In today’s day and age where the world is moving towards conducting trade through e-commerce and online transactions, foremost requirement for enabling such digitized transaction/s is to register subjects as users with one’s personal data. Resultantly, such personal data has become a valuable intangible asset for any commercial venture/s which has its online presence. It is being maintained and stored in digitized formats with the data controllers/processors. Therefore, it becomes paramount for establishments to safeguard and protect such data.
Accordingly, the UAE Federal Government has formulated much anticipated Federal Decree-Law No. 45 of 2021 which provides for provisions relating to data protection of individual’s personal data, its control and processing. This is the first time that the UAE Federal Government has issued any such Decree.
Some of the salient features of this law are enlisted below:
1. The scope of law applies to both the data controller and the data processor. It primarily applies to cases which involve processing of personal data of data subjects residing within or outside the UAE.
2. It has extra-territorial application as well i.e., it even applies to the data controller/s or the data processor/s who are established outside of the UAE but are engaged in processing of the data of the data subjects based in the UAE.
3. Formation of the UAE Data Office – This office becomes the nodal regulatory authority to govern personal data protection regime in the UAE. The main objective of this authority will be to:
- Propose and devise policy framework.
- Propose and approve monitoring mechanism and personal data.
- Prepare and approve complaints and grievance mechanism.
- Issue guidelines for implementation of the law.
4. The law provides for definition of personal data which is:
a. Any data relating to either an identified natural person or the one who can be identified, directly or indirectly through:
- Linking of the data, or
- By reference to an identifier such as name, voice, picture, identification number, electronic, identifier, geographical location, or one or more physical, physiological, cultural or social characteristics.
5. The law also provides for definition of sensitive personal data as:
a. Any information that directly or indirectly reveals person’s:
- Race
- Ethnicity
- Political
- Philosophical views
- Religious beliefs
- Criminal record
- Biometric data
- Health data including any information relating to such a person’s health
- Sexual data
6. The law does not apply to entities/institutions which have their own data protection laws such as:
a. Government data
b. Public entities
c. Personal data for personal use
d. Health and Credit
7. Further, the law provides that personal data can only be processed with the consent of the data subject. The law provides for necessary conditions under which a valid consent can be obtained by the data controller from the data subjects for the processing of his/her personal data and these are as follows:
a. If consent is relied upon as a lawful basis such as implementation of a contract with the data subject or to amend or terminate it or to protect the legitimate interest of the data subject.
b. Consent could be obtained electronically or in writing but in clear, simple, unambiguous and accessible manner which can also be in the form of ticking the box.
c. The method of obtaining consent should include information how the data subject may withdraw their consent, and the procedure for doing so must be easy.
8. However, there are certain exceptions provided, as enumerated below, when no such consent is necessary such as:
a. for claiming legal rights or as a part of judicial or security procedures.
b. for medical purposes or matters of public health.
c. for archival purposes or for scientific, historical and statistical studies.
d. for any public interest.
e. for data controller’s compliance with legal obligations.
f. any other circumstances specified by the Executive Regulations issued under the law.
9. A controller is also required to give notice to the data subject before processing the information, the purpose of it, details of any third parties with whom the information will be shared with and the safeguards put in place to protect the information so obtained.
10. Before the information is processed, there should be security measures in place conforming to the international standards which should cover:
a. Encryption.
b. Implementing measures involving data pseudonymization. This is in line with the European Union’s (EU) General Data Protection Regulation (GDPR) whereby any information identifying subject is replaced by pseudonyms or other covered up coding. It helps in prevention of the data from being specifically indicative of the user.
c. Implementing measures which will guarantee long term confidentiality, integrity, safety along with processing systems and services flexibility.
d. Implementing measures which will ensure retrieval of access to personal data in case of any actual or technical failure.
11. The data controller, after becoming aware of any data breach which might result in risk to privacy, confidentiality, and security of his/her data, shall immediately notify to the Office and the data subjects of such a breach. regulations. The data processor shall also notify the data controller if it becomes aware of any such breach.
12. Article 10 of the Federal law provides for appointment of Data Protection Officer (DPO) by both the data controller and the data processor where:
a. Processing may give rise to a high risk to the privacy and confidentiality of personal data of the data subject.
b. Processing involves a systematic and overall assessment of sensitive personal data as a part of profiling or automated processing.
c. Processing involves large volumes of sensitive personal data.
13. The law also provides for certain rights which are accorded to the data subject and these are as follows:
a. To receive information from the controller.
b. To port or transfer the data.
c. To cancel or rectify the data.
d. To restrict the data processing.
e. To object the data processing in certain circumstances i.e., for marketing purposes or scientific and statistical research etc.
f. To object to automated processing or profiling which may result in seriously affecting the data subject.
14. An interesting aspect which is covered under the new law is the Data Protection Impact Assessment (DPIA). According to Article 21, data controllers should conduct DPIA prior to the processing that involves new technologies which could pose a high risk to security and privacy of the personal data of the data subjects especially where it covers automated processing/profiling and/or large volume of sensitive personal information.
15. The law further provides for transfer of personal data to countries which are approved by the Data Office. These countries are approved based on them having an adequate level of protection as they either have data protection
laws in place or where specific country have signed up international agreement/s pertaining to protection of personal data. For countries which are not approved, the law does provide for options to enable such transfer. These are as follows:
a. where transfer takes place under a contract which is in conformation with the UAE data protection law.
b. transfer takes pursuant to the express consent of the data subject.
c. transfer is necessary for the execution of a contract between the controller and the data subject or as part of a contract between the controller and a third party that achieves the interests of a data subject.
d. transfer is necessary for international judicial cooperation.
e. transfer is necessary to protect the public interest.
16. The Federal law does not yet contain the penalties which are likely to apply in case of its breach though a complaint can be lodged with the UAE Data Office. Additionally, one can look at the provisions of Article 378 of the UAE Penal Code which provides for liability in case of violation of the private or familial life of individuals committed by one of the following acts, unless authorised by law, or without the victim’s consent:
a. If he lends his ears, records or transmits, through a device of any kind, conversations that took place in a private place or through the telephone or any other device.
b. Captures or transmits, through any kind of device, the picture of a person in a private place.
If these acts were done during a meeting in front of the attending persons, their consent shall be presumed.
Conclusion
It is interesting that the UAE now has a new codified law in place as regards securing and protecting personal data. The law clearly states provisions vis-a-vis setting up of the UAE data office, data controller and data processor’s obligations including appointment of data protection officer, applicability of law, data protection impact assessments, the rights that are enjoyed by the data subject etc. The move is a significant step towards showing the UAE Federal Government’s commitment to align themselves with the international laws and guidelines for data protection and thus adopt best practices of governance regulating collection, use and dissemination of personal data.
If you have any questions about this or any other query related to Corporate & Commercial, Intellectual Property and Trademarks Law, please get in touch with the author Rajiv Suri directly on r.suri@alsuwaidi.ae
Rajiv Suri is a senior associate in the intellectual property and corporate and commercial team at Alsuwaidi & Company. Rajiv advises clients on strategies involving a wide range of intellectual property matters and has been involved in managing corporate portfolios across various industries.