Awatif Mohammad Shoqi Advocates & Legal Consultancy
Introduction:
Data protection is paramount for preserving individual privacy and ensuring the responsible handling of personal information. In the UAE, the legal framework for data protection is established by Federal Decree-Law No. 45/2021 on the Protection of Personal Data (Data Protection Code) and Federal Decree-Law No. 34/2021 concerning the Fight Against Rumours and Cybercrime. This article delves into the key principles and regulations governing personal data protection in the UAE, focusing on the mechanisms in place to prevent data breaches and uphold privacy.
Federal Decree-Law No. 45/2021: The Data Protection Code
The Data Protection Code provides a comprehensive framework for the protection of personal data in the UAE. Key definitions under Article 1 of the Data Protection Code include:
- Data: Information processed by humans or computers, whether organized or unorganized, including numbers, words, and images.
- Personal Data: Information that identifies or makes an individual identifiable, including sensitive personal data and biometric data.
- Sensitive Personal Data: Private details such as family background, beliefs, criminal records, or health information revealing physical, psychological, or sexual conditions.
- Biometric Data: Unique personal data resulting from specific processing techniques confirming identification through physical, physiological, or behavioural characteristics, such as facial images or fingerprint data.
Data Protection Measures: Articles 17 and 18 grant individuals the right to object to personal data processing, with exceptions for consent, contractual obligations, or legal requirements under Article 6. Controllers, responsible for managing personal data, must establish clear communication channels for data security. The law mandates technical and organizational measures, including encryption and pseudonymization, to ensure data protection.
Assessment and Transfer: Article 21 requires controllers involved in high-risk processing to conduct an effective assessment, evaluating potential privacy risks. Article 22 allows for the transfer of personal data outside the UAE under special circumstances subject to Data Office approval. Article 23 provides guidelines for data transfer outside the UAE, differentiating between cases with and without adequate protection.
Regulatory Mechanisms: Article 24 authorizes individuals to file complaints with the Data Office for alleged data protection violations. The Data Office can investigate and impose administrative penalties for proven violations. Concerned parties may submit grievances against Data Office decisions to the Office General Manager within 30 days. Administrative penalties may be issued by the Cabinet based on the Office General Manager’s report.
Federal Decree-Law No. 34/2021: Combatting Rumours and Cybercrime
Federal Decree-Law No. 34/2021 addresses breaches of personal data and information, establishing strict penalties for unauthorized access and misuse:
Article 6 – Breach of Personal Data and Information:
- Unauthorized access, acquisition, modification, damage, disclosure, leakage, cancellation, deletion, copying, publication, or re-publication of electronic personal data or information using information technology may result in detention for not less than six months and/or a fine of AED 20,000 to 100,000.
- If the data or information relates to medical records, bank accounts, or e-payment methods, the penalties may be aggravated.
- Receiving, keeping, storing, or using such data while knowing that it was obtained illegitimately shall also result in detention and/or a fine.
Article 44 – Disclosure of Secrets and Privacy Breach: Unauthorized use of information networks or technology to breach privacy or family life may lead to detention for not less than six months and/or a fine of AED 150,000 to 500,000. This includes:
- Eavesdropping, recording, communication, transmission, or disclosure of conversations or materials.
- Taking or spreading photographs or electronic images without consent.
- Spreading news, images, or information to harm a person.
- Publishing photographs of casualties or victims without permission.
- Tracking or disclosing geographical data of third parties.
- Altering or processing recordings or images to defame or abuse another person may result in detention for not less than one year and/or a fine of AED 250,000 to 500,000.
Conclusion:
The UAE’s legal framework for data protection, including Federal Decree-Law No. 45/2021 and Federal Decree-Law No. 34/2021, ensures robust measures to protect personal data and privacy. These laws emphasize the importance of responsible data handling and establish stringent penalties for breaches and unauthorized access.