);
  • organisation/operator (commercial and non-commercial).

Under the relevant regulations issued by the GCAA, use of aerial photographic apparatus installed on UAS/drones will not be permitted without prior authorisation by the GCAA.

There is no requirement with regard to digital governance or fair data practice review boards or committees.

No details are available concerning any regulatory enforcement or litigation.

There is no uniform process concerning due diligence in corporate transactions. The entities perform due diligence based upon their individual risk appetite and underlying circumstances with regard to the nature and complexity of a particular transaction.

There is no requirement for making public disclosure regarding an organisation’s cybersecurity risk profile or experience.

Law No 4 of 2022 regulating virtual assets in the Emirate of Dubai has been issued. Pursuant to this law, the Dubai Virtual Assets Regulatory Authority (DVARA) has been established. The DVARA regulates the operation of virtual asset platforms in the Emirate of Dubai (including all special development zones and free zones except DIFC).

Federal Decree Law No 46 of 2021 on electronic transactions and trust services (the “Electronic Transactions Law”) came into effect on 2 January 2022 and has repealed Federal Law No 1 of 2006 on electronic commerce and transactions. As regulator, the TDRA will implement this law. The Electronic Transactions Law provides means for regulating electronic identification systems and trust services. Executive regulations to implement the new law are to be issued. The Electronic Transactions Law fully recognises electronic signatures and electronic documents as having full legal validity and enforceability. Trust service providers must be licensed by the TDRA to render electronic signature services.

Bizilance Legal Consultants

D 3–4
Office 302
Al Sarab Tower
Level 15
ADGM Abu Dhabi
UAE

+971 52 914 1118

Saeed.hasan@bizilancelegal.ae www.bizilancelegal.ae

Trends and Developments


Authors

KARM Legal Consultants was launched at the Global Legal Forum on 23 August 2018 at the Peace Palace, The Hague – a mecca for the global legal community. Specialising in emerging technologies, KARM collaborates with clients across the full spectrum of law and policy, focusing on structuring, licensing, and regulatory aspects. The firm acts as a facilitator, assisting clients in incorporating compliance by design into their models. KARM’s team aids diverse clients (including government bodies, start-ups, and established companies) in navigating regulatory complexities related to virtual assets licensing, digital platforms, crypto exchange, open banking, retail payments, pay-later services, remittances, and payment gateways. Additionally, the firm assists regulators in developing robust, forward-looking legal and policy regimes.

UAE Data Protection Law Framework: Mainland, DIFC and ADGM

Overview

This article provides a bird’s eye view of the legal frameworks governing personal data in three distinct jurisdictions within the UAE, namely the UAE mainland, the Abu Dhabi Global Market (ADGM), and the Dubai International Financial Centre (DIFC). Further, it sheds light on the interaction between these regulatory instruments inter se on data protection.

UAE

On 20 September 2021, the UAE published its first federal data protection legislation titled Federal Decree Law No 45 of 2021 on the protection of personal data (PDPL). It became effective on 2 January 2022. Among many other notable steps, the PDPL established the UAE Data Office as the federal personal data protection authority. The UAE Data Office is entrusted with the responsibility for managing complaints from data subjects, issuing rules and guidance on the PDPL, and enforcing the PDPL. Notably, the PDPL stipulates that the UAE Data Office shall release executive regulations to outline standards and controls for its enforcement. These executive regulations are yet to be issued and the enforcement of the PDPL will commence six months after their issuance.

Interestingly, several distinct laws governed personal data protection and confidentiality before the PDPL. Here is a snapshot of these laws:

  • The Constitution of the UAE ensures the freedom of communication through mail, telegraph or other forms of communication and guarantees their confidentiality.
  • Federal Law No 15 of 2020 on consumer protection stipulates that consumers possess the right to the privacy and security of their data and can limit its utilisation for promotional and marketing activities.
  • Federal Law No 2 of 2019 concerning the use of information and communication technology (ICT) in health fields mandates the preservation of confidentiality and security of health data when using ICT in the health field.
  • Federal Decree Law No 34 of 2021 on combating rumours and cybercrimes provides a comprehensive legal framework covering criminal activities ranging from possession and tampering to collection/storage of data in an unauthorised manner. Higher penalties have been ascribed to such acts if the data so tampered with is in relation to government/state institutions and banking, media, health and scientific entities.

DIFC

In DIFC, personal data protection is governed by the DIFC Law No 5 of 2020 (the “DIFC DP Law”). It is supported by the DIFC Data Protection Regulations (the “DIFC DP Regulations”), which were issued on 21 May 2020 and became effective on 1 July 2020. The DIFC DP Law and the DIFC DP Regulations are not only applicable to companies established in DIFC but also apply to any controller or processor (as defined in the DIFC DP Law), irrespective of their place of incorporation, who regularly process personal data in DIFC through means and personnel located in DIFC. Therefore, the DIFC framework has extraterritorial effect.

The DIFC DP Law draws from both the EU’s General Data Protection Regulation (the “EU GDPR”) and the UK data protection principles. It establishes the Office of the Commissioner of Data Protection (“the Commissioner”) as the relevant personal data protection regulator. The Commissioner enforces compliance with the DIFC DP Law and the DIFC DP Regulations, acts on complaints from data subjects, and encourages public understanding of data protection.

Pertinently, the DIFC DP Regulations were recently amended on 1 September 2023. The key points concerning the amendments are provided here.

  • Inadvertently obtained information ‒ following the amendments, individuals accidentally receiving personal data are referred to as “temporary custodians”. The temporary custodian must reasonably attempt to notify the owner of such data or the Commissioner and delete such personal data. This would be required so as to avoid liability for unauthorised processing of personal data.
  • Marketing and communications ‒ the amendment emphasises informing data subjects about their right to restrict personal data processing for marketing purposes. It mandates using privacy preference options, advocating for transparent selection boxes, clear language, and user-friendly methods to ensure understanding of the purposes of collection of data by the data subject.
  • Processing via autonomous and semi-autonomous systems ‒ this amendment brought AI within the ambit of the DIFC DP Regulations and is meant to regulate the responsible use of AI. It requires entities that deploy or operate such technologies to process data to provide an explicit notice to the data subjects. Such notification must contain information about purposes of processing, the principles based on which the system has been developed, and any codes or certifications that have been used to design the system. The amendment elaborates on the principles to be observed when designing such technologies, including ethics, fairness, transparency, security and accountability.

ADGM

The ADGM Data Protection Regulations (the “ADGM DP Regulations”) govern personal data protection in the financial free zone of ADGM. The ADGM DP Regulations were published on 14 February 2021 and came into force on 14 February 2022 after a 12-month transition period. The ADGM DP Regulations are enforced by the Office of Data Protection run by the Commissioner. The ADGM DP Regulations also have extraterritorial applicability. Processors and controllers processing personal data outside ADGM might be subject to the ADGM DP Regulations if:

  • a direct nexus can be established between the processing activities of a non-ADGM entity and the entity physically present in ADGM; and
  • the revenue earned by the ADGM entity is proven to be inextricably linked to such processing outside ADGM.

Territorial application

The data protection laws of the UAE, DIFC and ADGM have extraterritorial effect. The conditions under which such extraterritorial effect is applicable are as follows.

  • PDPL ‒ a controller/processor that conducts processing of personal data of data subjects in the UAE must comply with the PDPL, regardless of whether or not the controller/processor is located in the UAE. The term “data subject” in the PDPL covers all natural persons and is not limited to the citizens and residents of the UAE. Thus, the PDPL will apply to all controllers/processors irrespective of their location as long as they are processing personal data of data subjects located in the UAE. Accordingly, a tourist visiting the UAE temporarily will also be a potential data subject for the purposes of the PDPL.
  • DIFC DP Law ‒ the DIFC DP Law is applicable to a controller/processor regardless of their place of incorporation if the controller/processor processes personal data in DIFC. Processing in DIFC could be through means or personnel located in DIFC. If this is the case, it must comply with the DIFC DP Law.
  • ADGM DP Regulations ‒ extraterritoriality of the ADGM DP Regulations is subject to certain conditions and thus has limited remit when compared to the UAE and DIFC. For the ADGM DP Regulations to apply to controllers and processors outside ADGM, there must be an inextricable link to the company providing services within ADGM. Additionally, the revenue generated by the ADGM company should be closely tied to the processing activities in question. In essence, the application of the extraterritorial law depends on a substantial and interconnected relationship between the ADGM establishment and the controller/processor outside ADGM.

Analysis

The PDPL takes a broad stance on the extraterritorial effect, indicating a comprehensive approach to regulate the processing of personal data of individuals within its borders, regardless of the location of the controller or processor. Such expansive extraterritorial application also brings tourists within its purview.

The DIFC DP Law, on the other hand, carves its own niche and presents a unique form of extraterritorial effect. Its extraterritorial effect is reliant on the use of means and personnel being physically located in DIFC, instead of the data subjects being located in the said jurisdiction.

In contrast, the ADGM DP Regulations take a more nuanced approach, requiring a stronger nexus between the foreign entity and the ADGM establishment (including a significant link in terms of services and revenue). This suggests a more selective application of extraterritorial regulations, considering both business activities and financial ties.

Non-consent-based legal basis for processing of data

“Consent” is perhaps the only legal basis for processing of personal data that keeps the data subject at the centre of its operation. Controllers/processors remain at the behest of the data subject and must mandatorily obtain their consent before they can start processing their personal data. The PDPL, the DIFC DP Law and the ADGM DP Regulations also add separate qualifiers for such consent to be considered valid under the said laws.

The PDPL requires the data subject’s consent to be “specific”, “informed” and “unambiguous”. These requirements imply that:

  • the consent of the data subject should be sought for a particular processing activity;
  • the data subject should be given complete information about the purposes of processing and the identity of controllers; and
  • consent can only be effected via an affirmative action by the data subject.

Meanwhile, the DIFC DP Law and the ADGM DP Regulations also require consent to be “freely given”, which suggests that the data subject must not be under any influence while they are providing such consent.

However, consent may not always be the most appropriate legal basis for processing. Accordingly, the data protection frameworks in the three jurisdictions provide for the following circumstances where processing of personal data does not require the data subject’s consent.

  • PDPL ‒ the data subject’s consent is not required for the processing of personal data: 
    1. to protect public interests;
    2. where personal data has been made public by the data subject, to initiate or defend legal claims and judicial/security procedures;
    3. to facilitate healthcare, employee capacity assessment, or social care system management;
    4. to facilitate public health protection (from diseases and epidemics) and ensure the safety of medical products/medicines;
    5. to facilitate scientific/historical/statistical purposes as mandated by state legislation;
    6. to protect the interests of the data subject;
    7. to facilitate the fulfilment of legal obligations and exercise rights in relation to employment, social security and social protection, as permitted by relevant laws; or
    8. to facilitate the fulfilment of contractual obligations or to amend, conclude or terminate a contract at the request of the data subject.
  • DIFC DP Law ‒ the data subject’s consent is not required for the processing of personal data: 
    1. in the performance of a contract;
    2. to comply with legal obligations;
    3. to protect the vital interests of the data subject;
    4. in pursuance of a “legitimate interest” of the controller; or
    5. where processing is necessary for:
      1. performance of a task carried out by Dubai Financial Services Authority, DIFC courts, or the Commissioner in the interests of DIFC;
      2. the exercise of a DIFC body’s powers and functions; or
      3. the exercise of powers or functions vested by a DIFC body in a third party to whom personal data is disclosed by the DIFC body.
  • ADGM DP Regulations ‒ the data subject’s consent is not required for the processing of personal data:
    1. in the performance of a contract;
    2. to comply with legal obligations;
    3. to protect the vital interests of the data subject;
    4. in pursuance of a “legitimate interest” of the controller; or
    5. where processing is necessary for:
      1. the performance of a task carried out by a public authority in the interests of ADGM;
      2. the exercise of the functions of ADGM, the Financial Services Regulatory Authority, the ADGM courts, or the Registration Authority; or
      3. the exercise of official authority vested in the controller under applicable law.

Analysis

The legal bases for data collection outlined in the PDPL, the DIFC DP Law, and the ADGM DP Regulations reveal several common principles and distinctions. Across all frameworks, legal bases such as protecting the vital interests of data subjects and fulfilling contractual/legal obligations emerge as central pillars for lawful data processing. Such legal bases underline the significance of prioritising the interests of the data subject as well as commitment to contractual/legal responsibilities.

Both the DIFC DP Law and the ADGM DP Regulations recognise the importance of legitimate interests, suggesting a balanced approach that considers business interests alongside data protection requirements. In contrast, the PDPL does not allow for processing of personal data based on “legitimate interest”. Additionally, the PDPL takes a unique approach by emphasising the use of public interest and health-related purposes.

Overall, these frameworks collectively demonstrate a nuanced understanding of diverse data processing scenarios, emphasising the need for legal compliance, individual rights protection, and a careful balance between business interests and public welfare.

Whether “consent” is a valid basis for processing of data in the case of an employee

Consent is a valid legal basis for the processing of personal data under the PDPL. There is no requirement for consent to be “freely given”, and neither does the present law consider the imbalance of power between the employer and employee, which might result in consent that is not freely given. However, the executive regulations may address and clarify this aspect.

Both the DIFC DP Law and the ADGM DP Regulations clarify the above-mentioned issue in guidance issued by their respective data protection authorities. According to the guidance, both the DIFC and ADGM personal data protection frameworks must be interpreted in conjunction with the UK and EU laws, which explicitly mandate the data subject’s consent to be “freely given”. This implies that the data subject must have genuine choice and should not be put in a situation whereby they are compelled to give consent.

Analysis

Under the PDPL, consent is recognised as a valid legal basis for data processing without explicitly requiring that it be “freely given”. Notably, the PDPL does not address the potential power imbalance between employers and employees that could lead to coerced consent. Meanwhile, both the DIFC DP Law and the ADGM DP Regulations deviate from the above-mentioned approach and mandate that consent must be “freely given”. This distinction reflects a more comprehensive approach, aligning with international standards and addressing concerns related to consent in situations where power dynamics may influence the voluntariness of the agreement.

Data subject rights

The common data subject rights granted under the PDPL, the DIFC DP Law and the ADGM DP Regulations are:

  • the right to information ‒ data subjects must be informed about the collection of their personal data, regardless of the data source, with specified details;
  • the right to access ‒ data subjects can confirm and obtain a copy of their processed personal data from the controller;
  • the right to erasure ‒ data subjects can request the erasure of their personal data;
  • the right to rectification ‒ data subjects can have inaccurate or incomplete personal data corrected;
  • the right to data portability ‒ data subjects can receive their personal data in a machine-readable format and transfer it to another controller;
  • the right to object to automated decision-making and profiling ‒ data subjects are protected from decisions based solely on automated processes, including profiling;
  • the right to object ‒ data subjects can object to the processing of their personal data, including for direct marketing;
  • the right to withdraw consent ‒ data subjects have the right to withdraw their consent at any time; and
  • the right to make a complaint ‒ a data subject has the right to file a complaint with the pertinent personal data protection authority in the event of any violation of the legal provisions in the PDPL, the DIFC DP Law, or the ADGM DP Regulations.

The following rights in relation to data subjects are specific to the DIFC DP Law:

  • non-discrimination ‒ data subjects who exercise their data subject rights under Part 6 of the DIFC DP Law cannot be discriminated against by the controller by denying said data subjects goods/services or subjecting them to differential pricing; and
  • communication methods to exercise data subject rights ‒ the controller must ensure that there are at least two communication methods (eg, telephone and website) that can be used by the data subjects to exercise their rights.

Analysis

The PDPL, the DIFC DP Law and the ADGM DP Regulations provide for broadly the same set of data subject rights as available in the EU GDPR and are thereby in alignment with global standards. This will not only aid in preserving the privacy of personal data but also act as an incentive for entities in advanced jurisdictions should they wish to transfer their data to the UAE, DIFC or ADGM ‒ safe in the knowledge that they will have access to the same suite of rights as they did in their native jurisdiction. Moreover, the DIFC DP Law goes a step further and explicitly recognises two additional data subject rights, which prevent unfair treatment and offer data subjects more channels to assert their rights.

Special provisions for processing personal data in relation to a minor

The PDPL does not specifically provide for the processing of personal data of minors. Therefore, they are treated on a par with adult data subjects.

The DIFC DP Law provides minors an absolute right to object to automated processing. However, the exercise of this right for adult data subjects comes with certain caveats.

The ADGM DP Regulations prescribe a three-pronged proportionality test for exercising the “legitimate interest” basis for the processing of personal data. This is elaborated upon in the guidance issued by the Office of Data Protection. Significantly, the guidance suggests placing special emphasis on the question of whether the data subject is a minor while applying this test. Furthermore, the guidance states that when data subjects invoke their right to access information, such information must be shared in a concise, transparent and intelligible manner if the data subject is a minor.

Analysis

Although the PDPL treats minors similarly to adult data subjects, the DIFC DP Law and the ADGM DP Regulations take a more specific and protective approach. The DIFC DP Law grants minors an absolute right to object to automated processing and the ADGM DP Regulations introduce a proportionality test with a focus on the minor status when personal data is being processed on the basis of “legitimate interest”. These provisions reflect a growing awareness of the unique considerations and safeguards required when handling the personal data of minors in these jurisdictions.

Appointment of Data Protection Officer

The appointment of a Data Protection Officer is mandatory under the PDPL when:

  • processing would cause a high-level risk to the confidentiality and privacy of the data subject’s personal data as a result of the adoption of new technologies or in connection with the volume of the data; or
  • processing involves a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing; or
  • processing is carried out on a large volume of sensitive personal data.

Under the DIFC DP Law, the appointment of a DPO is only necessary if the controller/processor is performing “high-risk activities” on a systemic or a regular basis. Such activities include:

  • processing a considerable amount of personal data via using novel technologies or methods resulting in a high risk to the data subject; or
  • automated processing (including profiling), where inferences from such processing will form the basis of legally binding decisions; or
  • processing a material amount of special categories of personal data.

Under the ADGM DP Regulations, the appointment of a DPO in ADGM is required if a controller/processor partakes in the following kinds of processing activities:

  • large-scale processing or monitoring of data; and
  • processing activities that involve large amounts of special categories of personal data. 

Analysis

The criteria for appointing a DPO under the PDPL, the DIFC DP Law and the ADGM DP Regulations converge on situations involving heightened risks or the processing of personal data in a high volume. These provisions collectively highlight the need for the designation of a DPO in scenarios with inherent risks, where systematic evaluation is required, or where significant volumes of sensitive personal data/special categories of personal data are being processed.

International transfers 

Under the PDPL, personal data may be transferred outside the UAE if:

  • the jurisdiction to which such data is being transferred has a law encompassing personal data protection principles, measures, controls and requirements that provide adequate protection for personal data of data subjects; or
  • there is a bilateral treaty between the UAE and the transferee state.

In the absence of data protection legislation and a bilateral treaty, transfer of personal data can be initiated in the following cases. 

  • Data transfer can be initiated based on a binding contract between the establishments located in the UAE and the transferee state. Such contract must contain provisions in relation to measures, controls and requirements providing adequate protection to personal data of data subjects.
  • Other grounds for data transfer include the data subject’s explicit consent, fulfilment of legal obligations, and exercising/defending rights.
  • Transfers are also permitted for facilitating contract performance to achieve the data subject’s interest, performing procedures related to international judicial co-operation, and protecting public interests.

Under the DIFC DP Law, personal data may be transferred outside DIFC in the following situations.

  • Personal data transfer outside DIFC is allowed if the receiving jurisdiction has adequate personal data protection laws.
  • In the absence of such provisions, data transfer is permissible with appropriate safeguards, including legally binding instruments, approved binding corporate rules, standard data protection clauses, a code of conduct, or a certification mechanism.
  • Other valid grounds for transfer include explicit consent from the data subject, necessity for contract performance, protection of public interest, compliance with applicable law and data minimisation principles for public registers.
  • Transfers are also permitted for the establishment, exercise or defence of legal claims, the protection of vital interests, compliance with international financial standards, and adherence to AML/CFT obligations.

If the data transfer does not relate to any of the above-mentioned situations, such data transfer would have to adhere to the following restrictions to be considered a valid transfer under the DIFC DP Law:

  • the transfer is not repeating or part of a repetitive course of transfers;
  • the transfer concerns only a limited number of data subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller; and
  • the controller has completed a documented assessment of all the circumstances surrounding the data transfer and suitable safeguards.

Under the ADGM DP Regulations, personal data may be transferred outside ADGM if the jurisdiction to which such data is being transferred has a law encompassing personal data protection principles, measures, controls and requirements that provide adequate protection to the personal data of data subjects.

In the absence of data protection legislation, data transfer is only permitted in the following circumstances.

  • Personal data transfer outside ADGM is allowed if validated by appropriate safeguards, including legally binding instruments, corporate rules, standard clauses, a code of conduct, or a certification mechanism.
  • Other grounds for data transfer include explicit consent provided by the data subject, protecting public interests, compliance with applicable law, and protecting vital interests when the data subject is incapable of giving consent.
  • Transfer is also permitted for the establishment, exercise or defence of legal claims, facilitating contract performance or pre-contractual measures, and entering into contracts to pursue the interests of the data subject.

Analysis

The provisions concerning data transfer in all three jurisdictions provide for explicit circumstances in which data transfers beyond their jurisdiction are allowed, leaving no room for ambiguity. Such an approach reflects a practical and accommodating attitude towards data transfer practices while also ensuring confidentiality of personal data. The criteria allowing for personal data transfer in the absence of data protection laws and bilateral agreements in the receiving jurisdiction provide essential independence for data subjects, as well as controllers and processors ‒ thereby enabling them to manage their activities in accordance with their diverse legal and operational circumstances.   

Conclusion

The UAE, DIFC and ADGM have made significant strides in establishing comprehensive data protection frameworks in recent years. While the UAE’s federal legislation (the PDPL) is awaiting the issuance of its executive regulations, both DIFC and ADGM have formulated their own robust data protection laws, which are modelled on the EU GDPR and offer adequate safeguards for the protection of personal data.

In brief, the data protection frameworks in these jurisdictions provide strong individual rights and accountability measures to preserve and protect the privacy and confidentiality of personal data. However, taking cues from the developments in DIFC, organisations must remain vigilant and adopt appropriate compliance strategies to navigate the dynamic regulatory landscape of personal data protection.

Karm Legal Consultants

Floor 14
WeWork Hub71
Al Khatem Tower
ADGM Square
Al Maryah Island
Abu Dhabi
UAE

+971 55 369 2517

karmadmin@karmadv.com www.karmadv.com/
