
Data Protection and Digital Compliance in the UAE: A Comprehensive Analysis

January 14, 2025


    The article is written by Ratmir Proskurnov and Valeria Doskovskikh.

    In today's business world, where data is often called the new "gold," the proper management and protection of data have become critical priorities. Global corporations, especially those operating across several jurisdictions, must navigate complex regulatory landscapes. As business focus increasingly shifts towards the Middle East, understanding the regulatory environment of key centres such as the UAE is essential.

    The UAE is rapidly becoming a global hub for business because of its investment appeal and a developed legislative framework that responds to global challenges. Its data protection regulations, namely the Personal Data Protection Law (PDPL) at the federal level and the specific laws of the free economic zones, are a good example. This article provides a detailed analysis of these regulations and of how they align with global standards such as the European General Data Protection Regulation (GDPR).

    Data Protection Legislation in the UAE

    For businesses entering the UAE, understanding the two-layered legislative framework of federal laws and free-zone regulations is crucial. The UAE's legal system is unusual in that it combines continental, Anglo-Saxon, and traditional legal principles; Sharia law does not influence data protection legislation. The PDPL, which reads like a condensed version of the GDPR, imposes stringent requirements to safeguard data subjects' privacy and establishes mechanisms for addressing violations.

    To date, UAE courts have not adjudicated disputes related to data protection, so practitioners rely on European case law for guidance. As the local judiciary develops its own practice, the application of these laws will become clearer. In addition, sector-specific federal laws, such as those governing information technology in healthcare, impose further data security requirements.

    Free Economic Zones and Their Regulations

    Each free economic zone in the UAE operates under its own regulations tailored to specific economic sectors, often based on English law or on a hybrid legal system. For instance, the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) follow common law principles and have their own data protection laws, while the Dubai Multi Commodities Centre (DMCC) applies the federal PDPL. There is as yet no body of case law on data protection within these zones, which reflects how new and fast-moving this area of law is.

    Key Principles of the UAE's PDPL and Free Zone Laws

    The UAE's Personal Data Protection Law (PDPL) and the free zone laws rest on fundamental principles similar to those of the GDPR. Although the federal law states these principles for controllers and processors less explicitly than Article 5 of the GDPR does, the following principles are essential to understanding and implementing effective data protection practices:

    • Lawfulness: Controllers and processors must process personal data and obtain the data subject's consent strictly before processing begins and only for the specified purposes. Other grounds for processing are unlawful, except for established exceptions such as protecting public interests.
    • Fair Processing: Controllers and processors must adhere to the principle of good faith when processing personal data, ensuring that data handling practices are just and equitable.
    • Transparency: Data subjects must be informed about who will process their personal data and for what purpose. The data processing procedure, whether automated or not, must be explained in accessible and understandable language.
    • Purpose Limitation: Personal data must be processed solely for the established purpose. This principle is the "core" of data protection, determining the lawfulness of data processing activities.
    • Data Minimization: Controllers must request only as much personal data as necessary for processing in connection with the stated purposes. Data redundancy is unacceptable.
    • Data Accuracy: Controllers and processors are obligated to delete or correct inaccurate data related to the data subject, ensuring that all information remains current and correct.
    • Storage Limitation: Personal data must be deleted or anonymized after the processing purposes have been achieved. Anonymization should ensure that the identification of the data subject becomes impossible, and data recovery is technically unfeasible.
    • Security: Controllers and processors must implement appropriate technical and organizational measures to protect personal data. If a breach of personal data is detected that may compromise the privacy, confidentiality, or security of data subjects, the controller must notify the UAE Data Office without delay, and a processor must notify the controller on whose behalf it processes the data.
    • Accountability: Controllers and processors are personally responsible for compliance with data processing principles and must take preventive actions to avoid breaches of data integrity. 

    These principles provide a framework for protecting personal data and ensuring that processing activities are conducted lawfully, transparently, and securely.

    Features of Personal Data Processing and Mechanisms for Preventing Violations

    The approach taken by the UAE legislator in drafting the PDPL differs significantly from that of the European legislator. The federal PDPL takes a restrictive approach to the grounds on which processing of personal data is lawful: the data subject's consent is the sole general basis for processing, and the cases listed in Article 4 of the PDPL are exceptions from that general rule rather than independent bases. Conversely, European legislation and the free zone laws take a more permissive approach and recognise several grounds for lawful processing beyond consent, all of equal legal force. For example, in each of the free zones personal data may be processed without additional (separate written) consent where this is necessary for the performance of a contract, to protect the vital interests of the data subject, or to fulfil a legal obligation imposed on the controller.

    Working with special categories of personal data (sometimes called "sensitive" data) presents the most significant challenge from a data compliance perspective. Both the European and the UAE legislators treat data revealing ethnicity, religious or political beliefs, biometric and genetic data, data concerning sexual orientation, and similar information as special categories. Such data is set apart because it is closely bound to the data subject's identity and can identify the individual precisely, so its misuse threatens privacy and fundamental human rights.

    A feature common to the processing of special category data across these laws is the requirement to obtain the explicit consent of the data subject and the obligation for the entity processing the data to establish the position of Data Protection Officer (DPO). This individual is personally responsible for violations related to data processing and works to prevent breaches of data processing and protection rules, including by training employees and updating their knowledge when the legislation changes. Additionally, some free zones, such as ADGM, require the controller to develop and adopt a policy document dedicated specifically to the processing of special category data.

    The DPO is a key control function aimed at achieving a high level of data protection compliance in any company. Initially, appointing a DPO was not mandatory, but over time, entities processing personal data have been required to appoint a DPO in the following cases: 1) if the processing of personal data may pose a high risk to the privacy and integrity of the data subject; 2) if the processing is systematic and conducted using automated means; 3) if a significant amount of special category data is being processed. In the free zones, the need to establish the position of DPO and hire for this role arises, in addition to the mentioned grounds, if a government body is involved in data processing (here, continuity with European GDPR can be traced) or by direct instruction from the authorized supervisory authority.

    A critical issue is defining the boundaries of evaluative indicators such as high risk and significant volume when appointing a DPO. One of the DPO's responsibilities is to systematically conduct Data Protection Impact Assessments (DPIA), which serve as a preventive measure aimed at identifying and analyzing risks concerning the data subject and their rights and freedoms, from the perspective of European regulation, or in terms of privacy and confidentiality violations, from the perspective of UAE regulation. This divergence in understanding the subject of violations is again related to the peculiarity of the UAE's state structure and understanding of the law, where the inviolability of privacy and confidentiality takes precedence, followed by other freedoms.

    For example, the federal PDPL does not define the concept of "high risk," which introduces legal uncertainty and complicates business operations. The ADGM free zone law, however, does disclose this concept, defining it by reference to the potential physical, material, or non-material harm to the data subject. That wording tracks Recital 75 of the GDPR, but among the UAE instruments discussed here ADGM is the only one that spells out physical harm as a risk to the data subject.

    In the DIFC free zone, high risk is interpreted even more broadly: it is present when one or more of the following criteria applies to the processing of personal data:

    1) the use of new technologies or methods that create a risk to the security and rights of the data subject (for example, if a company stores personal data on a blockchain or uses artificial intelligence to process it, DPIAs must be conducted systematically);
    2) the processing involves a significant volume of personal data (the law does not specify what volume counts as significant, but DIFC guidance gives examples where this criterion definitely applies, such as a company with several hundred employees, an outsourcing company engaged to process the personal data of its principal's employees and clients, or a company holding data subjects' bank account details and copies of official documents);
    3) the processing is carried out by automated means and its results have significant legal consequences for the data subject;
    4) the processing involves a significant volume of special category data.

    It would be logical and useful for the federal legislator to adopt the free zones' experience in developing and implementing assessment criteria for initiating DPIAs. Although the federal legislation currently appears more "liberal" in this respect, we recommend a conservative approach: interpret the federal legislation broadly and take all known assessment criteria into account when developing a personal data processing policy, so as to avoid violations and the large fines discussed below.

    Specifics of Cross-Border Data Transfer in the UAE

    An equally complex and contentious issue in data protection is the cross-border transfer of personal data to other parties for subsequent processing and use. As noted earlier, the strict regulation of this issue follows from the nature of personal data, namely its vulnerability and its close association with the data subject's personality.

    The UAE's distinctive feature here follows from the country's territorial organization: each free zone is treated as a separate jurisdiction for data protection purposes. From the perspective of the free zone laws, transferring data to mainland UAE (or to another free zone) is therefore a cross-border transfer. Businesses need to understand this, because non-compliance with the transfer rules can result in significant reputational damage as well as substantial financial penalties.

    Another feature of the local approach to cross-border transfer is that the legal grounds for transferring data to other countries are not uniform: they are set out both at the federal level and at the level of each free zone, and they differ between them.

    Firstly, the most universal and transparent basis for cross-border transfer is an "adequacy decision." An adequacy decision is a determination by the authority of the transferring jurisdiction (for example, a free zone's Data Protection Commissioner, or the UAE Data Office at the federal level) that another jurisdiction's level of personal data protection, processing regime, supervision, and enforcement corresponds to its own. Adequacy decisions predate the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems ("Schrems II"), but that judgment, which invalidated the EU-US Privacy Shield adequacy decision and required exporters to assess the law of the destination country before relying on contractual safeguards, shaped the current emphasis on adequacy and on transfer risk assessment. Today, transfer under an adequacy decision is the most universal method of ensuring protection in cross-border transfers, but not the only one.

    Secondly, cross-border transfer in the absence of an adequacy decision can be carried out with the explicit consent of the data subject.

    Thirdly, a transfer may rely on appropriate safeguards, under which the controllers (both the one transferring and the one receiving the data) undertake to maintain an effective level of personal data protection in accordance with the national legislation of each. The specific feature of this basis is that the parties have discretion in agreeing such an instrument, while its legal approval varies by jurisdiction: in the ADGM free zone, not all appropriate safeguards require approval from the Data Protection Commissioner, whereas in DIFC the safeguards are not valid without such approval. Common appropriate safeguards include binding corporate rules (an instrument similar to an internal code of conduct that binds its signatories and is most commonly used for transfers within a group of companies located in different parts of the world) and standard data protection clauses included in contracts (the free zones publish approved clauses that can serve as the basis for a specific agreement).

    It is important to understand that appropriate safeguards are not absolute. Even with signed assurances that each party understands the other's circumstances, the risk of violating data subject rights or data transfer procedures remains, often because the parties' jurisdictions have reached different levels of data protection regulation. Aware of this, European and local legislators are developing methodologies for assessing the risk of compliance or non-compliance with legal, technical, and organizational requirements during a transfer (a due diligence assessment). The DIFC free zone has developed the Ethical Data Management Risk Index (EDMRI), which lets the transferring party establish quickly, effectively, and in full compliance with regulatory requirements what to expect from the counterparty. The index assesses not only the regulatory requirements and risks of the counterparty's jurisdiction but also the counterparty's own propensity to comply with those requirements. This methodology could also be used at the federal level and in other free zones, with adjustments for the peculiarities of each jurisdiction.

    Cross-border transfer of personal data is therefore an extremely challenging task from a compliance perspective. It requires careful methodological development of the agreements and, most importantly, confidence that no fatal error will occur during the transfer that could cost the company its reputation and lead to significant financial consequences.

    Liability of Entities in Personal Data Protection and Financial Costs for Businesses

    The European GDPR is well known for its multimillion-euro fines calculated as a percentage of the violator's turnover. The UAE takes a different approach and does not impose turnover-based fines for non-compliance with data protection laws. Moreover, at the federal level there are as yet no specifics on the maximum or minimum fine amounts or on how fines are calculated. It is likely that the UAE legislator will eventually adopt a similar system, since turnover fines are a fairly effective measure, although, judging by the violations still committed by European companies, they do not fully eliminate data protection violations. Given the relative novelty of the issue, we can expect a surge in violations and, consequently, rapid development of legislation not only in Europe but also in the UAE.

    The free zones ADGM and DIFC have regulated liability for data protection violations more concretely by setting maximum fine limits: in ADGM, fines may not exceed USD 28 million; in DIFC, administrative fines may not exceed USD 100,000.

    DIFC regulation has a unique feature in the imposition of fines: there are two types, administrative and general. Administrative fines are capped and relate to violations of data subjects' rights. General fines are provided for large-scale and serious violations, such as a company unlawfully processing and disseminating special category personal data. Liability is assessed not only by the damage caused but also by the duration and systematic nature of the violation. Additionally, DIFC provides for public reprimands issued by the Data Protection Commissioner, which can have very negative consequences for the company's future activities, for example a fall in the share price of a publicly traded company.

    Companies registered in the free zones discussed in this article should remember that operating in these territories entails not only obligations towards data subjects, counterparties, and the supervisory authority in the processing and protection of personal data, but also a financial obligation known as the data protection fee. Companies established in these free zones must apply to the supervisory authority for registration as a controller or processor and pay an annual fee of USD 300 in ADGM and between USD 10 and USD 500 in DIFC (in DIFC the fee can rise to USD 1,250 in certain cases). If a company registers and immediately applies to process personal data without paying these fees, the registration cannot be completed.

    The fine system should be adapted to the specifics of the violations committed by controllers and processors. The DIFC approach and the European approach, where each violation carries a specific fine, therefore seem appropriate. Given the absence of case law in the UAE, lawyers and businesses are closely watching the development of data protection legislation in this region, which is among the most advanced and responds to most of the global challenges in business, economics, and law.

    Conclusion

    This article aims to draw businesses' attention to the specifics of the regulation of personal data processing and protection in the UAE. The UAE jurisdictions have features that distinguish personal data processing from the European region and other jurisdictions. Businesses developing in the UAE need to understand and adapt to these features and, most importantly, continuously monitor changes. As lawyers and entrepreneurs, we observe and participate in the formation of personal data legislation in the United Arab Emirates, which will continue to evolve and transform in response to global challenges.
