Recent UAE media reports of a ‘new data law’ have attracted a lot of attention, including from businesses concerned at how such a law may impact on their activities.
Once a copy of the new Dubai Data Law comes to hand, we will provide more detailed comments. In the meantime, we make some limited observations based on information currently available.
A new UAE data protection law?
No! As a preliminary point, it is important to make clear that the Dubai Data Law is not a ‘data protection law’ as such; nor is it a law of federal application across the UAE.
The new law is aimed primarily at ensuring that data gathered by Dubai government entities is effectively shared amongst such entities, and with the private sector, so as to maximise opportunities to capture the benefit of such data for the emirate’s residents, visitors and economy.
Significantly, the type of data addressed by the law is data that is not confidential to the government, nor personal or sensitive to any specific individual. Essentially, the law obliges Dubai government entities to share such data amongst themselves, and with private sector entities, by setting out rules and mechanisms for doing so.
In contrast, a ‘data protection law’ can be generally understood as providing a legal framework for the processing of data relating to identifiable natural persons. Fundamentally, data protection laws are designed to protect an individual’s right to privacy with respect to the collection, storage and use of data relating specifically to that individual. This is not what the Dubai Data Law is about.
The Dubai Data Law was announced just prior to the commencement of the 35th edition of GITEX, a major information technology trade fair and conference held in Dubai. This year, some of the key themes being explored at GITEX include the ‘internet of everything’ for cities, the use of information technology to connect people, processes, data, and things to improve the liveability of cities and communities, as well as security risks associated with ‘big data’ and the use of cloud technology.
Despite this, GITEX itself is not the trigger for this announcement. The Dubai government has been considering its approach to ‘open data’ for some time. Last year, Dubai government established a committee charged with developing the emirate’s approach to open data, and establishing a framework for the use of data for ‘smart government’ and the development of Dubai as a ‘smart city’.
One aspect of this is the development of a framework for the handling of data in order to enhance public utilities, education, healthcare, transportation, communications, and related services for the benefit of those living in Dubai, as well as for companies and infrastructure operators operating in Dubai.
What is open data, and why is it important?
Open data can be broadly understood as data that can be freely used, re-used and redistributed by anyone, uninhibited by technical interoperability issues or the absence of a common approach to data categorisation. Greater knowledge resulting from greater data sources and volumes, and the ability to see new patterns in data, can lead to innovation in products and services, enhanced efficiency and effectiveness, and better ability to measure results.
The government sector is the major collector of data in any developed economy, so ensuring that data collected by the government is gathered and made available, internally and externally, in a methodical manner is fundamental to the successful development of a smart city.
As noted above, the data relevant to the Dubai Data Law is not data relating to identifiable natural persons. By way of example, the data of interest isn’t the information that shows that my son and daughter are aged 11 and 13, but rather the data that shows that the number of primary school-aged children in my neighbourhood means that a new high school is required as the existing high school won’t be adequate given the forecast growth in student numbers. Similarly, the data of interest isn’t the information that shows I recently had my local pharmacy fulfil a prescription for antibiotics, but rather the data that shows that a certain antibiotic is in high demand at the moment and this could indicate that further supplies need to be delivered or that the antibiotic is being over-prescribed.
What about a new data protection law?
Developments in respect of open data, and the passing of the Dubai Data Law, bring to mind a number of related queries. The most obvious one is, while data that doesn’t relate to identifiable natural persons is now the subject of a law, what about personal data that does relate to identifiable natural persons? Can we expect legislation that sets-out the requirements with which any entity processing personal information relating to identifiable people needs to comply?
While we don’t have any answers to these particular questions, we do expect that the Dubai Data Law will provide some useful guidance in helping to identify what is, and what is not, ‘personal’ data. To the extent that the Dubai Data Law is intended to enable non-personal data to be shared, the law will need to explain exactly what makes data suitable for sharing. In doing so, it will be necessary to provide a framework for categorising whether data is personal or sensitive. Indirectly, this is likely to provide some guidance when it comes to analysing data protection related issues in this jurisdiction.