New data protection law in UAE
Highlights of UAE Data Protection Law
This new law, which came into force on 2nd January, 2022, has various key ingredients to elaborate in detail. These ingredients are explained by taking cues from the top lawyers of USE
1. Extra-Territorial scope
The application of this new law is extended to both the types of companies;
- A registered company of UAE processing Personal data overseas;
- An overseas company processing personal data within UAE
However, the jurisdiction is not accorded by the legislation relating to the government entities, personal data already regulated by Abu Dhabi Global Market (ADGM) or Dubai International Financial Centre (DIFC) data protection laws.
Data processing Controls
In the new law, the processing mechanism of personal data is in line with the best Industrial standard, such as the GDPR in the European Union (EU). While processing, one of the essential conditions is that the process must be fair, transparent, and lawful in nature. The personal data should be taken only to the extent of basic requirements stipulated under the new law. Further, personal data must not be retained after the purpose of processing has been fulfilled, unless it is anonymised
The importance of consent
In the new law, it is explicitly provided that for processing the personal data, the consent of the user must be obtained. For constituting a valid consent, the following elements should be satisfied
- The data controller must be able to prove custom
- The consent must be simple, clear and unambiguous.
- The consent may be either in writing or electronically
The new law conferred various kinds of rights to the data Subjects, such as
- Accessing the personal data from a controller
- Transferring of the data
- Restricting the processing mechanism in certain situation.
- Filing objections to various kinds of data processing
In the new law, a well dedicated mechanism is set up to facilitate the transfer of personal data outside the UAE where the Data Office has approved a country or territory as having specialised personal data protection. However, if it appears that an adequate level of data protection is not available, the transfer would be governed by an agreement having all the necessary provisions.
The penalties for non-compliance with this new law will be in accordance with the Executive Regulations, which are due to be released in March 2022.