Data protection measures evolve in the UAE
Dania Yassin of Ibrahim & Partners considers recent national developments and provides an overview of the data privacy scene in the country
The rise of digital transformation continues to pressure authorities around the world to regulate data privacy. The UAE does not currently have a comprehensive federal data privacy and protection law, nor does it have a dedicated data protection regulatory authority. However, a number of distinct local and sector-specific laws contain provisions relating to data privacy, protection and security.
Data subjects based in the UAE may be able to hold the entities in possession of their data liable under the principles of the UAE Civil Code for negligence in failing to take proper security measures. In addition, the most serious data privacy breaches are addressed in the cybercrime laws, so that users of digital platforms understand and respect privacy rights.
The UAE's federal data privacy and protection-related provisions apply only to organisations established in onshore UAE and to those in free zones that are not governed by their own data privacy laws. Certain free zones, including the Dubai International Financial Centre (DIFC), Dubai Healthcare City (DHCC) and Abu Dhabi Global Market (ADGM), have enacted specific data protection laws that are heavily modelled on European data privacy law and influenced by international standards and best practice.
It is important to note that the General Data Protection Regulation (GDPR) and other international privacy laws will likely affect all UAE industries that process international customer data. If an organisation in the UAE processes personal data and offers goods or services to individuals based in the EU, it is required to comply with the GDPR. The same applies to a UAE organisation that has an establishment in the EU and processes personal data in the context of that establishment.
UAE Health Data Law 2019
In February 2019, the President of the UAE issued Federal Law No. 2 of 2019, which regulates the use of information technology and communications in the healthcare sector. The law applies to all entities operating in the UAE and the free zones that provide healthcare, health insurance, healthcare IT and other direct or indirect services related to the healthcare sector or engaged in activities that involve handling of electronic health data.
The key components of the UAE Health Data Law concern data security, data localisation, data retention and the implementation of a centralised health data management system controlled by the Ministry of Health and Prevention.
Abu Dhabi Global Market
As part of the ADGM's initiatives during the COVID-19 pandemic, the ADGM released new data protection regulations repealing the 2015 regulations. The purpose of the new regulations is to align the ADGM's legal requirements for the processing of personal data with the GDPR. They follow the DIFC's adoption of the new DIFC Data Protection Law No. 5 of 2020.
The regulations are no longer limited to businesses registered in the ADGM. The regulations apply to the processing of personal data by a controller or processor in ADGM, irrespective of whether the processing takes place in ADGM or elsewhere.
The new regulations also provide for the appointment of a data protection officer, a data protection fee, penalties, further rules on cross-border transfers, and fines of up to $28 million, depending on the contravention of the law.
Accordingly, a transitional period of 12 months is proposed for existing establishments, and six months for new establishments, commencing from February 14 2021.
Dubai International Financial Centre
In the DIFC, DIFC Law No. 1 of 2018 and the Data Protection Regulations 2018, Version 3 (as amended by DIFC Law No. 5 of 2020, effective July 2020) protect personal data collected and/or processed within the jurisdiction of the DIFC and apply to all DIFC entities, both regulated and non-regulated.
In addition to any business registered in the DIFC, the 2020 law applies to any business that processes personal data within the DIFC as part of stable arrangements, and to any business that processes data on behalf of either of the above. Data protection officers are mandatory for DIFC bodies. Controllers and processors must both be able to demonstrate their compliance with the data protection principles in the law. The law sets a maximum fine of $100,000 for administrative breaches, with additional scope for unlimited fines for more serious violations, and adds the ability for compensation claims to be made by or on behalf of data subjects.
The DIFC data protection laws and regulations are currently undergoing further reform to keep pace with the rapidly changing digital landscape. In particular, the proposed amendments include, but are not limited to, a requirement that a data controller maintain a register of the instances in which it has extended the period for complying with a data subject access request, charged a fee for such a request, or refused to act on a request because it was complex, manifestly unfounded or excessive. The amendments also provide that the data protection commissioner may inspect the proposed register at any time and may request additional information, raise a query or conduct an investigation.
Dubai Health Care City Free Zone (DHCC)
DHCC is a healthcare free zone in Dubai that implemented DHCC Health Data Protection Regulation No. 7 of 2013 (which repeals and replaces DHCC Data Protection Regulation No. 7 of 2008). UAE Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Areas of Health (the Health Data Protection Law) affects all entities operating in the UAE (including onshore, Dubai Healthcare City and the free zones) that provide services relating to healthcare, health insurance and healthcare information technology. The law contains a general prohibition on transferring health data outside the UAE unless authorised by a health authority.
Health data is defined broadly to include all electronic health data originating in the UAE, regardless of its form, including patient names, alpha-numerical patient identifiers, common procedural technology codes, information collected during consultation, diagnosis and treatment, images produced by medical imaging technology and lab results.
Any entity processing data of these kinds must comply with the Health Data Protection Law. Failure to comply may result in fines of up to AED 1 million ($272,200).
In conclusion, businesses in the UAE should familiarise themselves with the data protection laws that apply to them, including any free-zone regime and the GDPR where relevant, and ensure they take the measures necessary to comply with them.
Dania Yassin, Associate, Ibrahim & Partners