Data Protection Laws and Remedies for Breach in the UAE

The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data Protection (the PDPL), which came into force on 2^nd January 2022, provides for the protection of information and privacy of personal data. Aside from the PDPL, the Constitution of the UAE as well as sector-specific regulations (such as the telecommunications, consumer protection, and cybercrime laws) also provide some limited data protection rights. Some of the free zones, such as the Dubai International Financial Centre ('DIFC'), the Abu Dhabi Global Market ('ADGM'), and the Dubai Healthcare City ('DHCC') have each enacted separate data protection laws applicable to businesses operating in the relevant zone.

The PDPL is the generally applicable federal data protection law and applies broadly to the processing of personal data. 

The Data Protection Law in UAE adopts a concept similar to the GDPR and other similar data protection laws.

What constitutes Personal Data?

“Personal Data” is given a broad meaning, effectively capturing any information that can be used to identify a natural person either directly or indirectly by reference to an identifier such as a name, voice, photo, identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.

The PDPL also covers “sensitive data”, which includes information such as a natural person’s family, racial origin, political, philosophical, or religious beliefs, criminal records, biometric data, health data, the sexual status of such person, etc, and “biometric data” obtained as a result of technical processing of a person’s physical, physiological or behavioral characteristics.

Data Controller & Data Processor

Data Controller – An entity or the natural person which determines the method, approach, criteria, and purpose of processing Personal Data

Data Processor - An entity or natural person that processes Personal Data on behalf of the Controller under the Controller’s direction and instruction

Scope of Application

The PDPL applies to every data controller or data processor

• Processing of personal data of people residing in the UAE or people having a business in the UAE
• In the UAE who processes the personal data of data subjects inside or outside the UAE; and
• Established outside the UAE carrying out processing activities in relation to data subjects located within the UAE

Regulatory Authority

The supervising authority responsible for overseeing the enforcement of the PDPL is set to be the Data Office which is established under the separate Federal Decree-Law No. 44 of 2021 ('Law No. 44/2021') issued contemporaneously with the PDPL. However, up to two years of operation of the PDPL, the Telecommunications and Digital Government Regulatory Authority ('TDRA') will provide administrative and logistical support. The Data Office will be responsible for:

• Issuing guidelines for implementing the PDPL;
• Handling complaints and data breach notifications; and
• Imposing administrative penalties

Key Principles of Data Privacy

There are certain seven key data privacy principles that form the fundamental conditions that one must follow when processing personal data, which are as follows:

• Lawfulness, fairness, and transparency in processing personal data.
• Process personal data for a specified and lawful purpose only
• Data minimization by ensuring that handling and processing data that you truly need and nothing more
• Accuracy in keeping the data up to date and necessary measures are in place for correcting and updating inaccurate data.
• Follow the limitation of time that is required for the need.
• Implement adequate security controls to ensure that personal data is protected against loss, destruction, or damage.
• Should take appropriate measures and records in place to be able to demonstrate your compliance.

Rights Of a Data Subject

A data subject shall have the following rights over their personal, non-personal, and sensitive data:

• Right to delete – A data subject shall have the right to delete personal data by making a request to that effect with the concerned data collector.
• Right to correct – Individuals can have their personal data rectified is inaccurate and also can be completed if it is incomplete.
• Right of access to information - Individuals have the right to be informed about what data is being processed and how it is being processed.
• Right to request for transfer of their data to another controller.
• Right not to be subject to automated decision-making
• Right to lodge a complaint with the Data Office where there is a reason to believe that the provisions of the PDPL have been violated.
• Right to restrict, suspend or stop the processing of their personal data except when:

• the processing of personal data in concerns of protecting the public interest and public health,
• if it was provided by data subject to the public voluntarily,
• in cases like processing is necessary for the defense of legal claims,
• if the processing is necessary for the assessment of an employee’s ability to perform work,
• if the processing is necessary for the Controller to carry out their legal obligations in the field of recruitment, social security or social protection or in compliance with other laws in the UAE
• for archiving, scientific or historical research
• processing is necessary to protect the interest of the Data Subject
• The processing is necessary for the performance of a contract to which the Data Subject is a party.

Exclusions

The PDPL does not apply to government data or government authorities. It is not entirely clear what “government data” means in this context. As it is referred to in its own right, separate from processing conducted by government authorities, so presumably it is intended to have a broader scope and to capture government data in the hands of third parties.

Data Breach

If a data breach is likely to result in a risk to the privacy, confidentiality, and security of personal data, then it must be communicated to the UAE’s Data Office as per Article 9 of the PDPL. The data controller must always notify the data subject of any breach of a data subject’s personal data. The timelines for breach notifications are yet to be determined in the executive regulations in relation to the PDPL.

Other data protection and privacy laws in the UAE

There are several other laws that contain express provisions in relation to privacy and the protection of personal data:

• Constitution of the UAE (Federal Law 1 of 1971)

Article 31 of the Constitution is considered to represent the general right to privacy for citizens of the UAE, where it provides for the right to freedom and secrecy of communication by post, telegraph, or other means of communication under law.

• Cyber Crime Law (Federal Decree-Law No. 34/2021 Concerning the Fight Against Rumors and Cybercrime

A complaint may be filed with the cybercrime unit of the police in the respective emirate where:

• the Offender resides; or
• where the disclosure occurred

The cybercrime unit would investigate the case and decide whether or not to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect. The same procedure identified above is then followed before the Courts. The cybercrime laws include expressing penalties and punishment in respect of breaches of government data and for attempts to commit cybercrime as well. If found guilty of an offense under the Cyber Crime Law, the punishment would be either detention, imprisonment, and/or a fine ranging from AED 150,000 and AED 3 million (Articles 2, 3, 6,7, 8 21, and 22 of the Cyber Crime Law).

• Telecommunications Law and Consumer Protection Regulations ( Federal Law by Decree No. 3 of 2003 Regarding the Organization of the Telecommunication Sector)

The TDRA (Telecommunications Development and Regulatory Authority) is responsible for overseeing the enforcement of the Telecoms Law.

Licensed operators/service providers are subject to a number of obligations, including taking all reasonable and appropriate measures to protect the privacy of subscriber (the data subject here) information, whether in paper or electronic form and prevent its unauthorized disclosure or use. In addition, where it is necessary for a licensed operator to provide subscriber information to a third party that is directly involved in the supply of telecommunication services, the operator must require the third party to take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information and use the subscriber information only to the extent required to provide the relevant telecommunication service.

Article 12 of the Consumer protection regulations issued by the TDRA seeks to ensure the protection of data relating to 'subscribers', or persons who contract with licensed operators for the supply of telecommunications services in the UAE. 'Subscriber information is defined as 'any information relating to a specific subscriber', which includes a person's personal details, service usage details, the content of communications, account status, and payment history.

In case of a breach, the “subscriber” must submit a complaint to the TDRA within 3 months from the last date of the action of the service provider. Upon examination of the said complaint, the TDRA may direct the service provider to undertake remedies as may be applicable under the consumer protection regulations issued by the TDRA.

The law provides that a person who intercepts the contents of telephone calls without prior permission by the competent judicial authorities may be punished with imprisonment for a period of not more than one year and/or a fine of not less than AED 50,000 and not more than AED 200,000.

• UAE Penal Code

Pursuant to Articles 431 & 432 of the Criminal Law, if the Courts find a suspect who by virtue of his profession, occupation, status, or specialization has access to a secret but discloses such secret in other than the cases permitted by Law, or who uses such secret for his own benefit or the benefit of another person or if data is collected by eavesdropping, recording or transmitting conversations done privately or through a phone unless such disclosure or use is authorized by the concerned person,  may be penalized by a fine of at least UAE Dirhams 20,000 (the fine is determined by the Courts) and/or imprisonment for at least one year.

Where the unauthorized disclosure of data violates provisions of the penal code, The Public Prosecutor in the Emirate where:

• the party suspected of the breach (‘Offender’) resides; or
• the disclosure occurred,

If after concluding investigations with the police, the Public Prosecutor is satisfied with the evidence compiled, charges may be brought against the suspect and transferred to criminal courts. A civil claim may also be claimed along with criminal remedies.

Conclusion

The new UAE legal reforms on Data Protection are the comprehensive and integrated frameworks for ensuring data protection. The framework establishes the data processing officers and Controllers for ensuring safety from the basic level. If the concerned are not complying with the legal framework of Data Protection, the companies are not only inviting the risk of penalties but also losing the customer’s confidence in the companies. It is not only focusing on the companies inside the UAE but also the entities outside the UAE, who has their scope of services in UAE.