United Arab Emirates

By James Bowden and Kanan Kasuya

The Authors

James Bowden
Partner
jbowden@afridi-angell.com
Tel: +971 4 330 3900

James heads the data privacy and cyber security practice at Afridi & Angell. He advises companies in the TMT sector on industry-specific regulatory compliance as well as on general corporate and commercial matters. Prior to joining Afridi & Angell, James gained in-depth technology outsourcing experience while working as in-house counsel with one of Canada’s leading technology companies. He is a member of the Ontario Bar.

Kanan Kasuya
Partner
kanan@afridi-angell.com
Tel: +971 4 330 3900

Kanan’s practice focuses on corporate and commercial matters. She advises clients on general corporate and commercial matters, such as the establishment, structuring and winding down of businesses in the UAE. Kanan joined Afridi & Angell in 2014. She is a member of the Quebec Bar Association.

The DIFC Authority has proposed the enactment of legislation (the Proposed Law) to replace its current Data Protection Law, DIFC Law 1 of 2007 (as amended) (the Current Law).

The Proposed Law is the subject of Consultation Paper 6 of 2019, which is presently posted on the DIFC website for public comments to be provided by 18 August 2019.

The intention behind the Proposed Law is to align the Current Law with the General Data Protection Regulation (GDPR), to reflect the latest technology, privacy and security law developments, and to adapt these to the unique requirements of the DIFC. As GDPR has international application and has become the de facto global standard for data privacy, the Proposed Law is expected to provide consistency and familiarity for businesses in the DIFC that operate on an international scale.

Some noteworthy aspects of the Proposed Law are as follows:

Data Subject Rights

In addition to the right to access, rectify and erase personal data and the right to object to Processing which exist under the Current Law, there are new rights introduced in the Proposed Law that are as follows:

  • right to withdraw consent to processing of personal data (Processing);
  • right to the restriction of Processing;
  • right to know the recipients of the personal data;
  • right to data portability (i.e., right of a Data Subject to receive its personal data from a Controller in a structured, commonly used and machine-readable format);
  • right to not be subject to automated decision making (including profiling) which produces legal effects concerning, or significantly affects, the Data Subject. Examples of automated decision making include online credit applications and online recruitment tools; and
  • right to non-discrimination against a Data Subject for exercising any of the Data Subject rights.

Controllers must make available a minimum of two methods (e.g., by phone, email or online form) by which the Data Subject can contact the Controller to exercise any of the Data Subject rights. Such methods should not be onerous.

Apportionment of liability between Controllers and Processors

The Proposed Law (like the Current Law) stipulates that if a Data Subject suffers material or non-material damage by reason of any contravention of the Proposed Law, it will be entitled to compensation.

Unlike the Current Law, the Proposed Law stipulates when the Controller and the Processor are held liable for the damages caused.

  • A Controller involved in Processing which infringes the Proposed Law shall be liable for damages caused.
  • A Processor will be liable where it has not complied with the obligations specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller.
  • Where multiple Controller(s) or Processor(s) are involved in the Processing and where each is responsible for any damage caused by the Processing, each shall be held jointly and severally liable for the entire damage.

Information to be provided to Data Subjects

The Proposed Law has increased the number of items of information that must be provided to Data Subjects when personal data is collected. The additional information that must be provided includes (among others):

  • contact details of the Data Protection Officer (if applicable);
  • reference to the appropriate safeguards in the event personal data is transferred to a third country or international organisation;
  • the existence of the Data Subject’s right to withdraw consent to the Processing;
  • clarification of the legitimate interest or compliance obligations (for which the personal data is being collected);
  • recipients of the personal data; and
  • any other information to guarantee fair and transparent Processing vis-à-vis the Data Subject, which includes (among others):
    • the period for which the personal data will be stored;
    • existence of the other Data Subject rights (set out under “Data Subject Rights” above) as well as the right to lodge a complaint with the Commissioner of Data Protection (the Commissioner); and
    • whether Processing will restrict or prevent the Data Subject from exercising any of the Data Subject rights.

The Proposed Law also specifies that the information must be provided to the Data Subject in writing, including where appropriate by electronic means.

Consent to Processing

Controllers must be mindful of the requirements in the Proposed Law to ensure that consent to Processing has been obtained from the Data Subject. Consent under the Proposed Law means clear and unambiguous consent after clear disclosure of every purpose for which the personal data will be collected, processed and used.

Requirements for Legitimate and Lawful Processing

The Proposed Law continues the Current Law’s requirement for Legitimate Processing (now re-phrased as “Legitimate and Lawful” Processing under the Proposed Law). Personal data must still be processed fairly and transparently vis-à-vis the Data Subject, be limited to the purpose for which it is collected, and must also be accurate (requiring that it be updated via erasure or rectification without undue delay, where necessary).

The Proposed Law additionally requires that:

  • Controllers must not only process personal data in accordance with the Proposed Law, but must also be able to demonstrate such compliance (including to the Commissioner); and
  • personal data must now be kept secure and protected against unauthorised or unlawful Processing and against loss, destruction or damage using appropriate technical or organisational measures.

Legitimate Interests

“Legitimate interest” remains one of the grounds under which personal data can be collected. The term “Legitimate Interests” remains undefined; however, the Proposed Law does introduce two situations which are considered a “legitimate interest”:

  • transferring personal data within a group of undertakings for internal administrative purposes; and
  • processing personal data as strictly necessary and proportionate to ensure network and information security, and to prevent fraud.

The Proposed Law also introduces restrictions on the use of “legitimate interests” as grounds for Processing. Public authorities cannot rely on such grounds to collect personal data. Furthermore, Controllers who wish to rely on this basis must conduct a careful assessment as to whether a Data Subject can reasonably expect such Processing at the time and in the context of the collection of the personal data.

Organisational measures to be put in place for DIFC entities

Certain documents and measures would need to be put in place by DIFC entities:

  • technical and organisational measures that ensure personal data is processed in accordance with the Proposed Law and protect the Data Subject’s personal data;
  • a written data protection policy proportionate to the processing activities;
  • a policy and process for securely and permanently deleting personal data;
  • a written record in electronic format of the Processing activities; and
  • a written contract in compliance with the Proposed Law (i) between a Controller and a Processor, (ii) between Controllers, and (iii) between a Processor and a sub-Processor. If Processing activity is commenced without such an agreement, the parties would be in breach of the Proposed Law.

In addition, a DIFC entity transferring personal data to a jurisdiction that lacks an adequate level of protection must put appropriate safeguards in place. For a discussion of these appropriate safeguards, see “Transferring personal data to a jurisdiction lacking an adequate level of protection” below.

High-Risk Processing Activities

The Proposed Law introduces the concept of “High Risk Processing Activities,” which is Processing where one or more of the following applies:

  • new technologies are being deployed which may increase the risk to Data Subjects or render it more difficult for Data Subjects to exercise their rights; or
  • a considerable amount of personal data will be Processed where such Processing is likely to result in a high risk to the Data Subject (on account of the sensitivity of the Personal Data); or
  • the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons (such as profiling), on which decisions are based to produce legal effects on, or significantly affect, the natural person; or
  • a non-trivial amount of Special Categories of Personal Data (currently called “Sensitive Personal Data” under the Current Law) is to be Processed.

There are additional obligations that arise for DIFC entities carrying on such activities. These include (among others):

  • the appointment of a Data Protection Officer (to assist the Controller and Processor in monitoring compliance with the Proposed Law); and
  • submission of assessments to the Commissioner (namely the Annual Assessment and Data Protection Impact Assessments).

Cessation of Processing

The Proposed Law introduces rules on when the Controller must cease the Processing and how personal data must be handled thenceforth.

Where the basis for Processing ceases to exist or the Controller is required to cease Processing via the exercise of Data Subject rights, the Controller is required to ensure that personal data is securely and permanently deleted, or where this is not possible, archived in a manner such that the data is “put beyond further use.” The exception to this rule is where such personal data is necessary for the establishment or defense of legal claims, or to be retained in accordance with applicable laws.

“Put beyond further use” means that:

  • the Controller must not use the personal data to inform any decision in relation to the Data Subject or in a manner that affects the Data Subject in any way;
  • no party (other than the Controller) has access to the personal data;
  • personal data is protected by appropriate technical and organisational security; and
  • the Controller has in place a strategy for the permanent deletion of personal data, if or when this becomes possible.

Transferring personal data to a jurisdiction lacking an adequate level of protection

Unlike under the Current Law, the Commissioner no longer grants a permit or written authorisation to transfer personal data to such a jurisdiction. The Proposed Law provides an updated list of conditions, one of which must be satisfied in order to transfer personal data to such a jurisdiction:

  • appropriate safeguards must be put in place, which must be in one of the following forms (among others):
    • a code of conduct (approved by the Commissioner) together with binding enforceable commitments of the Controller to apply the appropriate safeguards;
    • a certification mechanism (approved by the Commissioner) together with binding enforceable commitments of the Controller to apply the appropriate safeguards;
    • a legally binding and enforceable instrument;
    • data protection procedures and policies applicable to Group entities (referred to as “Binding Corporate Rules” in the Proposed Law), which may be approved by the Commissioner (although such approval is not mandatory).
  • one of the specific derogations listed in the Proposed Law applies. Such derogations are substantially similar to the transfer conditions set out in the Current Law. These include (among others) that the transfer is necessary for the performance of a contract or for the public interest, or that the Data Subject consented to the transfer.
  • the transfer satisfies the conditions of “limited circumstances,” which is that it is a one-time transfer that concerns only a limited number of Data Subjects, is necessary on the grounds of legitimate interests, and where the Controller has provided suitable safeguards with respect to the protection of personal data. In this situation, the Controller must inform the Commissioner of this transfer.

Transferring personal data to a governmental authority outside of DIFC

The Proposed Law introduces guidelines that must be followed in order for the Controllers to disclose and transfer personal data, outside the DIFC, to a governmental authority (the Requesting Authority). Controllers must:

  • exercise reasonable caution and diligence to determine the validity and proportionality of the request for personal data;
  • ensure that any disclosure of personal data is made solely for the purpose of meeting the objectives identified;
  • assess the impact of the proposed transfer in light of the potential risks to the Data Subject’s rights;
  • implement measures to minimize such risks; and
  • where possible, obtain appropriate and written assurances from the Requesting Authority that it will respect the rights and freedoms of the Data Subjects.

Failing any of the above, the Controller should not disclose or transfer personal data to the Requesting Authority.

Rectification and erasure notification

Controllers must notify each recipient to whom the personal data is disclosed when personal data is rectified, erased or subject to restricted processing.

Personal Data Breach

This is a new feature in the Proposed Law. If there is a Personal Data Breach that compromises a Data Subject’s confidentiality, security or privacy, the Controller must notify the Commissioner of the breach. When the Personal Data Breach is likely to result in a high risk to the Data Subject’s confidentiality, security or privacy, the Controller must also communicate the Personal Data Breach to the Data Subjects.

Afridi & Angell

Founded in 1975, Afridi & Angell is a full-service UAE law firm in its fifth decade at the forefront of the legal community. From the beginning, our hallmarks have been a commitment to quality, unsurpassed knowledge of the law and the legal environment, and crafting of innovative business solutions. Licensed in the three largest Emirates of Abu Dhabi, Dubai and Sharjah as well as the Dubai International Financial Centre, our practice areas include banking and finance; corporate and commercial law; arbitration and litigation; construction; real estate; infrastructure projects; energy; project finance; maritime (wet and dry); and employment. We advise local, regional and global clients ranging in size and sophistication from start-ups, sole proprietorships, family-owned businesses, entrepreneurs and investors to some of the world’s largest public and private companies, governments and quasi-government institutions. We attract and retain clients with our dedication to practical guidance focused on their business needs supported by decades of experience here in our home jurisdiction, the UAE.

Afridi & Angell is the exclusive member firm in the UAE of top legal networks and associations, most notably Lex Mundi, the world’s leading network of independent law firms, and World Services Group.

www.afridi-angell.com

Afridi & Angell’s inBrief provides a brief overview and commentary on recent legal announcements and developments. Comments and opinions contained herein are general information only. They should not be regarded or relied upon as legal advice.

© 2019, Afridi & Angell
