United Arab Emirates: Personal Data Protection Law coming into force on 2 January 2022

In brief

On 27 November 2021, the UAE published the long-awaited UAE Personal Data Protection Law, Federal Law 45 of 2021 on Personal Data Protection ("Law"). The development signifies a landmark in the evolution of the UAE's regulatory framework and lays the foundation for the modernization of the economy and digitization of the country's growth sectors.

The Emirates Data Office ("Data Office") will act as the new data regulator and will be established by virtue of Federal Law 44 of 2021. Amongst other responsibilities, the Data Office will be responsible for enforcing the Law and for issuing supporting legislation and guidance.

The Law will come into force on 2 January 2022 with its Executive Regulations, which will expand on key topics, to be published within six months of the Law entering into effect (currently 28 May 2022). Controllers and processors will have six months from the date the Executive Regulations are issued to achieve compliance with the Law, although the Data Office has the ability to extend this period if necessary.

In this alert, we set out 10 key aspects of the Law with a view to helping businesses to understand its impact and to prepare for its entry into force.



Key takeaways

  • The Law will be effective from 2 January 2022 but companies will have until November 2022 at a minimum to adapt their operations to achieve compliance with the Law.
  • The Law borrows heavily from the EU General Data Protection Regulation (GDPR), reflecting many of its key concepts including the data protection principles (i.e., the core principles that underpin all personal data processing such as a need to ensure that processing is fair, transparent and lawful; that the personal data processed is adequate and relevant for the purpose; and that the personal data is kept secure and protected against unauthorized processing using appropriate organizational and technical measures).
  • The Law has extra-territorial application and imposes obligations on both controllers and processors (as those terms are commonly understood under EU data protection law) although the obligations imposed directly on processors are more limited.
  • The default position under the Law is that consent of the data subject must be obtained to conduct processing, subject to certain exemptions, such as where the processing is necessary to perform a contract to which the data subject is a party or where the processing is necessary to comply with the controller's legal obligations.
  • Under the Law, there is no legal basis for processing personal data that is equivalent to the legitimate interests legal basis contained in Article 6(1)(f) of the GDPR. Companies which currently rely on this legal basis or an equivalent legal basis under foreign laws will need to legitimize their processing in reliance on an alternative legal basis under the Law.
  • The Law introduces a requirement for controllers and processors to appoint a Personal Data Protection Officer (DPO) in similar scenarios to those set out in the GDPR, including where the processing presents a high level of risk to the confidentiality and privacy of the data subject as a result of the adoption of new technologies or the volume of personal data under processing.
  • The Law contains a personal data transfer mechanism that varies depending on whether the receiving country affords or does not afford an adequate degree of protection to personal data. Further requirements for transfers made to non-adequate jurisdictions will be set out in the Executive Regulations.
  • The Law imposes a duty on controllers to report details of any breach that compromises the privacy, confidentiality or security of data subjects' personal data to the Data Office as well as to the affected data subjects in certain circumstances.
  • The Law does not prescribe any penalties for breach of its requirements but provides that the UAE Cabinet will issue a decision specifying the acts that constitute a breach of the Law and the associated administrative penalties based on a proposal of the Director General of the Data Office.

Companies should monitor for the publication of the Executive Regulations, which will provide further detail on certain requirements under the Law, including the timescales for reporting data breaches and the requirements for transferring personal data to non-adequate jurisdictions.

In the meantime, given that the majority of the Law's requirements are entirely new, we recommend that companies take full advantage of the grace period to assess the Law’s impact and to reflect the requirements in their compliance programs.


This client alert was issued by BM Habib Al Mulla, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

