What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The United Arab Emirates (UAE) does not currently have an overarching national data privacy law. That said, there are a few federal laws which touch upon privacy-related subjects. In addition to federal laws, the UAE has free trade zones (also called free zones), which are business regions permitted to have their own set of laws that apply within the zone. Areas outside the free zones (i.e. the majority of the country) are typically referred to as "mainland" or "onshore" for legal purposes. In the mainland, the UAE legislates at a federal government level and also at a local Emirate (e.g. Abu Dhabi, Dubai, etc.) level.
While each free zone may have its own regulations, the federal UAE laws will generally also apply, except when explicitly excluded under the law of the relevant free zone. Note that general mainland criminal laws will usually apply in free zones.
Data protection related laws at the federal level include:
- Federal Law No. 3 of 1987, Penal Code (as amended), Arts. 378 and 379 – Sets penalties for the violation of private or family life without consent, such as when an individual “lends his ears, records or transmits, through an apparatus of any kind, conversations that took place in a private place or through the telephone or any other apparatus” or, if someone “Captures or transmits, through any kind of apparatus, the picture of a person in a private place.” Penalties can also be imposed if an individual divulges a secret unlawfully for personal interests or for the interests of another person without authorization. This law is not typically used to prevent normal business activities, but when operating onshore it is prudent to obtain the consent of individuals when collecting or sharing their data in order to establish a legal basis.
- Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields (ICT Health Law) – Ensures the safety and security of health data information that may be attributed to the health sector. This law places strict limits on the international transfer of health data protected under the ICT Health Law.
- Federal Law No. 5 of 2012 on Combatting Cybercrimes (as amended by Federal Law No. 12 of 2016 and Federal Decree Law No. 2 of 2018) – Includes financial and detention penalties for the invasion of privacy, including transferring information, disclosing information and making copies without authorization or a lawful basis for doing so. There are also penalties for using electronic information systems and technology to amend or process a “record, photo or scene for the purpose of defamation of or offending another person or for attacking or invading his privacy” (Art. 21).
Defamation can be a serious criminal offence in the UAE (not just under this law but also under other criminal codes and the Shariah concept of slander). Care should be taken not to use language which is offensive or highly negative in a subjective sense when discussing any individual. Reviews and appraisals should be treated as highly confidential and restricted to a need-to-know basis. Article 20 creates a criminal offence of insulting a person, or attributing to a person an incident that may make the person subject to punishment or contempt, by using an information network or information technology tool. It is good practice to remind employees to exercise discretion when commenting publicly on people, companies or public bodies. Negative posts about a person on social media, such as Facebook, can lead to criminal proceedings and custodial sentences.
The Cybercrimes law (Article 21) creates an offence of (in summary) assaulting the privacy of a person by overhearing or intercepting communications, capturing or transferring pictures of a person, or publishing news or comments about a person via an electronic system or network without lawful permission. On the mainland, this means that it is important to obtain the consent of any individuals you are publicly commenting on or featuring in pictures. It is important for employees to also understand these risks.
In order to monitor staff communications, employers should have a process for obtaining consent from employees. There are no particular rules or requirements around the form or content of the consent.
- Regulatory Framework for Stored Values and Electronic Payment Systems, published by the UAE Central Bank, 1/1/2017 – Gives the Central Bank the power to regulate digital payment mechanisms and infrastructures, including free trade zones (but excluding financial free zones). Under this regulation, licensed Payment Service Providers are responsible for maintaining the confidentiality of user identification and transaction records.
- Regulatory Framework for Consumer Protection, published by the UAE Central Bank in December 2020 along with accompanying standards in January 2021 – Introduces key data protection requirements for financial institutions licensed by the UAE Central Bank (LFIs) relating to protecting clients’ personal data. Under the Regulatory Framework, LFIs must, amongst other things, establish a department to: oversee and manage the protection of consumer personal data; implement retention policies and appropriate security measures to prevent the misuse of consumer personal data; and, in the event of a data breach, notify the Central Bank and affected consumers.
Free Trade Zone Laws
While the UAE doesn’t have an overarching data privacy law, some of the free zones do have their own data privacy laws which apply to employees who work within a particular free zone. Data protection laws in the free trade zones include:
- Abu Dhabi Global Market (ADGM) – The Data Protection Regulations 2021 replaced the Data Protection Regulations 2015 and set the core requirements for data controllers processing personal data in the ADGM. The Regulations, which are based on the European Union’s General Data Protection Regulation, apply to entities incorporated in the ADGM.
- Dubai Healthcare City (DHCC) – The Health Data Protection Regulation No. 7 of 2013 is designed to promote and protect patient health information in the DHCC.
- Dubai International Financial Centre (DIFC) – Data Protection Law, DIFC Law No. 5 of 2020 (effective July 1, 2020) replaces the DIFC’s original data protection law and applies to all companies within the DIFC, as well as to non-DIFC data controllers and data processors who regularly process personal data in the DIFC under stable arrangements. The law is based substantially on the GDPR.
Because there is no official data protection authority in the UAE, there is no overarching regulator for data privacy. The free zones with data protection laws have their own regulator responsible for enforcing them.