In simple words ‘Data Protection’ can be defined as the law and/or regulation designed to protect your Personal Data or Personally Identifiable Information (PII), which is collected, processed and stored by companies, institutions etc. In this era where data security breaches happen almost daily, it is essential that data protection laws and regulations restrain and shape the activities of companies and other institutions.
The objective of this article is to give an overview of the key UAE laws and regulations applicable in the mainland (the DIFC has its own separate Data Protection Law) that ensure the personal information of UAE citizens and residents is protected. It is an attempt by the author, and all data and information provided in this article is for informational purposes only; the accuracy, completeness, suitability, or validity of any information in this article must be validated individually before making any decisions.
Laws and Regulations
The definition of personal data must be looked at in much broader terms than in other countries: pictures, private messages etc. can also be considered personal data.
Overall, Data Protection in the UAE is governed by federal laws and by regulations from the UAE Central Bank and the Telecommunications Regulatory Authority (TRA). These UAE federal laws and regulations contain various provisions in relation to privacy and the protection of Personal Data.
- The Cyber Crime Law - Federal Decree Law no. (5) of 2012. The Cyber Crime Law criminalises obtaining, possessing, modifying, destroying or disclosing (without authorisation) electronic documents or electronic information relating to medical records (Article 7).
- Article 31 of the UAE Constitution of 1971, which guarantees the right to secrecy of communications.
- Penal Code (Federal Law No 3 of 1987 as amended)
- The UAE Central Bank's Regulatory Framework for Stored Values and Electronic Payment Systems ("Digital Payment Regulation"), published 1 January 2017
- Telecommunications Regulatory Authority (TRA)- The Consumer Protection Regulations, Version 1.3, Issued 10 January 2017
- The DHCC Health Data Protection Regulation No. 7 of 2013
- DIFC Law No. 1 of 2007 (Data Protection Law), implemented by the DIFC in 2007 and subsequently amended by DIFC Law No. 5 of 2012 (Data Protection Law Amendment Law, 'DPL').
- The Dubai Data Law, which has been in force since 27 December 2015
Data Residency or Data Transfer Restrictions
According to the Penal Code (Clause 379), personal data may be transferred to third parties inside and/or outside of the UAE if the concerned person has consented in writing to such transfer. The key expectation is to have consent from the concerned person.
However, Central Bank of The United Arab Emirates ‘Regulatory Framework For Stored Values and Electronic Payment Systems’ mandates that all Payment System Operators (PSPs) must store and retain all User and transaction data exclusively within the borders of the UAE.
As per the Telecommunications Regulatory Authority (TRA) ‘Consumer Protection Regulations, Version 1.3, Issued 10 January 2017’, licensees must obtain a Subscriber’s prior consent before sharing any 'Subscriber Information' with affiliates and/or other third parties not directly involved in the provision of the telecommunications services ordered by the Subscriber. Further, licensees must ensure that such third parties take all reasonable and appropriate measures to protect the confidentiality and security of the Subscriber Information; the third party’s obligation should be addressed contractually, making it responsible for protecting the confidentiality and security of Subscriber Information. It is the obligation of the licensee to ensure that all reasonable measures are taken to protect the privacy of the Subscriber Information that it maintains in its files, whether in electronic or paper form.
Central Bank of The United Arab Emirates ‘Regulatory Framework For Stored Values and Electronic Payment Systems’ mandates that all Payment System Operators (PSPs) must store and retain user and transaction data for a period of five (5) years from the date of the original transaction.
The DHCC Health Data Protection Regulation mandates that medical and dental records of UAE national and expatriate patients should be retained for 10 years after the date of last entry into the record; 20 years for medico-legal cases and 10 years for deceased patients.
Telecommunications Regulatory Authority (TRA) CPR mandates that Licensees shall maintain records of Consumer Complaints for a minimum period of two (2) years, or such other period as may be specified in the License (3 years).
The security requirements or measures that need to be taken to protect the data must be defined by companies, institutions etc. by looking at the applicable legislative and regulatory requirements. Once the legislative and regulatory requirements are identified, companies should carry out detailed due diligence and come up with best practices and security controls to protect ‘Personal Data or Personally Identifiable Information (PII)’. It is important to ensure that the level of best practices and security controls implemented provides an adequate level of ‘Personal Data’ protection and protects companies from data breaches or claims arising out of data breaches.
Details of Best Practices and Security Controls to protect ‘Personal Data’ will be discussed in a separate article.
Regulatory Framework For Stored Values and Electronic Payment Systems, Published 1 January 2017
Federal Decree-Law no. (5) of 2012 ON COMBATING CYBERCRIMES
The Consumer Protection Regulations, Version 1.3, Issued 10 January 2017
Dubai Health Care City Authority Health Data Protection Regulation No. 7 of 2013
All data and information provided on this article is for informational purposes only. The author makes no representations as to accuracy, completeness, suitability, or validity of any information on this article and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.