Insights & Research
Adv. Drisya Raveendran
Senior Legal Associate
Adv. Arya A Y
The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data Protection (the PDPL), which came into force on 2nd January 2022, provides for the protection of information and privacy of personal data. Aside from the PDPL, the Constitution of the UAE as well as sector-specific regulations (such as the telecommunications, consumer protection, and cybercrime laws) also provide some limited data protection rights. Some of the free zones, such as the Dubai International Financial Centre ('DIFC'), the Abu Dhabi Global Market ('ADGM'), and the Dubai Healthcare City ('DHCC') have each enacted separate data protection laws applicable to businesses operating in the relevant zone.
The PDPL is the generally applicable federal data protection law and applies broadly to the processing of personal data.
The Data Protection Law in UAE adopts a concept similar to the GDPR and other similar data protection laws.
What constitutes Personal Data?
“Personal Data” is given a broad meaning, effectively capturing any information that can be used to identify a natural person either directly or indirectly by reference to an identifier such as a name, voice, photo, identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.
The PDPL also covers “sensitive data”, which includes information such as a natural person’s family, racial origin, political, philosophical, or religious beliefs, criminal records, biometric data, health data, the sexual status of such person, etc, and “biometric data” obtained as a result of technical processing of a person’s physical, physiological or behavioral characteristics.
Data Controller & Data Processor
Data Controller – An entity or the natural person which determines the method, approach, criteria, and purpose of processing Personal Data
Data Processor - An entity or natural person that processes Personal Data on behalf of the Controller under the Controller’s direction and instruction
Scope of Application
The PDPL applies to every data controller or data processor
The supervising authority responsible for overseeing the enforcement of the PDPL is set to be the Data Office which is established under the separate Federal Decree-Law No. 44 of 2021 ('Law No. 44/2021') issued contemporaneously with the PDPL. However, up to two years of operation of the PDPL, the Telecommunications and Digital Government Regulatory Authority ('TDRA') will provide administrative and logistical support. The Data Office will be responsible for:
Key Principles of Data Privacy
There are certain seven key data privacy principles that form the fundamental conditions that one must follow when processing personal data, which are as follows:
Rights Of a Data Subject
A data subject shall have the following rights over their personal, non-personal, and sensitive data:
The PDPL does not apply to government data or government authorities. It is not entirely clear what “government data” means in this context. As it is referred to in its own right, separate from processing conducted by government authorities, so presumably it is intended to have a broader scope and to capture government data in the hands of third parties.
If a data breach is likely to result in a risk to the privacy, confidentiality, and security of personal data, then it must be communicated to the UAE’s Data Office as per Article 9 of the PDPL. The data controller must always notify the data subject of any breach of a data subject’s personal data. The timelines for breach notifications are yet to be determined in the executive regulations in relation to the PDPL.
Other data protection and privacy laws in the UAE
There are several other laws that contain express provisions in relation to privacy and the protection of personal data:
Article 31 of the Constitution is considered to represent the general right to privacy for citizens of the UAE, where it provides for the right to freedom and secrecy of communication by post, telegraph, or other means of communication under law.
A complaint may be filed with the cybercrime unit of the police in the respective emirate where:
The cybercrime unit would investigate the case and decide whether or not to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect. The same procedure identified above is then followed before the Courts. The cybercrime laws include expressing penalties and punishment in respect of breaches of government data and for attempts to commit cybercrime as well. If found guilty of an offense under the Cyber Crime Law, the punishment would be either detention, imprisonment, and/or a fine ranging from AED 150,000 and AED 3 million (Articles 2, 3, 6,7, 8 21, and 22 of the Cyber Crime Law).
The TDRA (Telecommunications Development and Regulatory Authority) is responsible for overseeing the enforcement of the Telecoms Law.
Licensed operators/service providers are subject to a number of obligations, including taking all reasonable and appropriate measures to protect the privacy of subscriber (the data subject here) information, whether in paper or electronic form and prevent its unauthorized disclosure or use. In addition, where it is necessary for a licensed operator to provide subscriber information to a third party that is directly involved in the supply of telecommunication services, the operator must require the third party to take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information and use the subscriber information only to the extent required to provide the relevant telecommunication service.
Article 12 of the Consumer protection regulations issued by the TDRA seeks to ensure the protection of data relating to 'subscribers', or persons who contract with licensed operators for the supply of telecommunications services in the UAE. 'Subscriber information is defined as 'any information relating to a specific subscriber', which includes a person's personal details, service usage details, the content of communications, account status, and payment history.
In case of a breach, the “subscriber” must submit a complaint to the TDRA within 3 months from the last date of the action of the service provider. Upon examination of the said complaint, the TDRA may direct the service provider to undertake remedies as may be applicable under the consumer protection regulations issued by the TDRA.
The law provides that a person who intercepts the contents of telephone calls without prior permission by the competent judicial authorities may be punished with imprisonment for a period of not more than one year and/or a fine of not less than AED 50,000 and not more than AED 200,000.
Pursuant to Articles 431 & 432 of the Criminal Law, if the Courts find a suspect who by virtue of his profession, occupation, status, or specialization has access to a secret but discloses such secret in other than the cases permitted by Law, or who uses such secret for his own benefit or the benefit of another person or if data is collected by eavesdropping, recording or transmitting conversations done privately or through a phone unless such disclosure or use is authorized by the concerned person, may be penalized by a fine of at least UAE Dirhams 20,000 (the fine is determined by the Courts) and/or imprisonment for at least one year.
Where the unauthorized disclosure of data violates provisions of the penal code, The Public Prosecutor in the Emirate where:
If after concluding investigations with the police, the Public Prosecutor is satisfied with the evidence compiled, charges may be brought against the suspect and transferred to criminal courts. A civil claim may also be claimed along with criminal remedies.
The new UAE legal reforms on Data Protection are the comprehensive and integrated frameworks for ensuring data protection. The framework establishes the data processing officers and Controllers for ensuring safety from the basic level. If the concerned are not complying with the legal framework of Data Protection, the companies are not only inviting the risk of penalties but also losing the customer’s confidence in the companies. It is not only focusing on the companies inside the UAE but also the entities outside the UAE, who has their scope of services in UAE.
© 2023 Business Consultant & Law Firm - Legacy Partners. All Rights Reserved.
Designed by Nuewelle Digital Solutions LLP
We typically reply in a few minutes