
UAE: What Businesses Need to Know About Personal Data Protection

The February issue of Legal Insight magazine published an article by Ratmir Proskurnov, head of the international practice, and lawyer Valeria Doskovskikh on the protection of personal data in the UAE.
Companies entering the UAE market often pay too little attention to the protection of personal data, which can have negative consequences, including large fines.

Typically, a company does not realize that its activities directly involve the processing and use of personal data and therefore require compliance with local legislation in this area. In the article for Legal Insight magazine, the head of the international practice Ratmir Proskurnov and lawyer Valeria Doskovskaya have gathered the information needed to identify potential risks and to develop a methodology for managing personal data.

Each of the several jurisdictions within the UAE (mainland, offshore, and free economic zones) may apply its own sectoral regulation. Regulation of personal data management and protection exists both at the federal level (Personal Data Protection Law, PDPL) and at the level of the free economic zones, which have their own acts. The article provides a comparative analysis of the PDPL and the laws of the free economic zones Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), and discusses the legal aspects of compliance in the field of personal data protection.

The UAE legislative system combines elements of continental, Anglo-Saxon, and traditional legal systems. However, Shariah norms have not affected the legislation on personal data protection (hereinafter PD). Its main feature, at both the federal level and in the free economic zones (hereinafter FEZ), is its similarity to the GDPR. The PDPL is an equivalent of the GDPR but with stricter requirements for controllers. As of January 2024, no disputes concerning violations of the PDPL had been considered by the courts of the UAE.

Regulation in each free zone is a set of individual rules for a specific sector of the economy, based on the common law system or on a combination of the Anglo-Saxon and continental legal systems. For example, the ADGM and DIFC zones state in their official documents and releases that they are guided by the common law system. Free zones often impose requirements on the parties involved in the processing, transmission, and other use of personal data that differ from those of federal legislation, as well as their "own" sanctions for violating them. For example, in the ADGM free zone the protection of personal data is governed by the Data Protection Regulations 2021 (DPR), in the DMCC free zone by the federal PDPL, and in the DIFC zone by the Data Protection Law 2020 (DPL).

However, not all free zones have developed their own personal data protection regulations; where none exist, the provisions of the PDPL apply. Correctly determining the applicable law is the foundation of risk management in this area.

Boundaries and principles of the legislation on personal data in the mainland and free zones

Personal data legislation establishes the principle of extraterritoriality: the PDPL, DPR, and DPL apply to controllers and processors, as well as to data subjects, regardless of whether the processing takes place in a free zone or on the UAE mainland.

This principle applies to the processing of data:

  • of a subject who is a resident of the UAE (the controller and processor need not be located in, or process personal data within, the UAE);
  • by a controller or processor located in the UAE, while the data subject is outside the country;
  • that is directly related to a company located in a free zone or on the mainland;
  • that is related to the earnings of the company carrying out the processing, located in a free zone or on the mainland (the data subjects need not be located in the UAE).

A special place in understanding local data protection legislation is given to the concept of permanent establishment. A legal entity can operate outside the jurisdiction in which it is established: through branches and subsidiaries, businesses operate worldwide and process personal data in different jurisdictions. Given that UAE data protection legislation follows GDPR principles, attention should be paid to the clarifications of the Court of Justice of the European Union (CJEU). To determine whether a branch or subsidiary belongs to a specific jurisdiction, the CJEU established a three-step test in the Weltimmo case (2015). If the processor or controller answers the questions of this test in the affirmative, the branch, subsidiary, or enterprise must comply with the national legislation of the state in which it is established. In the DIFC free zone, the concept of permanent establishment is inseparably linked to the obligation to notify the PD Commissioner of the commencement of processing and to pay the prescribed fee, with a penalty imposed for non-payment.

When starting operations in a new location in the UAE, local regulations on the processing and protection of personal data must be complied with, since the activities of subsidiaries and permanent establishments are supervised by the local regulatory authorities regardless of where the parent company is established.

Features of personal data processing and mechanisms for preventing violations

The obligation to obtain explicit consent from the data subject, and the requirement that the controller establish the position of Data Protection Officer (DPO), apply uniformly in all jurisdictions of the UAE. The DPO is personally responsible for violations related to the processing of personal data and is charged with preventing violations in the processing and protection of such data.

A DPO should be appointed if:

  • the processing of personal data may pose a high risk to the confidentiality and privacy of the data subject;
  • the processing is systematic and carried out using automated means;
  • a significant volume of special category data is processed.

The establishment of the DPO position in the FEZ is justified not only by the unique data processing carried out by a state entity incorporated in a free economic zone, such as the Dubai Financial Services Authority, but also by direct instructions from the authorized supervisory authority.

An important issue when appointing a DPO is where to draw the boundaries of assessment categories such as "high risk" and "significant volume". One of the DPO's responsibilities is to systematically conduct a Data Protection Impact Assessment (DPIA), a measure aimed at identifying and analyzing risks of violations of privacy and confidentiality.

The federal PDPL does not define the concept of high risk. It is defined in the ADGM free zone law, which introduces the criterion of potential physical, material, or immaterial harm to data subjects; no other law singles out physical harm as a potential risk to data subjects. In the DIFC, "high risk" is interpreted even more broadly, namely as the presence of one or more of the following criteria when processing personal data:

  1. the processing uses new technologies or methods that create risks to the security and rights of the data subject (for example, if a company stores personal data in a blockchain or uses artificial intelligence to process it, DPIAs should be conducted on a systematic basis);
  2. the processing involves a significant amount of personal data (the law does not set the volume that counts as significant, but the DIFC regulation gives examples of applying this criterion to a specific case, for instance a company employing several hundred employees; a similar requirement applies to an outsourcing company entrusted with processing personal data of the principal's employees and clients). This criterion is also mandatory if the company holds banking details and copies of official documents of data subjects;
  3. the processing is carried out by automated means, and its results have significant legal effects for the data subject;
  4. the processing involves a substantial amount of special category data (e.g. religious beliefs, health status, etc.).

The specifics of cross-border personal data transfer in the UAE

One distinctive feature of the UAE in this matter is also related to the concept of extraterritoriality: from the perspective of the free zones, a transfer of data to the UAE mainland is treated as a cross-border transfer. It is important to understand this, as non-compliance with data transfer rules can lead to significant reputational risks for the company as well as substantial fines.

Another characteristic is the lack of a common understanding of the lawful bases for transferring data to other countries, which are established both at the federal level and within the free zones.

First, the universal and most transparent basis for cross-border data transfers is the adequacy decision. It is an agreement between jurisdictions (for example, between a free zone and a state) that the level of personal data protection and the regime of processing, control, and verification in the receiving jurisdiction correspond to the level of protection provided by the jurisdiction transferring the data. Currently, transfers under an adequacy decision are the most universal, but not the only, way to ensure protection in cross-border data transfers.

Second, in the absence of an adequacy decision, cross-border transfers can be made with the explicit consent of the data subject.

Third, a cross-border transfer may be carried out on the basis of appropriate safeguards, by which the controllers (data senders and recipients) undertake to maintain an effective level of personal data protection in accordance with the legislation of each state. What is specific to this basis is the discretion exercised in approving and lawfully endorsing such a tool. For example, in the ADGM free zone not all appropriate safeguards require the approval of the data protection commissioner, while in the DIFC, by contrast, safeguards are invalid without the commissioner's approval. Appropriate safeguards usually include binding corporate rules (a tool similar to an internal code of conduct that binds its signatories and is often used for data transfers within a group of companies located in different parts of the world) and standard data protection clauses included in the contract (approved provisions that can serve as the basis for a specific agreement are actively shared in the free zones).

It is important to understand that appropriate safeguards are not absolute, even where the counterparty has signed assurances that it is aware of the risk of violating data subjects' rights or data transfer procedures. With this in mind, European and local legislators are working on a methodology for assessing the risks of non-compliance with legal, technical, and organizational standards in data transfers (due diligence assessment). Cross-border transfer of personal data requires thorough methodological development of the agreements being drafted, as mistakes can affect the company's reputation and lead to negative financial consequences.

Responsibility of subjects under personal data legislation

As is well known, the European GDPR is famous for its turnover-based fines running to many millions, introduced as a measure of accountability for violators. In the UAE, turnover-based fines are not established at the federal legislative level. Moreover, at this level neither the maximum nor the minimum amount of a fine, nor the method of its calculation, is specified.

The ADGM and DIFC free zones have defined maximum penalties: in the ADGM, the penalty may not exceed $28 million; in the DIFC, $100,000. In the DIFC there are two types of penalties: administrative and general. Administrative penalties have their own limits and relate to violations of data subjects' rights. General penalties are provided for large-scale and significant violations, for example when a company unlawfully processes and disseminates personal data belonging to special categories. In addition, as already noted, the DIFC free zone provides for public reprimands initiated by the Commissioner for Data Protection, which can have extremely negative consequences for the company's further activities, such as a fall in the share price of a publicly traded company.