
The UAE Cabinet Office announced the much-anticipated Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ("PDPL") on November 27, 2021. The PDPL is the UAE's first comprehensive federal data privacy law, governing the acquisition and processing of personal data. It is part of a historic law reform meant to support the UAE's ambitious economic and innovation strategy.
The General Data Protection Regulation ("GDPR") has clearly influenced the PDPL, which is broadly aligned with wider international data protection practice and establishes the core concepts of transparency and accountability.
Definitions
The PDPL employs terms that are extremely similar to those used in the GDPR (e.g., "personal data," "data subject," "processing," "controller," and "processor") and provides broadly similar meanings.
The PDPL's definition of sensitive personal data is comparable to the GDPR's definition of special categories of personal data. There are notable differences; for example, the PDPL definition includes information about a person's family and criminal history. Although criminal offence data is subject to specific treatment under the GDPR, it does not fall within the GDPR's definition of special categories of personal data.
Territory
The PDPL governs the processing of personal data by any of the following:
A data subject who lives or works in the UAE; a controller or processor based in the UAE, regardless of whether the personal data is processed inside or outside the UAE; or a controller or processor based outside the UAE that processes the personal data of data subjects who live or work in the UAE.
When a non-EU organization processes the personal data of EU residents, the GDPR does not automatically apply; certain conditions must be met (targeting or monitoring). In this respect the PDPL is more expansive.
The GDPR, on the other hand, also applies to organizations outside the EU where their processing is carried out "in the context of the activities of an establishment in the EU", that is, where the processing is linked to an EU establishment even though that establishment does not itself perform the processing. The PDPL has no equivalent: it applies only to processing carried out by a person based in the UAE.
The PDPL's wording also applies the law to data subjects themselves, which is odd because data subjects are commonly exempt where they process data for 'personal purposes'.
Exceptions
Under the PDPL, the UAE Data Office can exempt establishments that do not process a considerable volume of personal data. The PDPL also does not extend to entities in free zones that already have their own personal data laws in place (namely the Dubai International Financial Centre, Abu Dhabi Global Market and, potentially, Dubai Healthcare City).
The objective appears to be to exempt small and medium-sized firms. There is no analogous exemption for companies under the GDPR.
Data protection principles
The PDPL sets out general principles of lawfulness, fairness and transparency, as well as purpose limitation, data minimization, data quality, retention and security, which are broadly similar to the GDPR's principles. The Executive Regulations may add further provisions.
Legal basis for processing
Under the GDPR, consent is one of several lawful bases and is not singled out as the primary one. Under the PDPL, by contrast, personal data may not be processed without the individual's consent unless an exemption applies. Processing without consent is permitted, for example, where it is necessary to perform a contract with the data subject; to comply with legal obligations; to protect the public interest; where the data subject has already made the personal data publicly available; or where the processing is necessary for the establishment or defence of legal claims or relates to judicial or security measures (amongst others).
The PDPL does not provide for processing on the basis of 'legitimate interests pursued by the controller or a third party', as the GDPR does.
Consent
Consent must be a specific, informed and unambiguous statement or affirmative action, whether in writing or electronically, indicating the data subject's agreement to the processing of their personal data. This means that enterprises may no longer rely on the so-called "catch-all" consent that has been widely used in the UAE.
Other consent requirements are similar to the GDPR's. Controllers must be able to demonstrate consent. The mechanism for obtaining consent should explain how the data subject can withdraw consent, and withdrawal must be as simple for them as giving consent was. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Data subject rights
The PDPL gives data subjects a variety of rights, including the right to access, the right to request a transfer (which is generally similar to the GDPR's right to data portability), the right to be forgotten, the right to restrict, the right to object, and the right to object to automated processing.
The PDPL's rights are ambiguously drafted and subject to a number of exclusions that do not entirely align with the GDPR. A controller may refuse a data subject's request only in limited circumstances: for example, where the request concerns information not covered by the PDPL; where the request is excessively repetitive or conflicts with judicial procedures or investigations; or where the request could jeopardize the controller's information security efforts or otherwise compromise the privacy and confidentiality of other people's personal data. The information must be provided free of charge. The PDPL does not set a timeframe for a controller to respond to a data subject access request, but the Executive Regulations are expected to address this.
Technical and organizational measures
The PDPL, like the GDPR, imposes a broad security duty on controllers and processors, requiring them to implement measures that are proportionate to the level of risk.
Under the PDPL, the controller and processor must take technical and organizational measures to maintain a high level of data security appropriate to the level of risk. These may include encryption and pseudonymization, measures that ensure the availability of personal data, and measures for testing and assessing the effectiveness of the measures implemented.
Data protection officer
Although the scenarios in which a DPO is required appear to be influenced by the GDPR, they are not identical. The PDPL requires the appointment of a DPO where: the processing of sensitive personal data would result in a high risk to the data subject's privacy as a result of adopting new technologies; the processing would involve a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing; and/or the processing would involve large volumes of sensitive personal data.
The PDPL, like the GDPR, requires enterprises to appoint a DPO with the data protection skills and competence needed to oversee compliance.
The DPO may be an internal employee or an external party based inside or outside the UAE. Organizations that already have a DPO for GDPR purposes can therefore use the same person in a comparable role for the UAE, provided that person has received training and support on UAE requirements. The PDPL also specifies that the DPO must be given the resources needed to carry out their tasks.
Data protection impact assessments
The PDPL requires data controllers to conduct a DPIA when using any modern technology that poses a high risk to privacy and confidentiality. The GDPR frames "high risk" as a risk to the rights and freedoms of natural persons, whereas the PDPL refers to a high risk to the privacy and confidentiality of personal data. It remains to be seen whether this difference in wording makes a significant difference in practice. It is also worth noting that the PDPL limits the DPIA obligation to situations involving "modern technology". Although the GDPR specifically mentions the use of new technologies, its duty to conduct a DPIA is not restricted to those scenarios.
The PDPL specifies the minimum information that an impact assessment must contain, and these requirements coincide with the GDPR's DPIA requirements. They include, for example, a clear description of the nature and purpose of the processing activity in question, an assessment of the necessity of the processing in relation to its purpose, an assessment of the potential risks to data subjects' personal data, and proposed measures to mitigate those risks.
Data breaches
Data breaches must be reported to the UAE Data Office as soon as they are discovered. Any breach of personal data that "prejudices the privacy, confidentiality, or security of a data subject's personal data" must be reported. The PDPL requirement applies to all such breaches, whereas the GDPR's obligation to notify the supervisory authority does not apply to breaches that are unlikely to result in a risk to data subjects. The PDPL's timeframe is notably strict: notification is immediate, whereas the GDPR requires notification without undue delay and, where feasible, within 72 hours.
The controller must also notify the data subject of the breach, and unlike the GDPR, there is no higher threshold (e.g., high risk) for notifying data subjects than for reporting to the Data Office. The Executive Regulations will set out further detail on notifying data subjects, including any reporting period.
As under the GDPR, processors must notify the controller of any breach; the PDPL requires this as soon as they become aware of it, rather than the GDPR's "without undue delay".
International transfers
The PDPL, mirroring the GDPR's concept of adequacy, permits the transfer of personal data outside the UAE to countries with an appropriate level of data protection (although the Data Office has yet to publish a list of such 'adequate' jurisdictions). Transfers to other jurisdictions may be permitted where an exemption applies: for example, where the data subject has given explicit consent and this does not conflict with the UAE's public or security interests, or where the transfer is necessary to fulfil obligations under, or to perform, a contract with the data subject. Although the PDPL does not say so explicitly, we expect the Executive Regulations to set out the list of permitted countries.
Records of processing activities
The PDPL requires controllers and processors to keep records of their processing activities. The content requirements are substantially in line with the GDPR's equivalent obligations, with a few exceptions. Data controllers, for example, must include information about who is permitted to access personal data.
Marketing
Under the PDPL, businesses may use personal data for direct marketing purposes only with the consent of the data subject. Under the GDPR, by contrast, direct marketing is given as an example of processing that may be necessary for a controller's legitimate interests (although separate e-Privacy legislation may require consent).
The PDPL, like the GDPR, gives data subjects the right to object to processing for direct marketing reasons.
Suggested sources:
UAE: Federal level data protection law enacted – Privacy Matters
Ensuring Data Protection - News | Khaleej Times
UAE - Data Protection Overview | Guidance Note | DataGuidance
Data Protection Legislation - Privacy - United Arab Emirates
UAE issues landmark personal data protection law: Clyde & Co
Data protection laws - The Official Portal of the UAE Government
Quick Comparison Chart (GDPR and DIFC) | Practical Law
The impact of GDPR in UAE | CMS Expert Guide
