On 27 November 2021, the UAE published the long-awaited UAE Personal Data Protection Law, Federal Law 45 of 2021 on Personal Data Protection ("Law"). The development signifies a landmark in the evolution of the UAE's regulatory framework and lays the foundation for the modernization of the economy and digitization of the country's growth sectors.
The Emirates Data Office ("Data Office") will act as the new data regulator and will be established by virtue of Federal Law 44 of 2021. Amongst other responsibilities, the Data Office will be responsible for enforcing the Law and for issuing supporting legislation and guidance.
The Law will come into force on 2 January 2022 with its Executive Regulations, which will expand on key topics, to be published within six months of the Law entering into effect (currently 28 May 2022). Controllers and processors will have six months from the date the Executive Regulations are issued to achieve compliance with the Law, although the Data Office has the ability to extend this period if necessary.
In this alert, we set out 10 key aspects of the Law with a view to helping businesses to understand its impact and to prepare for its entry into force.
- The Law will be effective from 2 January 2022 but companies will have until November 2022 at a minimum to adapt their operations to achieve compliance with the Law.
- The Law borrows heavily from the EU General Data Protection Regulation (GDPR), reflecting many of its key concepts including the data protection principles (i.e., the core principles that underpin all personal data processing such as a need to ensure that processing is fair, transparent and lawful; that the personal data processed is adequate and relevant for the purpose; and that the personal data is kept secure and protected against unauthorized processing using appropriate organizational and technical measures).
- The Law has extra-territorial application and imposes obligations on both controllers and processors (as those terms are commonly understood under EU data protection law) although the obligations imposed directly on processors are more limited.
- The default position under the Law is that consent of the data subject must be obtained to conduct processing, subject to certain exemptions, such as where the processing is necessary to perform a contract to which the data subject is a party or where the processing is necessary to comply with the controller's legal obligations.
- Under the Law, there is no legal basis for processing personal data that is equivalent to the legitimate interests legal basis contained in Article 6(1)(f) of the GDPR. Companies which currently rely on this legal basis or an equivalent legal basis under foreign laws will need to legitimize their processing in reliance on an alternative legal basis under the Law.
- The Law introduces a requirement for controllers and processors to appoint a Personal Data Protection Officer (DPO) in similar scenarios to those set out in the GDPR, including where the processing presents a high level of risk to the confidentiality and privacy of the data subject as a result of the adoption of new technologies or the volume of personal data under processing.
- The Law contains a personal data transfer mechanism that varies depending on whether the receiving country affords or does not afford an adequate degree of protection to personal data. Further requirements for transfers made to non-adequate jurisdictions will be set out in the Executive Regulations.
- The Law imposes a duty on controllers to report details of any breach that compromises the privacy, confidentiality or security of data subjects' personal data to the Data Office as well as to the affected data subjects in certain circumstances.
- The Law does not prescribe any penalties for breach of its requirements but provides that the UAE Cabinet will issue a decision specifying the acts that constitute a breach of the Law and the associated administrative penalties based on a proposal of the Director General of the Data Office.
Companies should monitor for the publication of the Executive Regulations, which will provide further detail on certain requirements under the Law, including the timescales for reporting data breaches and the requirements for transferring personal data to non-adequate jurisdictions.
In the meantime, given that the majority of the Law's requirements are entirely new, we recommend that companies take full advantage of the grace period to assess the Law's impact and to reflect the requirements in their compliance programs.
This client alert was issued by BM Habib Al Mulla, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.