In early September, the UAE announced the introduction of a new federal data protection law, which is a step towards establishing a data protection regime in the country that would provide an adequate level of protection for data transfers from the European Union and other regulated jurisdictions.
The new Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.
At present, there is no unified set of privacy or data protection laws at the federal level and there is no single national data privacy regulator. The UAE has three different data laws protecting companies in the Dubai International Financial Centre (DIFC), Dubai Healthcare City (DHA), and Abu Dhabi Global Market (ADGM). In addition, the country has general rights to privacy in the Constitution.
Omar Al Olama, the UAE Minister of State for Digital Economy, AI and Remote Working System, has given some clues as to what data subject rights we can expect from the Data Law: It would include the right to be forgotten, right to access, and the right to information.
There is also mention of consent obligations where marketing is concerned. All of these are features of other gold-standard data protection regulations, including Europe’s GDPR (General Data Protection Regulation), the UK’s Data Protection Act, the DIFC’s Data Protection Regulation and the ADGM’s Data Protection Regulation.
The minister said that the Data Law is being drafted in partnership with, and with the input of, major technology companies.
He mentioned that the Data Law has been designed to achieve the following ends:
- have a low cost of compliance, so as not to burden SMEs.
- work effectively in the global data marketplace, allowing international companies based in the UAE to operate data transfers effectively across borders.
- protect the privacy of individuals, particularly from private enterprises seeking to monetise consumers’ personal data for profit.
- subject to certain controls, enable businesses to extract value from the personal data of their customers.

The Data Law seeks to find harmony between privacy, cost, compliance and commerce.
Although the UAE Minister has given assurances that the cost of compliance will be minimal in consideration of SMEs, there might be collateral damage. There will be extra costs to modify and enhance IT infrastructure, appoint someone or train existing staff, and engage a legal consultant.
TRENDS spoke to a couple of industry leaders and lawyers to solicit their views on the new Data Law. They welcomed the new law, saying that it will provide further protection and bring more privacy. At the same time, they expect the cost of compliance to be on the lower side to facilitate small businesses, as the UAE is home to more than 90 percent of SMEs.
When contacted, the Eros Group executive vice-chairman Deepak Babani said the Data Protection Law will bring uniformity in consumer data aspects of decision making in the UAE and globally.
“It will help us work effectively in global markets for cross border data transfers within the defined data privacy policies designed to adequately balance compliance, privacy, trade and costs,” Babani said.
Anthony Peter, Director Customer Service, Panasonic Marketing MEA FZE, said, “It’s a good initiative to protect the privacy of individuals as most of the sensitive information is available online due to the increasing push towards digitization.”
Claude Schuck, Regional Director, Middle East at Veeam Software, termed it “a good sign,” that protecting the privacy of individuals is finally getting legal standing and recognition in the Middle East.
“General Data Protection Regulation in Europe has become a standard, but it was never really adopted in this region up to now. So it’s refreshing to see that the UAE is the first to look at those laws to protect individuals,” Schuck said.
“We now have the option of opting out, we can ensure that our data is being handled in a correct way. We can make sure that we are not targeted by organizations. But more importantly international corporations that are based in the UAE and the Middle East can be assured that policies are being applied when it comes to data in-country – whether it be in terms of the way data is stored, IP is managed etc,” he added.
Sajith Kumar, General Manager – Enterprise at Cloud Box Technologies, said: “We operate more and more in a digital world these days and the UAE’s initiative for protecting data is a step in the right direction. This is also more relevant where much of the data is stored in the cloud”.
Kumar added: “We expect it to be designed to protect the privacy of the people and limit the use by data collection entities. It will empower people to control how their data is being used, stored and shared with third parties for financial gain. It will provide full visibility of personal data.”
Talking about the benefits of the new law, Deepak Babani said that individuals can ensure personal data protection with the privacy norms that would be established where enterprises seek to monetise such data. “At the same time, businesses would be able to extract value for consumers’ business transactions and personal information within the boundaries and controls of the framework being established,” Babani added.
Babani said the cost of compliance is expected to be minimal, especially taking into consideration the SMEs in the country.
For his part, Peter mentioned that every compliance objective needs to be oriented and systems enhanced. “This will lead to some additional cost which can be hidden as well as quantified depending on the size of the business,” he added.
Claude Schuck said: “The good thing for Veeam customers is that we incorporated GDPR when it came out in Europe. Therefore, Veeam customers are fully supported, nothing new to invest in and they can fully comply from day one.”
Kumar believes that since the UAE is home to many start-ups, SME and SMB companies, the cost of compliance should be minimal and should not burden these companies.
Imran Khan, a lawyer at the Dubai-based Bin Eid Advocates, said that the UAE’s data laws such as DIFC and ADGM are based on the gold standard data protection regulations (European Union’s GDPR).
Khan warned that a breach of the Data Law will incur criminal and civil liability, which makes it more protective of users of services, as it will stop misuse of information and increase transparency.
Existing data protection laws in UAE
There is no unified set of privacy or data protection laws at the federal level but there are three different data protection laws in the country.
Abu Dhabi Global Market
In February, the ADGM announced it has enacted the Data Protection Regulations 2021 (ADGM DP Regulations), which will replace the existing ADGM Data Protection Regulations 2015. The purpose of the ADGM DP Regulations is to align the ADGM’s legal framework for the processing of personal data.
FINES: The Commissioner may impose administrative fines in respect of the contravention of the ADGM DP Regulations of such amount as he determines to be appropriate but without exceeding US$ 28,000,000.
Dubai International Financial Market
In July 2020, Dubai International Financial Centre moved to adopt its most recent DIFC Data Protection Law No. 5 of 2020 (DIFC DP Law) in a similar effort to adapt its data protection legal framework to the GDPR. The DIFC DP Law became fully enforceable after a 3-month transition period on 1 October 2020.
FINES: Administrative fines, non-exhaustively listed in the DIFC DP Law, vary between USD 10,000 and USD 100,000. However, the Commissioner may issue a general fine for contravention of the DIFC DP Law outside this range, in an amount he considers appropriate and proportionate.
Dubai Healthcare City
The DHA has its own law, ‘Health Data Protection Regulation’. The purpose of this law is to promote and protect Patient Health Information.