Potential Legal Issues Associated with Consent under the UAE Federal Data Protection Law
The United Arab Emirates (the “UAE”) has proved itself to be a country that swiftly responds to new social, cultural and commercial trends by actively enacting legislation to protect the rights and interests of its citizens and residents. It is therefore surprising that it took nearly five decades for the UAE to introduce its own data protection legislation, namely Federal Decree-Law No. 45 of 2021 (the “Data Protection Law”). This article focuses on the type of data that falls within the scope of the Data Protection Law, the type of entities that should be concerned with its enactment and potential legal issues surrounding the consent of data subjects.
Firstly, it is important to understand what type of data and/or information falls within the meaning of “data” under the Data Protection Law. Article 1 provides that this legislation applies to all types of data, such as, by way of example, personal information, beliefs, criminal records, biometric data, images, and videos. However, Article 2 provides that certain types of information are excluded from the scope of the Data Protection Law, such as government data, personal data held with judicial authorities, health records, as well as banking information.
In addition to the above, Article 2 clarifies which entities fall within the scope of the Data Protection Law and which do not. While data controllers and processors both inside and outside the UAE that collect and process data of UAE citizens and residents fall within the scope of application of the Data Protection Law, Article 2 makes it clear that entities located in free zones that are subject to different legislation on data protection (e.g., Dubai International Financial Centre) and government authorities are excluded from its scope.
The Data Protection Law makes it clear that the collection and processing of data is prohibited without the data subject’s consent. Article 1 defines consent as a specific, informed, and unambiguous indication of a person’s agreement to the processing of his/her personal data, by a statement or by a clear affirmative action. The law does not state how a “clear affirmative action” can be demonstrated. Article 6 further emphasises that for a data subject’s consent to be valid, such consent must be given in writing or electronically in a clear, simple, unambiguous and easily accessible manner.
The UAE is one of the most mobile countries in the world. Nearly any product or service can be delivered by a service provider to a consumer at the click of a button. Such service providers have had data privacy policies in place for many years prior to the enactment of the Data Protection Law. We have all come across windows on our screens asking if we agree to our data being processed by a certain service provider or agree to be subject to their privacy policies. Since the enactment of the Data Protection Law, the critical question is whether or not a simple click of a button will amount to a “clear affirmative action” and, if not, what companies that collect and process personal data should do to avoid any liability and/or penalty.
With the establishment of a Data Protection Office (the “DPO”), the government entity responsible for overseeing implementation of the Data Protection Law, it is very likely that the DPO will conduct investigations into the privacy policies of companies that collect and process data, and such investigations may lead to penalties. Companies in the UAE and abroad that collect and process data should exercise due care and revise their data privacy policies in light of this legislative development.
Our team of expert lawyers at ADG Legal can assist in and advise on any matter you may have.
Bahriddini Sultan – Paralegal
Peter Gray – Partner