Data privacy has long been a central concern of every society, and increasingly so as technology develops. In the Industry 4.0 era, when data can be accessed with just a few clicks, governments focus heavily on data protection and have imposed many strict regulations to safeguard one of the most important aspects of personal life: data privacy. The United Arab Emirates (UAE) gives it special consideration as well. So, what are the regulations on data protection in the UAE?
To promote data protection and strengthen the privacy of people in the United Arab Emirates, the UAE government has recently passed two federal laws on data protection.
This legislation introduces key principles of international best practice for the protection of personal data to the people of the UAE.
UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PPD Law”) came into effect on 2 January 2022.
The Executive Regulations are expected to be issued in March 2022. Once they are published, organizations will have six months, counted from March, to comply; this period is known as the ‘compliance window’.
The Data Protection Office, established by UAE Federal Decree-Law No. 44 of 2021, will issue guidance and oversee compliance.
The law applies to the Personal Data of individuals residing or working in the UAE. All Controllers and Processors located in the UAE, regardless of whether the individual lives or works in the UAE or abroad, and all Controllers or Processors located outside the UAE who process UAE Personal Data, are subject to the Law on the Protection of Personal Data of the UAE and must comply with it.
Background knowledge on types of data in the UAE
Personal Data includes any data relating to a specific natural person or relating to a natural person that can be identified directly or indirectly by linking the data or through the use of identification elements such as names, voices, pictures, identification numbers, electronic identifiers, geographical locations, or one or more of physical, physiological, economic, cultural or social characteristics, including Sensitive Personal Data and Biometric data.
Sensitive Personal Data is any data that directly or indirectly discloses the family or ethnic origin, political or philosophical opinions, religious beliefs, criminal record or biometric data of a natural person, or any data relating to a person’s health. In certain circumstances, this could include anything from someone’s name to their physical appearance. Sensitive data is regarded in many societies as among the most important categories of data, as it is the core of a person’s right to privacy.
Biometric data is personal data resulting from processing, using a specific technology, of the physical, physiological or behavioral characteristics of an individual, which allows the individual to be identified or their unique identification to be confirmed. Biometric data is among the most important data to protect: unlike a password, a fingerprint or face cannot be reissued after a breach, and the harm is not limited to the individual but also extends to the organizations in which that individual is key personnel.
Although the new UAE legislation covers a wide range of data, some important categories remain to be addressed by further amendment, such as personal health data and personal banking and credit data. These are currently covered by separate legislation and may be brought under the PPD Law in the future.
Data processing and Data Controller & Data Processor
Data processing is, generally, “the collection and manipulation of items of data to produce meaningful information.” In this sense, it can be considered a subset of information processing, “the change (processing) of information in any manner detectable by an observer.”
In terms of method, data processing is any operation or set of operations performed on Personal Data by any means, whether manual, automatic or electronic, for the purpose of handling that data, including collection, storage, recording, organizing, adapting, modifying, circulating, retrieving, exchanging, sharing, using, characterizing or disclosing Personal Data by broadcasting, transmitting, distributing, making available, formatting, merging, restricting, hiding, erasing, destroying, or creating forms for such data.
Data processing may involve many operations, such as:
- Validation – Ensuring that supplied data is correct and relevant.
- Sorting – Arranging items in some sequence and/or in different sets.
- Summarization (statistical or automatic) – Reducing detailed data to its main points.
- Aggregation – Combining multiple pieces of data.
- Analysis – The collection, organization, analysis, interpretation, and presentation of data.
- Reporting – Listing detail or summary data, or computed information.
- Classification – Separation of data into various categories.
Regarding data controller and data processor:
A Controller is any entity, whether an individual or an organization, that processes Personal Data and determines the purpose of the processing as well as its method and criteria.
A Processor is any third party that processes Personal Data on the instructions of the Controller.
The Controller must appoint the Processor under a signed written agreement that clearly sets out the Processor’s obligations, responsibilities and roles.
Accordingly, Processors must apply appropriate technical and security procedures. They must also ensure that the information is accurate and limited to the stated purpose, and that it is deleted or returned to the Controller when appropriate, for example when the data subject requests it.
Processors must also keep a record of the Personal Data they process. When requested, the Processor must be able to provide details of the processing and of the security measures in place.
Any business operating with employees, clients, and/or an online presence must strictly follow the new legislation of the UAE on data protection.
However, there are some exceptions.
Government authorities, security and judicial authorities, and entities located in the UAE free zones, the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC), are governed by their own separate data protection laws.
The basic principle of data protection
When processing data, it is crucial that the data processor complies with the UAE Data Protection Law.
Not only data processors but also the individuals whose data is being processed should know their rights, so that they can best protect their interests and prevent organizations from abusing their data and their rights.
According to this legislation, the personal data of individuals in the UAE must be processed in a fair, transparent, and legal manner. It must also be collected and processed for a specific purpose.
The data collected must be accurate and kept up to date. Upon request from the owner of the data, the data processor must delete or anonymize it immediately, so that the rights of citizens in the UAE are protected.
However, the law by itself cannot make the parties involved place the user’s interests first.
Organizations that carry out data processing must themselves treat the protection of that data as the foremost concern in those activities, rather than focusing only on what they gain from the processing and how it is done.
Active, ongoing controls must be in place to ensure that the requirements set out above are met.
As a practical starting point for meeting these requirements, organizations that process data in the UAE should take the following steps to ensure that the data is protected:
- Identify the Personal Data within the organization.
- Identify how the data is obtained and processed.
- Identify any third parties who process data on the organization’s behalf. Such parties are the Processors (or Data Processors) described above.
- Identify any international data transfers.
- Establish internal procedures to protect personal data and manage individual personal data requests.
As part of these internal procedures, organizations should appoint a Data Protection Officer to ensure that all UAE data protection requirements are strictly followed.
The consent of the owner of data in the UAE
When collecting and processing the data of any individual in the UAE, one of the key rules of the Law on the Protection of Personal Data in the UAE is that the consent of the owner of data must be taken into consideration at all times.
This means that the data owner must acknowledge and consent to the processing, and has the right to withdraw that consent and stop the processing at any time.
The consent may take the form of a written agreement, a ticked checkbox, or similar. The right to stop the processing must be fully explained to the data owner, and there must be no miscommunication on the matter.
Upon receiving a request to stop the processing, the data processor, the data controller and any related parties must comply with the data owner’s request.
There are only a few exceptions under which data may be processed without consent, including when:
- The matter is related to public interest concerns.
- The data has been made public by the data owner.
- The processing of data is essential to protect the interests of the Data Subject or data owner.
- The processing of data is essential to carry out obligations and duties relating to employment or social protection.
- The processing of data is essential to enforce a contract to which the Data Subject is a party or to take measures at the request of the Data Subject to conclude, amend or terminate a contract.
- The processing of data is essential to carry out specific obligations in other laws.