While the UAE constitution and certain federal laws recognise an individual right to privacy in specific circumstances, the UAE has not established a federal data protection regime of the type found in jurisdictions such as Australia, the European Union or Hong Kong.
Notwithstanding the absence of federal laws, the DIFC and Dubai Healthcare City free zones have both enacted data protection laws and regulations which regulate the processing, storage and transfer of personal data.
In addition, certain other federal and local laws apply to the security and processing of personal data in certain circumstances, including in relation to employee records, financial information, electronic commerce, communications, healthcare and cybercrime.
- Federal and Local Emirate Laws
In terms of a constitutional right to privacy, Article 31 of the UAE Constitution states that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”. In addition, Articles 378, 379 and 380 of the Penal Code (Federal Law No. 3 of 1987) establish criminal offences in relation to the disclosure or use of “secrets”, i.e. personal data, or the interception or disclosure of correspondence or telephone conversations.
Articles 53 and 54 of the UAE Labour Law (Federal Law No. 8 of 1980) impose record-keeping obligations on employers with five or more employees. Companies operating within the UAE should also be aware of Federal Laws No. 3 and No. 5 of 2012, which respectively establish the National Electronic Security Authority (NESA) and combat cybercrimes. NESA has been charged with developing policies and standards to ensure electronic security as well as suggesting further legislation in support of its goals. Such legislation, policies and standards are likely to impact the processing and storage of personal data in the UAE. The cybercrimes law criminalises a number of activities relating to the unauthorised access, amendment, interception, damage or use of certain types of data.
- Data Protection in the DIFC and in Dubai Healthcare City
Data protection in the DIFC is regulated by the Data Protection Law (DIFC Law No 1 of 2007 (amended by DIFC Law No 5 of 2012)) and by the Data Protection Regulations (Consolidated Version No. 2 in force on 23/12/2012). The DIFC laws and regulations are based on international best practices and will be familiar to companies with experience of compliance with the European Data Protection directive. The DIFC laws establish a Commissioner of Data Protection which is responsible for ensuring compliance with the DIFC laws in relation to the collection, storage, processing and transfer of personal data in the DIFC and who has the power to enforce compliance and impose sanctions where a data controller is non-compliant.
Data protection in Dubai Healthcare City is regulated by Dubai Healthcare City Regulation No. 7 of 2008. As per the DIFC laws, the Dubai Healthcare City regulation addresses the collection, use, disclosure and transfer of healthcare data and establishes a Health Data
Protection Ombudsman who is responsible for administering the regulation and for dealing with complaints under the regulations.
Neither the DIFC nor Dubai Healthcare City are on the European Commission’s list of third countries offering an adequate level of protection for the purpose of a transfer of personal data outside of the European Union. However, the DIFC has stated in its “Strategic Plan for 2012 – 2014” that it intends to apply to the European Commission for a declaration of adequacy. Such a declaration would offer EU companies a simple and reliable route to complying with European export rules for data exports to the DIFC.