On September 20, 2021, the federal government of the United Arab Emirates issued Decree-Law No. 45 of 2021 to protect personal data. As a result, the UAE’s regulatory environment has shifted dramatically, opening the way for the modernization of the economy and the digitization of emerging industries.
The Emirates Data Office (the “Data Office”), which will function as the new data regulator, is required under Federal Law 44 of 2021. The Data Office will also be in charge of enforcing the law as well as creating supporting legislation and suggestions.
The Data Protection Law went into force on January 2, 2022, and its executive regulations, which expand on key themes, will be released no later than six months afterwards (currently May 28, 2022). If the Data Office thinks it necessary, it has the right to extend the six-month deadline for controllers and processors to comply with the Law.
Data Protection Law’s Applicability
The UAE Personal Data Protection Law (PDPL) has extraterritorial applicability, which means it will apply to both UAE-based controllers and processors as well as those headquartered outside the UAE who handle personal data of UAE residents, according to Article 2(1).
Notably, the scope of the Data Protection Law includes important exclusions, such as those about:
- Personal health data, government data, and “public bodies that exercise control over or handle personal data”, where relevant regulation oversees their protection and processing. The ICT Health Law and several emirate-level regulations, rules, and procedures (including those governing telemedicine) already tighten controls on health information, particularly its transmission outside the UAE.
- “Personal banking and credit data and information, to the extent that relevant law controls their protection and processing.” This is a significant exception for the financial industry, which should be investigated further in light of the Executive Regulations.
- Entities operating in free zones that already have personal data protection regulations (namely the Dubai International Financial Centre, Abu Dhabi Global Market, and, potentially, Dubai Healthcare City).
Data Subjects’ Rights
The new PDPL gives data subjects in the UAE a new set of rights, giving them more control over how their data is handled. Data subjects have the following rights under the law:
- Right of access to information
Every data subject has the right to know what data or information a corporation has collected about them. Similarly, the data subject has the right to know why their data was collected, where it is kept, what protections are in place to protect their data, and what steps would be taken if a data breach occurred.
- Portability of data
Data subjects have the right to get all of their data in an easily readable and shareable manner.
- Right to restrict processing
Any data subject has the right to request that any company stop processing their data. Once this right has been exercised, the company must ensure that no new data about the data subject is gathered.
- Right to request that personal data be erased
Any data subject has the right to have any or all personal data about them erased.
- Right to object to automated processing
Each data subject has the right to object to a company’s use of any or all data collected on them to aid automated decision-making that may affect them.
- Right to rectification
All data subjects have the right to request that data collected on them be updated, completed, or corrected if it is outdated, incomplete, or erroneous.
Essential Data Processing Requirement
To be more specific, personal data may only be processed with the consent of the person whose data is being processed. There are, however, a few noteworthy exceptions:
- To protect the public’s interest;
- To protect personal data that the data owner has made public and accessible to all; or
- Where the data must be processed to carry out any legal actions or rights.
Aspects of the law that aren’t as important
Data controllers must now comply with the following requirements as a result of the new regulations:
- Carry out impact analyses
- Report security violations,
- Appoint a data privacy officer, and
- Meet the requirements for sending personal data across borders.
Data controllers will also have to keep track of how their information is used.
Data processors will also be required to follow several rules, including those relating to their relationships with data controllers.
Who is in charge of executing the laws?
The UAE Data Office will be in charge of establishing policy, drafting legislation, and issuing directions for the practical application of data protection regulations, according to the proposed legislation.
The purpose of this article is to give a broad overview of the topic. The information provided herein may not be applicable in all situations and should not be relied upon without seeking specialist legal advice in each matter.