The UAE's new data protection law.
In an increasingly tech-savvy world, in which the average person produces 1.7 Mb of data per second, and 306.4 billion e-mails are sent out each day (according to Forbes), it is evident that the output and consumption of data are rapidly inflating. The UAE’s preceptive and dynamic leadership initiated the highly anticipated Federal Decree-Law No (45) of 2021 Regarding the Protection of Personal Data (PDPL) which came into effect on the 2nd of January 2022. The aim of the legislation, essentially, is to provide a legal framework that ensures the security and confidentiality of personal information and to establish proper governance for data management while clearly outlining the rights and obligations of enterprise organizations and the average person alike.
What Constitutes Personal Data?
As analyzed above, the PDPL provisions aim to provide confidential and sensitive personal data protection. Under the PDPL, “sensitive information” contains any details that can directly or indirectly reveal a person’s:
- Philosophical views
- Religious beliefs
- Biometric data
- Health data
- Sexual state
- Political views
- Any information related to such a person’s health.
- Criminal record
Most significantly, such personal information is lawful to process only through the data subject’s consent. There are, however, exceptions to this rule in certain legal circumstances set under the provisions of the PDPL. Business organizations must adhere to the technical and security standards while processing and controlling private information.
The gravity of Non-Compliance.
The PDPL’s provisions have not explicitly laid out the fines and penalties to be imposed on the organizations found to have breached the regulations of the PDPL. However, it is anticipated that the PDPL will adopt similar heavy fines and penalties to those implemented under the General data protection law (GDPL) of the EU. The 11.5 million Euros fine imposed on Eni Gas e Luce in 2020 by the Italian Supervisory for the breach in articles 6 & 13 of the GDPL can serve as an early caution to organizations in the UAE.
Sphere of Influence.
The PDPL provisions will apply to subjects residing or working in the UAE. Notably, they will also apply to data processors and data controllers in the UAE processing personal data of people within or outside the UAE. Furthermore, individual data processors and controllers established outside the UAE processing data of people in the UAE are subject to the provisions of the PDPL.
However, the PDPL provisions do not encompass and apply to public entities, personal data for personal use, health, and credit data as their respective legislations govern them. The same can be said about entities and organizations in the UAE Freezone areas that established their own personal data protection law (i.e., the DIFC & ADGM).
Comparison with International Data Protection Laws.
Having adopted a similar framework to the GDPR, the PDPL Law uses a controller/processor scheme with similar obligations for protecting personal data. Moreover, The PDPL Law prohibits cross-border transfers of personal data unless the transferee is in a country with adequate protections, is under a contract to provide adequate protection, or has express approval with the data subject. The PDPL Law prohibits processing personal data without the support of the data unless an exception applies. While many exceptions are the same, notable exceptions under the GDPR differ from those incorporated by PDPL in the UAE. The differences are observed during personal data processing made available and known to all by an average person and the workplace.
Final Opinions and Recommendations:
In conclusion, it is evident that the UAE’s wise leadership has emphasized the right to privacy of its citizens through the implementation of the PDPL regulations that follow the international standards adopted. Doing so will significantly enhance the sense of security to the average person when accessing websites and dealing with corporations in the UAE. As such, it is highly recommended that establishments that fall under the provisions of the PDPL take all the necessary actions to fulfill the applicable compliance standards.
By: Abdallah Aws Al-Nassiry