Does your company do business in the UAE? Might you carry out an internal investigation involving your UAE operations? Is your company at risk of a regulatory investigation in the UAE?
If the answer is ‘yes’ to any of these questions, and bearing in mind that the data you hold probably includes personal data about your employees, business partners and customers, you need to be aware that there are restrictions on the transfer of personal data to outside and, to some extent, within the UAE.
These restrictions apply to all transfers, no matter the size, purpose or frequency. And to make matters more complicated, there is no comprehensive UAE federal data protection law, no single data protection regulator and no statutory definition of ‘personal data’ in most of the UAE. Rather, there is a patchwork of relevant laws – and those laws are regularly changing.
To help you make sense of this complexity, below we set out the legal requirements for transferring personal data out of the UAE.
The UAE jurisdictions with data protection laws
Several laws govern privacy or data security in the UAE:
- There are federal criminal sanctions in relation to general personal privacy as well as federal cybercrime and e-commerce laws relating to electronic transfers that apply across the UAE.
- Three free-trade zones (FTZs) have standalone data protection laws – the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM) and the Dubai Healthcare City (DHCC). UAE federal law also applies to the FTZs.
These laws are subject to change. For example, in June 2019, the Telecommunications Regulatory Authority of the UAE launched a national cybersecurity strategy. As part of this initiative, it is expected that the UAE will adopt a GDPR-style data protection law, though its timing and scope are still unclear, as is who the regulator for the new law will be. In addition, the DIFC Authority recently consulted on a draft data protection law.
What is personal data?
UAE federal law does not define ‘personal data’. However, the FTZ laws define it as any data that refers to an identifiable natural, living person. This includes, among other things, passport details, Emirates ID number, employment contracts, individual health records, biometric data and individual bank details.
The natural person to whom the personal data relates is referred to as the ‘data subject’. In the absence of a specific provision in the federal laws, this is a helpful working definition for the purposes of those federal laws.
General requirements for data transfers involving the UAE
Under the UAE criminal code, personal data may be transferred to third parties within or outside the UAE if either:
- the data subject consents in writing to the transfer, for example by way of consent in an employment or supply contract; or
- the transfer is otherwise permitted by law – for example, the DIFC and ADGM allow transfers made at the request of a local or foreign government authority where the data controller is subject to the authority of the regulator, police or other government agency.
In addition, if the personal data relates to a crime that the data subject was allegedly involved in, and the disclosure is made in good faith, the legal requirement to obtain the data subject’s consent may be waived.
This might help when carrying out an internal investigation. However, at the time the investigation is being carried out, you will not know if the data subject has, in fact, committed a crime.
While we are not aware of any cases involving a breach of these provisions of the criminal code, for transfers outside the UAE, significant legal consequences could apply. A breach could form the basis for a criminal complaint, which could lead to a minimum of one year’s imprisonment for the relevant individuals and/or a fine of up to AED 20,000 (c. $5,400).
Further, depending on how the data is obtained or transferred, other legal requirements may apply under the federal cybercrime or e-commerce laws. For example, the disclosure of information obtained by electronic means for the purposes of an electronic transaction, such as an online purchase, is punishable by a fine ranging from AED 20,000 to AED 200,000.
Given the above, it is sensible (but not bullet-proof) for companies with business in the UAE to:
- get consent from their employees, business partners and customers to transfer their personal data – and regularly refresh that consent;
- establish and make employees aware of your policies on personal data, data review and transfers; and
- implement appropriate measures to protect personal data in the event of a transfer within or outside of the UAE.
Key features of data transfer requirements in the DIFC
In the DIFC, ‘data controllers’ may transfer personal data out of the DIFC if the recipient is in a jurisdiction that has laws ensuring an adequate level of protection for that personal data.
An ‘adequate level of protection’ is established if:
- the recipient is in a jurisdiction on the DIFC’s list of ‘adequate protection regimes’;
- certain limited circumstances exist; or
- the Commissioner of Data Protection (the Commissioner) approves the transfer.
Each of these is briefly addressed below.
Note that the Commissioner monitors and investigates potential data protection breaches. If the data controller does not comply with the rules, it could receive a fine of up to $20,000.
Challenges with the DIFC’s limited list of adequate protection regimes
The DIFC list includes all EU and European Free Trade Association member states plus Andorra, Argentina, Japan, New Zealand, Uruguay, the Channel Islands, the Faroe Islands and the Isle of Man. The DIFC has already confirmed that, in the event of Brexit, the United Kingdom will remain on the list of trusted jurisdictions.
The most noticeable absentee from this list is the United States. US transfers were previously possible under the Safe Harbour mechanism, but this has been replaced with the EU-US Privacy Shield, which the DIFC has yet to recognise. In the meantime, the DIFC has acknowledged that personal data originating in the DIFC can be transferred to the United States via the EU without breaching DIFC law.
Notably, the transfer of personal data from the DIFC to other UAE jurisdictions and elsewhere in the region is restricted. In particular, the onshore UAE jurisdictions and the ADGM are not included in the list of trusted jurisdictions, a situation that may create difficulties for companies that conduct their UAE business out of the DIFC. None of the member states of the GCC are on the list either.
Other limited circumstances
Data controllers may transfer personal data out of the DIFC to non-listed jurisdictions under limited circumstances, including with the consent of the data subject, for the exercise or defence of legal claims, and to comply with certain specific regulatory requirements.
Commissioner approval to transfer
The draft DIFC data protection law proposes ending the Commissioner’s power to authorise transfers of personal data to unapproved jurisdictions, replacing it with the requirement that appropriate safeguards be put in place.
If the draft law is enacted in its current state, companies will take on the role (and the risk) of deciding, in most cases, whether it is safe to proceed with a personal data transfer.
Potential new rules for transfer to government authority
The draft law also introduces specific rules for the transfer of personal data to a government authority outside the DIFC where the requesting authority has statutory authority over the controller.
Under such circumstances, the data controller must exercise reasonable caution and diligence to determine the validity and proportionality of the request for personal data and to assess the impact of such transfer in light of the risks to the data subject’s rights.
The data controller is also required to either put in place adequate enumerated safeguards before making the transfer or rely on an exception set out under the draft law. In some cases, the data controller may have to notify the Commissioner of Data Protection of the transfer and inform the data subject of the transfer and the grounds of such transfer.
Key features of data transfer requirements in the ADGM
The 2015 Data Protection Regulations (‘the Regulations’) govern data privacy and protection in the ADGM.
The key definitions in the Regulations are almost identical to those of the DIFC data protection law. However, in the ADGM it is the Registrar who performs roughly the same role as the DIFC’s Commissioner.
Any infringement of the Regulations may lead to a direction by the Registrar that the data controller refrain from processing personal data. Failure to comply with such a direction may lead to a fine of up to $15,000.
The ADGM maintains its own list of approved jurisdictions to which personal data may freely be transferred. This list includes:
- the same jurisdictions listed by the DIFC with the exception of Croatia and Japan; and
- the DIFC despite no reciprocal treatment by its sister jurisdiction.
Like the DIFC list, the ADGM list does not include onshore UAE or other GCC jurisdictions. Personal data transfers from the ADGM to the United States and Canada are allowed, subject to the recipient complying with the terms of the EU-US Privacy Shield and the Canadian Personal Information Protection and Electronic Documents Act respectively.
As for transfers of personal data from the ADGM to non-approved jurisdictions, the Regulations maintain an almost identical list of conditions to that of the current DIFC law, but also include more flexible options that allow data controllers to self-police.
The data protection landscape in the UAE is piecemeal and evolving.
Companies with business in the UAE need to be mindful of the differing laws and take appropriate measures to ensure compliance.
In particular, legal, compliance, human resources and information technology officers need to plan and prepare adequately for personal data transfer requirements that are an inevitable part of modern business.
These issues are particularly acute in the context of carrying out any internal investigation.