Data Protection in the UAE

Nadim Al Jisr, Head of Legal Content at Thomson Reuters

On May 25th of 2018, the General Data Protection Regulation (GDPR) came into force. This EU regulation aims at unifying data protection rules and procedures across the European Union and protecting people’s personal data from breaches targeting it and its privacy – as part of it is being processed inside Europe or around the world.

What does this mean for the UAE?

            A lot of UAE Companies and businesses are considering this new EU regulation and identifying whether they fall within its scope of application. Unlike other countries, the UAE does not have “on-point” legislation that regulates the protection of personal data. However, data privacy or protection of personal data is in fact addressed in numerous provisions across different laws and regulations. They are numerous because these provisions may be part of laws promulgated by the Federal Government, or the Government of each Emirate, or Free-Zone Authorities, or part of directives and instructions issued by local Regulatory Authorities (such as the Telecommunications Regulatory Authority or Health Authority in Dubai and Abu Dhabi).

            Therefore, we will try, in this article, to identify the major laws and regulations that relate to data privacy or protection of personal data. In order to do so, we will divide these laws and regulations into two categories: (1) The main UAE Laws/Regulations and (2) the Free-zones Laws/Regulations.

1.       The Main UAE Laws that touch upon Data Protection:

To start with, the general principle on protecting an individual’s privacy was first set out by article (31)[1] of the UAE’s Constitution (of 1971). Cascading this principle to different and major UAE legislation, we can see that it has been emphasized in both Federal and Emirate Legislation.

A. Federal Legislation referring to Data Protection

Articles

The UAE’s Penal Code [2]
i. Articles 378 (as amended) and 379 suggest that any person breaching the privacy of another person will be punished with imprisonment and a fine; the punishment is aggravated if the perpetrator is a public employee.
The Law on the Practice of Human Medicine Profession [3]
i. Article 13 of this law forbids the doctor from disclosing any secret that a patient has confided it to him. It also lists the cases where this prohibition is subject to exceptions.
The Law Regulating the Telecommunication Sector [4]
i. Article 6 of this law establishes the Telecommunications Regulation Authority (TRA). ii. Article 14 of this law identifies the competences of the TRA, among which is the issuing of regulations concerning the use of customer data. iii. Article 72 of this law punishes any person who discloses the content of a call or message sent through the network.
The Cyber-crime Law [5]
i. Articles 21 and 22 of this law punish with imprisonment any individual who uses cyber networks to violate the privacy of another individual or to disclose confidential information obtained in the course of his work.
The law on Printing and Publishing [6]
i. Article 79 of this law prohibits the publication of news, pictures or comments related to an individual’s personal life or the disclosure of secrets that defames other people.
On the Emirate level, Dubai may be the only Emirate that has issued laws that directly address the transfer, exchange and protection of data.

B. Emirate Legislation referring to Data Protection

Article

Law on Data Dissemination and Exchange in the Emirate of Dubai [7]
Although it refers to data in general, the provisions of this law state that the “Concerned Authority” [8] shall, when performing its tasks and competences, adopt policies, mechanisms, rules and standards related to the dissemination of data and, in particular “Confidential data protection policy, attributed to the Data Providers such as data related to the individuals, institutions and companies”. [9]
Dubai Statistics Center Law [10]
i. Article 9 of this law expressly considers personal data, collected from statistic activities or research, to be confidential. Any exchange or transfer of this data shall exclusively be only through the Center provided that it obtained a prior
Health Data Protection Regulation [11]
The Dubai Healthcare City Authority (DHCA) has issued regulations that specifically manage the collection, transfer or exchange of private health information (including information about the patient’s medical records, disabilities, body substances, etc.) obtained from him/her.

2.       Free-Zones Laws/Regulations that touch upon Data Protection:

Free-zones on the other hand, have proven to be first in adopting special legislation that relates to Data Protection only. The prominent free-zones in the UAE are two: The Dubai International Financial Center (DIFC) and Abu Dhabi Global Markets (ADGM).

The DIFC has adopted its own Data Protection legislation. It is DIFC Law No. 1 of 2007 (as amended in 2012). Similarly, ADGM has also adopted its own Data Protection Regulations of 2015 (recently amended in 2018). These regulations are consistent with the EU’s regulations and directive on protection of privacy and personal data.

In a world where technology is immensely evolving at a fast pace, concerns about the ability of States and governments to succeed in protecting the privacy of their citizens have increased. It is not a trend. It is an actual threat that may be used to harm others, especially with the rise of AI[12] and IoT[13] and the integration of such technologies in machines that people use in their day-to-day life, for example a fridge. As a consequence, one may predict that countries will be more vigilant in addressing Data Privacy and building the proper legal infrastructure to ensure its protection when exchanged or transferred.

Author: Nadim Al Jisr

Bio: Nadim Al Jisr is Head of Legal Content for Thomson Reuters, Middle East and North Africa. He oversees the product content for Thomson Reuters Westlaw Middle East and manages its growth. Nadim previously practiced as a litigator and legal consultant, in Lebanon and Saudi Arabia, and is proficient in Arabic, English and French. He holds a Bachelor’s Degree in Law from the Lebanese University. 

References

[1] Article (31) of UAE Constitution: « The freedom of communication by post, telegraph and other means of communication and its confidentiality thereof are guaranteed in accordance with the law».

[2] Federal Law No. 3 of 1987 promulgating the Penal Code.

[3] Federal Law No. 7 of 1975 regulating the Practice of Human Medicine.

[4] Federal Decree by Law No. 3 of 2003 Regulating the Telecommunication Sector.

[5] Federal Decree by Law No. 5 of 2012 on combating cybercrimes.

[6] Federal Law No. 15 of 1980.

[7] Dubai Law No. 26 of 2015.

[8] Identified in Article (2) of Dubai Law No. 36 of 2015 as: “The authority responsible for supervising the application of this Law”.

[9] Article (6) of Dubai Law No. 26 of 2015.

[10] Dubai Law No. 28 of 2015 (after it repealed Dubai Law N. 23 of 2006).

[11] Dubai Healthcare City Authority Regulation No. 7 of 2013 (the “Health Date Protection Regulation”).

[12] Artificial Intelligence.

[13] Internet of Things.