The United Arab Emirates (“UAE”) has enacted its long awaited federal level data protection law. This article examines some of its key features.
As part of its 50th anniversary, the UAE has issued a set of sweeping legal reforms, including the much anticipated Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”), which was issued on 26 September 2021.
The PDPL, and the other laws forming part of this package, are part of an ambitious set of legal reforms intended to place the UAE at the forefront of digitization in the Middle East, and indeed to make it a world leader in technology and digitization.
Reassuringly, the PDPL does not contain any major divergences from other well-known data protection regimes, including the GDPR. In this regard we expect it will be welcomed by local, regional and international businesses, in particular those that rely heavily upon personal data and international personal data flows. International businesses with global privacy compliance programs should seek to expand those programs to cover the UAE and achieve some synergies. However, businesses that are not used to complying with laws like the GDPR may find some of the new obligations challenging. For example, the PDPL introduces rights for individuals to access, rectify, correct and delete their data; to restrict processing; to request cessation of processing or transfer of data; and to object to automated processing. There are also new requirements around transfers of data outside of the UAE, requirements to keep data secure, and requirements to notify the new data protection regulator (and, in some circumstances, data subjects) of data breaches. The data security requirements and the new data breach obligations will raise the stakes for businesses in the UAE to take cyber security seriously.
With that said, the PDPL keeps intact existing laws within the UAE’s financial free zones, as well as applicable laws regulating health data and banking and credit data. For this reason the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the PDPL will need to be considered carefully.
When do businesses need to take action?
While the PDPL will not be effective immediately, we recommend that businesses take compliance steps as soon as possible.
The executive regulations to the PDPL (“Executive Regulations”) are expected to be published before March 2022. Thereafter, organisations have a further six months from the date of issuance of the Executive Regulations in which to adjust their operations to ensure compliance with the PDPL. This gives businesses approximately 10 months from the date of this article in which to arrange their compliance. While this may sound like a long lead time, it is not as long as other jurisdictions have had (notably the EU). Our experience tells us that assessing a business’s data protection obligations and implementing a compliance program can take considerably longer than businesses initially anticipate.
What does the PDPL cover and who does it apply to?
Definitions. Fortunately, the definitions of personal data, processing, data subject, data controller and data processor have been kept relatively generic.
Notably, while the definition of personal data refers to a “natural person”, the law does not appear to exclude deceased individuals from its scope.
Territoriality. The PDPL applies to:
- processing of personal data of people residing in the UAE, or people having a business within the UAE;
- each data controller or data processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE;
- each data controller or data processor located outside the UAE, who carries out processing activities of data subjects that are inside the UAE.
The PDPL therefore has extraterritorial application.
Exceptions. There are a number of key carve-outs from the PDPL. Notably, these include:
- “government data”, which is undefined;
- “government entities that control or process personal data”;
- “personal health data where applicable legislation regulates the protection and processing of such data”. Health information, in particular the transfer of health information outside of the UAE, is already heavily regulated in the UAE under the ICT Health Law and various emirate level laws, policies and procedures (including those in relation to telemedicine);
- “Personal banking and credit data and information where applicable legislation regulates the protection and processing of such Data”. This is a key carve-out for the financial sector, which will need to be considered further in light of the Executive Regulations; and
- Entities in free zones where there are already laws in relation to personal data in place (namely the Dubai International Financial Centre, Abu Dhabi Global Market and, potentially, Dubai Healthcare City).
Finally, the PDPL allows the regulator to exempt some establishments that do not process a large volume of personal data from part or all of the PDPL. Further details regarding this exception are expected in the Executive Regulations; however, it would appear that the intention is to exempt small and medium sized businesses that do not process large volumes of data in the course of their business.
The Data Protection Office
The PDPL will be overseen by the Emirates Data Office (“Data Office”), pursuant to Federal Decree-Law No. (44) of 2021. The Data Office will be the first dedicated “onshore” national personal data protection regulator in the UAE and will, amongst other things:
- handle any data breach notifications;
- handle complaints from data subjects (and develop processes in this regard);
- approve jurisdictions as having an adequate level of protection for international transfers;
- impose administrative penalties in the event of infringements (such amounts to be determined in the Executive Regulations);
- propose and develop policies, strategies and legislation related to data protection affairs; and
- issue guidance and instructions in relation to the PDPL.
Key features of the PDPL
Consent is the primary lawful basis for processing. Consent is the starting point for the processing of personal data; however, there are various exceptions to this rule which are effectively alternative legal bases for processing.
These alternatives include:
- processing personal data which is necessary for the performance of a contract to which the data subject is a party, or to take actions at the request of the data subject with the aim of concluding, amending or terminating a contract,
- public interest,
- defense of a legal claim,
- processing personal data made public by the data subject,
- processing personal data which is necessary for fulfillment of the data controller’s obligations under applicable UAE laws, and
- processing personal data which is necessary for the purposes of carrying out the obligations and exercising the rights of the data controller or of the data subject in the field of employment, social security and social protection law.
The form and use of consents should be considered carefully. For example, consents must be clear, simple, unambiguous and in an easily accessible form, whether in writing or electronically. Importantly, consents must also be “specific” and represent a “clear positive statement or action” (which excludes opt-out style consents). The requirement for consent to be “specific”, and how narrowly the Data Office interprets it, will be key. It may mean that businesses can no longer rely on “catch all” consents, which have to date been commonly used by UAE businesses. Data subjects must also be granted a right to revoke consent (subject to certain limitations).
Notably, there is no broad “legitimate interests” style lawful basis for processing, as is found in the GDPR.
An alternative lawful basis which may prove useful is where the “data processing is necessary to perform a contract to which the Data Subject is a party or to take actions at the request of the Data Subject with the aim of concluding, amending or terminating a contract”. The key here will be in understanding just how “necessary” the processing must be.
Transparency. The PDPL contains a broad obligation to process personal data in a transparent manner. This obligation is not placed specifically on either data controllers or data processors, so it can be assumed that it is intended to apply to both. Under other data protection laws, the general transparency obligation is often tied to a clear obligation to provide a privacy notice to data subjects which meets prescriptive content requirements. The PDPL does not (yet) have an express provision regarding this (although it is possible that the Executive Regulations may do so). However, the PDPL does give data subjects a detailed right of access (without charge) to the types of information which would ordinarily be contained in a privacy notice. Moreover, the data controller is required, in all cases and prior to the commencement of processing, to provide data subjects with information regarding:
- the purposes of the processing;
- the targeted sectors or establishments with whom the personal data will be shared, both within and outside the UAE; and
- the protection measures for cross-border processing.
Therefore, in practice, data controllers may ultimately consider publishing privacy notices that contain, at least in broad terms, the information that the data subject is entitled to seek under the PDPL.
Limitations on processing. Personal data must be processed for specified and explicit purposes and must not be processed in a manner that is incompatible with those purposes.
Personal data that is collected must also be “adequate and limited to what is necessary in relation to the purposes for which they are processed”.
As well as an obligation to keep personal data accurate and up to date, there is a requirement that personal data is not processed for any longer than is necessary for the purpose for which it was collected.
Appointment of Data Processors. Data controllers appear to be required to enter into contracts with data processors which “specify the scope, subject, purpose and nature of Data Processing, type of Personal Data, and categories of Data Subjects”. Data controllers are also required to appoint data processors which provide sufficient guarantees to implement technical and organizational measures such that their processing meets the requirements of the PDPL. The PDPL is not prescriptive about the content of such agreements in the way that, for example, Article 28 of the GDPR is; instead it imposes a series of direct legislative obligations on data processors which largely reflect those that data processors are typically required to comply with contractually.
Records of processing activities (“ROPA”). Data controllers and data processors are both separately required to keep records with respect to the personal data they process. The content requirements for such records are largely aligned with the equivalent requirements under the GDPR, but with some additional points. For example, data controllers are required to include in the ROPA “the data of the persons authorized to access the Personal Data”. It is not yet clear whether this requires that each and every individual who may have access to a particular data set be listed, or whether it is sufficient to name a category of employees or the team that has access.
Data protection officers (“DPO”). Data processors and data controllers who are: (a) conducting data processing which would cause a high risk to the confidentiality and privacy of the data subject’s personal data as a consequence of adopting new or data size-based technologies; (b) conducting data processing which involves a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing; or (c) processing large volumes of sensitive personal data, will need to appoint a DPO. Interpreting these requirements is something which organisations will need to consider carefully. The DPO can be a staff member or someone working on a service contract and does not necessarily need to be located in the UAE.
Data security. The PDPL imposes strict requirements around data security. Data controllers and data processors are required to put in place sufficient technical and organisational measures to protect and secure personal data, preserve its confidentiality and privacy, and ensure that such personal data is not breached, destroyed or altered. The measures which must be taken need to take into account the nature, scope and purposes of processing and the possibility of risks to the confidentiality and privacy of the data subject’s personal data. Put simply, the higher the risk of harm to the data subject and/or the higher the likelihood of a breach, the greater the steps that need to be taken to secure personal data.
Data breaches. Data controllers must notify the regulator and data subjects in the event of a data breach “which would prejudice the privacy, confidentiality and security of his/her Data”. There are prescriptive requirements around the contents of such a notification in each case, although the timeline for notifying will be set by the Executive Regulations.
Data subject rights. A major change under the PDPL is the introduction of data subject rights. These include rights of access, objection, deletion, transfer, rectification and a right to object to automated processing decisions being made. Whilst those familiar with the GDPR may recognize many of these rights, the rights under the PDPL are nuanced and subject to various exceptions which do not fully align with the GDPR. Businesses will need to carefully prepare policies, procedures and processes to align with these rights and exceptions.
Data protection impact assessments (“DPIA”). The PDPL introduces a requirement on data controllers to perform DPIAs when using any modern technology that would pose a high risk to the privacy and confidentiality of the Personal Data of the Data Subject, with prescriptive requirements around how to conduct a DPIA. The Data Office will prepare a list of the kind of processing operations for which no personal data protection impact assessment is required, and will make the same available to the public through its website.
International transfers. The PDPL imposes limitations on the transfer of personal data outside the UAE. Similar to the concept of “adequate jurisdictions” in the EU, the Data Office is expected to approve certain territories as having sufficient provisions, measures, controls, requirements and rules for protecting the privacy and confidentiality of personal data. There are also various other exceptions which exporters can rely on, although further details are awaited from the Data Office.
Penalties. It is not yet clear what the penalties for non-compliance with PDPL will be. The Executive Regulations are expected to clarify this.
How can your organization prepare now?
There are fundamental things that businesses can do now, even before the PDPL becomes fully effective, and before the Executive Regulations are published. Taking these steps now will prevent a rush as the deadline for compliance approaches.
Conduct a data mapping exercise. A data mapping exercise will provide an organisation with a snapshot of how its data is collected and managed. It is the process by which an organisation identifies, amongst other things:
- the personal data that it collects, processes, stores and transfers;
- where the personal data comes from;
- why it is collected;
- where it is stored and transferred; and
- who the personal data is shared with.
A data mapping exercise will allow for an honest identification of the gaps that must be closed in order to comply with any applicable data protection law, including the PDPL.
Develop a Record of Processing Activity (ROPA). The data mapping exercise will be the first step in generating the ROPA. The ROPA is the backbone of any data protection compliance program. It will feed directly into developing data protection policies, data subject rights processes, data processing agreements, and data transfer processes and policies. A ROPA is not a static document, and will need to be built upon and amended at regular intervals.
Develop appropriate consent language. Consider the means by which consent is currently obtained, and the language that is used to collect and record this consent. If consent cannot be obtained, then consider if the other alternative bases for personal data processing under the PDPL are suitable.
Develop appropriate personal data protection policies that reflect the organisation’s approach to personal data management, explaining the data subject’s rights and how your organisation will work with data subjects around these.
Develop processes for managing data subject requests. Consider how your organisation will respond to data subject requests for access, objection, deletion, transfer, rectification and objections to how your organization processes personal data.
Review your contracts. Review both the contracts from your suppliers and the contracts with your customers to identify what, if any, data protection clauses exist, or if any new clauses need to be added. While amendments may not need to be made at this stage, conducting an audit now will identify which contracts need amendment and possible renegotiation at the right time.
Review and consider existing technical and organisational measures and controls around data security including the services and technologies used to protect personal data, and also personal data access policies for staff and contractors.
Develop a data breach and cyber-attack response process. Given the new breach notification requirements of the PDPL, consider how your organisation will respond to data breaches, including who within your organisation should be involved in the response team, how you will identify when notifications need to be made, whether and how you notify your insurers or the press, and fire-testing breach scenarios to ensure that the processes work.
Training and stakeholder buy-in. Raise awareness of personal data protection issues within your organisation, including why it is important, how data protection can be a differentiator for your business and the possible risks when it goes wrong.
How we can help
Our dedicated Dubai based data protection team has in depth experience working with clients from around the world and regionally to assess and develop their data protection compliance frameworks across a range of sectors from finance, government, aerospace, transport, technology, media, events and sports.
Please feel free to contact us to discuss how we can assist you.
Eamon Holley, Partner, Dubai, Alex Mackay, Associate, Dubai