Privacy and protection: data in mainland UAE
Malack El Masry and Charlotte Jackson of Ibrahim & Partners summarise the key laws to consider regarding data protection in the UAE
Data protection is an increasingly important topic and one which the regulators within the United Arab Emirates (UAE) are taking seriously. This article provides a run-down of mainland data transfer considerations.
Under UAE mainland laws there is no principal data protection law as such. There are, however, references to privacy and data matters in a number of laws or controls that have implications for (i) the transfer of personal data within and outside the UAE; or (ii) the transfer of business data, as a result of storage controls that may affect their transfer outside the UAE.
A number of the free zone jurisdictions have their own data protection regulations and restrictions, particularly in the Dubai Healthcare City, Dubai International Financial Centre and Abu Dhabi Global Market.
The key laws to consider regarding data in the UAE are the following:
The UAE Penal Code
The UAE Penal Code (Federal Law No. 3 of 1987, as amended by Federal Law No. 34 of 2005) provides:
Protection of privacy – the violation of the “private or familial life of individuals” (unless authorised by law or with the victim’s consent) by recording or transmitting conversations, or by capturing or transmitting pictures of a person in a private place (including publishing such recordings or pictures), is prohibited and punishable by a fine and imprisonment; and
Protection of professional confidentiality – where, by virtue of his profession, craft, position or art, a person is entrusted with a secret, he is prohibited from divulging it (unless it is allowed by law, the other person provides consent, it is used for his own personal interest or for the personal interest of another person), and this is punishable by a fine and imprisonment.
The UAE Penal Code is wide-reaching and does not permit the ‘divulging’ of secrets. Whilst there is no definition of what constitutes ‘divulging’ or ‘secrets’, the prohibition will arguably cover any personal data about an individual. This means that consent would be required to transfer such data.
The UAE Constitution
The UAE Constitution provides for a general right to privacy with respect to correspondence (whether in writing or verbally) and the secrecy of such correspondence shall be guaranteed in accordance with the law. However, this seems to only apply to UAE nationals.
The Cybercrime Law
The Cybercrime Law (Federal Law No. 5 of 2012 on Combatting Cybercrimes) prohibits the disclosure, publication and re-publishing of any information that was obtained by unauthorised access to websites or electronic information systems or networks. It also prohibits the use of technological means for the invasion of privacy (including publishing, recording, transferring, transmitting and photographing, as well as using such technology to amend or process a record or photo for the purpose of defaming another person or invading his privacy), punishable by imprisonment and a fine.
Consumer Protection Law
The Consumer Protection Law (Federal Law No. 15 of 2020 on Consumer Protection) was issued in late 2020. It imposes obligations and restrictions on all companies within the UAE (including free zones) to protect consumers’ privacy and data security, and restricts companies from using consumers’ data for promotional and marketing purposes. This is a new law and the implications of such restrictions in practice are, as yet, untested. There is, however, a one-year implementation period (until November 2021) to ensure that companies are in compliance with this legislation.
The Data Security Resolution
The Data Security Resolution (UAE Cabinet Resolution No. 21 of 2013 addressing data security for Federal Authorities) restricts how data belonging to the UAE federal government can be used, including prohibiting the sending, forwarding, removing or distribution of emails that contain confidential information. This resolution also prohibits the federal authorities from using any external data storage mediums for the storage of personal data.
Federal authorities are defined under the resolution as “the ministries and public corporations and institutions and the bodies affiliated to the federal government”. As the resolution does not clearly define what the “bodies affiliated to the federal government” are, it is not clear what level of ownership or connection with government companies would be deemed to fall under the ambit of this resolution.
Sector-specific/regulatory considerations
There are also rules, guidelines and policies that are government- or sector-specific, for example:
Health Data Law
The UAE Health Data Law (UAE Federal Law No. 2 of 2019) regulates the use of information technology and communications in the healthcare sector. The law applies to all entities operating in the UAE and the free zones that provide healthcare, health insurance, healthcare IT and other direct or indirect services related to the healthcare sector or engaged in activities that involve handling of electronic health data.
Telecommunications and Digital Regulatory Authority
The Telecommunications Law (Federal Law by Decree No. 3 of 2003 regarding the Organisation of the Telecommunications Sector) provides protection to all data obtained through any means of communication. The Telecommunications and Digital Regulatory Authority (TRA) has published protocols and guiding principles as well as its 2014 Consumer Protection Regulations, which restrict the extent to which Etisalat and Du can share the personal details of their customers and place obligations on them to prevent the unauthorised use and disclosure of such information (these are specific to the two telecommunication entities in the UAE).
The TRA also oversees cyber security within the UAE and has issued mandatory standards and principles (including the Information Assurance Regulation) as a means of supporting best practices in safeguarding the use of electronic and cyber technology. These are applicable to UAE government entities and to other entities identified as critical entities (in accordance with the UAE Critical Information Infrastructure Protection (CIIP) Policy).
Whilst the above sets out some restrictions and gives some general rights of privacy, it was announced in September 2021 that a new federal law regarding data protection was to be introduced to unify the obligations and restrictions regarding data. It is therefore expected that the mainland UAE’s position will change significantly when the new law is issued.
Malack El Masry
Partner, Ibrahim & Partners
Senior associate, Ibrahim & Partners