How does the new UAE Federal Decree Law on Personal Data Protection compare against the GDPR?

On 27 November 2021, the much-anticipated Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (“PDPL”) was published by the UAE Cabinet Office. The PDPL is the first comprehensive federal data privacy law in the UAE to regulate the collection and processing of personal data in the UAE. It forms part of an unprecedented reform of the UAE’s legal system designed to enable the country’s ambitious growth and innovation agenda.

A. Background

The PDPL will take effect from 2 January 2022. Further executive regulations are expected to be published on 20 March 2022 (“Executive Regulations”). Whilst the PDPL provides for an implementation period of six months from the publication of the Executive Regulations, this date may be extended at the discretion of the Cabinet.

In addition to the PDPL, UAE Federal Decree-Law No. 44 of 2021 on the establishment of the Emirates Data Office was also issued on 20 September 2021. The UAE Data Office (“Data Office”) will act as the data protection regulatory authority, operationalising the PDPL’s requirements.

The influence of the General Data Protection Regulation (“GDPR”) on the PDPL is clear: the PDPL is generally aligned with wider international data protection practice and enshrines key transparency and accountability principles. In this article, we provide an overview of the PDPL and a high-level comparison against the well-established GDPR.

B. Key aspects

Below we provide a brief overview of the key headlines with a deeper dive in the comparison table in section D of this article.

  • Personal data – this is defined as “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”.
  • Territorial Scope – The PDPL will have extra-territorial reach. It will apply to any organisation that is established in the UAE and processes personal data, as well as any organisation that is established outside the UAE and processes personal data of data subjects inside the UAE. The PDPL will not apply to government data, public entities, health data, banking and credit data.
  • Lawful Basis for Processing – Central to the PDPL is the requirement of consent for lawful processing of a data subject's personal information. However, it also sets out a number of additional lawful bases on which entities can rely to process personal data, such as the public interest, protecting public health and performing a contract, amongst others (Articles 4, 5 and 6).
  • Controller / Processor – The PDPL stipulates controller and processor obligations similar to the GDPR (Articles 7 and 8).
  • Data Protection Officer – The PDPL introduces a requirement to appoint a Data Protection Officer (DPO) who has sufficient skills and knowledge in data protection to oversee compliance (Articles 10 and 11).
  • Record of Processing Activities – The PDPL brings in the requirement to create a record of processing activities (“ROPA”) (Article 7 clause 4 and Article 8 clause 7).
  • Mandatory Data Breach Reporting – The PDPL makes data breach reporting a mandatory requirement (Article 9).
  • Data Subject Rights – The introduction of data subject rights gives individuals new rights over their data such as access, objection, rectification and erasure amongst others (Articles 13, 14, 15, 16, 17, 18).
  • Data Protection Impact Assessments – A requirement to perform Data Protection Impact Assessments (“DPIA”) on processing activities which pose a high risk to the privacy and confidentiality of the data subject’s data (Article 21).
  • Cross Border Data Transfers – Transfers can only take place to approved countries (a list is not yet available) or in limited other circumstances (contractual necessity; public interest). There is no mechanism to use contracts to provide safeguards for data transfers to unapproved countries, so this has the potential to be restrictive. (Articles 22 and 23).
  • Free Zones – The PDPL keeps intact existing laws within the UAE’s financial free zones and will operate alongside the Data Protection Law Dubai International Financial Centre Law No. 5 of 2020 (“DIFC DP Law”) and Abu Dhabi Global Market’s Data Protection Regulations 2021 (“ADGM DP Law”). This means the privacy landscape in the UAE remains relatively complex to navigate and somewhat fragmented.
  • Penalties – The PDPL does not state the penalties that will apply for breaches. The level of sanctions is expected to be specified in the subsequent Executive Regulations. Data subjects can file a complaint with the UAE Data Office if they have reason to believe that the PDPL has been breached by a controller or processor. Administrative penalties can be imposed as part of a decision by the Council of Ministers.
  • Data Office – The Data Office will be the first dedicated onshore national personal data protection regulator in the UAE and will, amongst other things, be responsible for handling data breach notifications, complaints from data subjects, approving jurisdictions with an adequate level of protection for international transfers, imposing administrative penalties and proposing and developing policies, strategies and legislation. In addition, it will undertake awareness raising initiatives and can exempt companies that do not process large volumes of data.

C. What happens next?

It is clear that the UAE has been inspired by the gold standard data protection regime provided in the EU’s GDPR. In light of the PDPL, all businesses operating in the UAE and those processing personal data of data subjects located in the UAE will need to carefully reassess their activities and make changes to align with the new PDPL. Whilst the PDPL will not be effective immediately, we recommend that businesses start to take compliance steps as soon as possible. In addition, any international businesses with global privacy compliance programmes should seek to expand those to cover the UAE. Our dedicated team is on hand to help guide you through all aspects of the PDPL. If you’d like to get in touch, please contact us.

D. Comparison between UAE’s PDPL and EU’s GDPR

The below table explores, at a high-level, some of the main features of the new PDPL in comparison to the EU’s established GDPR.

Definitions

The PDPL uses very similar terms to the GDPR (e.g., ‘personal data’, ‘data subject’, ‘processing’, ‘controller’ and ‘processor’) and gives them broadly similar definitions.

The definition of personal data expressly includes an individual’s name, voice, picture, identification number, electronic identifier, and geographical location. It also includes sensitive personal data and biometric data.

The definition of biometric data is personal data resulting from processing, using a specific technique, relating to the physical, physiological or behavioural characteristics of a data subject, which allows or confirms the unique identification of the data subject, such as facial images or dactyloscopic data.

The definition of sensitive personal data is comparable with the GDPR’s definition of special categories of personal data. There are some differences – for example, the PDPL’s definition includes data revealing an individual’s family and criminal record data. Whilst criminal offence data is treated differently to other personal data under GDPR, it does not fall under the definition of special categories of personal data.
Territoriality

The PDPL applies to the processing of personal data by any:

  1. data subject who resides or has a place of business within the UAE;
  2. controller or processor inside the UAE, irrespective of whether the processing of personal data is carried out inside or outside of the UAE; or
  3. controller or processor located outside the UAE, who processes personal data of data subjects that are inside the UAE.

The GDPR does not automatically apply where a non-EU organisation processes personal data of individuals in the EU – certain conditions have to be met (targeting or monitoring). PDPL is broader in this regard.

However, GDPR also applies to organisations outside the EU where their processing is “in the context of the activities of an establishment in the EU” – i.e., GDPR can apply when processing is connected to an EU establishment even if that establishment does not carry out the processing. By contrast, PDPL only applies to processing by the UAE person.

The application of the law to data subjects reflects the wording of the PDPL and is somewhat odd as data subjects will often benefit from an exemption if they process data for ‘personal purposes’.

Exceptions

The PDPL allows the UAE Data Office to exempt establishments that do not process a large volume of personal data. It appears that the intention is to exempt small and medium sized businesses. The GDPR does not have an equivalent exemption mechanism for businesses.

Data protection principles

The PDPL contains general requirements regarding lawfulness, fairness and transparency, purpose limitation, data minimisation, data quality, retention and security that are broadly similar to the principles set out in the GDPR. There may be further provisions outlined by the Executive Regulations.

Legal basis for processing

Under GDPR, consent is one of a number of lawful bases and is not presented as the primary lawful basis. The PDPL, however, prohibits the processing of personal data without the consent of the individual unless an exception applies. For example, processing will be permitted without consent if it is necessary to execute a contract with a data subject; to comply with legal obligations; to protect the public interest; if the personal information has already been made publicly available by the data subject; or if the processing is necessary for the establishment or defence of legal claims or relates to judicial or security measures (amongst others). The PDPL does not allow for processing on the basis of ‘legitimate interests’ pursued by the controller or a third party, a basis which the GDPR does provide.

Consent

Consent needs to be a specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data, given by a statement or by a clear affirmative action, whether in writing or electronically. This means that businesses can no longer rely on ‘catch all’ consent, which has been commonly used by UAE businesses.

Other consent requirements are similar to those set out in the GDPR. Controllers will need to be able to prove consent. The method for obtaining consent should include information on how the data subject may withdraw consent, and the procedure for doing so must be easy for them. Withdrawal of consent does not impact the legality of the processing carried out prior to the withdrawal.

Data subject rights

The PDPL provides data subjects with a number of rights including: (i) the right to access; (ii) the right to request the transfer of their data (which is broadly consistent with the right to data portability under the GDPR); (iii) the right to be forgotten; (iv) the right to restrict processing; (v) the right to object; and (vi) the right to object to automated processing.

The rights under the PDPL are nuanced and subject to various exceptions which do not fully align with the GDPR. The controller may only reject a data subject’s request in limited circumstances: for example, where the request is for information not covered under the PDPL; where the request is overly repetitive; where it conflicts with judicial procedures or investigations; where it could adversely affect the controller’s information security efforts; or where it otherwise affects the privacy and confidentiality of others’ personal data. The information needs to be provided without charge. The PDPL does not set out a timeline for a controller to respond to a data subject access request, although this is expected to be covered in the Executive Regulations.

Technical and organisational measures

Like GDPR, the PDPL contains a general security obligation for controllers and processors that requires them to put in place measures appropriate to the level of risk.

The PDPL provides that the controller and processor must implement technical and organisational measures to maintain a high standard of data security appropriate to the level of risk. These may include encryption and pseudonymisation, technical and organisational measures that guarantee the availability of personal information, and measures for testing and assessing the effectiveness of the measures implemented.

Data protection officer

Like the GDPR, the PDPL introduces the role of the data protection officer (DPO).

Under the GDPR, public authorities and any organisation whose core activities require “regular and systematic monitoring” of data subjects “on a large scale” or “large scale” processing of special categories of data or criminal convictions and offences are required to appoint a DPO.

Although the situations in which it is mandatory to appoint a DPO seem to be influenced by the GDPR, they are different. The PDPL requires a DPO to be appointed when the processing would cause a high risk to the privacy of the data subject as a consequence of adopting new technologies, when the processing would involve a systematic and comprehensive assessment of sensitive personal data (including profiling and automated processing), and/or where the processing will be carried out on large volumes of sensitive personal data.

Like the GDPR, the PDPL provides that companies must appoint a DPO who has sufficient skills and knowledge in data protection to oversee compliance.

The DPO can be an employee of the company or an external party who may be based inside or outside the UAE. As such, companies who have DPOs for GDPR purposes could use the same individual to fulfil a similar role in relation to the UAE, provided that individual has training and support on UAE requirements. Moreover, the PDPL outlines that resources should be made available to the DPO to guarantee that they are able to carry out their responsibilities.

Data protection impact assessments

The PDPL introduces a requirement on data controllers to perform DPIAs when using any modern technology that would pose a high risk to privacy and confidentiality. Under GDPR, “high risk” is measured by reference to the risk of infringing a natural person’s rights and freedoms – but the PDPL talks about a high risk to the privacy and confidentiality of the personal data. It remains to be seen if this difference in language results in a significant difference in practice. Also, it is notable that the PDPL limits the DPIA requirement to where “modern technology” is used. Whilst the GDPR calls out the use of new technologies in particular, the requirement to carry out a DPIA is not limited to these situations.

The PDPL sets out the minimum information that should be included in an impact assessment and these overlap with the requirements of a DPIA pursuant to GDPR. For example, a clear explanation of the nature of the processing activity concerned and the purpose, an assessment of the necessity of the processing in relation to its purpose, an assessment of the potential risks on the protection of personal information of data subjects and the suggested measures to mitigate the potential risks of such processing activities.

It is expected that the Data Office will prepare a list of the types of processing operations for which no personal data protection impact assessment is required, and make it available through its website.

Data breaches

Data breaches must be notified to the UAE Data Office immediately upon awareness. The obligation is to report any personal data breach that would “prejudice the privacy, confidentiality and security of a data subject’s personal data”. The obligation applies to all data breaches, whereas the GDPR’s supervisory authority notification obligation in relation to personal data breaches does not apply to breaches that are unlikely to result in a risk to data subjects. The strict timing under the PDPL is notable – it is immediate, whereas GDPR specifies that notification should be without undue delay and, where feasible, not later than 72 hours.

The controller must also notify the data subject of the breach and, unlike the GDPR, there is no higher threshold (e.g., high risk) for any such data subject notification than that which is set for notifying the Data Office. More details in respect of notifying data subjects will be set by the Executive Regulations, including any reporting period.

Similar to the GDPR, there is an obligation on processors to inform the controller of any breach, though under the PDPL this must be done as soon as they become aware of it (rather than the GDPR’s timing, which is “without undue delay”).

Transparency

The PDPL does not include an express requirement for controllers to provide privacy information to data subjects.

As noted in the data subject rights section above, data subjects have the right, by submitting a request to the controller without charge, to receive the types of information which would ordinarily be contained in a privacy notice. In response, the controller must share specific information, such as the type of data that is processed, the purposes for processing, the recipients of the data inside or outside the UAE, the procedures for exercising their rights and the protection measures taken for international processing of the personal data.

Records of processing activities

The PDPL requires controllers and processors to maintain a record of processing activities. The content requirements are largely aligned with the equivalent requirements under the GDPR, but with some additional points. For example, data controllers are required to include the data of the persons authorised to access the personal data.

International transfers

Similar to the GDPR's concept of adequacy, the PDPL allows for the transfer of personal data outside of the UAE to countries having an adequate level of data protection (though the list of such ‘adequate’ jurisdictions is not yet published by the Data Office). It may be possible to transfer data to other jurisdictions where any exemptions apply: for example, securing the explicit consent of the data subject, provided that this does not conflict with the public or security interests of the UAE, or where the transfer is necessary to perform obligations or to execute a contract with the data subject. While it is not expressly stated in the PDPL to be the case, we would expect the Executive Regulations to include details of approved countries.

Marketing

The PDPL sets out that businesses may only use personal data for direct marketing purposes with the consent of the data subject. Under the GDPR, processing for direct marketing purposes is given as an example of processing that could be necessary for the legitimate interest of a controller (though separate e-Privacy legislation could require consent).

Like the GDPR, the PDPL has a right for data subjects to object to processing for direct marketing purposes.

