UAE Law Regarding the Protection of Personal Data
The United Arab Emirates joins Saudi Arabia in bringing comprehensive data protection legislation to another country in the MENA region by passing Federal Decree-Law No (45) of 2021 Regarding the Protection of Personal Data (“PPD Law”). Notably, the PPD Law broadly mirrors the GDPR.
The PPD Law will not take immediate effect and will be supplemented by the issuance of a set of Executive Regulations (issued by the Emirates Data Office, which will oversee the PPD Law) which we anticipate will be published in March 2022. Under the provisions of the PPD Law, organizations will have a further six months from the date on which the Executive Regulations are passed in order to comply with the same. This provides a window of around ten months from the date of this alert for businesses to ensure that they are fully compliant. As those familiar with the rollout of the GDPR will recall, whilst 10 months may seem ample time to attend to the issues that we note below, these processes always take longer than anticipated, and we strongly recommend that all businesses that are subject to the PPD Law take immediate action along the lines noted in this alert.
Consequently, please continue reading to find recommendations for preparing for and implementing the PPD Law and an overview of the PPD Law itself.
What Should be Done Now?
Before diving into the details of the PPD Law, this section briefly covers steps to take now to begin preparing for its implementation.
As with other comprehensive data privacy regulations, the first step all businesses should take is to identify the personal data currently being processed. Building the special record of personal data is not only a requirement, but will inform other activities required under the law.
Work with your IT team to determine the technical and organizational measures in place for protecting personal data. Develop a plan to close any gaps between those measures and the express requirements under the law and national and international best standards and practices.
Identify your processors and close any contractual gaps necessary, including any cross-border transfer provisions.
Establish procedures for responding to data subject requests to exercise a right granted under the PPD Law.
Comparison to GDPR
Borrowing heavily from the GDPR, the PPD Law uses a controller/processor scheme with similar obligations for protecting the personal data of data subjects. The PPD Law has extraterritorial applicability to controllers and processors located outside the UAE that process personal data of data subjects in the country. The PPD Law prohibits cross-border transfers of personal data unless the transferee is in a country with adequate protections, is under a contract to provide adequate protections, or the data subject has given express approval. The PPD Law prohibits processing personal data without the approval of the data subject (a concept similar to consent under the GDPR) unless an exception applies. While many of the exceptions are the same, notable exceptions that differ from those under the GDPR include processing of personal data that has become available and known to all by an act of the data subject, and those discussed below related to the workplace. Key obligations of the controllers and processors include:
the control of the amount of personal data processed through a purpose limitation, a data minimization requirement, and a storage limitation;
the obligation to provide data security through appropriate technical and organizational procedures and measures commensurate with the risks and best standards;
the obligation to maintain a record of processing;
a requirement to maintain contractual agreements with processors;
a set of obligations imposed on processors that mirrors those imposed on the controllers; and
a requirement to report data breaches, although more details are expected from the Executive Regulations, including the timeframe for notice.
The PPD Law also contains a bundle of rights of the data subject including the right to: (i) information; (ii) request transfer; (iii) rectification or erasure; (iv) restrict processing; (v) stop processing; and (vi) object to automated processing.
PPD Law in the Workplace
Like the GDPR, the PPD Law’s broad definition of personal data encompasses employee data and processing in the employment context. Unlike the GDPR, the PPD Law contains provisions specific to the employee-employer relationship. The PPD Law is applicable to the processing of personal data of each data subject that resides in the UAE or has a workplace in it. Processing without approval of the data subject is considered lawful if necessary for the purposes of (i) occupational medicine in order to assess the ability of the employee to work; or (ii) the controller carrying out his obligations and exercising his legally-established rights in the field of employment laws.
Other Differences from GDPR
The PPD Law includes several exceptions to its applicability, including data-type exceptions for health data (which is already regulated under the ICT Health Law), government data (which is undefined), and personal bank and credit data, which are already subject to legislation regulating the protection and processing of such data. With this latter point in mind, it will be interesting to see if the Executive Regulations add additional meat to the bone on this point. Additionally, the PPD Law does not apply in the DIFC or ADGM, which have their own bespoke data protection legislation (which similarly borrows heavily from the GDPR).
While certain obligations may be clarified in the Executive Regulations, perhaps the most significant clarifications will be the administrative sanctions and the other acts that constitute a violation of the Law. The PPD Law specifies that the data subject may submit a complaint to the Office and, if it is proven that the controller or processor is in violation, an administrative penalty may be imposed, but for now it is unknown what those penalties will be.
Much like the GDPR, implementing the PPD Law is likely to be time-consuming and it is recommended to begin the process now to avoid facing potential administrative sanctions.