UAE’s Data Protection Law: Between Exceptions and Exemptions

Like Bahrain and Saudi Arabia, the United Arab Emirates has recently issued a comprehensive federal law for the protection of personal data, the “PDPL,” which entered into force on the 2nd of January 2022. 

While this step highlights the increasing awareness around privacy matters in the region and the need for overarching frameworks to govern them, some weaknesses persist. Broad carve-outs show a remaining reluctance from local authorities to expand the scope of personal data protection and completely align it with international standards. 

In the absence of an express reference to a fundamental right to privacy, or the incorporation of international declarations that provide for this right in its Constitution, the UAE needed a framework for the protection of personal data. Unfortunately, as highlighted below, the latter does NOT provide a solid protection against misuses and abuses of personal information by governmental authorities. 

Concepts and Definitions 

At first glance, this recent law seems to have adopted very similar terms to those used in the European General Data Protection Regulation 2016/679 (GDPR) (e.g. data subject, processing, controller and processor) and gives them broadly similar definitions. 

Under the UAE law, “personal data” expressly includes an individual’s name, voice, picture, identification number, electronic identifier, and geographical location. It also defined biometric and sensitive personal data. General principles are also highlighted in the PDPL including, principles of lawfulness, fairness, and transparency (as set forth in Article 5), as well as those of accuracy (from which derives the right to erase and correct inaccurate data mentioned in Article 16), confidentiality (Article 7) and security (Article 9). 

These key principles are broadly similar to those set out in the GDPR as well as other international texts such as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as Convention 108 as well as its modernized version, i.e. Convention 108+). However, as highlighted above, broad carve outs reduce the scope of protection offered by the UAE law, drawing it away from well recognized texts in the field.

Extraterritoriality

The PDPL seems to have adopted an extraterritorial approach to its applicability. In comparison, however, while the EU GDPR applies to non-EU entities, prerequisites such as the targeting or monitoring of EU-based data subjects need to be present to trigger this extraterritorial application. 

Under the UAE’s PDPL and, particularly, Article 2, the territorial scope of applicability seems broader since offshore data controllers or data processors can automatically be subject to the law if they process personal data of subjects who are present in the UAE. Indeed, data protection provisions will apply, under the PDPL, whenever the processing involves:

• The data subject who resides or has a place of business within the UAE;

• the controller or processor is inside the UAE, irrespective of whether the processing of personal data is carried out inside or outside of the UAE; or
• the controller or processor is located outside the UAE and processes personal data of data subjects that are inside the UAE.

Exceptions and Exemptions
One of the major issues of the UAE’s PDPL is that there is an important number of carve outs which weaken its scope of protection and create room for function creep.

Government data
Among the most significant exceptions is the fact that the law excludes government data and does not apply to government entities that control or process personal data. Indeed, Article 2 provides that the provisions of the PDPL “shall not apply” to the following:

1. government data
2. government authorities that control or process Personal Data 
3. personal Data held with security and judicial authorities 
4. a data subject who processes his/her data for personal purposes 
5. health personal data that is subject to legislation regulating the protection and Processing thereof
6. banking and credit personal data and information that is subject to legislation regulating the protection and Processing thereof. e.g. companies and institutions located in the free zones of the State and are subject to special legislation on Personal Data Protection

This, therefore, implies that a large chunk of personal data processing from being will NOT be subject to privacy compliance. Further, by excluding public sector entities from the provisions of this law, the PDPL leaves room for surveillance and function creep.

Other important exclusions 

• Personal health data where applicable legislation regulates the protection and processing of such data. Health information, in particular the transfer of health information outside of the UAE, is already heavily regulated in the UAE under the ICT Health Law and various emirate level laws, policies, and procedures (including those in relation to telemedicine);
• banking and credit data and information where applicable legislation regulates the protection and processing of such data; and
• entities in free zones where sectoral laws in relation to personal data are in place (namely the Dubai International Financial Centre, Abu Dhabi Global Market and, potentially, Dubai Healthcare City).

This will likely make compliance harder on organizations as they will need to navigate through the provisions of the PDPL, the existing sectoral law, and free-zone specific laws.

Finally, another striking exemption is that the PDPL grants the UAE Data Office (Established by Federal Decree-Law No. 44/2021), as a data protection authority, power to exempt establishments which do not process a “large” amount of personal data.

While this likely includes small and medium size businesses, the law does not clearly define what “large” amounts truly means. Such ambiguity will have to be clarified by executive regulations. While the EU GDPR, for instance, exempts small organizations from some obligations such as appointing a Data Protection Officer, this UAE provision might spare certain entities compliance with any of these obligations.

Once again, this creates another layer of imbalance among entities to whom privacy obligations shall apply and further restrains the intended scope of protection.

Data subject rights

In line with international best practices, the UAE law sets out in Articles 13 through 18, a broad range of individual data subject rights including, the right to access personal data (“Right to Obtain Information”), the right to portability of personal data (“Right to Personal Data Transfer”), the right to rectification, the right to be forgotten (“Right to Erasure”), the right to restrict the processing, as well as the right to object to both automated and non-automated processing. 

One important gap identified in these provisions is the fact that the PDPL does not provide for a specific timeline for a controller to respond to a data subject access request. This should also be included in the expected implementing regulation to allow fair implementation of the law.

Lawful Basis

The PDPL presents consent as the primary lawful basis to be used. Such prioritization contradicts the EU GDPR to the extent that the latter considers consent as one among six lawful bases for processing personal data.

Indeed, the PDPL prohibits the processing of personal data without the consent of the individual unless an exception applies. Further, while alternatives to consent include bases such as the performance of a contract and the performance of a legal obligation, the PDPL fails to include legitimate interests as a legal basis for processing personal data. This may complicate compliance for many private sector entities which, quite often, resort to “legitimate interest” as a catch-all category. 

Cross-border Data Transfers

The PDPL allows for cross-border transfers of personal data which will have to be approved by the Data Office provided certain conditions are met. Under Article 22, international transfers would be primarily approved based on either adequacy or other means that could justify the transfer (which are set out in Article 23).

Article 22 provides that adequacy would be established either by (i) the existence of a data protection legislation that contains most important provisions pertaining to the protection of personal data or (ii) by bilateral/multilateral agreements. While the latter case is clear, the criteria for assessing third countries’ data protection legislation to approve international transfers remains ambiguous. A list of “adequate” jurisdiction would still need to be established.

Further, reciprocity and bilateral adequacy may be harder to establish when the UAE law itself contains this many carve outs. Aside from adequacy, the PDPL also allows cross-border transfers on different grounds such as explicit consent of the data subject, public interest, or the necessity to perform a contractual obligation that binds the data subject and the data controller.

Oversight and Enforcement

The law refers to the establishment of a Data Office (established by Federal Decree-Law No. 44/2021) that would serve as a national data protection authority to handle data breach notifications, complaints from data subjects, approve cross-border transfers and adequacy, suggest policies and strategies to foster protection of personal data, and issue guidance and instructions.

A striking provision is Article 27 which grants the possibility to delegate some of the Office’s powers to local government authorities. While involving governmental authorities may not be shocking considering the law excludes the public sector from the scope of its applicability, delegation of oversight in the realm of data protection is certainly not a common legal provision, particularly, since ensuring independent oversight is a key issue.

Finally, while administrative rather than criminal penalties that would be imposed by the Office are anticipated, the law does not specify their nature nor determine any amounts. It seems that, once more, such a provision would need to be clarified by executive regulation.

Conclusion

To conclude, while the UAE’s issuance of a data protection law is a commendable step towards providing safeguards to individuals in the digital space, some critical gaps persist. Indeed, the large carve-outs in the law and, particularly, the exclusion of public sector authorities as well as government data from the scope of application of the law, undermine its effectiveness and leave a wide room for function-creep.

If the intent behind adopting such a text is to align the UAE’s data protection legal framework with international standards and facilitate data flow in and out of the country, critical amendments must be introduced to reduce the scope of exemptions in the law and provide sufficient independence and capacity to the Data Office to achieve its mission of overseeing compliance with and sanctioning violations of data protection obligations.

In a country where digitization has penetrated the public and private sectors and where digital transactions are undertaken on a daily basis, having a solid protection of personal data is key and must apply to everyone, equally.