On May 25th of 2018, the General Data Protection Regulation (GDPR) came into force. This EU regulation aims at unifying data protection rules and procedures across the European Union and protecting people’s personal data from breaches targeting it and its privacy – as part of it is being processed inside Europe or around the world.
What does this mean for the UAE?
A lot of UAE Companies and businesses are considering this new EU regulation and identifying whether they fall within its scope of application. Unlike other countries, the UAE does not have “on-point” legislation that regulates the protection of personal data. However, data privacy or protection of personal data is in fact addressed in numerous provisions across different laws and regulations. They are numerous because these provisions may be part of laws promulgated by the Federal Government, or the Government of each Emirate, or Free-Zone Authorities, or part of directives and instructions issued by local Regulatory Authorities (such as the Telecommunications Regulatory Authority or Health Authority in Dubai and Abu Dhabi).
Therefore, we will try, in this article, to identify the major laws and regulations that relate to data privacy or protection of personal data. In order to do so, we will divide these laws and regulations into two categories: (1) The main UAE Laws/Regulations and (2) the Free-zones Laws/Regulations.
1. The Main UAE Laws that touch upon Data Protection:
To start with, the general principle on protecting an individual’s privacy was first set out by article (31) of the UAE’s Constitution (of 1971). Cascading this principle to different and major UAE legislation, we can see that it has been emphasized in both Federal and Emirate Legislation.
A. Federal Legislation referring to Data Protection
B. Emirate Legislation referring to Data Protection
2. Free-Zones Laws/Regulations that touch upon Data Protection:
Free-zones on the other hand, have proven to be first in adopting special legislation that relates to Data Protection only. The prominent free-zones in the UAE are two: The Dubai International Financial Center (DIFC) and Abu Dhabi Global Markets (ADGM).
The DIFC has adopted its own Data Protection legislation. It is DIFC Law No. 1 of 2007 (as amended in 2012). Similarly, ADGM has also adopted its own Data Protection Regulations of 2015 (recently amended in 2018). These regulations are consistent with the EU’s regulations and directive on protection of privacy and personal data.
In a world where technology is immensely evolving at a fast pace, concerns about the ability of States and governments to succeed in protecting the privacy of their citizens have increased. It is not a trend. It is an actual threat that may be used to harm others, especially with the rise of AI and IoT and the integration of such technologies in machines that people use in their day-to-day life, for example a fridge. As a consequence, one may predict that countries will be more vigilant in addressing Data Privacy and building the proper legal infrastructure to ensure its protection when exchanged or transferred.
Author: Nadim Al Jisr
Bio: Nadim Al Jisr is Head of Legal Content for Thomson Reuters, Middle East and North Africa. He oversees the product content for Thomson Reuters Westlaw Middle East and manages its growth. Nadim previously practiced as a litigator and legal consultant, in Lebanon and Saudi Arabia, and is proficient in Arabic, English and French. He holds a Bachelor’s Degree in Law from the Lebanese University.
 Article (31) of UAE Constitution: « The freedom of communication by post, telegraph and other means of communication and its confidentiality thereof are guaranteed in accordance with the law».
 Federal Law No. 3 of 1987 promulgating the Penal Code.
 Federal Law No. 7 of 1975 regulating the Practice of Human Medicine.
 Federal Decree by Law No. 3 of 2003 Regulating the Telecommunication Sector.
 Federal Decree by Law No. 5 of 2012 on combating cybercrimes.
 Federal Law No. 15 of 1980.
 Dubai Law No. 26 of 2015.
 Identified in Article (2) of Dubai Law No. 36 of 2015 as: “The authority responsible for supervising the application of this Law”.
 Article (6) of Dubai Law No. 26 of 2015.
 Dubai Law No. 28 of 2015 (after it repealed Dubai Law N. 23 of 2006).
 Dubai Healthcare City Authority Regulation No. 7 of 2013 (the “Health Date Protection Regulation”).
 Artificial Intelligence.
 Internet of Things.