UAE - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
There is no federally applicable data protection law in the United Arab Emirates ('UAE'), and there is no single national data protection regulator. There are no specific laws governing the processing of personal data by public sector institutions.
Article 31 of the UAE Constitution (only available in Arabic) is considered to represent a general right to privacy for citizens of the UAE: it provides for the right to freedom and secrecy of communication by post, telegraph or other means of communication under law.
Provisions of the UAE Civil Code ('the Civil Code') and Federal Law No. 3 of 1987: The Penal Code ('the Penal Code') are also relevant. The Civil Code sets out certain obligations on employers when dealing with employee information, particularly on termination of an employee's employment (Article 913) and, separately, provisions on the basis for non-competition agreements where employees have access to their employer's confidential information and/or client information (Article 909).
Article 378 of the Penal Code provides that it is a criminal offence to publish personal data which relates to an individual's private or family life. Article 380 of the Penal Code provides that anyone who opens correspondence without the consent of the intended recipient, or overhears a telephone call, also commits an offence. Article 380 also specifically prohibits the unlawful disclosure of correspondence and other information which come to a person’s knowledge in the course of his or her work.
Other laws which govern aspects of the processing of personal data in the UAE are summarised in Section 13 below.
The UAE plays host to a number of special economic zones known as 'free zones', which offer tax, customs and other benefits to businesses. Of these free zones, the Dubai International Financial Centre ('DIFC'), the Abu Dhabi Global Market ('ADGM') and Dubai Healthcare City ('DHCC') have each enacted separate data protection laws applicable to businesses operating in the relevant zone.
Whilst there has been no formal confirmation or release, a draft federal data protection law is understood to be under consideration by the UAE government.
1.2. Guidelines
There are no relevant guidelines in this area at present.
1.3. Case Law
There is no relevant case law in this area at present.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
2.2. What types of processing are covered/exempted?
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
There is no regulator for data protection at present.
3.2. Main powers, duties and responsibilities
4. KEY DEFINITIONS | BASIC CONCEPTS
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
9. DATA SUBJECT RIGHTS
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment
11. DATA BREACH NOTIFICATION
11.1. General obligation
11.2. Sectoral obligations
13. ADDITIONAL RELEVANT TOPICS
13.1. Labour Law
Federal Law No.8 of 1980 ('the Labour Law') regulates the maintenance of records relating to employees. Article 53 of the Labour Law requires every employer of five or more workers to: (a) keep a special file for each worker, showing his name, trade or occupation, age, nationality, place of residence, marital status, date of employment, remuneration and any adjustments thereto, penalties imposed on him, occupational injuries and diseases he has sustained and the date of and reasons for termination of his service; and (b) create a leave card for each worker, to be kept in the worker's file, divided into annual leave, sick leave and other leave.
Article 54 of the Labour Law requires each employer of 15 or more workers to maintain in each place of business: (i) a register of wages detailing the starting and leaving dates and salary of each employee; (ii) a register of work injuries; (iii) general workplace regulations; and (iv) a document detailing the penalties for employees in default. Infringement of the provisions of the Labour Law is punishable by imprisonment and/or a fine of not less than AED 10,000 (approx. €2,420).
13.2. Telecommunications Law and Consumer Protection Regulations
Article 72(6) of the Federal Law by Decree No 3 of 2003 Regarding the Organisation of the Telecommunication Sector ('the Telecommunications Law') provides that a person who intercepts the contents of telephone calls without prior permission by the competent judicial authorities may be punished with imprisonment for a period of not more than one year and/or a fine of not less than AED 50,000 (approx. €12,102) and not more than AED 200,000 (approx. €48,410). If a licensed operator reasonably believes that equipment is being used for the interception of telephone calls contrary to Article 72(6), it may place the equipment under surveillance (Article 75). Orders may also be issued for the seizure or destruction of the relevant equipment (Article 76).
There are also requirements which derive from the Telecommunications Law with which only licensed operators are required to comply. 'Licensed operator' in the context of the Telecommunications Law means a business with a specific operator licence from the Telecommunications Regulatory Authority ('the TRA'), the authority which oversees the telecommunications sector in the UAE.
Under powers granted to it by the Telecommunications Law, the TRA has issued the Consumer Protection Regulations ('the CPR'). Article 12 of the CPR seeks to ensure the protection of data relating to 'Subscribers', or persons who contract with licensed operators for the supply of telecommunications services in the UAE. 'Subscriber Information' is defined as 'any information relating to a specific Subscriber', which includes a person's personal details, service usage details, the content of communications, account status and payment history.
Licensed operators are subject to a number of obligations, including to take all reasonable and appropriate measures to protect the privacy of Subscriber Information (whether in paper or electronic form) and prevent its unauthorised disclosure or use (Articles 12.1 and 12.3 of the CPR). In addition, where it is necessary for a licensed operator to provide Subscriber Information to a third party which is directly involved in the supply of telecommunication services, the operator must require the third party to:
- take all reasonable and appropriate measures to protect the confidentiality and security of the Subscriber Information; and
- use the Subscriber Information only to the extent required to provide the relevant telecommunication service (Article 12.8 of the CPR).
13.3. Cybercrime Law
Article 2 of the Federal Law by Decree No 5 of 2012 on Combating Cybercrimes (13 August 2012) ('the Cybercrime Law') prohibits the unauthorised accessing of websites or electronic information systems or networks. This offence is punished by imprisonment (the period is not specified) and/or a fine not less than AED 100,000 (approx. €24,205) and not in excess of AED 300,000 (approx. €72,615). If an offence under Article 2 results in, among other things, the disclosure, alteration, copying, publication and republication of data, it is punishable by imprisonment for a period of at least six months and/or a fine not less than AED 150,000 (approx. €36,307) and not in excess of AED 750,000 (approx. €181,537). If the data affected by an offence under Article 2 are 'personal', the offence is punishable by imprisonment for a period of at least one year and/or a fine not less than AED 250,000 (approx. €60,512) and not in excess of AED 1,000,000 (approx. €242,050).
Article 15 of the Cybercrime Law provides that any person who intentionally and without permission captures or intercepts any communication through any computer network, website or other information technology commits an offence. The offence is punishable by imprisonment (the period is not specified) and/or a fine not less than AED 150,000 (approx. €4,205) and not in excess of AED 500,000 (approx. €121,025). There is also a separate offence for any person who discloses information obtained unlawfully by receipt or interception of communications, which is punishable by imprisonment for a period of at least one year.
Article 21 of the Cybercrime Law establishes an offence relating to the invasion of privacy of an individual, by means of a computer network and/or electronic information system and/or information technology, without the individual's consent and unless otherwise authorised by law. This offence covers activities including eavesdropping and photographing and is punishable by imprisonment of a period of at least six months and/or a fine not less than AED 150,000 (approx. €24,205) and not in excess of AED 500,000 (approx. €121,025).
Article 21 also provides that a person commits an offence if he/she uses a computer network and/or electronic information system and/or information technology to amend a record or photograph for the purposes of defamation, to cause offence to another person or to invade another person's privacy. This offence is punishable by imprisonment for a period of at least one year and/or a fine not less than AED 250,000 (approx. €60,512) and not in excess of AED 500,000 (approx. €21,025).
13.4. Commercial Transactions Law
Articles 26 to 38 of the Federal Law No.18 of 1993: Commercial Transactions Law ('the Commercial Transactions Law') set out detailed provisions relating to the maintenance of commercial books. For instance, Article 30 requires the trader to keep exact copies of the originals of all correspondence, telegrams and invoices sent or issued by him for the purpose of his business activities, as well as all incoming correspondence (originals), telegrams, invoices and other documents related to his trade, for a minimum period of five years from the date of issue or receipt.
13.5. Health Data Law
In the UAE, a new health data protection law (UAE Federal Law No.2 of 2019, only available in Arabic) ('the Health Data Law') was enacted in May 2019. It introduces noteworthy obligations around the collection, processing and transfer of health data (as defined below) by a broad range of entities ('Health Service Providers'), including healthcare providers, medical insurance providers, healthcare IT providers and providers of direct and/or indirect services to the healthcare sector (e.g. outsourced services, including cloud services), whether located onshore, in DHCC or in the Free Zones.
Health data is defined broadly to include all electronic data originating in the UAE regardless of its form, including alpha-numerical identifiers, common procedural technology ('CPT') codes, diagnosis and treatment, images produced by medical imaging technology, information collected during consultation, lab results and names of patients.
The new Health Data Law seeks to protect health data in line with international best practice, while also giving the UAE's Ministry of Health both greater control over the sensitive data of its residents (as opposed to potentially putting it at risk in other jurisdictions) and a greater ability to collect and analyse health data in order to improve public health initiatives.
Further detail is anticipated in the implementing regulations, to be published in due course.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES