UAE Federal Decree Law 45 on Personal Data Protection
United Arab Emirates joins Saudi Arabia in passing Federal Decree Law No. (45) of 2021 on Personal Data Protection (“PPD Law”) to apply comprehensive data protection legislation to another country in the MENA region. Notably, the PPD largely reflects GDPR legislation.
The PPD law will not come into force immediately and will be complemented by the publication of a set of executive regulations (issued by the Emirates Data Office – which will oversee the PPD law) which we believe will be published in March 2022. In under the provisions of the PPD law, organizations will have an additional six months from the date of adoption of the executive regulations to comply with them. This gives companies a window of ten months from the date of this alert to ensure their full compliance. As those familiar with the GDPR rollout will recall, while 10 months may seem like enough time to fix the issues we note below, these processes always take longer than expected and we strongly recommend that all businesses subject to PPD law take immediate action along the lines indicated in this alert.
Therefore, please keep reading to find recommendations for the preparation and implementation of the PPD law and an overview of the PPD law itself.
What should we do now?
Before delving into the details of the PPD, this section briefly covers the steps you can take right now to start preparing for the implementation of the PPD.
As with other comprehensive data privacy regulations, the first step that all businesses should take is to identify the personal data that is being processed. Building the special personal data file is not only a requirement, but will inform other activities required by law.
Work with your IT team to determine the technical and organizational measures in place to protect personal data. Develop a plan to close any gaps between these measures and the express requirements of the law and best national and international standards and practices.
Identify your subcontractors and fill any necessary contractual gaps, including any provisions relating to cross-border transfers.
Establish procedures to respond to data subjects’ requests to exercise a right granted under the PPD Act.
Comparison with GDPR
Borrowing heavily from the GDPR, the PPD law uses a controller / processor system with similar obligations to protect the personal data of data subjects. The PPD law has extraterritorial applicability to controllers and contractors located outside the United Arab Emirates who process the personal data of data subjects in the country. The PPD law prohibits cross-border transfers of personal data, unless the transferee is in a country offering adequate protections, is under contract to provide adequate protections or with the express approval of the data subject. The PPD law prohibits the processing of personal data without the approval of the data subject (a concept similar to consent under the GDPR) unless an exception applies. Although most of the exceptions are the same, additional notable exceptions include exceptions that differ from those of the GDPR, in particular when the processing is linked to personal data which has become available and known to all by an act of the data subject and those discussed below related to the workplace. The main obligations of data controllers and processors include:
control of the amount of personal data processed through a purpose limitation, a data minimization requirement and a storage limitation;
the obligation to ensure data security through appropriate technical and organizational procedures and measures, proportionate to the risks and to the best standards
the obligation to keep a record of the processing;
an obligation to maintain contractual agreements with subcontractors;
a set of obligations imposed on processors which mirror those imposed on data controllers; and
an obligation to report data breaches, although more details are expected from the executive regulations, including the notification deadline.
The PPD law also contains a set of rights of the data subject, including the right to: (i) information; (ii) request a transfer; (iii) rectification or erasure; (iv) restrict processing; (v) stop treatment; and (vi) object to automated processing.
PPD law in the workplace
Like the GDPR, the broad definition of personal data in the PPD law encompasses employee data and its processing in the context of employment. Unlike the GDPR, the PPD law provides specific provisions for the employee-employer relationship. The PPD law is applicable to the processing of personal data of every data subject who resides in the UAE. where is a workplace. Treatment without the approval of the person concerned is considered lawful if it is necessary for the purposes (i) of occupational medicine in order to assess the employee’s work capacity; or (ii) the data controller fulfilling his obligations and exercising his legally established rights in the field of labor law.
Other differences from the GDPR
The PPD law includes several exceptions to enforceability, including data type exceptions for health data (which is already regulated by the ICT health law), government data (which is undefined) or personal banking and credit data which have legislation regulating the protection and processing of such data – with this last point in mind, it will be interesting to see if the Executive Regulations add extra meat to the bone on this point. Additionally, the PPD law does not apply to DIFC or ADGM, which have their own tailor-made data protection laws (which also borrow heavily from the GDPR).
Although some obligations can be clarified in the Executive Regulations, administrative sanctions and other acts constituting a violation of the law will perhaps be the most significant. The PPD law specifies that the data subject can lodge a complaint with the Office and if it is proven that the controller or the processor is in violation, an administrative sanction can be imposed, but for now, we do not know what these penalties will be.
Just like the GDPR, the implementation of the PPD law is likely to take a long time and it is recommended to start the process now to avoid facing possible administrative penalties.