UAE Data Law – The United Arab Emirates Announces New Federal Data Protection Law

Overview of the New Federal Data Protection Law

The UAE Data Law will be a global regulation that targets cross-border transfers, international companies, and big data. The goal is to provide these entities with guidance on the issue of data privacy and protection, so that processes are seamless – and to reduce the cost of compliance.

H.E. Omar Bin Sultan Al Olama, who is the Minister of State for Artificial Intelligence, played a major role in designing the new law. He worked alongside large technology firms and reviewed every other data law in existence while drafting the proposal.

The UAE aims to issue the new law before the end of 2021, as they want to introduce it before their big 50th anniversary. The legislation will protect data transfers from other regulated jurisdictions as well. However, it most likely will not apply to health or government data, as those will be addressed by separate proposals.

So, what exactly will the new federal data protection law in the UAE include? Here are some of the most essential aspects of the proposed legislation:

• Provisions to introduce a National Data Privacy Regulator
• Obligations to obtain consent for marketing of data and any information that will be monetized
• User’s right to access, correct, and delete information that is collected about them
• User’s right to be informed about what data is being collected and why
• Measures to minimize restrictions on cross-border data flows

As you can see, the UAE Data Protection Law includes concepts like those in the GDPR and other global privacy regulations.

Business Implications of the UAE Data Law

You may be wondering, what implications does the new privacy and consent regulation have for businesses?

For starters, most companies that operate in the UAE will fall under the jurisdiction of the law. Businesses that operate here will likely control or process private data about UAE residents and, as such, will be held responsible for meeting the requirements laid out by the law.

This data can include anything from personal information collected about employees and suppliers to cookies and other tracking technology used to gather data about website visitors. Any business that is subject to the new law will need to take steps to ensure they are compliant.

That means organizations must take proactive measures to obtain consent from their users, properly store and process data, and follow other applicable rules. For many businesses, this can be as easy as working with a consent management platform to implement privacy policies and obtain consent.

Simply put, some organizations will need to change the way they track consumer behavior, use cookies, and sell information to third parties. The extent of changes needed will vary by company, but most will need to at least implement a way to get user consent before tracking data.

CookieFirst, for example, provides companies the tools they need to comply with GDPR and other similar privacy regulations – and the UAE Data Protection Law is no different. We can support your efforts to adapt to these changes and ensure that your business is minimally disrupted throughout the process.

What Happens if Companies Don’t Comply with the UAE Data Law?

Non-compliance is always a concern – but what happens if a business does not meet the requirements? The consequences will vary but are severe. They can range from financial and criminal sanctions to reputational damage and expensive litigation.

In other words, it is better to facilitate compliance with the new regulations right away so that you can avoid these penalties. Although it is still not entirely clear how the UAE will enforce the law and apply sanctions, you can look at similar cases of non-compliance with the GDPR to get an idea.

EU Regulators fined Amazon over $800 million for breaching GDPR in July 2021, and WhatsApp Ireland also faced a fine of about $260 million. As you can see these are no small sums – breaching data regulations can be disastrous for a company from both a financial and reputational perspective.

Preparing for the Future

Businesses must take steps to prepare for a future under the United Arab Emirates Data Protection Law. Even though it is not yet effective and is currently in draft form, now is the perfect time for companies to understand its implications and adjust their processes accordingly.

For example, your organization should use data mapping to understand what information you possess, how it is processed and stored, and who is responsible for managing it. Once you identify the data risks you are exposed to, you can create a plan to mitigate them and ensure that you comply with the new law.

This can look like creating new procedures to govern the collection and retention of data or establishing a privacy policy that outlines how your business will protect consumer information.

The data protection law will ultimately outline the obligations of data processes and controllers, but getting a head start on these changes can help prepare you for success. Similarly, you can consider the policies and procedures as a work in process and update them later, if necessary.

Your team should also consider partnering with a consent management platform like CookieFirst, which can help you alleviate some of the compliance burdens. The data protection law will be an ongoing business obligation, so our system can allow you to operate effectively under the new rules moving forward.