The United Arab Emirates in Jan 2022 has introduced its Personal Data Protection Law frameworks to protect the privacy of individuals and secure their information. This law provides a robust governance framework for data protection in UAE, which upholds individuals’ right to privacy. Though it is symmetric to the European union’s GDPR, this law imbibed some authentic clauses to suit the needs of UAE smart cyber architecture. This law will come into effect by March 23, 2022. According to the law, the data controllers got 1 year from the date of effect to get compliance with the new data protection law. Unlike GDPR, UAE’s data protection is not a unified regulation. Several other regulations are preceding recent data protection laws which are mostly sector-specific like Telecommunication and Digital government regulatory authority (TDRA). This particularly makes the UAE’s data protection compliances much more effective and also complex.

1. Central Banks consumer protection regulation

On 31st December 2020, the UAE Central Bank published its Consumer Protection Regulation. It applies to all Central Bank Licensed Financial Institutions, which had one year to ensure their compliance. Central Bank Law requires that all data and information related to customers should be considered confidential. the Consumer Protection Regulation requires that Licensed Financial Institutions must collect the minimal amount of Consumer Data and information needed in respect to their licensed activities and remain in compliance with all other related laws and treat Consumers’ information relationships and business affairs as private and confidential.
The Central Bank Consumer Protection Standards outline detailed requirements regarding how licensed financial institutions must comply. These standards include Licensed Financial Institutions.
  • having a proper Data Management Control Framework
  • using secure digital transaction processing and controls
  • designating responsibility and accountability for the data management and protection function to a senior position in management who reports directly to senior management.
  • ensuring personal data is:
    1. collected for a lawful purpose directly related to the Licensed Financial Activities of the Licensed Financial Institution.
    2. adequate and not excessive in relation to the stated purpose.
    3. collected with appropriate security and protection measures against unauthorized or unlawful processing and accidental loss, destruction, or damage.
  • notifying consumers before requesting consent to share consumer personal data.
  • obtaining the express consent of consumers before use or sharing of their data.
  • retaining all personal data, documents, records and files securely for a minimum of 5 years.
  • notifying the Central Bank of any material data breaches, losses, destruction or alteration when they occur.

2. Central Bank "Stored Value Facilities" Regulations

 The term ‘stored value facility (SVF) covers any non-cash facility through which a customer pre-pays money (or ‘money’s worth’) so that they may subsequently use that payment method to pay for goods or services. This is one of a kind innovative framework to regulate the stored value and electronic payment systems. Central Bank of UAE is the SVF licensing authority and looks after the protection of consumer data assessment. SVF framework plays a major role in the regulation of crypto assets. With crypto being recognized by several world organizations, it’s a proactive approach to regulating the crypto space. SVF regulations have explicitly mentioned the limitations of overseas SVF service providers. Furthermore, this regulation enacted stringent cyber resilience and data protection frameworks to protect the information of UAE residents. An SVF Licensee must store and retain all customer and transaction data for five years from the date of the creation of the customer data, or longer if required by other laws.

3. ICT Health care Laws and Regulations

 Information and technology are playing a crucial role in delivering efficient healthcare services. Also, IT helps in better management of healthcare data which provides a better mechanism to access, process and storing of healthcare data. some of the key features of ICT Healthcare regulations are:
  • It established a centralised Health data exchange system that is safe and secure.
  • It shall hold entities processing health data responsible for data security. Also, the data is made accessible to authorities concerned with this law.
  • This law provides some exceptions to health care providers to share health data without the consent of a data principal in cases such as
        • Scientific research
        • Insurance requirements
        • As a health preventive measures
        • When ordered by a judicial authority
  •  The ICT Health Law states that Health Data cannot be stored, processed, generated, or transferred outside of the UAE unless the activity has been approved by a resolution of a health authority or the Ministry. Non-compliance may also attract heavy monetary penalties.
  • The ICT Health Law requires that Health Data must be kept for a minimum of 25 years from the date on which the last health procedure was performed on the patient.

4. Dubai Data Law

 Dubai data law emphasises a mechanism to share the data gathered within Dubai, among the entities both private and public to enhance the business opportunities for Business firms, investors and visitors to Dubai city. The primary aim of the law is to ensure a transparent exchange of data that include the best international data privacy practices. The Dubai Data Law provides that Dubai data shall be published and exchanged via an electronic system, bulletins, reports, and any other means determined by a Competent Authority. Interestingly, the Dubai data is deemed to be a state asset and the Data provider is responsible to handle the data exchange and dissemination according to the prescribed regulations in Dubai data law.

5. Personal Data Protection Law

 Apart from the other data protection regulations, UAE on Jan 2, 2022, published its  Personal Data Protection Law to protect individuals’ right to privacy and information. This data protection law provides enhanced standards and controls for the processing of data by controllers and processors. We Discuss here some brief provisions included in PDPL
  •   PDPL has constituted some basic guiding principles on analysing security architecture like 
                          1.Biggest vulnerabilities in the security arena
                          2.Role of training of employees in security preparedness, reporting and incident management
                          3.Role of Incident management policy
  •  Development of Incident Management plans with effective procedures to reduce the risk of personal data leak and efficient standard procedure to tackle the data breach.
  •   According to the law, the controllers and processors shall ensure that there is effective training of personnel working with data to ensure they identify the deep vulnerabilities and any data breach that occurs. Also, to react with swift response to any hacking events.
  •   If there happens any personal data breach, the controller and processor shall immediately notify the Data Protection commissioner describing the nature of the breach including the scale and range of personal data leaked, possible consequences of the data breach and measures taken to mitigate the impact of the data breach. Further, the breach is communicated to the data principal.
  •   GDPR constitute some different procedure to notify the concerned authority, the timeframe and the necessity to intimate the data principal. 
  •   PDPL applies to personal data of people residing in UAE, data processed by controllers and processors based in UAE, offshore controllers and processors processing personal data of data principals residing in UAE.
  •  The PDPL introduces rights for individuals to access, rectify, correct, delete, restrict processing, request cessation of processing or transfer of data, and object to automated processing.
To Conclude, UAE is the most cyber targeted country in MENA Region. PDPL is a regulation in the right direction that increases the security stature of the country and the business environment. The PDPL keeps intact the existing data protection and privacy laws within the UAE’s financial free zones, DIFC and ADGM, as well as the rules of the Dubai Health Care City, as well as applicable onshore laws regulating health data and banking and credit data. As much of the PDPL regulations were drawn from the EU’s GDPR, it facilitates Business entities in UAE and the International Business operators a smooth compliance experience.