Breaking Down the UAE’s Data Protection Law


by Maha Dagher

In today’s digital world, personal information is everywhere, from the applications we use to the services we depend on. Keeping that information safe has never been more important, and the United Arab Emirates (UAE) has staked out its position in this field. With Federal Decree-Law No. 45 of 2021, known as the UAE Data Protection Law (or PDPL), the country has put in place a modern and comprehensive regime for safeguarding personal data.

The UAE Data Protection Law is a deliberate step toward modernizing the country's digital regulation, and it draws visibly on the European Union's General Data Protection Regulation (GDPR). It nevertheless sets its own standards and rules for the collection, storage and transfer of personal data, both within the UAE and across its borders.

Companies, entrepreneurs and residents in the UAE need to understand this law, because it increasingly shapes their day-to-day operations. Data privacy is no longer a concern of the technology sector alone; it now determines how people do business and live their lives. The sections below walk through the essential rules the UAE Data Protection Law establishes.

Scope of the UAE Data Protection Law

The UAE Data Protection Law governs the processing of personal data both inside the country and across its borders. It covers processing carried out wholly or partly by automated means as well as by other methods, and it applies to three groups in particular: data subjects who reside or have a business in the UAE; controllers and processors established in the UAE that process the personal data of data subjects, wherever in the world those subjects are located; and controllers and processors established outside the UAE that process the personal data of data subjects located inside the country. Note that the law does not apply to government data, government entities, or personal data held by the security and judicial authorities, nor to personal data processed in free zones that have their own data protection legislation (such as the DIFC and the ADGM), and that health and banking data remain subject to their own sector-specific legislation. A company should therefore confirm which regime it actually falls under before mapping its obligations.

The Requirement for Consent and Exceptions

Consent is the primary legal basis for processing personal data under the UAE Data Protection Law. Consent must be clear, specific, unambiguous and freely given by the person whose data is being processed (the data subject), either in writing or by electronic means. The controller must also provide a simple mechanism that allows the data subject to withdraw consent at any time[1]. The GDPR imposes similar standards: under Article 7[2], the controller must be able to demonstrate that the data subject has consented to the processing, and a consent request must be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.

In both regimes the burden of proof sits with the controller: it must be able to show that valid consent was obtained before the processing took place, and that it was still in force while the processing continued.

The UAE Data Protection Law also sets out specific cases in which consent is not required. For instance, personal data may be processed without consent where processing is necessary to protect the public interest, to perform a contract to which the data subject is a party, or to comply with a legal obligation, or where the data subject has deliberately made the personal data public[3].

The Protection of High-Risk Data and the Call for DPOs in the UAE

The UAE Data Protection Law imposes specific responsibilities on organizations whose processing poses a high risk to individuals. A controller or processor that processes large volumes of sensitive personal data, or that relies on new technologies in a way that creates a high risk to the confidentiality and privacy of personal data, must appoint a Data Protection Officer (DPO)[4]. The DPO monitors the organization's compliance with the law, oversees its data processing operations and helps it reduce its data protection exposure[5].

The term "Sensitive Personal Data", as defined in the UAE Data Protection Law, spans several categories. It covers any data that reveals a person's family, racial origin, political opinions or religious beliefs, criminal record, biometric data, and any data relating to health, including genetic data and mental health conditions. Because of the delicate nature of this information, companies that process it face additional legal requirements and closer scrutiny, and must treat it with special care.

The law requires businesses to appoint a DPO when they carry out high-risk processing, yet it does not define what counts as a "large volume of personal data" or "new technologies". Article 10 states that these concepts will be clarified in the Executive Regulations, but until those regulations are issued, businesses must make their own assessment. As a working reading, "large volume" describes the collection, storage or processing of personal data at scale, often across multiple systems or platforms, while "new technologies" describes modern tools such as artificial intelligence (AI), machine learning, blockchain and other digital technologies that could significantly affect data privacy.

The GDPR likewise does not define "large scale" processing, but the Article 29 Data Protection Working Party's "Guidelines on Data Protection Officers ('DPOs')" offer practical guidance that can be borrowed here. Under those guidelines, a business should weigh several factors before deciding whether its operations amount to large-scale processing: the number of data subjects concerned, the volume and range of data items processed, the duration or permanence of the processing, and its geographical extent[6].

Businesses operating in the UAE should review their processing activities against these criteria to determine whether they must appoint a DPO, and to identify the other compliance obligations the UAE Data Protection Law imposes on them.

Cross-Border Transfer of Personal Data

Companies operating in the UAE must take care before moving personal data outside the country. A transfer is permitted where the destination country provides a level of protection comparable to that of the UAE, or where a treaty between the UAE and that country governs the transfer. Where neither condition is met, the company must rely on an alternative safeguard, such as contractual clauses that bind the recipient to obligations consistent with the law, or the explicit consent of the data subject.

This framework shares much with global practice, and with the GDPR in particular. Transfers outside the UAE are regulated so that personal data remains protected after it crosses the border. A transfer is permitted where the destination country has legislation that provides a level of protection equivalent to that of the UAE, or where a bilateral or multilateral treaty concerning data protection exists between the UAE and the receiving country[7]; in either case the adequacy assessment rests with the UAE Data Office.

The UAE Data Protection Law also provides other lawful routes for cross-border transfers. One is a contract between the exporting controller or processor and the recipient that contains data protection obligations consistent with the law; another is the explicit, informed consent of the data subject, provided the transfer does not conflict with the public or security interests of the UAE. Personal data may also be transferred abroad where the transfer is necessary to perform a contract or to comply with a legal obligation, for international judicial cooperation, or to protect an important public interest[8].

The Intersection with Cybercrime Law

The UAE further protects personal data through Federal Decree-Law No. 34 of 2021 (the Cybercrime Law), which criminalizes unauthorized access to personal data, breaches of digital privacy and a range of other cyber-related offences. Together, the Data Protection Law and the Cybercrime Law form a robust legal framework that both mandates digital security measures and imposes penalties on those who violate them.

Conclusion

The UAE has established strong data protection measures in support of its ambition to become a leading global centre for digital innovation and economic development. Every business that operates in the UAE, or that deals with people and organizations there, has a responsibility to understand and comply with the UAE Data Protection Law. Compliance not only discharges a company's legal obligations; it also builds the confidence of customers and business partners in a growing data economy.

[1] Article 6, Federal Decree-Law No. 45 of 2021

[2] Article 7, GDPR

[3] Article 4, Federal Decree-Law No. 45 of 2021

[4] Article 10, Federal Decree-Law No. 45 of 2021

[5] Article 11, Federal Decree-Law No. 45 of 2021

[6] Article 29 Data Protection Working Party (WP29), Guidelines on Data Protection Officers ('DPOs'), section 2.1.3 "Large scale"

[7] Article 22, Federal Decree-Law No. 45 of 2021

[8] Article 23, Federal Decree-Law No. 45 of 2021
