The UAE’s latest law on Private Data Protection is primarily intended to protect private information concerning individuals. The law came into operation on 2nd January 2022. However, further executive regulations are expected to be enacted in due course. According to various government sources, such regulations are likely to be implemented at least by 20th March 2022.
The primary aim of the newly enacted law is to harmonise with the global “best practice” private data protection principles, as stipulated by the European General Data Protection Regulation (hereinafter sometimes referred to as GDPR), which is based on seven important principles concerning information that attracts privacy.
They are:
This is to ensure that nothing is hidden. To comply, the privacy policy must state the type of data collected and the reasons behind such collection.
This means that the data should be collected only for a specific purpose and also that only the necessary data will be collected.
According to this principle, data will be collected and stored only to the minimum extent required to achieve the purpose of such collection. Complying with this rule confers two major benefits.
This is considered an integral part of data protection. It supports the policy of erasing or rectifying inaccurate or incomplete data within thirty (30) days of such collection of data.
This is to delete data when it is no longer required.
In this context, an interesting question can be raised: “How long should an individual be considered a customer?”
The answer to the question can vary depending on the business relationship. However, the “Controller” and the “Processor” of the data ought to ensure that the collected data is destroyed as soon as the individual ceases to be “the customer”.
The threshold for meeting this requirement would depend on the circumstances of each situation. Therefore, the measurement of compliance could be quite vague.
This is to ensure that those who are responsible for collecting and controlling personal data account for what has been collected.
As briefly articulated at the inception of this article, the Federal Law on Private Data Protection was decreed as part of the UAE’s largest-ever legal reform project. The announcement came during the 50th anniversary of the UAE, as part of the government’s ‘towards the next 50’ national strategy. The New Law on Private Data Protection applies to two main categories, namely,
The Controller is considered to be the entity or person who determines the criteria for processing data. The Processor, on the other hand, is considered to be the person or entity that processes data on behalf of the Controller.
According to the New Law, Personal Data is identified as any data relating to a natural person, or any natural person who can be identified directly or indirectly by linking data. Such data would cover
The New Law also refers to a special category of data called “Sensitive Personal Data”. Such “Sensitive Personal Data” would include data that directly or indirectly reveals family or ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data or any data relating to health.
Furthermore, the New Law covers data protection concerning controllers and processors inside the UAE as well as outside the UAE, adding an extraterritorial element. This provision is very similar to the corresponding provisions contained in the GDPR.
This would include personal data that is processed or controlled by government authorities, including but not limited to Judicial Authorities.
2. Data concerning wealth, personal banking and credit data when collected from government entities such as government companies, even though such data is in general covered by the New Law.
Moreover, one of the key features of the New Law is its insistence on the consent of the concerned individual prior to obtaining data from that individual. Such consent shall be clear, simple, unambiguous and easily accessible. Further, the concerned individual shall be provided with an option to withdraw the consent given. The method of withdrawal shall also be simple.
When it is required to transfer data internationally, the New Law permits the transfer of data to countries that are approved by the UAE Data Office. However, the provisions concerning the function of the UAE Data Office are yet to be enacted and implemented.
Furthermore, both controller and processor shall adopt technical and organizational measures as required in accordance with best international standards. Also, adequate measures shall be taken to ensure appropriate levels of data security. Such measures would include “encryption, pseudonymization and anonymization”.
The New Law also features the requirement to appoint a Data Protection Officer, who would be responsible for handling Private Data.
In conclusion, it could be stated that the new law brings the UAE into harmony with the global need to protect personal data, in line with the GDPR. It would make individuals and corporations more confident and comfortable when dealing with the UAE in the time to come.