Impact of the GDPR in the United Arab Emirates

1. Applicable legislation governing data protection in UAE

  • National legislation
    • The UAE Penal Code (Federal Law No. 3 of 1987)
    • The Law on Combatting Cybercrimes (Federal Law No. 5 of 2012)
    • The Law on the use of Information and Communication Technology in the Health Sector (Federal Law No. 2 of 2019)
    • The Consumer Protection Law (Federal Law No 15 of 2020)
    • Policies and regulations issued under the Telecommunications Law (Federal Law No 3 of 2003)
    • UAE Central Bank Consumer Protection Regulation and accompanying Standards
  • Freezone legislation
    • Dubai International Financial Centre (“DIFC”) Data Protection Law 2020 (DIFC Law No 5 of 2020) and accompanying Data Protection Regulations 2020
    • Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021
    • Dubai Healthcare City Authority (“DHC”) Health Data Protection Regulation 2013

Note: There are many other freezones in the UAE; however, the ones identified above are the only ones with their own data protection legislation. In the other freezones, the position is governed by the national legislation. In this guide, we refer to the areas outside the freezones identified above as “Onshore”.

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Onshore

The national legislation adopts sector-specific approaches to defining the data it seeks to protect (for example, personally identifiable information relating to medical procedures conducted in the UAE, in the case of Federal Law No 2 of 2019). Where it is more general, as under the Penal Code, it refers to concepts such as “secret” personal information, which is not defined further. It is therefore necessary for Onshore businesses in the UAE to consider the risks specific to the categories and uses of personal data involved in their day-to-day operations.

Freezones

The freezone legislation in the DIFC and ADGM adopts a definition of personal data which is very similar to that found in the GDPR; indeed, both laws are heavily influenced by the GDPR. The DHC Regulation also uses a similar concept of personal data but is limited in scope to patients of DHC-licensed organisations.

2.2 Data Controller and Processor Obligations

Onshore

To the extent that the patchwork of national legislation governs data protection, it generally requires a consent-based approach to processing in order to mitigate risk. The general principle is that organisations (and, under some of the laws, such as the Law on Combatting Cybercrimes, individual natural persons) should not take actions which infringe the privacy of individuals without consent or a legal requirement to do so (such as a court order). The concepts of “controller” and “processor” are not generally adopted, but in some of the sector-specific laws it is clear that the principal business being regulated (such as a bank, a healthcare operator or a telecoms operator) is responsible for managing its supply chain appropriately. Business-to-business contracts in the UAE typically do not contain data protection provisions that a business subject to the GDPR would consider adequate.

Certain Onshore legislation (such as the Abu Dhabi Department of Health Patient Data Standard made under Federal Law No 2 of 2019 and the UAE Central Bank Consumer Protection Regulation) mandates that the regulated entity take specific compliance steps in relation to organisational oversight and accountability, policies and procedures, security measures, breach identification and so on.

Freezones

The controller and processor obligations in the freezone legislation are very similar to those under GDPR.

2.3 Data subjects’ rights

Onshore

The Onshore laws do not generally grant specific exercisable rights to data subjects, although we expect the law to develop further in this regard.

Freezones

The freezone legislation affords similar rights to the GDPR (access, rectification, erasure, restriction, portability, objection etc.). No specific controls exist regulating direct marketing as a distinct activity, other than a requirement to respect objections to the use of data for direct marketing. Controllers would therefore need to assess whether they have a lawful basis to use personal data for direct marketing, but it is possible that such a basis could be legitimate interests, for example, rather than consent.

2.4 Protection granted

Onshore

There is no general data protection regulator Onshore. Under the non-sector-specific laws, such as the Penal Code or the Law on Combatting Cybercrimes, an affected data subject would need to file a police complaint; it would then be up to the police to investigate and determine whether there is evidence to put to the public prosecutor.

Under the sector-specific laws it may be possible for a data subject to complain to a regulator, such as the Central Bank.

Freezones

The DIFC and ADGM have established Commissioners of Data Protection, which are responsible for monitoring and enforcing the respective data protection legislation.

In DHC, a Consumer Protection Unit has been established and a data subject may complain to the unit if they believe the law has been infringed.

2.5 Data protection officer/Representative

Onshore

There is no single defined concept of Data Protection Officer or Representative; however, some of the sector-specific laws require organisations to appoint a person or function to oversee compliance.

Freezones

The DIFC and ADGM legislation both include the concept of a data protection officer. Appointment of a DPO is mandatory for public bodies within the freezone, other than courts. For controllers and processors, a DPO is required based on a qualitative assessment as to the nature of the processing activities in question, similar to the GDPR. The role of the DPO is similar to the role under the GDPR.

The concept of representative does not exist under either law, although it is possible that an organisation based outside the freezone could be subject to the laws and would then need to register with the Commissioner in the freezone.

2.6 Remedies

Onshore

A criminal case would not result in a direct award in favour of a data subject (but could result in prison or a fine against the offender). However, a data subject might be able to bring a civil claim against the offender under contract or under tort, seeking damages for any harm suffered (in addition to a criminal complaint).

Freezones

The freezone regulators have the ability to award large fines against violators and to issue reprimands and make directions, and data subjects have the right to seek damages directly against violators for damage suffered, in the courts of the freezone. Controllers or processors who receive fines or other sanctions have the right to seek judicial review in the courts of the freezone.

2.7 Fines

Onshore

Criminal and regulatory fines may be issued, and there are various maximum limits defined, depending on the law in question and the specific article of that law. In addition, certain offences (typically the more general offences under the Penal Code and the Law on Combatting Cybercrimes) can be punishable by imprisonment.

Freezones

Under the DIFC law, administrative fines can be up to USD 100,000. Non-administrative fines (i.e. fines for serious breaches) are not subject to a defined cap, but will be assessed depending on the severity of the breach.

Under the ADGM regulations, the maximum fine that can be imposed is USD 28,000,000, and will be assessed depending on the severity of the breach.

It is not clear what scale of penalties applies under the DHC regulations, but the regulations do provide a mechanism for the definition and issuing of penalties to violators.

2.8 Other major differences

The Onshore legal environment in the UAE does not have any legislation of general application similar to the GDPR; however, we are seeing the influence of GDPR-style concepts increasingly in new laws.

3. The GDPR impact

3.1 On existing legislation and prospective rules

The GDPR has had a clear impact on the two special financial freezones in the UAE (the DIFC and ADGM) which have been heavily influenced by it in their adoption of new laws (they each previously had briefer data protection laws based on the European Data Protection Directive).

Onshore, we are seeing increasing regard paid to data protection principles in new laws and sector-specific regulations, and it would not be a surprise if a national data protection law were introduced soon. In the wider region, national data protection laws have been introduced in recent times in Bahrain, Egypt, Lebanon and Qatar, and all of these laws employ concepts familiar from the GDPR to a greater or lesser degree. Interim data protection regulations have also been published in Saudi Arabia; their legal status is currently unclear, although the relatively new Saudi Arabia e-commerce law also contains data protection requirements. It is likely that any national UAE law would include concepts broadly analogous to “controller”, “processor”, “data subject” and “personal data”, and core compliance requirements relatively similar to those under the GDPR, such as controls around the legal basis for processing personal data and the granting of certain rights to data subjects.

3.2 In practice

There is increasing recognition amongst UAE businesses, particularly those that deal with international suppliers and customers, that data protection is commercially important. Indeed, tourism is a key sector in the UAE, and a number of businesses involved in this sector, for example, may be directly subject to GDPR under the tests set out in Article 3.

However, amongst the wider business community, particularly SMEs, compliance with international best practice, or even strict compliance with local laws, when it comes to data protection is probably fairly low.

4. Conclusions/expectations/commentary

The data protection landscape in the special financial free zones in the UAE is well-established. Further regulation may follow, such as specific regulation of direct marketing, for example.

Onshore UAE, the legal position appears to be going through a period of rapid change in which the very general basic criminal laws regarding privacy are being supplemented with more nuanced and specific data protection rules for certain industries. So far, the industries receiving the most attention have been the medical, financial and telecoms sectors; however, the new Consumer Protection Law (“CPL”) issued in 2020 looks set to dramatically broaden the data protection landscape in the UAE. The CPL currently contains only very high-level statements in relation to data protection and is not yet in force (there is a one-year grace period). Before the expiry of that grace period, additional executive regulations under the law should be published, and these should provide much more detail as to the data protection requirements that will apply to any business dealing with consumers.

Consumer-facing businesses represent a large proportion of the business community (much larger than the sector-specific communities targeted by data protection legislation so far), so the CPL could represent a new paradigm for data protection in the UAE. Regulations may be published with little prior warning or consultation and with relatively limited time to achieve compliance, so any organisation handling consumer data at scale in the UAE would be well advised to review its current data protection and information security practices, perhaps using the GDPR or the freezone laws as a sensible baseline.

Ben Gibson
Partner
Dubai
Victoria Noto