Navigating Grey Areas In The UAE's Data Protection Regime

BSA Ahmad Bin Hezeem & Associates LLP


BSA is a full-service law firm headquartered in Dubai, UAE, with 9 offices across the region. We are deeply rooted in the region, offering a competitive advantage to clients seeking advice that works in the real world and is truly in tune with the market. We have rights of audience in every country where we have an office, which means that we can litigate all the way from the boardroom to the courtroom.
The Executive Regulations are yet to be issued, allowing data controllers ample time to adapt to the law, but in their absence, the transition may be incomplete and counterproductive.

The UAE legislator was among the first in the region to introduce a standalone data privacy law in September 2021, Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (the PPD).

The PPD is a relatively succinct law comprising 31 articles, most of which refer to the PPD's Executive Regulations (ER) for further clarity. The expectation had been that the ER would be issued within six months of the issuance of the PPD; however, this has taken longer than expected.

As final and comprehensive data privacy legislation has been introduced across the region over the last 12 months, this article looks at what we can expect from the PPD's ER.

Why are the ER essential?

There are more than 20 references to the ER under the PPD, which clearly indicates that key data privacy principles, controls, conditions, and requirements remain unaddressed under the PPD itself.

The ER will tackle major points, notably:

  • Exemptions: The UAE Data Office, the authority responsible for overseeing compliance with the PPD, may exempt some establishments that do not process a large volume of personal data from part or all of the requirements of the PPD. The conditions, eligibility, and process to benefit from such an exemption remain to be seen under the ER and are crucial to some companies hoping to be relieved of the costs of complying with the PPD.
  • Additional legal bases: It is understood that the ER may include additional legal bases for the processing of personal data. This is considered one of the most anticipated points to be covered in the ER, as the question on everyone's mind is whether the ER will add legitimate interest as a legal basis. Legitimate interest is seen as the most flexible legal basis and may be used by companies to justify personal data processing for marketing and other purposes. However, this flexibility can also be ambiguous, leading to potential misuse, and should therefore require careful consideration.
  • Data breaches: Similar to the General Data Protection Regulation (GDPR) and other regional data privacy regulations, under the PPD, data breaches must be reported to the UAE Data Office as well as to the affected data subjects. However, the PPD does not provide a timeline to comply with such reporting obligations. It is also unclear if all types of breaches must be reported or if only certain breaches of a certain severity level will be subject to this obligation.
  • Data transfers: Personal data may be transferred to countries benefiting from an adequacy decision. Alternatively, the PPD permits cross-border transfers by relying on other transfer mechanisms such as obtaining the data subject's explicit consent, creating adequate protection through appropriate safeguards and/or where the transfer is necessary to protect the public health, to defend legal claims etc. At present, the UAE Data Office has not published the list of adequate countries and it remains to be seen if the PPD will adopt standard contractual clauses in line with the approach followed under the GDPR and other data privacy regulations in the region.
  • Penalties: The PPD is also silent on the scope and nature of penalties applied to those in violation. The UAE regulator might opt to mirror the GDPR's methodology by establishing a schedule of penalties tailored to specific types of violations, or alternatively, it could introduce a general maximum limit on the fines that can be imposed for infringements. It is also worth asking whether the UAE regulator will provide the UAE Data Office with additional corrective powers, such as imposing bans on data processing or ordering audits.

Impact of potential fines on data privacy compliance

Generally, the size and scope of potential fines have a direct effect on compliance. It is in fact the mega-fines imposed worldwide that have increased global awareness of the importance of complying with data privacy law.

Despite the absence of coercive measures in the UAE, we have witnessed an increasing number of data privacy related instructions as the risks involved are not limited to the fear of sanctions. In fact, operational inefficiencies and permanent loss of consumer trust are enough to keep stakeholders concerned and drive compliance with the PPD.

The PPD's enforceability

The PPD was published in the Official Gazette and came into effect on January 2, 2022. However, as per the PPD, controllers and processors have a grace period of six months following the issuance of the ER to comply.

The postponement in the issuance of the ER is a double-edged sword. On one hand, it provides controllers and processors ample time to familiarise themselves with the content of the PPD and set in place a suitable transition plan. On the other hand, this transition may be incomplete and counterproductive in the absence of the ER, without which material data privacy principles and requirements remain unaddressed.

Whilst the challenges of being in a grey zone are recognised, it is strongly recommended that stakeholders begin to set the stage for a robust and compliant data privacy system, and take certain necessary steps ahead of the issuance of the ER.

This article was originally published by Law Middle East.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
