Authored by: Prof. Dr. Ir. Henk Jan Jansen
The protection of personal data and privacy considerations are more important than ever due to globalisation and technological development.
Although there are no explicit laws or authorities that deal specifically with privacy and data protection in the UAE (excluding in the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”) Free Zones, discussed below in more detail), a number of UAE Laws are relevant.
In this article, we briefly summarise key UAE laws and regulations relevant to privacy and data protection, and action points to be considered by businesses with a presence in the UAE in order to mitigate the risk of failing to comply with such legislation.
The main UAE Laws which are relevant to privacy and data protection
- UAE Constitution
The UAE Constitution addresses privacy by providing that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”. The broadly held view among lawyers practicing in the UAE is that this provision was intended to enshrine a basic right to privacy in relation to an individual’s personal and family affairs.
A wrongful invasion of this right to privacy might constitute a “wrongful act” for which a civil action for damages would lie, pursuant to the Civil Code (see below).
- The Civil Code
A wrongful breach of privacy may result in a civil action for damages pursuant to Federal Law No. 5 of 1985 (the “Civil Code”). The Civil Code provides that a person who suffers unlawful infringement of any of the rights appurtenant to him (such as the above constitutional right) has the right: (a) for such infringement to cease; and (b) to compensation. Further, wrongful invasion of the right to privacy under the Constitution may constitute a “wrongful act” pursuant to the Civil Code, giving rise to a civil action for damages. The Civil Code provides that any harm done to another shall render the perpetrator liable to make good the harm.
Given the importance attached to the concept of “good name” and the right to privacy in relation to personal matters in this jurisdiction, we are of the view that “harm” could be held by the courts to include “damage to reputation” and “invasion of privacy” (a constitutional right). It is important to note that because wrongful conduct of this nature would not result in physical injury, a valid claim for compensation may only apply to the extent that the “wrongdoer” had acted with intent.
- The Penal Code
In conjunction with the constitutional right to privacy, Federal Law No. 3 of 1987 (the “Penal Code”) provides for the protection of individuals from the interception and disclosure of their personal data.
The Penal Code prohibits those who have access to individuals’ personal data from disclosing or publicising that information. In particular, the Penal Code specifically prohibits the publication of people’s private affairs, and provides sanctions of imprisonment and/or a fine for anyone who, through any means, publishes news, pictures or comments pertaining to secrets of a person’s private or family lives, even if such publications are true.
The Penal Code makes it clear that corporate entities can also be guilty of the offences established by the Penal Code, through the agency of directors, agents and other representatives. A corporate body convicted under these provisions would be liable to pay a fine or be subject to confiscatory measures.
- Electronic Transactions and Commerce Law
Federal Law No. 1 of 2006 and its corresponding Dubai Law No. 2 of 2002 relating to Electronic Transactions and Commerce (“ETCL”) is principally concerned with the security of electronic transactions and ensuring that electronic data is authentic and reliable.
- Cyber Crimes Law
Federal Law No. 5 of 2012 relating to Combating Information Technology Crimes, known as the “Cyber Crimes Law” is principally concerned with the abuse/misuse of electronic information, including its development through the internet by people generally. It deals with hacking, identity theft and fraud. It can also capture instances where a person gains access to an electronic information system, website or computer network without authorisation. The Cyber Crimes Law also makes it illegal to disclose any information obtained by electronic means, if such information was obtained in an unauthorised manner.
From 25 May 2018, companies based in the UAE will need to consider the extent to which they may fall within the scope of the European Union’s General Data Protection Regulation (“GDPR”). For more information on this legislation and how it may affect companies in the UAE.
The DIFC and ADGM
Each of the Dubai International Financial Centre (“DIFC”) and the Abu Dhabi Global Market (“ADGM”) free zones has its own specific data protection law.
What action to take
There are action points which can be considered by businesses with a presence in the UAE in order to mitigate the risk of failing to comply with the legislation referenced above. We summarise some of the possible action points below:
- Conduct a data audit to understand the type of data your business holds.
- Ensure that adequate privacy policies are in place to explain the way in which relevant data is collected, used or disclosed and maintain appropriate internal management of data by implementing such policies.
- Keep data subjects updated should the storage, transfer or processing of their personal data change.
- Consider whether further action needs to be taken in order to comply with the GDPR. Please see the recent article below for further details in this regard.
Six things UAE companies need to know about the GDPR
UAE companies may be caught by the GDPR and if so, they will be subject to its provisions and responsible for compliance with certain of its obligations. Below we highlight six of the main things UAE companies need to be aware of in relation to the GDPR:
- Wide scope
The GDPR applies to companies located within the EU who hold ‘personal data’ i.e. that which is identifiable to an individual (a ‘Data Subject’).
It also however applies to companies located outside of the EU, including the UAE, if they:
- offer (or envisage offering) goods or services to Data Subjects in the EU; or
- monitor the behaviour in the EU of Data Subjects.
This significantly broadens the scope of the GDPR to well outside of EU boundaries, and will consequently mean that many UAE companies could fall within scope of the GDPR’s provisions. Examples of how a UAE company may be caught by the GDPR include:
- sending certain material to EU based businesses;
- monitoring Data Subjects via cookies when they access the company’s website;
- capturing data from Data Subjects through mobile apps, websites etc. for analytical purposes; and
- outsourcing the storage or processing of, for example, customer information to data centres or service providers located in the EU, whereby the UAE company indirectly falls within the GDPR’s reach by virtue of the location of these providers.
- Privacy by design
The GDPR does not allow for a ‘one size fits all’ approach and insists upon ‘privacy by design’ which means considering data protection at the outset of any project, product or system, and building in elements addressing those considerations from the start. Privacy by design is not a new concept, however, as the United Kingdom’s Information Commissioner’s Office points out, data protection compliance is often ‘bolted on as an after-thought or ignored altogether’. The GDPR seeks to change that.
- Compliance must be demonstrated
Under the GDPR, there is a big focus on accountability and one of the biggest changes compared to the previous legislation is that companies must be able to demonstrate compliance. The intention behind this is to force a more proactive approach to data protection. The practicalities of this mean that companies must be in a position to reflect and record their actual compliance, for example, by maintaining a comprehensive audit trail.
- No ‘broad-brush’ consent
Broad-brush consents to data processing and the old pre-filled tick box approach will not suffice, as the thresholds for compliance will be higher under the GDPR. A request for consent must be given in an intelligible and easily accessible form, along with details of the purpose for processing the data. Consent received must be clear, and it must be as easy for a Data Subject to withdraw consent as it was to give it.
- Action stations
The GDPR comes into force on 25 May 2018 and many companies have been taking action to get ‘GDPR ready’ for several months, even years in the case of larger organisations. Below are what we consider to be the three main actions UAE companies should take ASAP:
- Conduct a Data Protection Audit
UAE companies should consider and take advice as to whether, and to what extent, they are caught by the GDPR’s scope and to do this a comprehensive operational audit should be conducted. It is also important for companies to assess and understand what, if any, personal data of Data Subjects they actually hold, where, and for what purpose.
- Be aware of legal risks
Ensure that the entire business is aware of the legal risks associated with the GDPR so that it can remain proactive. For example, some UAE companies may not currently be caught by the GDPR, but future projects, such as the launch of a new website which uses cookies, may bring them within its scope in the future.
- Review and update agreements
UAE companies need to ensure that their agreements with customers and third parties (including standard terms of business in print and online) are GDPR ready. By this we mean that existing data protection provisions should be assessed and amended if they are not fit for purpose, and, where relevant, new provisions should be introduced that specifically deal with the GDPR.
- Substantial fines
EU Regulators can impose significant fines for breaches of the GDPR, up to a maximum of 4% of annual global turnover or €20 million, whichever is the higher.
UAE companies should not assume that the GDPR will simply not apply to them by virtue of their business being based outside the EU. Close consideration ought now to be given to whether, and to what extent, your business is caught by the broadened, potentially extra-territorial scope of the GDPR.
If the GDPR does apply, UAE businesses must take action to ensure that they are compliant with the GDPR’s requirements and stringent timeframes, or risk being hit with hefty fines.
UAE businesses should also take the opportunity to ensure compliance with other applicable data protection legislation, including, of course, UAE laws and regulations.
Use of VPNs (Virtual Private Networks) within governmental premises
According to Cybercrime Law number 9, police and authorities can take legal action against those who use illegal VPNs for inappropriate activities. Therefore, if an Emirati citizen or an expat living in the UAE is using a VPN for legitimate purposes, the use of the VPN itself would not be illegal.
In April, an extensive ban on Skype was lifted, and residents who can afford the expensive Etisalat and du VoIP services can use Skype in the country. The UAE Telecommunications Regulatory Authority says that the new rules will still permit the use of Skype, but accessing blocked content is punishable.
Blocking VoIP and VPNs for vague security reasons is likely to force people to adopt Etisalat and du, both of which are accessible to the state. This, in turn, will raise costs for the average citizen and is likely to anger the expat community.
By restricting such services, it is also likely that business in the country will suffer, as foreign companies will have a tougher environment in which to operate.
The UAE Cybercrime Law No 5 of 2012, issued by President His Highness Shaikh Khalifa Bin Zayed Al Nahyan in 2012, includes stern punishments that could go up to a life sentence and/or a fine varying between Dh50,000 and Dh3 million depending on the severity and seriousness of the cybercrime.
While the UAE’s Telecommunications Regulatory Authority (TRA) has always maintained that the illegal use of VPNs is against its policies, the police have also cautioned that legal action can be taken under Law Number 9 against users of VPNs for any illegal activities.