January 12, 2022. With the continuing influence of the Covid pandemic, in many ways 2021 was quieter than what we presumably were all hoping for. However, the same cannot be said in the context of legal and regulatory developments in the Middle East – and in particular regarding the regional hot topic that is data protection and privacy law.
In this series of blog posts, we set out a brief overview of some relevant developments for certain key countries.
Part 2 (Saudi Arabia) is accessible here.
Part 3 (Qatar) is accessible here.
Part 4 (Kuwait) is accessible here.
United Arab Emirates
At the end of November, the UAE Cabinet announced the enactment of Law No. (45) of 2021 on Protection of Personal Data (“UAE DP Law”). This was a development that had been eagerly anticipated for many years (until this time, the privacy law framework in the UAE was rather fragmented – with relevant provisions scattered across other federal laws and certain economic free zones having their own comprehensive data protection regimes – but the UAE DP Law marked the advent of a specific federal-level privacy law). The UAE DP Law came into effect on 2 January 2022.
Being broadly predicated on General Data Protection Regulation (GDPR) principles, the general requirements promulgated by the UAE DP Law should be familiar to those accustomed to dealing with privacy and data protection compliance matters at a multi-national organizational level (think processing principles of fairness/transparency, necessity, accuracy/relevancy, erasure/rectification, implementation of adequate safeguards, and storage limitations). Some of the elements of the new framework worth highlighting include:
- The UAE DP Law will be administered by a federal data protection regulatory authority, which will be supported operationally for the first two years by the UAE telecoms regulatory authority, the Telecommunications and Digital Government Regulatory Authority (formerly known as the TRA).
- The primary basis for establishing grounds for processing is consent, which is to be “specific, informed and unambiguous,” and which may be withdrawn.
- The scope of the UAE DP Law is extra-territorial and applies to data subjects who are based in the UAE, entities based in the UAE that are undertaking processing activities (regardless of the location of the data subject), and entities outside of the UAE that process data of data subjects inside the UAE.
- The UAE DP Law does not apply to certain categories of personal data, including data that is separately regulated by another legal framework (such as the economic free zones noted above, the most well-known being the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM)).
- The UAE DP Law requires that regulated entities appoint a data protection officer where certain criteria are met, who may be an employee of the regulated entity or someone that they authorize to act in this capacity, whether inside or outside the UAE, so long as they have the appropriate knowledge and professional skills. Since many organizations captured by this new framework are unlikely to be large enough to warrant appointing a dedicated individual to fulfil this role, it is likely that much demand will ensue for external service providers to satisfy this requirement.
The UAE DP Law expressly contemplates the issuance of a series of pending Executive Regulations, which will shed additional light on the various compliance requirements ushered in by the new law. These are expected to be enacted by the end of March 2022, following which a six-month compliance grace period will begin. Also interesting is that, although the UAE DP Law states (as noted above) that it ought not to apply in economic free zones such as DIFC and ADGM, it also requires that any provision that is contrary to its provisions is to be repealed. As such, and although it is not presently clear, it is possible that free zone entities may need to assess if this is going to impact their operations in the event of any such conflict, and it may be worthwhile to conduct a conflict/gap analysis of the UAE DP Law with the relevant free zone regime.
The long-awaited UAE DP Law was issued as part of a much wider legal and regulatory reform undertaken by the UAE government as part of the 50th Year National Day celebrations, and there are also dozens of other laws that are currently being ushered in (this touches on subject areas including electronic transactions, intellectual property, criminal and cybercrimes laws, and companies laws). The UAE DP Law contemplates that an enforcement regime, including administrative fines, will be issued as part of the pending Executive Regulations; however, the newly issued UAE Cybercrimes Law (Law No. 34 of 2021 Concerning the Fight Against Rumors and Cybercrime) actually criminalizes non-compliant processing and contemplates the possibility of additional monetary penalties and even imprisonment for infractions.
Whether, when, and to what extent these potential criminal avenues of recourse will be sought remains to be seen, but of course this further underscores the need to start thinking about prioritizing compliance and taking any related organizational steps that might be needed to ensure compliance with the newly established letter of the UAE DP Law. Although it is not possible to say precisely when the time for compliance will officially arrive (as this depends on the issuance date of the Executive Regulations), it is likely to occur in or around September of this year – meaning that data protection and privacy assessments, audits, and analysis should be at the forefront of near-term action items for any organization which may be subject to the new UAE DP Law.