The UAE’s latest law on Private data Protection is primarily intended to protect private information concerned with individuals. The said law was operated from 2nd January 2022. However, further executive regulations are expected to be enacted in time to come. According to various government sources, such regulations are likely to be implemented at least by 20th March 2022.
The primary aim of the newly enacted law is to harmonise with the global “best practice” private data protection principle, as stipulated by the European General Data Protection Regulation (hereinafter sometimes referred to as GDPR) which is based on seven important principles concerned with the information which attracts privacy.
They are;
1. Lawfulness, fairness and transparency
This is to ensure that, nothing is hidden. In order to comply, it must be stated in the privacy policy the type of data collected and the reasons behind such collection.
2. Purpose limitation
This means that the data should be collected only for a specific purpose and also that only the necessary data will be collected.
3. Data Minimization
According to this principle, the data will be collected and stored only to the extent which is minimum required to achieve the purpose of such collection. Complying with this rule confers two major benefits.
- In case of a breach of data, unauthorized individuals will only have access to a limited amount of data.
- With having minimum data, having access to such data would be more convenient.
4. Accuracy
This is considered an integral part of data protection. This supports the policy of erasing or rectifying inaccurate or incomplete data within thirty (30) days of such collection of data.
5. Storage Limitation
This is to delete data when such data is no longer required.
In this context, an interesting question can be raised as to “How Long should an Individual be considered as a customer?”
The answer to the question can vary, considering the business relationship. However, the “Controller” and the “Processor” of the data ought to ensure that, the collected data would be destroyed as soon as the individual ceases to become “the customer”.
6. Integrity and Confidentiality
The threshold of meeting this requirement would depend on the circumstance of each situation. Therefore the measurement of compliance could be very much vague.
7. Accountability
This is to ensure that, those who are responsible for collecting and controlling the personal data collected ought to account for what has been collected.
As briefly articulated at the inception of this article, The Federal law on Private Data Protection was decreed as part of the UAE’s massive legal reform project ever. The announcement came during the 50th anniversary of the UAE, as part of the government’s ‘towards the next 50’ national strategy. The New Law on Private Data Protection Law applies to two main categories namely,
- Controller
- Processor
The Controller is considered to be the entity or person who would determine the criteria for processing data. The Processor on the other hand is considered as the person or entity which processes data on behalf of the Controller.
According to the New Law, Personal Data was identified as any data relating to a natural person, or any natural person who can be identified directly or indirectly by linking data. Such data would cover
- Voice
- Picture(s)
- Identification number
- Electronic Identifier
- Geographical Location or
- Natural Person’s Physical, physiological, economic, cultural or Social Characteristics.
The New Law also refers to a special category of Data Called “Sensitive Personal Data”. Such “Sensitive Personal Data” would include data that directly/indirectly reveal family or ethnic origin, or matters related to Political or Philosophical opinion or religious benefits or criminal record or biometric data or any data relating to health.
Furthermore, the New Law covers data protection concerning controllers and processors inside UAE as well as Outside UAE, adding an extraterritorial element. This provision is very much similar to provisions relating to the same contained in the GDPR.
The New Law also provides categories of data that are excepted from protection
- Government Data
This would include personal data which are processed or controlled by government authorities including but not limited to Judicial Authorities.
2. Data concerning wealth, personal banking and credit data when collected from government entities such as government companies even though in general covered by the New Law.
Moreover, one of the key features of the New Law is to insist on the consent of the concerned individual prior to obtaining data from the individual. Such consent shall be clear, simple, unambiguous and easily accessible. Further, the concerned individual shall be provided with an option to withdraw the consent given. The method of withdrawal shall also be simple.
When it is required to transfer data internationally, the New Law permits the international transfer of data to countries that are approved by the UAE Data Office. However, the provisions concerning the function of the UAE Data Office are yet to be enacted and implemented.
Obligations of the Controller – Key Obligations
- Appropriate technical and Organizational Measures to safeguard personal data shall be implemented.
- Ought to maintain a “Special Record” of personal data. This shall be made available to the “Data Office” on request.
- Shall ensure the Processors provide sufficient Guarantees and implement organizational and technical measures necessary to comply with the New Law.
Obligations of the Processor – key Obligations
- Shall Process data in accordance with the instructions of the Controller.
- Shall apply appropriate technical and organizational measures to protect personal data.
- Shall maintain a special record of personal data.
Furthermore, both controller and processor shall adopt technical and organizational measures as required in accordance with best international standards. Also, adequate measures shall be taken to ensure appropriate levels of data security. Such measures would include “encryption, pseudonymization and anonymization.
In the event of any breach of privacy of the individual is concerned,
- in case of a breach that would prejudice the privacy, confidentiality and security of the concerned individual’s personal data, the same shall be informed to the data office without delay and investigations shall be conducted regarding such breach.
- The Controller shall notify the “data subject” (the individual concerned” of the breach.
It is also featured in the New Law the requirement to appoint a Data Protection Officer who would be responsible for handling Private Data.
You may also like – Do Copyright protect Web Content?
Rights of the Data Subject/ Individual Concerned
1. Data Subject’s Access Rights
- Right to request information. It is noteworthy that such request may be rejected by the controller only on limited circumstances such as, it would not be required to be submitted by the Controller.
- If the Data Subject is over – repetitively asking for such information.
2. Other rights of the Data Subject
- To data portability – this would be to move data from different applications (eg: move data from Facebook to TikTok.
- To have the errors rectified.
- To have the data erased or forgotten.
- To restrict personal data processing.
- To object to personal data processing.
In conclusion, it could be stated that the new law brings the UAE in harmony with the global need to protect personal data, which is in line with the GDPR. It would make the individuals and corporations more confident and comfortable when dealing with UAE in the time to come. For more details contact our legal consultant.
