To protect personal data, the United Arab Emirates' federal government promulgated Decree-Law No. 45 of 2021 on September 20, 2021. As a result, the UAE's regulatory framework has undergone a significant shift, paving the way for the modernization of the economy and the digitalization of growing sectors.
Federal Law 44 of 2021 mandates the establishment of the Emirates Data Office (the "Data Office"), which will serve as the new data regulator. The Data Office will also be responsible for implementing the law and drafting supporting laws and recommendations.
It effected on January 2, 2022, and its executive regulations, which elaborate on essential themes, will be issued no later than six months after that date (currently May 28 2022). The Data Officer has the authority to extend the six-month deadline for controllers and processors to comply with the Law if it deems it essential to do so.
Applicability of Data Protection Law
According to Article 2(1) of the UAE Personal Data Protection Law (PDPL), it has an extraterritorial application, meaning it will apply to both UAE-based controllers and processors and those based outside the UAE and handle personal data of UAE residents.
Notably, the Data Protection Law's scope includes significant exceptions, such as those relating to:
- Government Data and "public bodies that exercise control over or handle personal data";
- Where appropriate regulation controls the protection and processing of personal health data". Health information, particularly its transmission outside the UAE, is already tightly controlled in the UAE by the ICT Health Law and several emirate-level regulations, rules, and procedures (including those governing telemedicine);
- "Personal banking and credit data and information, to the extent that relevant law controls their protection and processing." It is a critical exception for the financial industry, which must be further studied in light of the Executive Regulations; and
- Entities located in free zones already have personal data protection legislation (namely the Dubai International Financial Centre, Abu Dhabi Global Market, and, potentially, Dubai Healthcare City).
Rights of Data Subjects
The new PDPL establishes a new set of rights for data subjects in the UAE, granting them increased control over how their personal data is used. The law establishes the following rights for data subjects:
- Information Access Right
Each data subject has the right to know what data or information has been gathered about them by a company. Similarly, the data subject has the right to obtain information on why their data was acquired, where it is kept, what safeguards are in place to secure their data, and what steps would be taken in the case of a data breach.
- Data Portability
Data subjects have the right to receive all their information in a simple format to read and transferable across all major platforms and media, similar to the right to access their information.
- Right to Process Restrictions
All data subjects have the right to request that any enterprise processes no more data relating to them. Once the company has exercised its claim, the business must ensure that no additional data is collected on the data subject.
- Right to request removal of personal data
Any data subject has a right to seek the erasure of any or all personal data stored about them.
- Right to Object to Automated Processing
Each data subject has the right to object to a business's use of any or all data acquired about them to help automated decision-making that may impact them.
- Rectification Right
If data collected on data subjects is outdated, incomplete, or incorrect, all data subjects have the right to request that the data handler change, amend, or modify it.
You may want to know: How does Intellectual Property protect a mobile App?
Essential Requirement for Processing Data
To be more specific, personal data may only be processed if the individual whose personal data has permission. The following are, however, some notable exceptions:
- To safeguard the public interest;
- To protect personal data that has been made public and known to everyone by the data owner; or
- The data must be processed to carry out any legal processes and rights.
Other essential aspects of the law
As a result of the new regulations, data controllers are required to:
- conduct impact assessments,
- report security breaches,
- designate a data protection officer, and
- Make cross-border transfers of personal data. Data controllers will also be required to track how their data is used.
Data processors will also have to adhere to a slew of new regulations, including those relating to their connections with data controllers.
Who is responsible for enforcing the Law?
According to the new legislation, the UAE Data Office would be tasked with formulating policy, drafting legislation, and giving instructions for the practical application of data protection laws.
This article aims to provide a general overview of the subject. The information included herein may not be appropriate in all circumstances and should not be relied upon without seeking specialized legal counsel based on specific cases.
For more information on Data Protection Law, please don't hesitate to contact HHS Lawyers in Dubai today.