United Arab Emirates Allows Cross Border Data Flows of Personal Data
The United Arab Emirates’ Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) was issued on September 20, 2021, enacted on November 28, 2021, and entered into force on January 2, 2022. It is an overarching law that covers the storage and processing of personal data belonging to UAE data subjects, regardless of where the data controller or data processor is established. The PDPL does not apply to types of data for which other legislation is in place covering the regulation of that data, including government data or data processing by government authorities, personal data held by security and judicial authorities, personal health data, or personal financial data.
The PDPL is largely in line with international privacy practices. For example, it adopts the principles of lawfulness, fairness and transparency and specified legal bases for processing personal data, such as cases when consent has been granted, cases in the interests of protecting the data subject or public, and cases where a legal contract is in place. The PDPL establishes rights, such as the right to obtain information, the right to data portability, the right to correct or erase personal data, the right to restrict personal data processing, and the right to stop personal data processing in certain situations.
UAE Federal Decree Law No. 44 of 2021 is the basis for the establishment of a federal UAE Data Office. The UAE Data Office will be part of the Ministry of Cabinet Affairs and act as the federal data regulator for preparing policies and legislation related to personal data protection, proposing and approving standards for monitoring the Personal Data Protection Law, preparing systems for complaints and grievances related to personal data, and issuing guidelines and instructions for the implementation of the law. Implementing regulations for UAE Federal Decree Laws 44 and 45 are expected to be published during 2024 and go into force roughly six months after their enactment.
Articles 22 and 23 of the PDPL state when cross-border flows of personal data outside of the UAE are permitted, based on whether or not there is an adequate level of protection in each destination country. In particular, Article 22 of the PDPL states that when there is an adequate level of protection in another country, the transfer of personal data outside of the UAE may take place in the following cases when approved by the UAE Data Office:
- The state or territory to which Personal Data is transferred has Personal Data protection legislation in place, including the main provisions, measures, controls, requirements, and rules in relation to the protection of confidentiality and privacy of the Personal Data relating to the Data Subject and his ability to exercise his rights, and provisions relating to the imposition of appropriate measures against the Controller or the Processor through a regulatory or judicial entity.
- The State’s accession to bilateral or multilateral agreements in respect of Personal Data protection with states to which Personal Data is transferred.
Article 23 of the PDPL states that, in the absence of an adequate level of protection in another country, the cross-border transfer and sharing of personal data outside of the UAE for processing purposes may take place in the following cases:
- In countries where no data protection law exists, establishments operating in the country and in such countries may transfer data under a contract or agreement binding the establishment in such countries to the provisions, measures, controls, and conditions stated in the UAE PDPL and containing provisions relating to the imposition of appropriate measures against the controller or the processor through a supervisory or judicial entity in such country which is specified in the contract.
- The express consent of the data subject to the processing of personal data relating to the data subject outside the State in such a manner that does not conflict with the public and security interest of the country.
- The transfer is necessary for performing obligations and establishing rights before judicial entities or exercising or defending them.
- The transfer is necessary for the entry into, or the performance of, a contract between the controller and the data subject, or between the controller and a third party for the interests of the data subject.
- The transfer is necessary for the performance of an act relating to international judicial cooperation.
- The transfer is necessary for the protection of public interest.
Other federal laws in the UAE that cover personal data protection and privacy include the UAE Constitution of 1971, which sets out a right to privacy; Federal Law No. 15 of 2020 on Consumer Protection, which states that consumers have the right to the privacy and security of their data and establishes restrictions on its use for promotional and marketing purposes; Federal Decree Law No. 31 of 2021 on the Issuance of the Crimes and Penalties Law, which protects against the release of secrets and refers to the protection of privacy in the case of family life; and Federal Decree Law No. 34 of 2021 Concerning the Fight Against Rumors and Cybercrime, which covers the unauthorized accessing of personal data in information technology systems.
The passage of the PDPL creates transparency that will enable businesses involved in digital trade and services to implement and expand their business operations with greater predictability than ever before.
If U.S. companies are facing any specific data flow issue while doing business in the UAE, they can reach out to us for more information.
For more information, please contact Office.Dubai@trade.gov.