UAE DATA PROTECTION, PRIVACY & CYBERSECURITY LAWS – PART 1

26 August 2023

Bini Saroj

Since January 2022, the UAE has undergone a major legal reform amending several important laws such as the UAE Data Protection Law which came into force on 2 January 2022

Dubai: Data Protection has lately been one of the most vital topics discussed as it affects the privacy of each individual and business. The UAE, as a leading hub in the region, has amended its laws to make sure that its legal environment is updated

The UAE Data Office, tightly liaised with the UAE Cabinet acts as the federal data regulator in the UAE. It is responsible to prepare policies and legislations related to data protection, propose and approve the standards for monitoring Personal Data Protection Law, organize complaints and grievances system related to data, and in general prepare platforms and issuing guidelines and instructions to ease the implementation of the law.

The new laws related to Data are issued as well to cover the following:

1.      The Personal Data Protection Law (PDPL), -Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data is an integrated framework guaranteeing the confidentiality of information and protection of the privacy of individuals in the UAE. It provides for a proper governance for data management and protection by defining the rights and duties of all concerned parties.

2.       Data and Privacy Protection Laws issued under the same framework cover the following:

a.     Consumer protection law: The Federal Law No. 15 of 2020 on Consumer Protection protects all consumer rights, including the data of the consumers and refrain suppliers from using any data for marketing purposes.

b.     Data Protection Law: Dubai International Financial Centre (DIFC) Law No 5 of 2020- whereby direct marketing is not specifically regulated as an activity by the DPL or the Data Protection Regulations (DPR). In the event the data is to be used for direct marketing purposes then this must be specified in the processing information provided to data subjects. It is up to the advertising company who is conducting the marketing to point out whether they have a lawful basis, inclusive of consent, to conduct the activity. Individuals or companies have the right to object to their data being used for direct marketing purposes, and such objection should be respected.

c.      Protection of health data and information, Federal Law No. 2 of 2019 concerning the Use of Information and Communication Technology (ICT) in health-related regulates the use of patient data in health care sector in both onshore and in the free zones.

d.     Law on combatting rumors and cybercrimes, Federal Decree Law No. 34 of 2021 addresses the concerns relating to the misuse and abuse of online technologies, increasing the level of protection from online crimes committed through the use of ICT, networks and platforms.

e.      Internet Access Management (IAM) policy which is implemented by the Telecommunications and Digital Government Regulatory Authority (TDRA), in coordination with National Media Council as well as the two licensed internet service providers in the UAE: Etisalat and Du. You can report any online content that is used for impersonation, fraud and phishing and/or invaded your privacy to Etisalat and Du so it is taken down.

f.       Electronic Transactions and Trust Services law – regulates the validity of electronic documents and enhances the legal value of digital signature along with its security level. It provides provisions for e-Transactions, the way e-Documents should be stored and saved, sent and received to be considered as valid. Furthermore; it provides licensing requirements for trust services providers who are duly licensed to create, validate and preserve e-Signatures, e-Seals and digital certification.

3.      Dubai Data law

The Government Dubai passed a law aiming to protect both data and privacy of the individual and provides citizens with the right to request for and access government information. This law is called “Dubai Data Law”

In conclusion, it remains crucial to understand that the legal system of the UAE is multi-layered and laws are issued at the Federal and Emirate level. Additionally, the UAE has many special economic zones (Free Zones) which can issue their own laws and executive regulations. Thus, when a Free Zone has not legislated for data protection, the relevant onshore law will apply in this regard. Therefore all companies must be compliant otherwise they may face penalties and jail term, given the fact that the onshore criminal law is applicable in the Free Zones (independently from the fact that these zones have a data protection law or not).

ALKETBI TOUCH:

Our team frequently provides legal assistance and advice on all regulations, and UAE legal procedures in the event you need to have a deeper understanding and chat about related matters, let us know