by CIO Middle East staff

How UAE’s new data law will change the way enterprises use personal data

News Analysis
Sep 28, 2021

The UAE's planned data law will address privacy concerns, placing limits on entities seeking to profit from personal data, and is expected to have far-reaching consequences for enterprises.


The UAE's plan to introduce a new data law that addresses privacy concerns and places limits on entities seeking to profit from personal data is expected to have far-reaching consequences for enterprises.

Although free zones operating within the country, such as the DIFC (Dubai International Financial Centre) and ADGM (Abu Dhabi Global Market), have their own data protection regulations, the UAE does not currently have a uniform federal law to govern data privacy and protection.

The new law, announced earlier this month, is still being drafted. A UAE minister has told local media that the new set of regulations will have a low cost of compliance, in particular so as not to burden small and medium enterprises (SMEs). 

Nevertheless, individuals will have a series of rights, with which enterprises must comply, according to Omar Al Olama, the UAE minister of state for digital economy, AI and remote working systems.

Enterprises will be allowed to monetize personal data as long as they have user consent, he said. Individuals “have so many rights within this law — individuals have the right to be forgotten, have the right of access, the right to information,” Al Olama was quoted as saying in media reports.

The new legal framework, however, will allow enterprises to work effectively in the global data marketplace, clearing the way for international companies based in the UAE to operate data transfers effectively across borders, industry insiders said.

The new law will essentially unify all existing regulations into one federal law. This “will streamline compliance for companies across all sectors of the economy, making it easier for them to do business anywhere in the UAE,” said Nicolai Solling, chief technology officer at UAE-based cybersecurity firm Help AG. “It will also bring the UAE’s data regulations in line with global best practices, making it easier for multinational corporations to conduct business within the UAE,” he said.

Apart from protecting individual privacy, the new law will reassure the public that the data they share with businesses, such as personal details, transaction records and employment profiles, will not be misused by third parties for fraudulent purposes, Solling added.

The newly announced data law is by no means the UAE’s first attempt at regulating personal data usage. Among regulations introduced in the past, the Federal Decree-Law No (5) of 2012 stands out most prominently. This law made it illegal to disclose any information obtained by electronic means if such information was procured in an unauthorized manner. It also makes a person liable if they use an electronic information system to offend another person or invade their privacy.

More recently, a regulation was introduced that called on financial enterprises to protect customer data. The ‘Stored Value Facilities’ (SVF) regulation, which came into effect in November 2020, makes amendments to the licensing and enforcement regime for SVF on mainland UAE; it does not affect the DIFC and ADGM free zones. The UAE defines SVF as a facility that accepts a sum of money or monetary equivalent (that may include crypto assets or virtual assets) in exchange for the storage of the value of that money or monetary instrument.

The law, which mandates that customer data should be stored and maintained in the UAE, also says such data can only be made available to the corresponding customer, the central bank, or other regulatory authorities following prior approval.

Enacting laws is one thing, but ensuring that enterprises comply with the rules is a different matter altogether. The UAE’s cybersecurity firms can play a role here by managing data security and compliance for enterprises. “We would ensure that the data management and protection protocols in place are not only compliant with the UAE data laws, but also in line with global best practices,” said Solling.

This might be even more crucial in a country like the UAE, where policies tackling consumer data are not well defined at the enterprise level and, even where they are, are rarely enforced. Nearly all (99%) of the UAE’s enterprises use third-party trackers and ad platforms. However, only 68% of respondents have well-defined and documented policies for customer data privacy and a mere 8% strictly apply them, according to a survey by technology firm Zoho. “This rampant use of third-party trackers in the business space has severe ethical and privacy implications because of the enormous amounts of customer data being gathered through them,” said Hyther Nizam, Zoho’s MEA president, in a report. Nizam added that large companies behind third-party trackers could combine data collected across different websites and build comprehensive individual profiles for hypertargeted advertising.