Organisations subject to the law should carry out a gap analysis of their current compliance position against the new requirements.
The United Arab Emirates (UAE) has issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the Data Protection Law), alongside a law establishing the new UAE Data Office (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).
The issuance of the Data Protection Law follows a trend of new data protection laws in the Middle East, including a data protection law in Saudi Arabia that will come into force on 23 March 2022.
Who does the Data Protection Law apply to?
The Data Protection Law has extraterritorial effect and will apply to both controllers and processors that are located in the UAE and those located outside the UAE that process the personal data of individuals in the UAE.
Notably, the scope of the Data Protection Law contains significant exclusions, such as in relation to:
- Government data and authorities
- The processing of health, banking, and credit data which is subject to sector-specific legislation
- Companies and institutions located in free zones which have specific data protection laws, such as the Dubai International Finance Centre (DIFC) and the Abu Dhabi Global Market (ADGM)
Many organisations will therefore need to navigate both sectoral and free zone-specific data protection laws alongside the Data Protection Law.
Is the Data Protection Law similar to international data protection laws?
Much of the Data Protection Law will be familiar to those who are experienced with the General Data Protection Regulation (GDPR), which includes core concepts such as personal data; controllers, processors, and processing; the data protection principles; data protection officer (DPO) requirements; and subject rights.
Areas of divergence include:
- More limited legal basis, with a focus on consent as the primary legal basis, and no legitimate interest ground, which is commonly relied on under the GDPR and allows organisations to balance their interests against those of the data subject
- Less onerous transparency requirements (only certain limited information will be required to be provided prior to processing) and no specific privacy notice requirement
- More detailed record of processing requirements
Are international data transfers permitted?
International transfers of personal data are permitted to countries that are approved by the UAE Data Office (forthcoming Executive Regulations are expected to set out these countries), to countries that have a data protection agreement with the UAE, or where certain exceptions apply, such as where data transfer clauses are in place, the data subject has provided consent, or the transfer is necessary for a contract with a data subject
When does the Data Protection Law come into force?
The Data Protection Law will come into force on 2 January 2022. Some of the finer details will be set out in Executive Regulations, to be published by the Cabinet by the end of March 2022. Controllers and processors will have six months from the issuance of the Executive Regulations to comply with the Data Protection Law (around September 2022, depending on when the Executive Regulations are published).
The Data Protection Law does not set out any violations or penalties (these are expected to be issued by the Cabinet).
What should organisations do next?
Organisations subject to the Data Protection Law should review their current personal data processing activities and carry out a gap analysis of their current compliance position against the new requirements.
Organisations that already comply with the GDPR in relation to the data processing that is in scope of the Data Protection Law will be able to take fewer additional compliance steps. However, these organisations still need to consider the nuances of the Data Protection Law and take steps, including the below, to comply:
- Review the scope of processing subject to sector or free zone-specific data protection laws
- Establish another legal basis for processing that relies on legitimate interests under the GDPR
- Update the record of processing activities to comply with the specific requirements of the Data Protection Law
- Ensure the organisation can comply with data breach reporting requirements
- Appoint a DPO for the UAE, if the organisation carries out certain high-risk processing
- Review data transfers from the UAE to determine if an exception can be relied on or if the recipient is located in a country approved by the UAE Data Office (once such countries are identified)
Organisations that have not already developed a compliance framework in line with the GDPR or have not extended it to their UAE-related data processing activities will need to carry out a more comprehensive data protection compliance program. These organisations should take the steps listed above and additional steps, including the below, to comply:
- Put in place a legal basis for each processing activity, including reviewing and updating current methods of collecting consent to ensure they meet the specific requirements of the Data Protection Law
- Establish measures to comply with the data protection principles as well as data subject rights requests
- Create a record of processing activities
- Review processing activities carried out by data processors, and situations in which the organisation acts as a data processor on behalf of others
- Ensure appropriate technical and organisational measures are in place to secure data
- Prior to processing, provide data subjects with transparency information on the purposes of processing, data sharing, and data transfers
- Carry out data protection impact assessments in relation to certain high-risk processing
Latham & Watkins will continue to monitor developments related to data protection laws in the Middle East, including the forthcoming Executive Regulations.