Blog

United Arab Emirates (UAE) Data Protection and Privacy Laws & Regulations

Posted by Biji Scaria on October 20, 2017 at 11:21

Introduction

In simple words ‘Data Protection’ can be defined as the law and/or regulation designed to protect your Personal Data or Personally Identifiable Information (PII), which is collected, processed and stored by companies, institutions etc. In this era where data security breaches happen almost daily, it is essential that data protection laws and regulations restrain and shape the activities of companies and other institutions.

The objective of this article is to give an overview of key UAE Laws and Regulations existing in mainland (DIFC has separate Data Protection Law) which will ensure that UAE citizens and residents personal information is protected. Its an attempt by the author and all data and information provided on this article is for informational purposes only and the accuracy, completeness, suitability, or validity of any information on this article must be validated individually before making any decisions.

Laws and Regulations

The definition of personal data must be looked in much broader terms than what’s defined in other countries where pictures, private messages etc can be also considered as personal data.

Overall Data Protection in UAE is governed by federal laws and regulations from UAE Central Bank & Telecommunications Regulatory Authority (TRA). These UAE Federal Laws and regulations contain various provisions in relation to privacy and the protection of Personal Data.

  • The Cyber Crime Law - Federal Decree Law no. (5) of 2012. The Cyber Crime Law criminalises obtaining, possessing, modifying, destroying or disclosing (without authorisation) electronic documents or electronic information relating to medical records (Article 7).
  • Article 31 of the UAE Constitution of 1971, which guarantees the right to secrecy of communications.
  • Penal Code (Federal Law No 3 of 1987 as amended)
  • UAE's Central Bank published the Regulatory Framework for Stored Values and Electronic Payment Systems ("Digital Payment Regulation") Jan 1st 2017
  • Telecommunications Regulatory Authority (TRA)- The Consumer Protection Regulations, Version 1.3, Issued 10 January 2017
  • The DHCC Health Data Protection Regulation No. 7 of 2013
  • The DIFC implemented DIFC Law No. 1 of 2007 Data Protection Law in 2007 which was subsequently amended by DIFC Law No. 5 of 2012 Data Protection Law Amendment Law ('DPL').
  • The Dubai Data Law, which has been in force since 27 December 2015

Data Residency or Data Transfer Restrictions

According to the Penal Code (Clause 379), personal data may be transferred to third parties inside and/or outside of the UAE if the concerned person have consented in writing to such transfer. The key expectation is to have consent from the concerned person.

However, Central Bank of The United Arab Emirates ‘Regulatory Framework For Stored Values and Electronic Payment Systems’ mandates that all Payment System Operators (PSPs) must store and retain all User and transaction data exclusively within the borders of the UAE.

As per Telecommunications Regulatory Authority (TRA) ‘The Consumer Protection Regulations, Version 1.3, Issued 10 January 2017’ licensees must obtain a Subscriber’s prior consent before sharing any 'Subscriber Information' with its affiliates and/or other third parties not directly involved in the provision of the telecommunications services ordered by the Subscriber. Further the licensees must ensure that the third-parties are taking all reasonable and appropriate measures to protect the confidentiality and security of the Subscriber Information and the third party’s obligation should be taken care contractually and they should be made responsible for protecting confidentially and security of Subscriber Information. It’s the obligation of licensee to ensure that all reasonable measures to protect the privacy of Subscriber Information that it maintains in its files, whether in electronic or paper form.

Data Retention

Central Bank of The United Arab Emirates ‘Regulatory Framework For Stored Values and Electronic Payment Systems’ mandates that all Payment System Operators (PSPs) must store and retain user and transaction data for a period of five (5) years from the date of the original transaction.

The DHCC Health Data Protection Regulation mandates that medical and dental records of UAE national and expatriate patients should be retained for 10 years after the date of last entry into the record; 20 years for medico-legal cases and 10 years for deceased patients.

Telecommunications Regulatory Authority (TRA) CPR mandates that Licensees shall maintain records of Consumer Complaints for a minimum period of two (2) years, or such other period as may be specified in the License (3 years).

Security

The security requirements or measures that needs to be taken to protect the data must be defined by companies, institutions etc by looking at the applicable legislative and regulatory requirements. Once the legislative and regulatory requirements are identified, companies should do a detailed due diligence and come up with best practices and security controls to protect ‘Personal Data or Personally Identifiable Information (PII)’. Its important to ensure that, the level of best practices and security controls implemented can provide adequate level of ‘Personal Data’ protection and will ensure that companies are protected from data breaches or claims arising out of data breaches.

Details of Best Practices and Security Controls to protect ‘Personal Data’ will be discussed in a separate article.

References

Regulatory Framework For Stored Values and Electronic Payment Systems Published on 1-1-2017

https://www.centralbank.ae/en/pdf/notices/Regulatory-Framework-For-Stored-Values-And-Electronic-Payment-Systems-En.pdf

Federal Decree-Law no. (5) of 2012 ON COMBATING CYBERCRIMES

http://ejustice.gov.ae/downloads/latest_laws/cybercrimes_5_2012_en.pdf

The Consumer Protection Regulations, Version 1.3, Issued 10 January 2017

https://www.tra.gov.ae/assets/xy9LbOAZ.pdf.aspx

Dubai Health Care City Authority Health Data Protection Regulation No. 7 of 2013

https://www.dhcr.gov.ae/AboutDHCRDocuments/9-Health%20Data%20Protection%20Regulation.pdf

Disclaimer

All data and information provided on this article is for informational purposes only. The author makes no representations as to accuracy, completeness, suitability, or validity of any information on this article and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

Views: 1069
Tags: cyber, data, law, legislation, officer, privacy, protection, security, uae, and
Votes: 0
E-mail me when people leave their comments –
Follow

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

FEATURED BLOG POSTS

LATEST BLOG POSTS

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead