His Highness Sheikh Khalifa bin Zayed Al Nahyan, the President of the United Arab Emirates, approved the Federal Decree-Law on the Protection of Personal Data (PDPL) in November 2021. It complies with several other data protection laws that have been drafted and enacted in other countries. The law governs data privacy and the rights of UAE citizens over how they choose to share their data with others.
The law is intended to protect any data related to a specific natural person, or to a natural person who can be identified directly or indirectly by linking the data.
The UAE Personal Data Protection Law applies to:
- an individual who resides or has a place of business in the UAE
- any business in the UAE which processes the Personal Data of individuals, whether those individuals are located inside or outside the UAE
- any business located outside the UAE that processes the Personal Data of individuals who are located inside the UAE.
Certain entities and data are exempted from the provisions of the new law, such as government data, public entities’ data, health and credit data subject to their own dedicated legislation, and, most importantly, entities established within free zones such as the DIFC (Dubai International Financial Centre) and ADGM (Abu Dhabi Global Market), which have their own data protection laws.
Businesses that are part of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) free zones but process data on behalf of companies that are not a part of the DIFC and ADGM are also covered by the law in limited cases.
Data covered under the law
The PDPL protects all collected personal and sensitive data of data subjects. The following data is covered under the UAE’s new data protection law:
Name, Voice, Picture, Identification number, Race, Ethnicity, Religion, Sexual preference, Biometric data, Criminal record, Health records and Geographical location.
Rights of data subjects
Under the new PDPL, all users, or data subjects, in the UAE have certain rights that a person watching the data is required to keep in mind under all circumstances.
These include:
- All data subjects have the right to know what data or information has been collected on them. The data subject can also request to know why the data was collected, where the data is stored, what safety precautions are being taken to protect their data, and what actions will be taken in the event of a data breach.
- All data subjects have the right to receive all information in a format that is easy to read and can be easily accessed on all major platforms and mediums.
- All data subjects have the right to restrict the processing of any further data related to them.
- All data subjects have the right to request any business (the processor of data) to delete all data that may have been collected on them.
- All data subjects have the right to request a data handler (processor) to change, amend or modify data collected on data subjects in case it is outdated, incomplete or incorrect.
The PDPL is not explicit about penalties on companies that are found to be non-compliant with the provisions of the new law.
The Council of Ministers and the courts will impose fines for any business found breaching any of the provisions. Standardized penalties for such breaches apply via the Executive Regulation that has been imposed by the UAE Data Office after the law came into effect on January 2, 2022. It will also be applicable to sensitive personal data, like race and philosophical beliefs, and biometric data such as fingerprints.
Like GDPR, the DPL will prohibit the processing of personal data without the specific, clear and unambiguous consent of data subjects, given in the form of a clear positive statement or action.
Exceptions to the consent rule apply if the processing is necessary to fulfil a contract with a data subject, to comply with legal obligations, or to protect the public interest.
An organisation will have to make clear to data subjects why their personal data is being collected and processed, and will only be able to use personal data for marketing purposes with the consent of data subjects.
Additionally, a new ‘UAE Data Office’, which will regulate and update the DPL, will have the power to exempt other organisations that do not process large amounts of personal data. The office will be responsible for preparing data protection policies, monitoring the application of federal legislation regulating personal data and approving systems for complaints and grievances. It will also issue guidelines for authorities on how to implement the data protection law.
From 2 January, data controllers and processors will have six months to ensure their operations comply with the new law.
Penalties for breaches are not included in the current legislation but will be specified in future executive regulations. It is not yet clear whether the regulations will give the UAE Data Office and courts power to impose fines and other sanctions at their discretion.