Data protection laws in the UAE: a closer look

Thursday 9 April 2026

Shantanu Mukherjee
Managing Partner, Ronin Legal Consulting, Dubai

As the global focus on data privacy intensifies, the United Arab Emirates (UAE) has been strengthening its data protection laws over the past few years to ensure compliance with international standards and to safeguard the privacy rights of individuals.

However, within the UAE, the regulatory landscape is multifaceted, with different legal frameworks governing data protection in distinct jurisdictions. While the UAE’s federal laws lay out broad provisions for data privacy, the financial free zones in the country, that is, the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC), have implemented their own data protection regulations.

For businesses, the key question is jurisdictional: where is the entity incorporated, where does it operate and what kinds of data does it handle? The answer determines whether federal laws, free zone laws or a mix of both apply.

Federal data protection

Personal Data Protection Law

The UAE’s Federal Law No 45 of 2021 on Personal Data Protection (the ‘PDP Law’) is its core federal privacy statute. It introduces GDPR-style principles around lawful processing, transparency and accountability for entities processing the personal data of UAE residents, whether the processing takes place inside or outside the UAE.

The PDP Law provides that individuals should be informed of the purposes for which their data is being processed and give consent (which must be informed, unambiguous and easily accessible). Data subjects have rights to information, access, correction, erasure, data portability, restriction and to object to certain automated processing.

Similar to the GDPR, organisations engaging in high‑risk or large‑scale processing of sensitive data must appoint a Data Protection Officer (DPO), implement appropriate technical and organisational standards, and notify the UAE Data Office and affected individuals in the event of data breaches.

The cross‑border transfer of personal data is only allowed to countries deemed ‘adequate’ by the UAE Data Office, typically where specific data protection legislation exists or where relevant international agreements are in place. Notably, the PDP Law does not apply to entities established in any of the UAE’s free zones that have their own special legislation for data protection in place.

Health Data Law

Before the PDP Law, the UAE introduced its Health Data Law through Federal Law No 2 of 2019, the first piece of federal legislation in the UAE to directly address data protection principles.

More specifically, it regulates the use of information technology and communications in the healthcare sector and requires healthcare providers to ensure the confidentiality, validity and credibility of health data. In contrast to the PDP Law, the Health Data Law applies to all entities operating in the UAE and in the free zones that provide services in the healthcare sector.

The law, however, prohibits the transfer of health data outside the UAE except in the cases enumerated in Ministerial Resolution No 51 of 2021. There is also a retention requirement that differs from the GDPR: health data must be stored for 25 years from the date on which the last procedure on the patient was conducted, rather than only until the purpose of processing has been fulfilled.

The Health Data Law introduced provisions for a centralised health data management system that will securely store, exchange and collect all health data gathered by healthcare providers. This system aims to streamline the management of health data while ensuring its security and accessibility.

Along with the Health Data Law, the UAE has been making significant strides in enhancing health data management, cybersecurity and interoperability.

Electronic medical records and health information exchange

The UAE has been working on integrating Electronic Medical Records (EMR) to improve patient care and enhance the quality of healthcare services. EMRs facilitate the sharing of health data between different healthcare providers and ensure that medical professionals have access to accurate and updated patient information.

In Dubai and Abu Dhabi, various healthcare facilities have implemented EMR systems, allowing the standardisation of health data across different institutions. The launch of the healthcare platform 'NABIDH' by the Dubai Health Authority (DHA) to securely exchange trusted healthcare information across both public and private facilities in Dubai was a major step towards enhancing health information exchange in the UAE.

By centralising health data, NABIDH allows for advanced data analytics that can support public health initiatives, research and evidence-based decision-making. Hence, all the hospitals, clinics and diagnostic centres licensed under the DHA need to be connected with NABIDH and exchange information using one of the qualified EMR systems.

Interoperability of data and cybersecurity in the UAE

A critical component of the UAE’s data protection framework is ensuring that data, particularly health data, is interoperable, reliable and fit for purpose. To achieve this, the UAE has established the UAE Digital Data Interoperability Framework, which works in harmony with the European Interoperability Framework, W3C and ISO standards by offering guidance on how standards should be set to enhance data sharing and collaboration.

It provides principles and guidelines to help government and private sector entities manage and share data securely and efficiently. The UAE also has a Smart Data Framework, which provides the core standards for data classification, exchange and quality across various sectors, including healthcare.

Furthermore, the UAE’s National Cybersecurity Strategy, launched by the UAE National Electronic Security Authority, is focused on strengthening the nation’s cybersecurity infrastructure across all sectors. This strategy includes specific measures to protect health data from cyber threats and ensures that critical healthcare systems are secure. Abu Dhabi has its own Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) – a set of standards to ensure the confidentiality, integrity and availability of healthcare information in Abu Dhabi.

Dubai International Financial Centre (DIFC)

The DIFC introduced its data protection regime through DIFC Law No 5 of 2020 (the ‘DIFC Law’), which has been in force since 1 July 2020. Like the PDP Law, the DIFC Law draws heavily on the GDPR.

It applies to all entities within the DIFC, including DIFC-registered companies and those offering services in, or to, the DIFC. Much like the PDP Law, the DIFC Law provides individuals with several rights over their personal data, such as access, rectification, erasure and portability of their data. Additionally, data subjects have the right to object to certain types of processing, such as processing based on public or legitimate interests or automated processing.

The law outlines specific grounds under which personal data can be lawfully processed, including obtaining explicit consent, fulfilling contractual obligations, compliance with legal requirements and protecting the legitimate interests of the data controller or a third party.

The DIFC Law requires that personal data transferred to countries outside the DIFC must have adequate protection as determined by the Data Protection Commissioner. This means that the destination country needs data protection standards comparable to those in the DIFC. If a country has been deemed adequate, then transferring data there is generally considered compliant with DIFC regulations.

Similar to the PDP Law, the DIFC Law requires organisations that engage in large-scale data processing or handle sensitive data to designate a DPO to oversee their data protection practices and serve as a point of contact for data subjects and the DIFC Data Protection Commissioner.

Abu Dhabi Global Market (ADGM)

The ADGM introduced its own set of data protection regulations through the ADGM Data Protection Regulations 2021 (the ‘ADGM Regulations’). The ADGM Regulations apply to all entities within the ADGM, including entities that handle the personal data of individuals located in the ADGM or those entities that offer goods and services to individuals within the ADGM.

The ADGM Regulations provide individuals with comprehensive rights over their personal data that closely resemble those in the previously mentioned laws. Data controllers in the ADGM must ensure that any processing of personal data is conducted on one of several lawful bases, including obtaining consent, fulfilling a contract, complying with legal obligations, protecting vital interests or pursuing legitimate interests. This aligns not only with the DIFC Data Protection Law but also with international data protection practices.

Under the ADGM Regulations, personal data can be transferred internationally if the recipient jurisdiction provides an adequate level of data protection or if additional safeguards, such as standard contractual clauses or binding corporate rules, are put in place to protect the data during transfer. Organisations in the ADGM that engage in significant data processing activities or handle sensitive personal data must appoint a DPO. The DPO oversees the organisation’s compliance with the ADGM Regulations and liaises with the data protection authority.

The authority established under the ADGM Regulations is the Office of Data Protection, which is responsible for enforcing compliance with the regulations. The Office of Data Protection can monitor and enforce the application of the regulations and advise ADGM courts on measures relating to the protection of individuals’ rights with respect to processing. It can also investigate complaints, conduct audits and issue fines for non-compliance.

Comparing the federal and free zone laws

It is apparent that the various data protection laws in the UAE are not too distinct from one another, with significant similarities reflected not only among themselves but also with international data protection regulations like the GDPR.

Some of the important distinctions between them result primarily from their unique regulatory environments and jurisdictional scope. For example, in addition to the PDP Law, the UAE has several regulations and standards in place for data protection at the federal level. In contrast, the data protection regime in the DIFC and ADGM largely consists of the respective data protection laws mentioned earlier.

Most other free zones, such as Dubai Healthcare City (DHCC) – which has its Health Data Protection Regulation 2013 – likewise have a single, specific regulation tailored to that free zone’s requirements rather than a comprehensive set of regulations.

As a general rule, a free zone’s legislation applies only to that particular free zone, as opposed to federal legislation such as the PDP Law, which applies across the entire UAE. However, the Health Data Law does not exclude the free zones and is all-encompassing, due to the sensitive nature of the data it is dealing with.

Furthermore, each jurisdiction in the UAE has established its own regulatory body to enforce its respective regulations. For example, the DIFC has its Commissioner of Data Protection, the ADGM has its Office of Data Protection and the UAE Data Office has been established as the regulatory body at the federal level (however, it is not yet operational at the time of writing).

Another important distinction is that the PDP Law enumerates cases in which personal data can be processed without the consent of the data subject, reflecting the federal nature of the law and its congruence with other major data protection laws that provide ‘public security’ exceptions which empower the State. The free zone laws, such as those of the DIFC, ADGM and DHCC, are by comparison more comprehensive given their zone-specific nature, with a higher degree of stringency and stricter requirements for processing personal data.

Conclusion

The UAE’s data protection laws reflect the country’s broader commitment to enhancing data privacy and aligning with global standards. Laws in the financial free zones are modelled more closely on the GDPR in certain respects. The PDP Law, however, adopts a more flexible approach, with lower fines and less stringent requirements, to balance privacy and economic growth.

For businesses operating in the UAE and its free zones, understanding the nuances of the different data protection frameworks is crucial for ensuring compliance and minimising risk. Whether dealing with laws at the federal level or regulations within the DIFC and ADGM, it is essential for companies to implement lawful data governance practices to protect individuals’ personal data.