The United Arab Emirates (UAE) is a federal system with recognized free economic zones (free zones) that draft their own legislation. These free zones are geographically demarcated areas within the UAE that permit foreign ownership and are dedicated to a specific industry, making them business hubs. The relevant federal law only applies if a free zone has not legislated any data protection. The dynamic between free zones and the patchwork of federal legislation makes it crucial for organizations to understand how recent legislation impacts data-driven activities within the UAE.
The UAE’s data regulations consist of a patchwork of sector-specific laws and a recent comprehensive data protection law, Federal Decree-Law No. 45 of 2021, also known as the “Data Protection Law” (DPL). The Data Protection Law went into effect on January 2nd and is awaiting the publication of its implementing regulations. The DPL brings federal legislation closer to harmonization with the legislation of the free zones and with the GDPR.
Three free zones, the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Dubai Healthcare City (DHC), have their own data protection authority and legislation: the Data Protection Law No. 5 of 2020, ADGM Data Protection Regulations 2021, and DHA Health Data Protection Regulation 2013, respectively.
Here are the highlights of data protection in the UAE:
The Data Protection Law applies to organizations that control and process data of UAE citizens, regardless of whether they are inside the state. Organizations incorporated within a free zone are instead subject to their respective data protection laws, even if processing occurs outside the economic free zone.
Sensitive data—data that reveals a natural person’s family, racial origin, political or philosophical views, religious beliefs, criminal records, biometric data, or any data relating to a person’s health or condition—cannot be processed unless the data subject has given explicit consent or the processing is necessary for carrying out the obligations of the data controller. Financial data and personal health information are subject to sector-specific requirements.
Data controllers must be able to prove that the data subject gave consent to the processing of personal data in a clear, unambiguous manner and was aware of the right to withdraw that consent. Upon withdrawal of consent, the data subject can request the erasure of their data. Consent requirements do not apply in the DHC unless organizations intend to disclose patient data.
Data subjects have a limited right to access and the right to correct erroneous information in all jurisdictions. Beyond the DHC, data subjects also have the right to portability, the limited right to request the erasure of their personal data, the right to object to or restrict all processing, and the right to object against automated decision-making and profiling.
Once the purpose of processing has been fulfilled, personal data (excluding personal medical information or financial data) must be deleted, anonymized, or pseudonymized. Federal law requires organizations to safely archive a backup copy of credit data and patient health information after processing. Patient medical information must also be securely retained on the central health data management system for at least 25 years after the patient’s last procedure. Organizations within the DHC must retain patient health data for a minimum of 10 years.
Nearly all sectors and jurisdictions require organizations to protect data through technical and organizational safeguards like encryption or pseudonymization.
Organizations that operate on a substantial amount of sensitive data must have a Data Protection Officer who coordinates with regulatory authorities to demonstrate compliance and report security breaches.
The UAE permits cross-border personal data transfer if the recipient country has special legislation or is committed to multilateral agreements with the UAE to protect personal data. The Health Data Law prohibits the transfer of patient data outside the UAE unless granted special approval. Financial institutions licensed by the UAE Central Bank may transfer data but must retain an accurate copy of it within the UAE.
Organizations can transfer data from the free zones solely to approved jurisdictions. Companies can transfer data to non-adequate jurisdictions only if special additional safeguards – similar to those in the GDPR – are provided. The DHC and the DIFC approve the same jurisdictions. None of the free zones consider the wider UAE adequate. Here are the white-listed countries by the DIFC and the ADGM.
The multiple jurisdictions within the UAE present organizations with a challenge in fulfilling compliance requirements. The UAE is particularly lax on international data transfer. However, sector-specific regulations require the retention and localization of certain types of personal data. The free zones, on the other hand, only permit transfers to approved jurisdictions, which excludes the broader UAE. This exclusion makes it difficult to meet data residency requirements.
Organizations should first identify the regulations to which they are subject. CIOs should then map out the flow of data and determine which data is subject to localization requirements. Data flows should then be modified so that localized data is retained in the relevant jurisdiction. Encryption should be standard practice for safeguarding personal data. Data due for erasure or destruction should be anonymized, pseudonymized, or deleted. Archived data should also be secured appropriately. Understanding data flow within the organization will also assist in managing security breaches and serving data subject rights.