UAE Data Protection and Privacy Regime

05 April 2018

Laws governing data protection in the UAE are not as highly developed as in other jurisdictions such as the EU. However, data-related obligations are increasing, and awareness of the UAE data protection and privacy regime is becoming increasingly significant for companies operating in the region. In this article, we provide a brief overview of the data protection and privacy regime in the UAE and its future outlook.

General Overview

Unlike other countries, the UAE does not have a single data protection law in place. Instead, provisions governing data protection are found in a number of laws, such as the Constitution of the UAE (Federal Law 1 of 1971) and the Penal Code (Federal Law 3 of 1987). Furthermore, some Free Zones have established their own comprehensive data protection regimes on the basis of data protection laws applicable in Western jurisdictions. In particular, divulging private or family “secrets” of an individual may be punishable under UAE law. Therefore, especially where personal data relates to the private or family life of an individual, the prior consent of the individual concerned should be obtained before sharing such data.

Penal Code

The UAE Penal Code contains a variety of provisions which criminalize the disclosure of ‘secrets’ pertaining to the private and family life of an individual. The relevant provisions form the legal groundwork for data and privacy protection under UAE law. As an example, Article 379 Penal Code restricts the transmission of personal data which was entrusted to a person by way of his/her profession or craft. Other provisions in the Penal Code generally restrict the transmission of private pictures or conversations without the prior consent of the individual. In October 2016, a new article 380 was introduced to the UAE Penal Code, which has led to some uncertainty and controversy with regard to data protection standards in the UAE. The new law prohibits the unlawful copying, distribution or disclosure of information and data that a person obtains in the course of their employment. Although the new provision was originally drafted to target company insiders, its language is broad enough to criminalize even single acts of data sharing without the prior consent of the individual. It remains to be seen whether and how the local courts may restrict the application of the rather broad wording of article 380 to particular cases.

Dubai International Financial Center (“DIFC”) and Dubai Healthcare City

In contrast to the Federal Laws of the UAE, both the DIFC and the Dubai Healthcare City have their own data protection laws. The respective laws are similar to the EU Data Protection Directive and apply to individuals and companies based in the DIFC or the DHC. The laws provide rules and regulations regarding the collection, disclosure and use of personal data for companies operating from the respective Free Zones.

Conclusion and Outlook

Data-related obligations for companies operating in the UAE are evolving. This is evidenced not only by the recent introduction of article 380 Penal Code but also by the implementation of all-inclusive data protection laws within some Free Zones. In particular, when processing or transferring personal data which relates to the private and family life of an individual, the prior consent of the data subject should be obtained in writing. Furthermore, companies operating within certain industrial sectors, including medical, banking and insurance, should be aware of the specific local and federal data protection regulations applying to their industries.

Does your company comply with the Data Protection and Privacy Laws in the UAE? Germela-Lootah now provides Data Protection Audits for its clients operating in the UAE.
For further information or assistance, please contact our colleagues at Germela-Lootah at +971-4-288-8345 or at