The UAE issued a landmark federal data protection law on 20 September 2021, moving the Emirates towards greater transparency and harmonisation with other jurisdictions in the region. The law, which came into force on 2 January 2022, provides greater clarity on what is permissible in terms of the collection, processing, review and transfer of personal data in onshore UAE. In doing so, it enhances the privacy rights of data subjects and correspondingly increases the obligations of those who collect, process, review and transfer personal data; it will therefore radically change how organisations in onshore UAE deal with personal data. The executive regulations under the law are projected to be issued in March 2022. In this blog, we examine the new federal law’s key features and its impact on employee monitoring and internal investigations.
Global best practice alignment
In an effort to better align with international best practice data protection principles, several countries and jurisdictions in the GCC have reformulated their data laws in recent years. Within the UAE, the DIFC and ADGM have in the last few years amended their data protection laws to bring them in line with the EU’s GDPR, while Dubai Healthcare City now has its own formal data protection law. Previously, without a standalone federal data protection law, data protection and privacy in onshore UAE was governed by a patchwork of laws, including the Cybercrimes Law. That created ambiguity. As an unfortunate legal quirk, it also meant onshore UAE was not generally recognised by the DIFC as an ‘adequate’ jurisdiction for data transfers. Now that the UAE has a comprehensive federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data), it is likely the DIFC will recognise the UAE as an adequate jurisdiction for data sharing.
In line with this development, the UAE also recently amended its Cybercrimes Law. That law imposes criminal liability for data protection violations on perpetrators, such as hackers, who do not have authorised access to the personal data concerned. The amendments clarify, strengthen and expand the scope of the earlier Cybercrimes Law.
Increased security, enhanced rights
One of the key principles of the new UAE data protection law is ensuring transparency in the collection and processing of data. In a move towards harmonisation with DIFC and ADGM data protection laws, the UAE’s new law:
- defines personal data as ‘any data related to an identified natural person or a related natural person who can be identified, directly or indirectly, through the linking of data’;
- requires data processing to be conducted in a fair, transparent and lawful manner;
- obliges personal data collections to have a clear and specific purpose and be conducted only within the scope of that purpose;
- empowers employees/data subjects to correct any inaccuracies in the data collected;
- requires security measures to safely store personal data and to protect against data breaches or unlawful and unauthorised processing; and
- restricts the storage of personal data once the purpose for collection no longer applies.
In particular, under the new federal data protection law, employees and other data subjects have enhanced rights over their personal data. They may request that their personal data be transferred to another controller, that inaccurate information be corrected, and that personal data be deleted in certain circumstances. For example, an employee may request deletion of personal data if it is no longer necessary for the purpose for which it was collected, if consent is withdrawn, or if the processing of the personal data violates the data protection law.
The new federal data protection law also establishes the Emirates Data Office (EDO), an onshore data privacy regulator. The EDO will develop data protection regulation, receive and investigate reports of data breaches (including alleged failures by employers to maintain the required security measures), and establish mechanisms for complaints and appeals. The EDO will be overseen by a Director General appointed by Federal decree under the executive regulations, and is authorised to propose draft laws, decrees, regulations and resolutions relating to the EDO for the Cabinet’s review.
Consent and notification
Except in certain circumstances, in the absence of consent from a data subject the new federal data protection law prohibits the (a) collection, (b) processing and (c) review of personal data, and (d) its transfer to jurisdictions lacking adequate data protection legislation. For example, consent is not required where the personal data is:
- publicly available;
- required to comply with legal obligations or protect public interest; or
- necessary for an employer to perform obligations or for an employee to exercise their rights.
An organisation’s authority to collect, process, review and transfer data derives from the ‘clear’ and ‘unambiguous’ consent of the employee/data subject. However, employees/data subjects are entitled to withdraw their consent. Importantly, the withdrawal of consent does not affect the lawfulness or legitimacy of any data processing performed before the consent was withdrawn.
In the event of a potential or actual data breach, an organisation is required to notify the EDO if the breach is likely to result in a risk to the privacy of a data subject or to the confidentiality and security of personal data. The organisation must also notify the affected employee, within a period to be set by the executive regulations, if the breach is likely to result in a risk to the privacy, confidentiality and security of the personal data. Importantly, the reporting requirement is triggered by the likelihood of such a risk, not by confirmed harm to the data subject’s privacy. Where the breach is discovered by a data processor, the processor must report it to the organisation, which must in turn report to the EDO and the employee.
Employee monitoring and investigations
The new federal data protection law clarifies and further restricts the way personal data can be collected, processed, reviewed and transferred by organisations and investigators in onshore UAE. As with the DIFC and ADGM data protection laws, employee monitoring in onshore UAE is permitted so long as notice is given to the employee and the employee consents. However, personal data can be collected, stored and processed only for a specified purpose and for a limited time. Employees can withdraw consent for any purpose at any time, thereby restricting the employer’s authority to process their data. These strict requirements and enhanced rights may create challenges in conducting internal investigations, and organisations should consider appropriate policies and agreements (including whether the exception for processing necessary for an employer to perform its obligations can properly be relied on) to mitigate these risks.
Other challenges may also hinder investigations. The time limits placed on data storage may prevent an investigator from obtaining historical information. The consent requirements may also create roadblocks for an investigator attempting to gather information without ‘tipping off’ a data subject suspected of wrongdoing. Investigators operating in jurisdictions with strict consent requirements are already finding that such laws hinder their ability to conduct investigations. For example, it is understood that investigators in China are required to obtain an employee’s consent before collecting personal data for internal investigations, even where the data is stored on company-owned devices. Lawyers in China are reportedly concerned that employees suspected of wrongdoing may use the relevant data protection law to intentionally obstruct investigations. Given the new UAE data protection law’s provisions on consent, similar concerns may arise here as organisations get to grips with the law.
As evidenced by the new federal data protection law and the amendments to the Cybercrimes Law, the UAE is enhancing data protection transparency and prioritising privacy rights. Although the executive regulations are yet to be issued, it is never too soon for organisations to begin evaluating their investigation policies, IT acceptable use policies, inter-office agreements and employment agreements. Organisations may need to introduce or strengthen policies and procedures to ensure compliance with the new data protection law. Organisations and investigators will also need to prepare action plans for the situation in which the target of, or witnesses to, an investigation exercise their rights to withdraw or refuse consent, thereby obstructing the investigation.
The authors would like to thank our former colleague, Eiman Hager, for her research and contributions to this article.