{"id":803,"date":"2019-01-28T06:22:56","date_gmt":"2019-01-28T05:22:56","guid":{"rendered":"https:\/\/hjinterim.wordpress.com\/?p=803"},"modified":"2019-01-28T06:22:56","modified_gmt":"2019-01-28T05:22:56","slug":"privacy-and-data-protection-in-the-uae","status":"publish","type":"post","link":"https:\/\/hjinterim.tech\/index.php\/2019\/01\/28\/privacy-and-data-protection-in-the-uae\/","title":{"rendered":"PRIVACY AND DATA PROTECTION IN THE UAE"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large is-style-rounded\"><img fetchpriority=\"high\" decoding=\"async\" width=\"852\" height=\"480\" src=\"https:\/\/hjinterim.files.wordpress.com\/2019\/01\/1.jpg?w=756\" alt=\"\" class=\"wp-image-804\" srcset=\"https:\/\/hjinterim.tech\/wp-content\/uploads\/2019\/01\/1.jpg 852w, https:\/\/hjinterim.tech\/wp-content\/uploads\/2019\/01\/1-300x169.jpg 300w, https:\/\/hjinterim.tech\/wp-content\/uploads\/2019\/01\/1-768x433.jpg 768w\" sizes=\"(max-width: 852px) 100vw, 852px\" \/><\/figure>\n\n\n<div id=\"a11y-menu\">\u00a0<\/div>\n<header id=\"extended-nav\" class=\"extended-nav nav-main-container global-alert-offset-top is-loading-nav\" role=\"banner\">\n<div class=\"nav-main__content full-height display-flex align-items-center\">\n<div class=\"nav-item__wormhole\">\u00a0<\/div>\n<\/div>\n<\/header>\n<div id=\"ember19\" class=\"ember-view\">\n<div class=\"application-outlet \">\n<div id=\"ember23\" class=\"ember-view\">\u00a0<\/div>\n<div class=\"authentication-outlet\">\n<div class=\"reader\">\n<article class=\"reader__content\" role=\"main\">\n<div class=\"relative reader__grid\"><header id=\"reader-article-header\"><time class=\"reader-article-header__publish-date\">Published on January 24, 2019<\/time><\/header>\n<div id=\"ember57\" class=\"reader-author-info__sticky reader-author-info__sticky_content sticky ember-view\">\n<div class=\"reader-author-info__container-wrapper\">\n<div class=\"reader-author-info__container display-flex align-items-center 
justify-space-between\">\n<div id=\"ember58\" class=\"reader-author-info ember-view\">\n<div id=\"ember62\" class=\"ml2 feed-shared-avatar-image b0 member ember-view\">\n<div id=\"ember63\" class=\"presence-entity presence-entity--size-4 ember-view\">\u00a0<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"ember81\" class=\"ember-view\">\u00a0<\/div>\n<div id=\"ember85\" class=\"ember-view\">\n<div class=\"reader-article-content\" dir=\"ltr\">\n<p>Authored by: Prof. Dr. Ir. Henk Jan Jansen<\/p>\n<p>The protection of personal data and privacy considerations are more important than ever due to globalisation and technological development.<\/p>\n<p>Although there are no explicit laws or authorities that deal specifically with privacy and data protection in the UAE (excluding in the Dubai International Financial Centre (\u201cDIFC\u201d) and Abu Dhabi Global Market (\u201cADGM\u201d) Free Zones, discussed below in more detail), a number of UAE Laws are relevant.<\/p>\n<p>In this article, we briefly summarise key UAE laws and regulations relevant to privacy and data protection, and action points to be considered by businesses with a presence in the UAE in order to mitigate the risk of failing to comply with such legislation.<\/p>\n<p><strong>The main UAE Laws which are relevant to privacy and data protection<\/strong><\/p>\n<ul>\n<li>UAE Constitution<\/li>\n<\/ul>\n<p>The UAE Constitution addresses privacy by providing that \u201c<em>freedom of communication by post, telegraph or other means of communication and the\u00a0secrecy\u00a0thereof shall be guaranteed in accordance with the law<\/em>\u201d. The broadly held view among lawyers practicing in the UAE is that this provision was intended to enshrine a basic right to privacy in relation to an individual\u2019s personal and family affairs.<\/p>\n<p>A wrongful invasion of this right to privacy might constitute a \u201cwrongful act\u201d for which a civil action for damages would lie, pursuant to 
the Civil Code (see below).<\/p>\n<ul>\n<li>The Civil Code<\/li>\n<\/ul>\n<p>A wrongful breach of privacy may result in a civil action for damages pursuant to Federal Law No. 5 of 1985 (the \u201cCivil Code\u201d).\u00a0The Civil Code provides that a person who suffers unlawful infringement of any of the rights appurtenant to him (such as the above constitutional right) has the right: (a) for such infringement to cease; and (b) to compensation. Further, wrongful invasion of the right to privacy under the Constitution may constitute a \u201cwrongful act\u201d pursuant to the Civil Code, giving rise to a civil action for damages. The Civil Code provides that any harm done to another shall render the perpetrator liable to make good the harm.<\/p>\n<p>Given the importance attached to the concept of \u201cgood name\u201d and the right to privacy in relation to personal matters in this jurisdiction, we are of the view that \u201charm\u201d could be held by the courts to include \u201cdamage to reputation\u201d and \u201cinvasion of privacy\u201d (a constitutional right). It is important to note that because wrongful conduct of this nature would not result in physical injury, a valid claim for compensation may only apply to the extent that the \u201cwrongdoer\u201d had acted with intent.<\/p>\n<ul>\n<li>The Penal Code<\/li>\n<\/ul>\n<p>In conjunction with the constitutional right to privacy, Federal Law No. 3 of 1987 (the \u201cPenal Code\u201d) provides for the protection of individuals from the interception and disclosure of their personal data.<\/p>\n<p>The Penal Code prohibits those who have access to individuals\u2019 personal data from disclosing or publicising that information. 
In particular, the Penal Code specifically prohibits the publication of people\u2019s private affairs, and provides sanctions of imprisonment and\/or a fine for anyone who, through any means, publishes news, pictures or comments pertaining to secrets of a person\u2019s private or family life, even if such publications are true.<\/p>\n<p>The Penal Code makes it clear that corporate entities can also be guilty of the offences established by the Penal Code, through the agency of directors, agents and other representatives. A corporate body convicted under these provisions would be liable to pay a fine or be subject to confiscatory measures.<\/p>\n<ul>\n<li>Electronic Transactions and Commerce Law<\/li>\n<\/ul>\n<p>Federal Law No. 1 of 2006 and its corresponding Dubai Law No. 2 of 2002 relating to Electronic Transactions and Commerce (\u201cETCL\u201d) is principally concerned with the security of electronic transactions and ensuring that electronic data is authentic and reliable.<\/p>\n<ul>\n<li>Cyber Crimes Law<\/li>\n<\/ul>\n<p>Federal Law No. 5 of 2012 relating to Combating Information Technology Crimes, known as the \u201cCyber Crimes Law\u201d, is principally concerned with the abuse\/misuse of electronic information, including its development through the internet by people generally. It deals with hacking, identity theft and fraud. It can also capture instances where a person gains access to an electronic information system, website or computer network without authorisation. The Cyber Crimes Law also makes it illegal to disclose any information obtained by electronic means, if such information was obtained in an unauthorised manner.<\/p>\n<ul>\n<li>GDPR<\/li>\n<\/ul>\n<p>From 25 May 2018, companies based in the UAE will need to consider the extent to which they may fall within the scope of the European Union\u2019s General Data Protection Regulation (\u201cGDPR\u201d). 
For more information on this legislation and how it may affect companies in the UAE.<\/p>\n<p><strong>The DIFC and ADGM<\/strong><\/p>\n<p>Each of the Dubai International Financial Centre (\u201cDIFC\u201d) and the Abu Dhabi Global Market (\u201cADGM\u201d) free zones has its own specific data protection law.<\/p>\n<p><strong>What action to take<\/strong><\/p>\n<p>There are action points which can be considered by businesses with a presence in the UAE in order to mitigate the risk of failing to comply with the legislation referenced above. We summarise some of the possible action points below:<\/p>\n<ul>\n<li>Conduct a data audit to understand the type of data your business holds.<\/li>\n<li>Ensure that adequate privacy policies are in place to explain the way in which relevant data is collected, used or disclosed and maintain appropriate internal management of data by implementing such policies.<\/li>\n<li>Keep data subjects updated should the storage, transfer or processing of their personal data change.<\/li>\n<li>Consider whether further action needs to be taken in order to comply with the GDPR. Please see the recent article below for further details in this regard.<\/li>\n<\/ul>\n<p><strong>Six things UAE companies need to know about the GDPR<\/strong><\/p>\n<p>UAE companies may be caught by the GDPR and if so, they will be subject to its provisions and responsible for compliance with certain of its obligations. Below we highlight six of the main things UAE companies need to be aware of in relation to the GDPR:<\/p>\n<ol>\n<li><strong>Wide scope<\/strong><\/li>\n<\/ol>\n<p>The GDPR applies to companies located within the EU who hold \u2018personal data\u2019 i.e. 
that which is identifiable to an individual (a \u2018Data Subject\u2019).<\/p>\n<p>It also applies, however, to companies located outside of the EU, including the UAE, if they:<\/p>\n<ul>\n<li>offer (or envisage offering) goods or services to Data Subjects in the EU; or<\/li>\n<li>monitor the behaviour in the EU of Data Subjects.<\/li>\n<\/ul>\n<p>This significantly broadens the scope of the GDPR to well outside of EU boundaries, and will consequently mean that many UAE companies could fall within scope of the GDPR\u2019s provisions. Examples of how a UAE company may be caught by the GDPR include:<\/p>\n<ul>\n<li>sending certain material to EU based businesses;<\/li>\n<li>monitoring Data Subjects via cookies when they access the company\u2019s website;<\/li>\n<li>capturing data from Data Subjects through mobile apps, websites etc. for analytical purposes; and<\/li>\n<li>where UAE companies outsource the storage or processing of, for example, customer information to data centres or service providers located in the EU, they would indirectly fall within its reach by virtue of the location of these providers.<\/li>\n<\/ul>\n<ol>\n<li><strong>Privacy by design<\/strong><\/li>\n<\/ol>\n<p>The GDPR does not allow for a \u2018one size fits all\u2019 approach and insists upon \u2018privacy by design\u2019, which means considering data protection at the outset of any project, product or system, and building in elements addressing those considerations from the start. Privacy by design is not a new concept; however, as the United Kingdom\u2019s Information Commissioner\u2019s Office points out, data protection compliance is often \u2018bolted on as an after-thought or ignored altogether\u2019. 
The GDPR seeks to change that.<\/p>\n<ol>\n<li><strong>Compliance must be demonstrated<\/strong><\/li>\n<\/ol>\n<p>Under the GDPR, there is a big focus on accountability and one of the biggest changes compared to the previous legislation is that companies must be able to demonstrate compliance. The intention behind this is to force a more proactive approach to data protection. The practicalities of this mean that companies must be in a position to reflect and record their actual compliance, for example, by maintaining a comprehensive audit trail.<\/p>\n<ol>\n<li><strong>No \u2018broad-brush\u2019 consent<\/strong><\/li>\n<\/ol>\n<p>Broad-brush consents to data processing and the old pre-filled tick box approach will not suffice, as the thresholds for compliance will be higher under the GDPR. A request for consent must be given in an intelligible and easily accessible form, along with details of the purpose for processing the data. Consent received must be clear and it must be made as easy for a Data Subject to withdraw consent as it was to give it.<\/p>\n<ol>\n<li><strong>Action stations<\/strong><\/li>\n<\/ol>\n<p>The GDPR comes into force on 25 May 2018 and many companies have been taking action to get \u2018GDPR ready\u2019 for several months, even years in the case of larger organisations. Below are what we consider to be the three main actions UAE companies should take ASAP:<\/p>\n<ul>\n<li>Conduct a Data Protection Audit<\/li>\n<\/ul>\n<p>UAE companies should consider and take advice as to whether, and to what extent, they are caught by the GDPR\u2019s scope, and to do this a comprehensive operational audit should be conducted. It is also important for companies to assess and understand what, if any, personal data of Data Subjects they actually hold, where, and for what purpose.<\/p>\n<ul>\n<li>Be aware of legal risks<\/li>\n<\/ul>\n<p>Ensure that the entire business is aware of the legal risks associated with the GDPR so that they can remain pro-active. 
For example, it is possible that some UAE companies may not currently be caught by the GDPR, but future projects, such as the launch of a new website which includes cookies, may mean that they fall under the GDPR in the future.<\/p>\n<ul>\n<li>Review and update agreements<\/li>\n<\/ul>\n<p>UAE companies need to ensure that their agreements with customers and third parties (including standard terms of business in print and online) are GDPR ready. By this we mean that existing data protection provisions should be assessed and amended if they are not fit for purpose, and, where relevant, new provisions should be introduced that specifically deal with the GDPR.<\/p>\n<ol>\n<li><strong>Substantial fines<\/strong><\/li>\n<\/ol>\n<p>EU Regulators can impose significant fines for breaches of the GDPR, up to a maximum of 4% of annual global turnover or \u20ac20 million, whichever is the higher.<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>UAE companies should not assume that the GDPR will simply not apply to them by the virtue of their non-EU based business. 
Close consideration ought now to be given to whether, and to what extent, your business is caught by the broadened, potential extra-territorial scope of the GDPR.<\/p>\n<p>If the GDPR does apply, UAE businesses must take action to ensure that they are compliant with the GDPR\u2019s requirements and stringent timeframes, or risk being hit with hefty fines.<\/p>\n<p>UAE businesses should also take the opportunity to ensure compliance with other applicable data protection legislation, including, of course, UAE laws and regulations.<\/p>\n<p><strong>Use of VPN (Virtual Private Network) within Governmental premises<\/strong><\/p>\n<p><em>According to Cybercrime\u00a0<\/em><strong><em>Law<\/em><\/strong><em>\u00a0number 9, police and authorities can take\u00a0<\/em><strong><em>legal<\/em><\/strong><em>\u00a0action against those who\u00a0<\/em><strong><em>use illegal VPNs<\/em><\/strong><em>\u00a0for other inappropriate activities. Therefore, if an Emirati citizen or an expat living in the\u00a0<\/em><strong><em>UAE<\/em><\/strong><em>\u00a0is using\u00a0<\/em><strong><em>VPN<\/em><\/strong><em>\u00a0for legitimate purposes, the\u00a0<\/em><strong><em>use<\/em><\/strong><em>\u00a0of the\u00a0<\/em><strong><em>VPN<\/em><\/strong><em>\u00a0itself would not be\u00a0<\/em><strong><em>illegal<\/em><\/strong><em>.<\/em><\/p>\n<p>In April, an extensive ban on Skype was lifted, and residents who can afford the expensive Etisalat and du VoIP services can use Skype in the country. The UAE Telecommunications Regulatory Authority says that the new rules will still permit the use of Skype, but accessing blocked content is punishable.<\/p>\n<p>Blocking VoIP and VPNs for vague security reasons is likely to force people to adopt Etisalat and du, both of which are accessible to the state. 
This, in turn, will drive up costs for the average citizen and is likely to anger the expat community.<\/p>\n<p>By restricting such services, it is also likely that business in the country will suffer, as foreign companies will have a tougher environment in which to operate.<\/p>\n<p>The UAE Cybercrime Law No 5 of 2012, issued by President His Highness Shaikh Khalifa Bin Zayed Al Nahyan in 2012, includes stern punishments that could go up to a life sentence and\/or a fine varying between Dh50,000 and Dh3 million depending on the severity and seriousness of the cybercrime.<\/p>\n<p>While the UAE\u2019s Telecommunications Regulatory Authority (TRA) has always maintained that the illegal use of VPN is against its policies, the police have also cautioned that legal action can be taken under Law Number 9 against users of VPN for any illegal activities.<\/p>\n<h3><strong>What is NESA saying about the use of VPN?<\/strong><\/h3>\n<h4>The conclusion is that the use of VPN is forbidden by law only for illegal use, not for legal use from and to different entities. 
See also the following link for more information about\u00a0<a href=\"https:\/\/www.tra.gov.ae\/en\/services-and-activities\/internet-guidelines\/details.aspx#pages-67185\" target=\"_blank\" rel=\"nofollow noopener\">INTERNET GUIDELINES<\/a><\/h4>\n<\/div>\n<\/div>\n<\/div>\n<\/article>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>\u00a0 \u00a0 \u00a0 Published on January 24, 2019 \u00a0 \u00a0 Authored by: Prof. Dr. Ir. Henk Jan Jansen The protection of personal data and privacy considerations are more important than ever due to globalisation and technological development. 
Although there are no explicit laws or authorities that deal specifically with privacy and data protection in the &#8230; <a title=\"PRIVACY AND DATA PROTECTION IN THE UAE\" class=\"read-more\" href=\"https:\/\/hjinterim.tech\/index.php\/2019\/01\/28\/privacy-and-data-protection-in-the-uae\/\">Read more<span class=\"screen-reader-text\">PRIVACY AND DATA PROTECTION IN THE UAE<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":828,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"quote","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[25],"tags":[],"class_list":["post-803","post","type-post","status-publish","format-quote","has-post-thumbnail","hentry","category-security","post_format-post-format-quote"],"_links":{"self":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/comments?post=803"}],"version-history":[{"count":0,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/803\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/828"}],"wp:attachment":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/media?parent=803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/categories?post=803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/tags?p
ost=803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}