Data Protection Law has evolved to guarantee the sanctity of personal data. This is primarily due to the increased contours of data usage in the digital ecosystem occasioned by digital trade and technology utilization. Its importance, therefore, accounts for the reason it is considered the oil of the digital economy. The need to regulate its usage, processing, transfer, and security underscores the enactment of Data Protection Laws in different countries. The most comprehensive of these laws is the General Data Protection Regulation, applicable in the EU. Since its enactment on May 25, 2018, several other countries, especially in Africa and Asia, have replicated the same. In 2018, Nigeria’s Technology regulatory agency enacted a data Protection Regulation (NDPR), and in 2021, the government of Dubai drafted its first federally applicable Data Protection Regulation which came into force in 2022. This paper focuses on the importance of the GDPR in the UAE.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
Data Protection Regime In The UAE
Data Protection has been a central part of the UAE’s policy regime. This assertion is underscored by the numerous related privacy and data protection laws including the consumer protection law, laws on the protection of health data and information, the electronic transactions and trust services Law as well as section 31 of the UAE’s Constitution which guarantees the confidentiality of information. In 2015, the government of Dubai passed the Dubai Data Law amongst whose objectives is the data protection and individual privacy. Notwithstanding, the law was not comprehensive as it failed to meet with international best practices, excluding for instances certain data protection rights and conditions for cross-border transfer. Similarly, the onshore as opposed to the freezones had a low compliance data protection level which was tied to the absence of a standalone data protection regime and practices.
To remedy the situation, The UAE issued a landmark federal data protection law on 20 September 2021, known as the Personal Data Protection Law which came into effect on 2 January 2022. The new law has been received with open arms as it aligns with global practices and provides more clarity in relation to the collection, processing and transfer of personal data in the UAE. It should be emphasized that the law does not cover personal health data and information, or personal banking and credit data and information where there is separate legislation covering such personal data and information. The Law also does not apply to UAE free zones, such as the Dubai International Financial Centre and the Abu Dhabi Global Market that have their own data protection laws.
Importance Of The GDPR In The UAE
It must mentioned that Data protection prior to the enactment of the standalone Personal Data Protection Law was governed by different laws relating to data protection such as Cybercrime Laws etc. A major influence to the enactment of the PDPL has been the GDPR. First, in the bid to keep pace with best practices, many jurisdictions within the UAE had reformulated their laws. For instance, the Dubai International Financial Centre and the Abu Dhabi Global Market amended their data protection laws to bring them in line with the EU’s GDPR. One of such is the definition of the personal data and the objectives of the data processor and controller which are very similar to that found in the GDPR. Similarly, certain features including the definition of consent and its exceptions are also incorporated in the new law. This is quite important considering the economic growth and the current commercial wave in the UAE. The idea of consent, its request and exceptions therefore have to be fully elucidated, although with a few challenges such as difficulties to be faced by investigators in collecting data without the subject’s consent. This, it is believed will be addressed by the Executive regulations.
Much more of the GDPR’s influence in the UAE Data Protection regime is that it enabled the UAE drafters to easily adopt essential principles of data protection such as purpose limitation and data minimization. In essence, the data provided by data subjects (employees etc) should be used for the required purpose and within a specified time. In line with the GDPR, the law also provides a mechanism for the reporting of data breach which must be directed to the controller by the processor, and then swiftly to the Data office and the data subject by the controller. The measures undertaken to salvage the breach must also be stated. Similarly important is that the GDPR's standards of cross-border transfer of personal data were fully incorporated in the new law, allowing the Data Office to regulate and carryout due diligence in the transfer of data across borders. Countries not having the required and adequate data Protection system are restricted from such transfers. Additionally, like the GDPR, the law has an extra-territorial effect as its covers the processing of data belonging to UAE’s citizens and holds such controller responsible in the event of breach.
In general, the UAE like every other developing nation found a great deal of inspiration from the GDPR. The importance of having a harmonized and federally applicable data protection law in a commercial center like the UAE cannot be overemphasized. From a clear adoption of data protection principles to the detailed provisions relating to the collection and processing of data, the GDPR proves important. As Data Protection is a global practice and not peculiar to a culture or race, it is hoped that jurisdictions will collectively improve the data protection regime in the bid to ensure its sanctity.