A Q&A guide to data protection in the United Arab Emirates.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The United Arab Emirates (UAE) is a federation of seven emirates. Each emirate in the UAE is subject to federal law and has its own local laws which apply in that emirate. Free zones such as the Dubai International Financial Centre (DIFC) have also been established in the UAE. This chapter considers data protection law in the UAE, but not in the DIFC. For further information concerning data protection law in the DIFC, see PLC Data Protection multi-jurisdictional guide: United Arab Emirates, Dubai International Financial Centre (DIFC) chapter (www.practicallaw.com/5-518-8829).
There is currently no specific data protection law in the UAE. However, various UAE laws provide certain rights of privacy relevant to the protection of personal data.
The UAE Constitution provides that an individual enjoys "freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law" (Article 31).
The Penal Code (Federal Law 3 of 1987 as amended) sets out certain rights of privacy. In particular it prohibits:
The publication of news, pictures or comments pertaining to the secrets of people's private or family life, even if true (Article 378).
Any person who, because of his profession, craft, situation or art, is entrusted with a secret from disclosing or using (to his or another's advantage) that secret without the consent of the individual concerned and where not otherwise permitted by law (Article 379).
The interception and/or disclosure of correspondence or a telephone conversation without the consent of the relevant individuals (Article 380).
Other laws containing certain privacy protections or requirements relating to record-keeping include:
The Civil Code (Federal Law 5 of 1985 as amended), which includes provisions relating to record-keeping by employers.
The Labour Law (Federal Law 8 of 1980), which includes provisions relating to record-keeping by employers.
The Cyber Crimes Law (Federal Law 2 of 2006), which includes provisions regarding hacking and similar crimes.
The Electronic Transactions and Commerce Law (Federal Law 1 of 2006) and the Commercial Transactions Law (Federal Law 18 of 1993) (see below, Sectoral laws).
The UAE does not currently have any specific sectoral data protection laws.
However, various UAE federal and emirate-level laws include provisions relevant to personal data in particular sectors, including:
The regulation of credit information in relation to credit bureaus (Decree 8 of 2010 of the Emirate of Dubai on Emirates Credit Information Company).
Record-keeping by commercial traders and banks (Commercial Transactions Law and the Electronic Transactions and Commerce Law).
The protection of secret/confidential patient information (UAE Medical Liability Law (Federal Law 10 of 2008)).
Non-disclosure of information gathered by internet service providers (ISPs) in providing services (Electronic Transactions and Commerce Law 2 of 2002 of the Emirate of Dubai).
Protection of consumers' information by telecommunication service providers (UAE Telecommunications Regulatory Authority Privacy of Consumer Information Policy).
The UAE does not currently have a specific data protection law and therefore does not recognise concepts such as "data controllers" and "data processors" in the same way as Directive 95/46/EC on data protection (Data Protection Directive). The general laws referred to in Question 1 are universally applicable in the UAE except in the DIFC, which has its own civil and commercial legal regime and is only subject to the Penal Code (the criminal law) of the UAE.
The UAE does not currently have a specific data protection law and therefore does not recognise the concepts of "data protection", "personal data" and "data subjects" in the same way as the Data Protection Directive. In addition, there is no data protection regulatory authority. However, the UAE does have various provisions in its Constitution and criminal, civil and commercial laws which provide, to an extent, rights and protections for certain personal and/or confidential data (see Question 1).
As there is no specific data protection law in the UAE, the concept of "data processing" is not currently recognised under UAE law. However, there are various privacy protections under UAE law, the effect of which is to impose certain rights and obligations concerning the processing of personal data (see Question 1).
Federal laws apply throughout the UAE. Each emirate in the UAE is subject to federal laws and has its own local laws which apply in that emirate. The DIFC has its own civil and commercial legal regime but the UAE Penal Code applies (see Question 1).
This does not apply as there is no specific data protection law in the UAE (see Question 1).
There is no concept of "data processing", no requirement for notification or registration prior to processing data and no data protection regulatory authority to whom notifications are to be made (see Question 3).
Although the UAE does not currently have a specific data protection law, the existence of certain privacy protections in various UAE laws means that in practice the processing of personal data should not be carried out without the prior consent of the individual concerned (see Question 3).
The processing of personal data should not be carried out without the prior consent of the individual concerned (see Question 8).
This is not applicable as the UAE does not have a specific data protection law (see Question 8).
Concepts such as "personal data" and "sensitive personal data" are not recognised under UAE law in the same way as they are in the Data Protection Directive. However, certain data relating to individuals and families would be likely to be considered "sensitive" as a result of Islamic traditions and sharia law.
There is no specific data protection regime in the UAE which sets out information requirements or recognises the concepts of "data subjects" or "personal data", although the consent of individuals should be obtained before processing data (see Questions 1 and 8).
There is no specific data protection regime in the UAE which recognises the concepts of "data subjects" or "personal data" (see Question 3).
There is no specific data protection regime setting out security requirements in relation to personal data or otherwise in the UAE (see Question 1).
There is no specific data protection regime which recognises the concept of "data subjects" or a "data protection regulator" (see Question 3).
The concepts of "data processing" and "data controllers" are not recognised under UAE law (see Question 2).
Cookies or equivalent devices are not specifically regulated under UAE law.
The UAE's Telecommunications Regulatory Authority enacted the Unsolicited Electronic Communications Regulatory Policy in 2010, which regulates electronic spam and obliges the UAE's two telecommunications service providers to minimise and, where possible, prevent or eliminate the transmission of spam.
The UAE does not have a specific data protection law, and UAE law does not address the cross-border flow of data. However, it is advisable to seek prior consent to the processing of personal data from the individual concerned to the extent necessary to overcome the various privacy protections set out in UAE law (see Question 8).
There is no specific data protection regime in the UAE and therefore data transfer agreements are not used (see Question 1).
There is no specific data protection regime in the UAE and data transfer agreements are not used (see Question 21). However, it is advisable to seek prior consent to the processing of personal data to the extent necessary to overcome the various privacy protections set out in UAE law (see Question 8).
There is no national regulator in charge of data protection in the UAE (see Question 3).
The various privacy rights and protections under the laws set out in Question 1 give rise to both criminal penalties (including imprisonment and/or fines) and civil remedies in relation to breaches of privacy or confidentiality.
See table, Sanctions for data breaches.
There is no specific data protection regime and no national data protection regulator in the UAE.
T +971 4 709 6655
F +971 4 709 6601
E alexander.shepherd@simmons-simmons.com
W www.simmons-simmons.com
Qualified. England and Wales, 2000
Areas of practice. Data protection; technology; media; telecommunications; intellectual property; commercial; corporate.