UAE’s new data protection legislation overflowed with exceptions and exemptions

Like Bahrain and Saudi Arabia, the United Arab Emirates has recently issued a comprehensive federal law for the Personal Data Protection Law, the “PDPL,” which entered into force on the 2nd of January 2022. 

While this step highlights the increasing awareness around privacy matters in the region and the need for overarching frameworks to govern them, some weaknesses persist. Broad carve-outs show a remaining reluctance from local authorities to expand the scope of personal data protection and completely align it with international standards. Among the most striking gaps: the exemption of public sector agencies and government data from the scope of the law. 

In the absence of an express reference to a fundamental right to privacy, or the incorporation of international declarations that provide for this right in its Constitution, the UAE needed a framework for the protection of personal data. Unfortunately, as highlighted below, the latter does NOT provide a solid protection against misuses and abuses of personal information by governmental authorities. 

The absence of a safe and trusted data protection framework is particularly alarming for a country like the UAE which has been prioritizing digitization of various sectors for the past years. Indeed, emirates like Dubai and Abu Dhabi have invested heavily in the fintech industry, in Abu Dhabi alone, 8 million online transactions have been reported for 2020 and, more generally, the UAE ranks amongst the world’s best countries in government digital transformation. While having enabled digitization is commendable, ensuring that the cyberspace is safeguarded and that individuals have the necessary protections is even more crucial.

Concepts and Definitions 
At first glance, this recent law seems to have adopted very similar terms to those used in the European General Data Protection Regulation 2016/679 (GDPR) (e.g. data subject, processing, controller and processor) and gives them broadly similar definitions. 

Under the UAE law, “personal data” expressly includes an individual’s name, voice, picture, identification number, electronic identifier, and geographical location. It also defined biometric and sensitive personal data. General principles are also highlighted in the PDPL including, principles of lawfulness, fairness, and transparency (as set forth in Article 5), as well as those of accuracy (from which derives the right to erase and correct inaccurate data mentioned in Article 16), confidentiality (Article 7) and security (Article 9). 

These key principles are broadly similar to those set out in the GDPR as well as other international texts such as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as Convention 108 as well as its modernized version, Convention 108+). 

Extraterritoriality
The PDPL seems to have adopted an extraterritorial approach to its applicability. As the term suggests, this means that the UAE can extend its legal powers beyond its territorial boundaries. In comparison, however, while the EU GDPR applies to non-EU entities, prerequisites such as the targeting or monitoring of EU-based data subjects need to be present to trigger this extraterritorial application. 

Under the UAE’s PDPL and, particularly, Article 2, the territorial scope of applicability seems broader since offshore data controllers or data processors can automatically be subject to the law if they process personal data of subjects who are present in the UAE. Indeed, data protection provisions will apply, under the PDPL, whenever the processing involves:

  • The data subject who resides or has a place of business within the UAE;
  • the controller or processor is inside the UAE, irrespective of whether the processing of personal data is carried out inside or outside of the UAE; or
  • the controller or processor is located outside the UAE and processes personal data of data subjects that are inside the UAE.

Exceptions and Exemptions
One of the major issues of the UAE’s PDPL is that there are an important number of exemptions and exceptions which weaken its scope of protection and create room for breach of personal data and increase risks of unmonitored surveillance.

Government data
Among the most significant exceptions is the fact that the law excludes government data and does not apply to government entities that control or process personal data. Indeed, Article 2 provides that the provisions of the PDPL “shall not apply” to the following:

  1. government data
  2. government authorities that control or process personal data 
  3. personal data held with security and judicial authorities 
  4. a data subject who processes his/her data for personal purposes 
  5. health personal data that is subject to legislation regulating the protection and processing thereof
  6. banking and credit personal data and information that is subject to legislation regulating the protection and processing thereof. e.g. companies and institutions located in the free zones of the State and are subject to special legislation on Personal Data Protection

This, therefore, implies that a large chunk of personal data processing will NOT be subject to privacy compliance. Further, by excluding public sector entities from the provisions of this law, the PDPL leaves room for unmonitored collection and processing of personal data by state entities without any limitation on the nature, amount, or means of processing. Most importantly, this implies that the public sector in its entirety, cannot be held accountable for any breach of citizens’ personal data. Ultimately, this would undermine trust in government and related digital services.

Other important exclusions 

  • Personal health data where applicable legislation regulates the protection and processing of such data. Health information, in particular the transfer of health information outside of the UAE, is already heavily regulated in the UAE under the ICT Health Law and various emirate level laws, policies, and procedures (including those in relation to telemedicine);
  • banking and credit data and information where applicable legislation regulates the protection and processing of such data; and
  • entities in free zones where sectoral laws (i.e. laws that are industry-specific) in relation to personal data are in place (namely the Dubai International Financial Centre, Abu Dhabi Global Market and, potentially, Dubai Healthcare City).

This will likely make compliance harder on organizations as they will need to navigate through the provisions of the PDPL, the existing sectoral law, and free-zone specific laws.

Finally, another striking exemption is that the PDPL grants the UAE Data Office (established by Federal Decree-Law No. 44/2021), as a data protection authority, power to exempt establishments which do not process a “large” amount of personal data.

While this likely includes small and medium size businesses, the law does not clearly define what “large” amounts truly means. Such ambiguity will have to be clarified by executive regulations. While the EU GDPR, for instance, exempts small organizations from some obligations such as appointing a Data Protection Officer, this UAE provision might spare certain entities compliance with any of these obligations.

Once again, this creates another layer of imbalance among entities to whom privacy obligations shall apply and further restrains the intended scope of protection.

Data Subject Rights
In line with international best practices, the UAE law sets out in Articles 13 through 18, a broad range of individual data subject rights including, the right to access personal data (“Right to Obtain Information”), the right to portability of personal data (“Right to Personal Data Transfer”), the right to rectification, the right to be forgotten (“Right to Erasure”), the right to restrict the processing, as well as the right to object to both automated and non-automated processing. 

One important gap identified in these provisions is the fact that the PDPL does not provide for a specific timeline for a controller to respond to a data subject access request. This should also be included in the expected implementing regulation to allow fair implementation of the law.

Lawful Basis

The PDPL presents consent as the primary lawful basis to be used when consent is NOT always appropriate and should be construed as one among other bases for processing personal data. Such prioritization contradicts the EU GDPR since the latter considers consent as one among six lawful bases for processing personal data.

Consent should be one among other options that constitute bases for the processing of personal data; it should not be the only option. Indeed consent is NOT always appropriate. Under GDPR, there are six available lawful bases for processing personal data. No single basis is better or more important than the others, the most appropriate basis to use will depend on the purpose of processing. Consent is one lawful basis for processing, but it is not always the most appropriate basis especially since it can be withdrawn.

Indeed, the PDPL prohibits the processing of personal data without the consent of the individual unless an exception applies. Further, while alternatives to consent include bases such as the performance of a contract and the performance of a legal obligation, the PDPL does not include “legitimate interest” as a legal basis for processing personal data. The GDPR, for example, provides that, where necessary, personal data may be processed based on the legitimate interests of a data controller, those of the data subject, or even those of third parties. These can include commercial interests, individual interests or broader societal benefits. The absence of “legitimate interest” in the PDPL may complicate compliance for many private sector entities which, quite often, resort to “legitimate interest” as a catch-all category. 

Cross-border Data Transfers
The PDPL allows for cross-border transfers of personal data which will have to be approved by the Data Office provided certain conditions are met. Under Article 22, international transfers would be primarily approved based on either adequate level of protection in the receiving state or other means that could justify the transfer (which are set out in Article 23).

Article 22 provides that adequacy of the level of protection would be established either by (i) the existence of a data protection legislation that contains most important provisions pertaining to the protection of personal data or (ii) by bilateral/multilateral agreements. While the latter case is clear, the criteria for assessing third countries’ data protection legislation to approve international transfers remains ambiguous. A list of “adequate” jurisdiction would still need to be established.

Further, reciprocity and bilateral adequacy may be harder to establish when the UAE law itself contains this many carve outs. Aside from adequacy, the PDPL also allows cross-border transfers on different grounds such as explicit consent of the data subject, public interest, or the necessity to perform a contractual obligation that binds the data subject and the data controller.

Oversight and Enforcement
The law refers to the establishment of a Data Office (established by Federal Decree-Law No. 44/2021) that would serve as a national data protection authority to handle data breach notifications, complaints from data subjects, approve cross-border transfers and adequacy, suggest policies and strategies to foster protection of personal data, and issue guidance and instructions.

A striking provision is Article 27 which grants the possibility to delegate some of the Office’s powers to local government authorities. While involving governmental authorities may not be shocking considering the law excludes the public sector from the scope of its applicability, delegation of oversight in the realm of data protection is certainly not a common legal provision, particularly, since ensuring independent oversight is a key issue.

Finally, while administrative rather than criminal penalties that would be imposed by the Office are anticipated, the law does not specify their nature nor determine any amounts. It seems that, once more, such a provision would need to be clarified by executive regulation.

Conclusion
To conclude, while the UAE’s issuance of a data protection law is a commendable step towards providing safeguards to individuals in the digital space, some critical gaps persist. Indeed, the large carve-outs in the law and, particularly, the exclusion of public sector authorities as well as government data from the scope of application of the law, undermine its effectiveness and leave a wide room for function-creep.

If the intent behind adopting such a text is to align the UAE’s data protection legal framework with international standards and facilitate data flow in and out of the country, critical amendments must be introduced to reduce the scope of exemptions in the law and provide sufficient independence and capacity to the Data Office to achieve its mission of overseeing compliance with and sanctioning violations of data protection obligations.

In a country where digitization has penetrated the public and private sectors and where digital transactions are undertaken on a daily basis, having a solid protection of personal data is key and must apply to everyone, equally.

Featured image via Adobe.

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

Nay Constantine

Nay is a lawyer and legal consultant with expertise in information technology law and data protection matters. She is qualified to practice law in New York and Beirut. She holds a Master’s degrees in law from Harvard Law School and Paris 2 Assas and a Bachelor of laws from Université Saint Joseph.