September 9, 2021
This week, the United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications (the “Minister”) announced that the UAE would introduce a new federal data protection law (“Data Protection Law”), the first federal law of its kind in the UAE. The Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.
In the UAE, regulation of data protection differs between free trade zones and the remaining, onshore, areas of the UAE. Onshore areas are under federal jurisdiction, while the free trade zones are empowered to create their own legal and regulatory framework for all civil and commercial matters. Only the Dubai International Financial Centre (“DIFC”), Dubai Healthcare City (“DHCC”), both free trade zones in the Emirate of Dubai, and Abu Dhabi Global Market (“ADGM”), in the Emirate of Abu Dhabi, have formal data protection regimes, with laws in these free trade zones generally consistent with data protection laws in other developed jurisdictions.
At present, there is no unified set of privacy or data protection laws at the federal level and there is no single national data privacy regulator. Consequently, while there are UAE laws that provide general rights to privacy, the concept of processing or transferring data is not extensively regulated for companies operating outside of the DIFC, DHCC or ADGM.
General rights to privacy in the UAE include:
According to the Minister, the Data Protection Law will “guarantee personal privacies and the ability for the private sector to grow, innovate, and prosper. It gives individuals the right to be forgotten, the right of access, the right of correction, and the right to be informed.”
The Data Protection Law is a step towards establishing a data protection regime in the UAE that would provide an adequate level of protection for the purposes of data transfers from the European Union and other regulated jurisdictions.
We will provide an analysis of the law following its official release later this year.