The Constitution of the United Arab Emirates (“the Constitution” provides that safety and security for all citizens shall be the pillars of the society. The Constitution further provides that freedom of corresponding through post, telegraph or other means of communication, and the secrecy thereof, is guaranteed in accordance with the law and that dwellings are inviolable. These constitutional provisions serve as the foundational guidelines to respect privacy.
The statutory regime concerning data protection is chiefly found in the following laws/regulations.
Apart from the above, sector-specific regulations govern data protection in their respective sectors, as follows:
The above-mentioned laws/regulations provide for matters related to offences, penalties and enforcement in their respective sphere.
The UAE Data Office is the regulator for the purposes of the UAE Law.
The Commissioner administers the DIFC Law.
The Commissioner of Data Protection is responsible for the monitoring and enforcement of the ADGM Regulations.
The Central Bank of the UAE and Telecommunications and Digital Government Regulatory Authority (TDRA) are the regulators concerning banking and telecommunications sectors, responsible for (among others) the protection of their respective consumers data.
Health authorities (federal or local government) are entrusted to protect patients’ data.
The above-mentioned authorities have the powers to conduct investigations and handle complaints in their respective spheres.
The Data Office is competent to receive complaints by data subjects regarding contravention of provisions of the UAE Law. The Data Office also has the authority to impose administrative sanctions on contravention of provisions of the UAE Law. A person aggrieved by any decision, administrative sanction or any action of the Data Office may file a grievance with the Director General of the Data Office. The grievance must be filed within 30 days of the date of the decision, administrative sanction or action by the Data Office. The Director General of the Data Office must determine such grievance within 30 days of its filing. The executive regulations to be issued pursuant to the UAE Law will specify the procedural aspects for filing and deciding the grievances.
The Commissioner (under the DIFC Law) is competent to receive complaints from data subjects concerning contravention of the DIFC Law or any breach of the rights of data subjects. The Commissioner has the authority to investigate the complaints and to issue direction or a declaration. The Commissioner is empowered to impose fines in the event of non-compliance with a direction they issue. The Commissioner, concerning a complaint lodged with the Commissioner, may follow such practices and procedures that – in their view –will lead to the most timely, fair and effective resolution of the claim in the complaint. The controller or processor or data subject being aggrieved by the decision of the Commissioner may appeal to the DIFC Court within 30 days.
A data subject may lodge a complaint, on contravention of the ADGM Regulations, with the Commissioner of Data Protection under the ADGM Regulations. Following an assessment, the Commissioner of Data Protection may dismiss the complaint, uphold the complaint, uphold the complaint but with no further action, or take any further action. The controller, processor or data subject being aggrieved may refer the matter to the court for review. The court may make any orders that the court thinks just and appropriate in the circumstances, within three months following the penalty notice, direction, or the date of complaint.
The UAE Law, the DIFC Law and the ADGM Regulations conceptually follow the basic principles of the EU’s GDPR. The UAE Law is a federal-level law and there are no subnational (emirate)-level laws concerning personal data protection.
There are no NGOs or industry self-regulatory organisations (SROs) concerning data protection.
The UAE Law follows a hybrid system, which is not applicable to free zones, banks, and health-related personal data. Apart from these exceptions, the UAE Law is applicable to all sectors. Further, the Data Office is empowered to exempt certain establishments that do not process personal data on a large scale from any or all requirements of the UAE Law, in accordance with the standards and controls to be specified by the executive regulations.
The DIFC Authority Board of Directors is empowered to make regulations to exempt controllers (within DIFC jurisdiction) from compliance with the DIFC Law or any part of the DIFC Law.
The ADGM Regulations do not apply to the processing of personal data by public authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This includes processing data for the purposes of safeguarding against and preventing threats to national security.
The UAE Law was issued on 20 September 2021 and came into effect on 2 January 2022.
The executive regulations were to be issued by the Cabinet of the UAE within six months of the date of issuance of the UAE Law. However, the executive regulations have not been issued so far. The controllers and processors must comply with the provisions of the UAE Law within a period of six months following the issuance of executive regulations. The referred period of six months may be extended by the Cabinet for additional similar periods.
General Requirements
The general requirements (general principles) regarding processing of personal data under the UAE Law, the DIFC Law and the ADGM Regulations are:
Data Protection Officers
The requirements for appointment of a Data Protection Officer (DPO) are as follows.
UAE Law
Under the UAE Law, a DPO is required to be appointed where:
The executive regulations will specify the kinds of technologies and standards of determination related to the foregoing.
DIFC Law
A DPO is required to be appointed by:
A controller or processor (other than the aforementioned) may be required to designate a DPO by the Commissioner.
ADGM Regulations
Under the ADGM Regulations, a DPO is required to be appointed where:
Responsibilities of a DPO
Among other things, the DPO is responsible for:
Consent
The UAE Law provides certain exceptions where processing may be carried out without consent. These include circumstances where:
However, in case of the DIFC Law and the ADGM Regulations, consent is one of the “lawful” bases to process the personal data.
Privacy by Design and Privacy by Default
The UAE Law does not specifically mention the concept of “privacy by design” or “privacy by default”. However, the DIFC Law and the ADGM Regulations provide that a controller protects the privacy by design and by default. The DIFC Law imposes this requirement on a processor as well.
Data Protection Impact Assessment
Controllers are required to undertake a “data protection impact assessment” before carrying out processing that is likely to result in a high risk to the rights of natural persons. In addition, the DIFC Law imposes a mandatory requirement for a data protection impact assessment in cases where:
Data Protection Policy
The UAE Law does not require the adoption of any internal or external data protection policy. The DIFC Law and the ADGM Regulations do require that a data protection policy is put in place and implemented.
Rights of data subjects
Data subjects enjoy the following rights (under the UAE Law, the DIFC Law and the ADGM Regulations):
Data breach notification
The data controller is required to notify a data breach to the Data Office/Commissioner/Commissioner of Data Protection when the breach is likely to result in a risk to the privacy, confidentiality, security or rights of the data subjects. The processor must notify any such breach to the controller without delay.
The UAE Law requires immediate notification of the breach. The DIFC Law requires the breach to be notified as soon as practicable in the circumstances. The ADGM Regulations provide that breach notification be made within 72 hours of becoming aware of the breach and, if the notification is not reported within 72 hours, then reasons of delay must accompany the breach notification.
The breach notification must contain at least the following information:
Where a breach is likely to result in a high risk to the security or rights of a data subject, the controller is required to also notify the data subject of the breach.
Anonymisation/pseudonymisation
The UAE Law requires a controller to implement appropriate measures during the identification of means of processing or during processing for the purposes of compliance with the UAE Law. Such measures include pseudonymisation.
In the context of “cessation of processing”, the DIFC Law and the ADGM Regulations require the controller to ensure that all personal data (including personal data held by the processor) is anonymised and pseudonymised.
Automated decision-making
The data subject has the right to object to automated decision-making (including profiling) that has legal implications or consequences affecting a data subject.
Injury/harm
The UAE Law does not provide for any concept of injury/harm (nor compensation thereof) in relation to a grievance suffered by a data subject, whereas the DIFC Law and the ADGM Regulations provide that a data subject who suffers material or non-material damage as a result of contravention of the applicable law/regulations is entitled to compensation. The claim for compensation is to be brought before the court. The compensation will not limit or affect any fine to be imposed on a controller or a processor for contravention of any provision of the applicable law/regulations.
Banking Sector
Federal Law No 14 of 2018 (the “Central Bank Law”) requires that all data and information related to customers should be considered confidential in nature. The Central Bank of the UAE has published its Consumer Protection Regulations, which apply to all financial institutions licensed by the Central Bank of the UAE. These regulations require that licensed financial institutions are to collect the minimum amount of consumer data and information required in relation to the licensed financial institution’s activities. Under these regulations, licensed financial institutions must:
Telecommunications Sector
The TDRA’s consumer protection regulations require telecommunications service providers to take all reasonable measures to prevent the unauthorised disclosure or unauthorised use of subscriber information. Telecommunications service providers are further required to take all reasonable measures to protect the privacy of subscriber information.
Health Sector
Federal Law No 2 of 2019 (on the use of information and communication technology in health fields) was issued to collect, analyse and keep health information and to ensure the safety and security of health data and information. This law requires that information related to patients is kept confidential and is not used for any non-health purpose without obtaining the written approval of the patient, except for:
Under Federal Law No 2 of 2019, health information and data may not be stored, processed, generated or transferred outside the UAE except on a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention. Health information and data must be kept for a period commensurate with the need provided; it may not be less than 25 years from the date of the last health procedures provided to the concerned person.
Sensitive Personal Data/Special Categories of Personal Data
“Sensitive personal data”, under the UAE Law, refers to:
“Special categories of personal data”, under the DIFC Law, means personal data revealing or connecting (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal records, trade union membership and health or sex life, including genetic and biometric data where it is used for the purpose of uniquely identifying a natural person.
The ADGM Regulations have a similar definition of special categories of personal data to the DIFC Law.
The UAE Law states that a personal data protection impact assessment is a necessity where processing involves large amounts of sensitive personal data.
The DIFC Law and the ADGM Regulations permit processing of special categories of personal data in certain specified situations, including:
The UAE Law confers on the data subject a “right to stop processing” where personal data is processed for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.
The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing and that the data subject must be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.
The ADGM Regulations carry the same provisions as in the DIFC Law when it comes to direct marketing. The ADGM Regulations, in addition, provide that personal data must not be processed for direct marketing purposes if a data subject objects to direct marketing.
Federal Decree Law No 33 of 2021, regarding the regulation of employment relationships, provides that a worker must maintain the confidentiality of information and data to which they have access by virtue of their work.
The UAE Law, the DIFC Law and the ADGM Regulations do not contain any provisions concerning the role of labour organisations, whistle-blowing or e-discovery.
The executive regulations pursuant to the UAE Law have not yet been issued. The executive regulations will provide for the procedural aspects concerning enforcement and litigation arising out of the UAE Law.
The DIFC Law requires that the Commissioner, for the purposes of issuing any direction pursuant to a complaint or on the basis of other information within their knowledge, may undertake reasonable and necessary inspections or investigations.
The ADGM Regulations require that, before a penalty notice is given to a controller or processor, the Commissioner of Data Protection must give a written “Notice of Intent” to the controller or processor concerned. The Notice of Intent must provide:
The executive regulations to be issued under the UAE Law will specify the penalties/administrative sanctions to be imposed for contravention of the UAE Law.
Schedule 2 to the DIFC Law sets the administrative fines for contravention of provisions of the DIFC Law. The maximum fine is USD100,000.
The ADGM Regulations provide that the maximum administrative fine must not exceed USD28 million.
No details are available with regard to any enforcement cases.
The DIFC Law and the ADGM Regulations do allow class actions. However, where multiple data subjects are affected by the same alleged contravention, they may raise a collective complaint. In addition, the Commissioner/Commissioner of Data Protection may choose to deal collectively with multiple allegations that relate to the same contravention, whether or not such allegations are brought collectively.
Federal Law No 20 of 2018 governs anti-money laundering and combating the financing of terrorism. Under this law, the supervisory authorities, financial intelligence unit, law enforcement authorities and designated non-financial businesses and professions are exempted from criminal, civil or administrative responsibility in relation to the following:
The above-mentioned exemption, however, is not available if the disclosure is made in bad faith or with the intent to cause damages to others.
Federal Law No 7 of 2014 governs the combating of terrorism offences. Under this law, the Central Bank of the UAE, financial institutions and other financial, commercial and economic institutions are not held responsible (criminally or civilly) upon violation of restrictions imposed for guaranteeing the confidentiality of the information in relation to implementation of the provisions of the law in question. This immunity, however, is not available in the case of procedures adopted by these institutions in bad faith.
This law also provides that all the authorities (concerned with the implementation of the law in question) must undertake to keep all the information obtained in connection with the implementation of said law confidential and not disclose such information unless to the extent necessary for evidence-gathering or for investigation.
The laws (the UAE Law, the DIFC Law and the ADGM Regulations) do not provide for a foreign government access request to be a legitimate basis for transferring personal data outside the jurisdiction. The situations in which personal data may be transferred outside UAE are discussed in 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers.
Currently, free zones (except for DIFC and ADGM, which have their own legal framework concerning personal data protection) do not have any law or regulation by which to govern and protect the collection and processing of personal data. It is likely that free zones will issue their respective laws or regulations in this respect.
The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction that has a law in place covering various aspects concerning the protection of personal data (ie, adequate level of protection). The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.
The DIFC Law provides that personal data may be transferred to a third country or to an international organisation on the basis of an adequate level of protection, as determined by the Commissioner. A list of adequate jurisdictions is issued through DIFC Data Protection Regulations.
The ADGM Regulations allow the transfer of personal data outside ADGM or to an international organisation where the Personal Data Commissioner has decided that the receiving jurisdiction or the international organisation ensures an adequate level of protection.
In the absence of adequate protection, under the UAE Law, personal data may be transferred outside the UAE in the following cases (subject to the controls to be specified by the executive regulations):
In the absence of an adequate level of protection, personal data may be transferred to a third country under the DIFC Law and the ADGM Regulations on the basis of “appropriate safeguards”, which include:
In the absence of an adequate level of protection and appropriate safeguards, the data may be transferred outside the jurisdiction where the following derogations apply:
The DIFC Law permits the following further modes of international transfer of personal data (when transfer could not be made under any of the above-discussed modes):
No government notifications or approvals are required to transfer data internationally, except in the case of health data (see4.4 Data Localisation Requirements for further discussion).
There are no data localisation requirements, apart from in relation to health information and data. Under Federal Law No 2 of 2019, health information and data may not be stored, processed, generated or transferred outside the UAE, except following a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention.
There are no such requirements to share any software code, algorithms or similar technical details with the government.
The limitations or considerations concerning international transfer of personal data are those discussed at 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers.
There are no blocking statutes in the UAE.
The Central Bank of the UAE, the Securities and Commodities Authority, DIFC’s Dubai Financial Services Authority, and ADGM’s Financial Services Regulatory Authority have issued Bank Guidelines on the application of the key principles in the use of:
The Bank Guidelines require that all APIs should be designed on a “privacy by design” basis ‒ ie, in a way that only exposes relevant data elements to any party in order to fulfil the purpose of the API. The Bank Guidelines further require that financial institutions should ensure that personal data being transmitted or stored is in encrypted form so as to enable privacy and integrity.
Unmanned Aircraft Systems/Drones
The General Civil Aviation Authority (GCAA) of the UAE is the regulatory body concerning the registration of Unmanned Aircraft Systems (UAS)/drones in the UAE. GCAA registers the following two types of users of UAS/drones:
Under the relevant regulations issued by the GCAA, use of aerial photographic apparatus installed on UAS/drones will not be permitted without prior authorisation by the GCAA.
There is no requirement with regard to digital governance or fair data practice review boards or committees.
No details are available concerning any regulatory enforcement or litigation.
There is no uniform process concerning due diligence in corporate transactions. The entities perform due diligence based upon their individual risk appetite and underlying circumstances with regard to the nature and complexity of a particular transaction.
There is no requirement for making public disclosure regarding an organisation’s cybersecurity risk profile or experience.
Law No 4 of 2022 regulating virtual assets in the Emirate of Dubai has been issued. Pursuant to this law, the Dubai Virtual Assets Regulatory Authority (DVARA) has been established. The DVARA regulates the operation of virtual asset platforms in the Emirate of Dubai (including all special development zones and free zones except DIFC).
Federal Decree Law No 46 of 2021 on electronic transactions and trust services (the “Electronic Transactions Law”) came into effect on 2 January 2022 and has repealed Federal Law No 1 of 2006 on electric commerce and transactions. As regulator, the TDRA will implement this law. The Electronic Transactions Law provides means for regulating electronic identification systems and trust services. Executive regulations to implement the new law are to be issued. The Electronic Transactions Law fully recognises electronic signatures and electronic documents as having full legal validity and enforceability. Trust service providers must be licensed by the TDRA to render electronic signatures services.
D 3–4
Office 302
Al Sarab Tower
Level 15
ADGM Abu Dhabi
UAE
+971 52 914 1118
Saeed.hasan@bizilancelegal.ae www.bizilancelegal.aeUAE Data Protection Law Framework: Mainland, DIFC and ADGM
Overview
This article provides a bird’s eye view of the legal frameworks governing personal data in three distinct jurisdictions within the UAE, namely the UAE mainland, the Abu Dhabi Global Market (ADGM), and the Dubai International Financial Centre (DIFC). Further, it sheds light on the interaction between these regulatory instruments inter se on data protection.
UAE
On 20 September 2021, the UAE published its first federal data protection legislation titled Federal Decree Law No 45 of 2021 on the protection of personal data (PDPL). It became effective on 2 January 2022. Among many other notable steps, the PDPL established the UAE Data Office as the federal personal data protection authority. The UAE Data Office is entrusted with the responsibility for managing complaints from data subjects, issuing rules and guidance on the PDPL, and enforcing the PDPL. Notably, the PDPL stipulates that the UAE Data Office shall release executive regulations to outline standards and controls for its enforcement. These executive regulations are yet to be issued and the enforcement of the PDPL will commence six months after their issuance.
Interestingly, several distinct laws governed personal data protection and confidentiality before the PDPL. Here is a snapshot of these laws:
DIFC
In DIFC, personal data protection is governed by the DIFC Law No 5 of 2020 (the “DIFC DP Law”). It is supported by the DIFC Data Protection Regulations (the “DIFC DP Regulations”), which were issued on 21 May 2020 and became effective on 1 July 2020. The DIFC DP Law and the DIFC DP Regulations are not only applicable to companies established in DIFC but also apply to any controller or processor (as defined in the DIFC DP Law), irrespective of their place of incorporation, who regularly process personal data in DIFC through means and personnel located in DIFC. Therefore, the DIFC framework has extraterritorial effect.
The DIFC DP Law draws from both the EU’s General Data Protection Regulation (the “EU GDPR”) and the UK data protection principles. It establishes the Office of the Commissioner of Data Protection (“the Commissioner”) as the relevant personal data protection regulator. The Commissioner enforces compliance with the DIFC DP Law and the DIFC DP Regulations, acts on complaints from data subjects, and encourages public understanding of data protection.
Pertinently, the DIFC DP Regulations were recently amended on 1 September 2023. The key points concerning the amendments are provided here.
ADGM
The ADGM Data Protection Regulations (the “ADGM DP Regulations”) govern personal data protection in the financial free zone of ADGM. The ADGM DP Regulations were published on 14 February 2021 and came into force on 14 February 2022 after a 12-month transition period. The ADGM DP Regulations are enforced by the Office of Data Protection run by the Commissioner. The ADGM DP Regulations also have extraterritorial applicability. Processors and controllers processing personal data outside ADGM might be subject to the ADGM DP Regulations if:
Territorial application
The data protection laws of the UAE, DIFC and ADGM have extraterritorial effect. The conditions under which such extraterritorial effect is applicable are as follows.
Analysis
The PDPL takes a broad stance on the extraterritorial effect, indicating a comprehensive approach to regulate the processing of personal data of individuals within its borders, regardless of the location of the controller or processor. Such expansive extraterritorial application also brings tourists within its purview.
The DIFC DP Law, on the other hand, carves its own niche and presents a unique form of extraterritorial effect. Its extraterritorial effect is reliant on the use of means and personnel being physically located in DIFC, instead of the data subjects being located in the said jurisdiction.
In contrast, the ADGM DP Regulations take a more nuanced approach, requiring a stronger nexus between the foreign entity and the ADGM establishment (including a significant link in terms of services and revenue). This suggests a more selective application of extraterritorial regulations, considering both business activities and financial ties.
Non-consent-based legal basis for processing of data
“Consent” is perhaps the only legal basis for processing of personal data that keeps the data subject at the centre of its operation. Controllers/processors remain at the behest of the data subject and must mandatorily obtain their consent before they can start processing their personal data. The PDPL, the DIFC DP Law and the ADGM DP Regulations also add separate qualifiers for such consent to be considered valid under the said laws.
The PDPL requires the data subject’s consent to be “specific”, “informed” and “unambiguous”. These requirements imply that:
Meanwhile, the DIFC DP Law and the ADGM DP Regulations also require consent to be “freely given”, which suggests that the data subject must not be under any influence while they are providing such consent.
However, consent may not always be the most appropriate legal basis for processing. Accordingly, the data protection frameworks in the three jurisdictions provide for the following circumstances where processing of personal data does not require the data subject’s consent.
Analysis
The legal bases for data collection outlined in the PDPL, the DIFC DP Law, and the ADGM DP Regulations reveal several common principles and distinctions. Across all frameworks, legal bases such as protecting the vital interests of data subjects and fulfilling contractual/legal obligations emerge as central pillars for lawful data processing. Such legal basis underlines the significance of prioritising the interests of the data subject as well as commitment to contractual/legal responsibilities.
Both the DIFC DP Law and the ADGM DP Regulations recognise the importance of legitimate interests, suggesting a balanced approach that considers business interests alongside data protection requirements. In contrast, the PDPL does not allow for processing of personal data based on “legitimate interest”. Additionally, the PDPL takes a unique approach by emphasising the use of public interest and health-related purposes.
Overall, these frameworks collectively demonstrate a nuanced understanding of diverse data processing scenarios, emphasising the need for legal compliance, individual rights protection, and a careful balance between business interests and public welfare.
Whether “consent” is a valid basis for processing of data in the case of an employee
Consent is a valid legal basis for the processing data under the PDPL. There is no requirement for consent to be “freely given” and neither does the present law consider the imbalance of power between the employer and employee, which might result in consent that may not be freely given. However, the executive regulations may address and clarify this aspect.
Both the DIFC DP Law and the ADGM DP Regulations clarify the above-mentioned issue in guidance issued by their respective data protection authorities. According to the guidance, both the DIFC and ADGM personal data protection frameworks must be interpreted in conjunction with the UK and EU laws, which explicitly mandate the data subject’s consent to be “freely given”. This implies that the data subject must have genuine choice and should not be put in a situation whereby they are compelled to give consent.
Analysis
Under the PDPL, consent is recognised as a valid legal basis for data processing without explicitly requiring that it be “freely given”. Notably, the PDPL does not address the potential power imbalance between employers and employees that could lead to coerced consent. Meanwhile, both the DIFC DP Law and the ADGM DP Regulations deviate from the above-mentioned approach and mandate that consent must be “freely given”. This distinction reflects a more comprehensive approach, aligning with international standards and addressing concerns related to consent in situations where power dynamics may influence the voluntariness of the agreement.
Data subject rights
The common data subject rights granted under the PDPL, the DIFC DP Law and the ADGM DP Regulations are:
The following rights in relation to data subjects are specific to the DIFC DP Law:
Analysis
The PDPL, the DIFC DP Law and the ADGM DP Regulations provide for broadly the same set of data subject rights as available in the EU GDPR and are thereby in alignment with global standards. This will not only aid in preserving the privacy of personal data but also acts as an incentive for entities in advanced jurisdictions should they wish to transfer their data to the UAE, DIFC or ADGM ‒ safe in the knowledge that they will have access to the same suit of rights as they did in their native jurisdiction. Moreover, the DIFC DP Law goes a step further and explicitly recognises two additional data subject rights, which prevents unfair treatment and offers data subjects more channels to assert their rights.
Special provisions for processing personal data in relation to a minor
The PDPL does not specifically provide for the processing of personal data of minors. Therefore, they are treated at par with adult data subjects.
The DIFC DP Law provides minors an absolute right to object to automated processing. However, the exercise of this right for adult data subjects comes with certain caveats.
The ADGM DP Regulations prescribe a three-pronged proportionality test for exercising the “legitimate interest” basis for the processing of personal data. This is elaborated upon in the guidance issued by the Office of Data Protection. Significantly, the guidance suggests placing special emphasis on the question of whether the data subject is a minor while applying this test. Furthermore, the guidance states that when data subjects invoke their right to access information, such information must be shared in a concise, transparent and intelligible manner if the data subject is a minor.
Analysis
Although the PDPL treats minors similarly to adult data subjects, the DIFC DP Law and the ADGM DP Regulations take a more specific and protective approach. The DIFC DP Law grants minors an absolute right to object to automated processing and the ADGM DP Regulations introduce a proportionality test with a focus on the minor status when personal data is being processed on the basis of “legitimate interest”. These provisions reflect a growing awareness of the unique considerations and safeguards required when handling the personal data of minors in these jurisdictions.
Appointment of Data Protection Officer
The appointment of a Data Protection Officer is mandatory under the PDPL when:
Under the DIFC DP Law, the appointment of DPO is only necessary if the controller/processor is performing “high-risk activities” on a systemic or a regular basis. Such activities include:
Under the ADGM DP Regulations, the appointment of a DPO in ADGM is required if a controller/processor partakes in following kinds of processing activities:
Analysis
The criteria for appointing a DPO under the PDPL, the DIFC DP Law and the ADGM DP Regulations converge on situations involving heightened risks or the processing of personal data in a high volume. These provisions collectively highlight the need for the designation of a DPO in scenarios with inherent risks, where systematic evaluation is required, or where significant volumes of sensitive personal data/special categories of personal data are being processed.
International transfers
Under the PDPL, personal data may be transferred outside the UAE if:
In the absence of data protection legislation and a bilateral treaty, transfer of personal data can be initiated in the following cases.
Under the DIFC DP Law, personal data may be transferred outside DIFC in the following situations.
If the data transfer does not relate to any of the above-mentioned situations, such data transfer would have to adhere to the following restrictions to be considered a valid transfer under the DIFC DP Law:
Under the ADGM DP Regulations, personal data may be transferred outside ADGM if the jurisdiction to which such data is being transferred has a law encompassing personal data protection principles, measures, controls, requirements that provide adequate protection to the personal data of data subjects.
In the absence of data protection legislation, data transfer is only permitted in the following circumstances.
Analysis
The provisions concerning data transfer in all three jurisdictions provide for explicit circumstances in which data transfers beyond their jurisdiction are allowed, leaving no room for ambiguity. Such an approach reflects a practical and accommodating attitude towards data transfer practices while also ensuring confidentiality of personal data. The criteria allowing for personal data transfer in the absence of data protection laws and bilateral agreements in the receiving jurisdiction provide essential independence for data subjects, as well as controllers and processors ‒ thereby enabling them to manage their activities in accordance with their diverse legal and operational circumstances.
Conclusion
The UAE, DIFC and ADGM have made significant strides in establishing comprehensive data protection frameworks in recent years. While the UAE’s federal legislation (the PDPL) is awaiting the issuance of its executive regulations, both DIFC and ADGM have formulated their own robust data protection laws, which are modelled on the EU GDPR and offer adequate safeguards for the protection of personal data.
In brief, the data protection frameworks in these jurisdictions provide strong individual rights and accountability measures to preserve and protect the privacy and confidentiality of personal data. However, taking cues from the developments in DIFC, organisations must remain vigilant and adopt appropriate compliance strategies to navigate the dynamic regulatory landscape of personal data protection.
Floor 14
WeWork Hub71
Al Khatem Tower
ADGM Square
Al Maryah Island
Abu Dhabi
UAE
+971 55 369 2517
karmadmin@karmadv.com www.karmadv.com/