New landmark data protection law issued in UAE

The UAE has issued new legislation to regulate the collection and processing of personal data in the country. This long-awaited development is in line with wider international practices in protecting the privacy of individuals and personal data.

The new law was announced by the UAE Cabinet Office on 27 November 2021, along with several other significant legislative changes introduced as part of an unprecedented legal reform program in advance of the UAE’s Golden Jubilee.

The ruling creates a framework to ensure confidentiality and to protect the privacy of individuals, such as data subjects, by requiring organisations that fall within the scope of the Data Protection Law to implement appropriate governance for the management and protection of personal data.

A single national data privacy regulator – to be known as the UAE Data Office – will be established under a separate statute to regulate the implementation of the Data Protection Law. The UAE Data Office will be responsible for a wide range of tasks that include:

• Proposing and preparing policies relating to data protection
• Proposing and approving the standards for monitoring the application of federal legislation regulating personal data
• Preparing and approving systems for complaints and grievances
• Issuing guidelines and instructions for the implementation of data protection legislations

As of yet, the penalties have not been published for potential breaches of the law, however, the level of sanctions will be specified in subsequent executive regulations, including any administrative penalties that may be imposed. It is unclear whether those regulations will contain a schedule of fines (and other sanctions) for different violations or simply specify a maximum amount with more discretion available to the UAE Data Office and the Courts.

The Data Protection Law will have extra-territorial reach, similar to the EU General Data Protection Regulation (GDPR) and the recently-issued Personal Data Protection Law in Saudi Arabia. It will apply to any organisation that is established in the UAE and processes personal data of data subjects inside or outside the UAE, as well as any organisation that is established outside the UAE and processes personal data of data subjects inside the UAE.

It will take effect from 2 January 2022, although it also anticipates further executive regulations that will clarify various aspects (including the scope and level of sanctions). Controllers and processors will then have a period of six months from the date of issuance of such regulations to adjust their status and comply with the Data Protection Law.