Data Protection in The United Arab Emirates

19 Apr 2023

The United Arab Emirates (UAE) is a federal state established on 2 December 1971 as a federation of seven Emirates. More than 50 years after its establishment, the UAE, through visionary leadership and the significant wealth gathered thanks to its geographic location (which enabled it to become an air and maritime hub), its large reserves of natural resources and the creation of solid financial and hospitality sectors, has become the second largest economy of the Arab world and one of the most developed countries in the world. Among other factors, one of the main reasons for the UAE's success has been the building of trust among its inhabitants, whether the local population, foreign investors or expatriates. To do so, the UAE has created a thorough legal framework that has enabled a significant foreign population to choose the UAE as their new home. Due to globalization and digitalization, data protection has been at the heart of everyone's concerns, especially those of the UAE Federal Government and of the free zone authorities located in the country. Both businesses and individuals are at the heart of data protection and cybercrime regulations: for instance, banks and financial institutions that handle sensitive operations on a daily basis, or individuals' photos, biometric data, IP addresses and passwords. Although it is indeed a global concern, the UAE has been at the forefront of this battle by establishing impressively thorough legal frameworks on the subject, in order to comply with global standards and to train data protection officers, through Federal regulations and its free zones. This is particularly true for the two main financial free zones in the UAE: the Dubai International Arbitration Centre (DIFC) and the Abu Dhabi Global Market (ADGM), established in 2004 and 2013 respectively.

This article by our cyber security attorneys analyses the data protection regulations at the UAE Federal level, the DIFC level and the ADGM level, their implementation, and the consequences that follow if such regulations are breached.

List Of Data Protection Regulations 

In the UAE, the regulations summarized in the table below constitute the legal framework (a) on the Federal level; (b) in the DIFC; and (c) in the ADGM, together with the authorities responsible for supervising the implementation and enforcement of the relevant regulations within their jurisdiction. These provisions are explained further throughout the article, focusing on their implementation and on the consequences of a breach.

UAE Federal Government
  • Regulations: UAE Constitution of 1971; Federal Law number 3 of 1987 (Penal Code); Federal Decree-Law number 5 of 2012 (Cybercrime Law); Federal Law number 2 of 2019 (Use of Information and Communication Technology in Health Fields); Federal Law number 15 of 2020 (Consumer Protection); Federal Decree-Law number 34 of 2021 (Combatting Rumours and Cybercrimes); Federal Decree-Law number 45 of 2021.
  • Authority: UAE Data Office

DIFC
  • Regulations: DIFC Law number 5 of 2020; DIFC Data Protection Law 2020.
  • Authority: Commissioner of data protection

ADGM
  • Regulations: ADGM Data Protection Regulations 2021.
  • Authority: Commissioner of data protection

Implementation Of Data Protection Regulations

  1. Controller and Processor

  1.1. Controller's and Processor's obligations

Pursuant to the relevant Federal, DIFC and ADGM regulations, both controllers and processors have several key obligations. On the one hand, the controller must maintain a "special record" of personal data (and make it available to the Data Office on request, along with any other information the Data Office requires); ensure that processors provide sufficient guarantees and implement the technical and organizational measures necessary to comply with the Laws; and take appropriate technical and organizational measures to protect personal data (and manage automated processing so that it remains limited to its intended purpose). On the other hand, processors are only permitted to process personal data in accordance with the controller's instructions and with any contract concluded between the controller and the processor. Processors must implement the necessary organizational and technical safeguards to protect personal data and secure the processing environment (including any devices used for the processing). Processors must also keep a unique record of the personal data they have processed for a controller. Further, processors must make sure that processing stays within the defined purpose and processing duration, and they must notify the controller if the processing goes beyond these parameters. According to the Law, an agreement outlining and regulating processing operations carried out by several processors on behalf of a controller will be necessary.

  1.2. The case of Joint Controllers in the DIFC and ADGM

Article 23 of the DIFC Data Protection Law and Article 25 of the ADGM Data Protection Regulations set out the requirements underlying the joint-controller mechanism, which is similar in essence in both jurisdictions. Both regulations provide that joint controllers shall determine, in a transparent manner, their respective responsibilities for compliance with the requirements under the relevant regulations, in particular with regard to the exercise of the data subject's rights and their respective obligations to provide the data subject with the required information. The agreement may name a person whom data subjects can contact. The agreement shall define the respective responsibilities of, and the relationships between, the joint controllers and the data subjects. The data subject must be made aware of the basic terms of the agreement and may exercise his or her rights under the relevant regulations in respect of and against each of the controllers, regardless of the terms of the agreement.

  2. Data Protection Officer

  2.1. UAE Federal Level

According to Federal Decree-Law number 45 of 2021, a data protection officer (DPO) must be appointed whenever the processing involves a high risk to the privacy and confidentiality of the personal data or of the data subject as a result of implementing new technologies; whenever it involves a systematic and thorough assessment of sensitive personal data, including profiling and automated processing; or whenever the processing involves a significant amount of sensitive personal data.

  2.2. DIFC

'High-Risk Processing Activities' are an important concept in the DIFC Data Protection Law 2020. Any organization that routinely engages in High-Risk Processing Activities is required to designate a DPO, as must all official DIFC entities other than the DIFC Courts. The required qualifications and position of the DPO are specified by the legislation. The commissioner of data protection must receive the DPO's details as part of the yearly notification process (or sooner if the details change). The DPO shall be based in the UAE unless the organization is a member of a larger group with a group DPO capable of carrying out the role and its obligations. The DPO may be engaged under a service contract rather than as an employee.

  2.3. ADGM

Similarly to the mechanism in the DIFC, all official ADGM authorities and entities, other than the ADGM Courts, must appoint a DPO. Any other controller or processor subject to the law is required to appoint a DPO if its primary activities involve processing that demands routine, systematic, large-scale monitoring of data subjects, or involve the processing of special categories of personal data. The Data Protection Regulations (DPR) outline the duties and responsibilities of the DPO. The commissioner of data protection must be informed of the DPO's identity. An entity with fewer than five employees is exempt from the requirement to appoint a DPO, unless it is engaged in 'High-Risk Processing Activities' as defined by the ADGM Data Protection Regulations 2021. Indeed, according to the said regulations, processing is construed as 'High Risk Processing Activities' when: "(a) a considerable volume of personal data will be Processed; (b) the Processing is likely to result in a high risk to the rights of Data Subjects; (c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (d) the Processing involves the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise their rights; or (e) the Processing includes what is known as 'special categories' of personal data, except where such processing is mandated by the relevant legal framework."

  3. Commissioner

  3.1. DIFC

The commissioner is appointed by the president of the DIFC, who must make sure the candidate has the necessary education and training. The president must consult the DIFCA Board of Directors before appointing, reappointing or removing the commissioner. The commissioner is appointed for a term of no longer than five years and is eligible for reappointment, as long as he or she does not exceed 75 years of age during the new term. The commissioner is not personally liable for any act or omission under or in connection with this Law, or in connection with his or her duties and powers as commissioner, unless the commissioner acted in bad faith. The DIFCA shall indemnify and hold the commissioner harmless with respect to all liabilities of any kind that the commissioner may incur or suffer in connection with the performance of his or her duties and functions under or related to this Law, as well as his or her duties and functions as commissioner. The commissioner is not expected to bear DIFC Courts costs for actions taken in connection with this Law or incurred while performing his regulatory duties. Where the commissioner is the unsuccessful party and the DIFC Court determines that the commissioner acted in bad faith or beyond the scope of his statutory duties, the DIFC Court may decide to impose costs against the commissioner. The commissioner has the powers granted to him by the DIFC Data Protection Law and is required to exercise those powers and carry out those responsibilities in order to further the goals of this Law and the Regulations. The commissioner must act independently and impartially when exercising his powers and carrying out his duties, and must not take direction from anybody else.

The commissioner's powers and duties include, among others, the following, and he has the right to do whatever he deems necessary to exercise them: to conduct investigations and inspections to confirm compliance with the DIFC Data Protection Law; to issue a finding or make a declaration of compliance; to promote good practices and observance of the requirements of the DIFC Data Protection Law by controllers and processors; to promote greater awareness and public understanding of data protection and of the requirements of the Law and the Regulations in the DIFC; to impose fines for non-compliance with the DIFC Data Protection Law and any regulations, including, from time to time, setting limits or issuing schedules of fines applicable to specific violations of the DIFC regulations; and to commence proceedings for breach of the DIFC Data Protection Law before the DIFC Courts. Such legal actions may either be self-initiated or commenced in response to an investigation of a complaint or request made by a data subject.

  3.2. ADGM

In the ADGM, the Board of Directors of the Abu Dhabi Global Market has the competence to nominate the commissioner. In nominating the commissioner, the board must: ensure that the commissioner is sufficiently qualified and experienced for the position; choose a commissioner from the registrar's suggestion of at least two candidates; announce its choice; and stipulate the appointment period, which cannot be longer than four years. The board may appoint the commissioner of data protection for further consecutive terms, although such terms cannot total more than 12 years. By giving three months' written notice to the ADGM registrar, the commissioner of data protection may resign from his or her position at any time. Only substantial misconduct, or the failure to continue meeting the requirements necessary for the performance of the commissioner of data protection's duties, will result in removal from office by written notice from the board. To safeguard the rights of natural persons in connection with the processing of personal data in the ADGM, the commissioner of data protection is in charge of overseeing and enforcing the implementation of these regulations. The commissioner of data protection shall not be held personally liable for any actions or inactions when acting within the scope of their authority, responsibility or function.

Sanction In Case of Non-Compliance in ADGM

Controllers or processors may incur administrative fines in the course of their professional duties if they commit a prohibited act or omit to do something they are required to do. In such an instance, the commissioner of data protection may, by written notice to the controller or processor (stating the nature of the contravention as well as the amount the controller or processor is liable to pay), impose a fine in respect of the contravention of such amount as the commissioner of data protection determines to be appropriate, taking into account several factors. The amount determined by the commissioner of data protection must not exceed USD 28 million, and the factors taken into consideration are as follows:

  • the intentional or negligent character of the violation;
  • any action taken by the controller or processor to lessen the damage suffered by Data Subjects;
  • the degree of responsibility of the controller or processor, taking into account technical considerations;
  • the nature, gravity and duration of the violation, taking into consideration the nature, scope or purpose of the Processing concerned as well as the number of Data Subjects affected and the level of damage suffered by them;
  • the degree of cooperation with the commissioner of data protection in order to remedy the contravention and mitigate its possible adverse effects;
  • specifically, whether and to what extent the controller or processor notified the commissioner of data protection of the violation;
  • the categories of personal data affected by the violation; and
  • the manner in which the violation became known to the commissioner of data protection.

A controller or processor who has received a Penalty Notice or Direction may ask the ADGM Courts to review the case. The ADGM Courts may issue any orders they deem just and suitable in the circumstances, including determinations of fact as to whether or not these Regulations have been violated, as well as remedies such as damages, fines or other forms of compensation. Anyone who has suffered physical or emotional harm as a result of a violation of these Regulations is entitled to compensation from the controller or processor for their losses. Any such payment is in addition to, and independent of, any fines levied against the same controller or processor under section 55. Any controller engaged in Processing is liable for any harm caused by Processing that infringes these Regulations. A processor is only liable for damage caused by Processing where it has not complied with obligations in these Regulations that are specifically directed at processors, or where it has acted outside of or against the controller's lawful instructions. A controller or processor is exempt from liability if it can demonstrate that it was in no way responsible for the event that caused the damage.

Transfer Of Data in the ADGM

In this part, we focus on the transfer of data outside of the ADGM and to international organizations, mainly in the case of legal proceedings or where such a transfer has been requested by public authorities of a jurisdiction other than the ADGM. It is pertinent to note that such a transfer shall ensure the maximum level of protection of the data, in line with the standards provided by the ADGM Data Protection Regulations. When a controller or processor receives a request for personal data from a public authority outside of the ADGM that has jurisdiction over the controller or processor or any member of its Group, the controller or processor should: use reasonable diligence to assess the legitimacy and appropriateness of the request, including to ensure that any disclosure of personal data is required to meet the requesting authority's objectives; consider the impact of the proposed transfer in light of any potential risks to the rights and legitimate interests of any affected Data Subject and, where appropriate, implement measures to reduce those risks, such as omitting or minimizing the personal data transferred or using appropriate safeguards for the transfer; and, wherever practicable, obtain appropriate guarantees from the requesting authority that it will uphold the rights of Data Subjects.

From an international cooperation perspective, especially given the particular importance the UAE authorities attach to such matters, and in order to make it simpler for laws governing the protection of personal data to be successfully enforced, the commissioner of data protection may establish international cooperation mechanisms with countries outside of the ADGM and with international organizations. He may provide international mutual assistance in the enforcement of laws for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other rights. Finally, he may promote the sharing and documentation of personal data protection laws and policies, including those involving disputes with jurisdictions that are not part of the ADGM. The commissioner may also involve relevant parties in meetings and initiatives to improve global cooperation in the implementation of laws for the protection of personal data.

Conclusion

The UAE, through Federal and free zone mechanisms, has been able to create a legal framework fully compliant with international standards on data protection. These mechanisms are well integrated and, when compared to each other, cover similar key points as to the nature of the data that needs protection, the degree of care required in processing such data, and the duties and obligations of the agents responsible for processing the data. Although the regulations mentioned are recent, their application has been recognized as efficient at the national, regional and global levels, and it will not be a surprise to see the UAE and its free zones regarded as leading jurisdictions for data protection and the fight against cybercrime, as it is one of the country's main objectives to become one of the strongest countries in the world for digital services.