Understanding the UAE’s new federal data protection law - Part 1

2022 has already seen a considerable number of changes for businesses in the UAE, ranging from labour law updates to the announcement of the introduction of corporate tax. The sheer number of new laws and revisions to existing laws announced by the country’s rulers to date means that many people and businesses almost overlooked one of the most significant changes: The UAE’s first-ever, federal, data protection law, which comes into effect on 28^th May 2022 and promises to fundamentally change the (marketing) game for companies in the UAE and anyone marketing to UAE-based consumers.

Prior to the introduction of what is technically known as “Federal Decree Law No. 45 of 2021 on the Protection of Personal Data”, various Emirates and free-zones already had data protection regulations and guidelines, but they were mostly piecemeal and little known and enforced. The new federal law isn’t only much more extensive and better laid out, but it also creates a level playing field for the entire country and all businesses in the UAE, regardless of whether they operate on- or off-shore.

Leveling the playing field

The law aims to protect “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. It also applies to sensitive personal data, like race and philosophical beliefs, and biometric data such as fingerprints. The law largely mirrors the EU’s General Data Protection Regulation (GDPR) legislation and follows the introduction of similar laws in KSA and Oman. Just like GDPR, the UAE’s new federal data protection legislation has “extra-territorial reach”, which means it applies to all organizations in the UAE that process data of “data subjects” (i.e. guests, customers, or users) inside or outside the country, but also to organizations outside the UAE that process data of guests/customers/users inside the UAE.

Potential pitfalls

The new law prohibits the processing of personal data without the specific, clear, and unambiguous consent of data subjects, given in the form of explicit, positive, statements or actions. It also introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record keeping requirements. It is very important to understand that the new federal law doesn’t only apply to data a company collects or stores for its own use locally, e.g. data collected from guests visiting a restaurant or customers buying a product or service, but that it applies to the entire data collection and storage chain, i.e. the data controller, all technology used in the process of collecting and managing the data, and all marketing or business partners involved in handling the data. A short example: Farid runs a restaurant in JBR. Customers can dine-in or order online via the restaurant’s website. Farid’s team also invites all guests to sign up to the restaurant’s email newsletter or What’s App service, so they can get special deals and offers. Guests can even book tables in the restaurant online via a 3rd-party table booking app. Here, naturally, Farid’s restaurant and its website need to be compliant, but so does the program/platform he uses to run the email and What’s App newsletter, and the 3rd-party table booking platform. If the restaurant runs joint marketing campaigns with other 3rd-parties, they also need to comply with the new law.

Compliance, fines, and deadlines

Compliance with the law will be monitored by the newly created UAE Data Office. The exact details of penalties for non-compliance and breaches aren’t know yet, but a look at other countries with similar laws suggests that such fines can be considerable. In the EU, GDPR fines can reach into millions of Euro or up to 4 percent of a company’s annual turn-over. The deadline for businesses to comply with the new law currently is Saturday, 28th May 2022.

This article is not in any way legal advice. There are dozens of provisions in the new law that apply only in rare instances, which would be counterproductive to cover here. You should check with a lawyer to make sure your organization fully complies with the new law.

About the Author:

Martin Kubler, FIH, is the Chief Sloth at The Gluttonous Sloth, a business consultancy with attitude. Martin spent 16 years in the Middle East and now splits his time between his new home in Stockholm, Sweden, and his old haunts in the GCC. Martin specializes in all things marketing and digital and mostly works with small and medium-sized, or family-owned or operated companies.