Data Protection in the UAE: PDPL? PDPL!
The UAE prepares for enforcement of landmark personal data protection law
Sunday, 2nd January 2022 was a historic day in the United Arab Emirates. No, not just because most people stayed in bed to celebrate the long weekend and the country’s change to a Saturday/Sunday weekend, but also because it saw the launch of numerous new federal laws.
The UAE kicked off the 51st year of its existence with changes to visa, residency, and company ownership laws, and a sweeping reform of its penal code. The sheer number of new laws and revisions to existing laws announced by the country’s rulers on 2nd January meant that many people and businesses almost overlooked one of the most significant changes: The UAE now has, for the first time ever, a federal data protection law - the technical term is “Federal Decree Law No. 45 of 2021 on the Protection of Personal Data”, but it’s probably easier to refer to it by its abbreviation, “PDPL”.
Prior to the introduction of the new federal law, data protection regulations and guidelines already existed in various Emirates and freezones, of course, but they were mostly piecemeal, little known, and rarely enforced. The new federal law isn’t only much more extensive and better laid out, but it also creates a level playing field for the entire country and all businesses in the UAE, regardless of whether they operate on- or off-shore.
what’s in the new UAE data protection law?
The law, which came into force on 2 January 2022, aims to protect “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. It also applies to sensitive personal data, like race and philosophical beliefs, and biometric data such as fingerprints. The law largely mirrors the EU’s General Data Protection Regulation (GDPR) and, just like GDPR, has “extra-territorial reach”, which means it applies to all organizations in the UAE that process data of “data subjects” (i.e. guests, customers, or users) inside or outside the country, but also to organizations outside the UAE that process data of guests/customers/users inside the UAE.
Like GDPR, PDPL prohibits the processing of personal data without the specific, clear, and unambiguous consent of data subjects, given in the form of explicit, positive statements or actions. It also introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record keeping requirements. The law requires every “data controller” in the UAE to clearly explain to data subjects what data they collect, why they collect it, and how it is stored, and controllers will only be able to use personal data for marketing purposes with the consent of data subjects. What’s a “data controller”? In a nutshell: If a business collects and stores data like customers’ email addresses, phone numbers, etc., it’s a data controller. Companies that collect and manage “high risk” data may also need to appoint a designated data protection officer, who ensures compliance with the law internally and acts as the main contact point for data subjects and the government’s data office.
potential pitfalls of the new UAE data protection law
It’s very important to understand that PDPL doesn’t only apply to data a company collects or stores for its own use locally, e.g. data collected from guests visiting a restaurant or staying in a hotel, but that it applies to the entire data collection and storage chain, i.e. the data controller, all technology used in the process of collecting and managing the data, and all marketing or business partners involved in handling the data. A short example: Mohammed runs a busy restaurant in DIFC. Customers can dine in or order online via the restaurant’s website. Mohammed’s team also invites all guests to sign up to the restaurant’s email newsletter or WhatsApp service, so they can get special deals and offers. Guests can even book tables in Mohammed’s restaurant online via a 3rd-party table booking app.
Here, naturally, Mohammed’s restaurant and its website need to be PDPL compliant, but so does the program/platform he uses to run the email and WhatsApp newsletter, and the 3rd-party table booking platform. If the restaurant runs joint marketing campaigns with other 3rd parties, they also need to comply with the new law.
compliance, fines, and deadlines
Compliance with the law will be monitored by the newly created UAE Data Office. The exact details of penalties for non-compliance and breaches aren’t known yet, but a look at other countries with similar laws suggests that such fines can be considerable. In the EU, GDPR fines can reach into millions of euros or up to 4 percent of a company’s annual turnover. The deadline for businesses to comply with PDPL currently is Saturday, 28th May 2022, i.e. six months after the new law was announced.
help? help!
If you’re running a business in the UAE or if your business is based outside the UAE, but markets to customers in the United Arab Emirates, I can help you comply with the new law and avoid delays and fines. I have put together a number of flexible and cost-effective packages, incl. website and marketing audits and customized 1-2-1 consulting sessions - just click the button below and find out more! You can also connect with me on Twitter, LinkedIn, Facebook, or YouTube.