The United Arab Emirates announced that would introduce a new federal data protection law. The Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.

Existing regulation of data protection differs between free trade zones and the remaining onshore areas of the UAE. Onshore areas are under federal jurisdiction, while the free trade zones are empowered to create their own legal and regulatory framework for all civil and commercial matters.

Existing data regulation

  • Dubai International Financial Centre (“DIFC”).
  • Dubai Healthcare City (“DHCC”), both free trade zones in the Emirate of Dubai
  • Abu Dhabi Global Market (“ADGM”), in the Emirate of Abu Dhabi, have formal data protection regimes.

At present, there is no unified set of privacy or data protection laws at the federal level and there is no single national data privacy regulator. While there are UAE laws that provide general rights to privacy, the concept of processing or transferring data is not extensively regulated for companies operating outside of the DIFC, DHCC or ADGM.

General rights to privacy in the UAE include:

UAE Constitution addresses privacy by providing that freedom of communication by post or other means of communication and the secrecy thereof is guaranteed in accordance with the law. UAE Penal Code prohibits those who have access to an individuals’ personal data from disclosing or publicizing that information.

The Data Protection Law will “guarantee personal privacies and the ability for the private sector to grow, innovate, and prosper. It gives individuals the right to be forgotten, the right of access, the right of correction, and the right to be informed.”

The Data Protection Law is a step towards establishing a data protection regime in the UAE that would provide an adequate level of protection for the purposes of data transfers from the European Union and other regulated jurisdictions.