The UAE has recently released the Federal Decree-Law 45 of 2021 on the Protection of Personal Data (UAE Data Protection Law) with an effective date of 2 January 2022.The UAE Data Protection Law does not apply to various categories of data or entities that hold personal data such as: (i) government data; (ii) government authorities that control or process data; (iii) any data held with security and judicial authorities; (iv) individuals who process their own data for personal purposes; (v) health data; (vi) banking and credit data; and (vii) data held by free zone companies and institutions (as these entities are subject to personal data protection legislation implemented by the relevant free zones identified herein). In the Dubai International Financial Centre free zone (DIFC), DIFC Law No. 5 of 2020 and its regulations (DIFC Data Protection Law) govern the collection, use, and disclosure of personal information within the DIFC.

In the Dubai Healthcare City free zone (DHCC), Data Protection Regulation (7) of 2013 (DHCC Health Data Regulations) governs the use of patient’s medical information by entities and professionals registered in the DHCC.

In the Abu Dhabi Global Market free zone (ADGM), Data Protection Regulations 2021 (ADGM Regulations) governs the collection, use and disclosure of personal information processed by entities registered in the ADGM. Note: Prior to the enactment of the UAE Data Protection Law, key privacy legislation governed the UAE. There were laws containing provisions concerning the protection of confidential information (UAE Laws), which include, among others:

• Federal Law No. 5 of 1985 promulgating the Civil Transactions Law of the UAE, as amended (Civil Code) and Federal Law No. 8 of 1980 concerning the Regulation of Labour Relations, as amended (Labour Law) – which prohibit the disclosure of commercial/trade secrets of a company by an employee.
• Federal Law No. 3 of 1987 concerning the Penal Code, as amended (Penal Code) – which prohibits the disclosure and misuse of private, personal information, trade secrets and content of phone calls and messages. • Federal Law No. 6 of 2010 on Credit Information, as amended (Credit Information Law) – which prohibits the disclosure of credit information.
• Federal Decree-Law No. 5 of 2012 on Combating Cyber Crimes, as amended (Cyber Crimes Law) – which criminalizes certain acts involving confidential, electronic information.
• Federal Law No. 10 of 2008 on Medical Liability (Medical Law) – which provides for the protection of patient information. • Cabinet Decision No. 21 of 2013 on Information Technology Security Regulation at Federal Government Entities, issued on July 3, 2013 (IT Security Regulation) – which provides the standard relating to data protection within the UAE federal government sector.
• Federal Decree-Law No. 3 of 2003 on Organizing the Telecommunications Sector, as amended, and several implementing regulations (Telecoms Law) – which prohibits the disclosure of (consumer) information that is collected by telecommunication service providers in the UAE.
• Telecommunications Regulatory Authority’s Regulatory Policy of Internet of Things (IoT) dated 22 March 2018 (IoT Policy) – which sets the standard relating to data storage and protection for IoT Service Providers.
• Federal Law 2 of 2019 on the Use of Information and Communication Technology (ICT) in health Fields and its implementing regulations, Cabinet Decision 32 of 2020 (ICT Law) – which provides a standard relating to ICTs used by healthcare service providers in the UAE as well as how UAE health data must be stored.
• Department of Health Abu Dhabi (DOH) Standard on Patient Healthcare Data Privacy dated 16 September 2020 (DOH Healthcare Data Standard) – which provides a standard relating to the use and disclosure of patient health information in Abu Dhabi.
• Stored Value Facilities (SVF) Regulation dated 30 September 2020 (SVF Regulations) - which provides the regulatory framework governing digital payment in UAE (which includes data processing requirements). Notably absent from the above list is a data protection law applicable to banks and financial institutions. Data protection practices in the financial sector are based largely on custom and learned expectations of the UAE Central Bank, and are not codified, with limited exceptions (such as the SVF Regulations noted above).

There are areas that are designated as “free zones” within each emirate of the UAE that is governed by their own respective rules and regulations, although they remain subject to most federal and emirate-level laws. Noteworthy free zones for purposes of a discussion of data protection are DIFC, (ADGM) and DHCCfree zones which have their own respective data protection laws.

• The DIFC is subject to DIFC Data Protection Law, which govern the collection, use and disclosure of personal information within the DIFC.
• The DHCC is subject to DHCC Health Data Regulations, which governs the use of patient’s medical information by entities and professionals registered in the DHCC. • The ADGM is subject to ADGM Regulations, which governs the collection, use and disclosure of personal information within the ADGM.

The UAE Data Protection Law applies toto to protect confidential information relating to:

1. Personal Data;
2. Sensitive Personal Data; and
3. Biometric Data.

Personal Data is defined as “Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data”.

Sensitive Data is defined as “Any data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

Whilst Biometric Data is defined as “Personal Data resulting from processing, using a specific technique, relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of the natural person, such as facial images or dactyloscopic data”.

DIFC Data Protection Law protects Personal Data (including Special Categories of Personal Data) (as defined below) that are stored, collected or gathered within the DIFC.

ADGM Regulations protect Personal Data (including Special Categories of Personal Data) (as defined below)  that are processed by entities registered in the ADGM (regardless of whether the data processing takes place in ADGM or not).

DHCC Health Data Regulations protects the Patient Health Information, which is the information about a patient that relates to his or her physical or mental health or condition, including the reports from any diagnostic procedures and information related to the payment for services.

Note: Each of the UAE Laws in addition to the UAE Data Protection Law protects different types of confidential information in the UAE, which we can illustrate very briefly as follows:

• Civil Code and Labour Code: trade/business secrets of the company.
• Penal Code: details of an individual’s private life, trade secrets and contents of phone calls and messages.
• Credit Information Law: Credit information and details of an individual’s private life, opinions, beliefs and health. By “credit information”, includes financial records (including revenue, movable and immovable assets, bank transactions) and the creditworthiness of an individual.
• Cyber Crimes Law: confidential “electronic information”. “Electronic information” is defined as any information that is stored, processed, generated or transmitted through information technology. Certain examples of confidential, electronic information are credit card and bank account numbers, passwords, data of an electronic document, medical information/records, and confidential information obtained during work.
• Medical Law: all confidential information of a patient which the doctor becomes aware of from the patient or independently.
• IT Security Regulation: confidential information held by the UAE federal government.
• Telecoms Law: any consumer information/data collected through means of telecommunication.
• IoT Policy: any consumer information/data collected by IoT Service Providers
• ICT Law: health data and information.
• DOH Healthcare Data Standard: health-related information of patients in Abu Dhabi (e.g. physical or mental health or condition, healthcare service and fees).
• SVF Regulations: confidential information held by SVFs

DIFC: The DIFC Data Protection Law protects Personal Data obtained within the DIFC. Personal Data is defined as information of an identifiable individual.

Under this law, there is also a category under Personal Data defined as Special Categories of Personal Data which is subject to heightened levels of protection. Special Categories of Personal Data are information concerning the racial, ethnic or communal origin, opinions, political affiliation and opinion, religious or philosophical beliefs or opinions, criminal records, trade union membership, health or sex life, genetic data and biometric data.

Personal Data and Special Categories of Personal Data must be collected, gathered or stored within the DIFC to be protected under this law.

ADGM: The ADGM Regulations protect Personal Data that are processed by Controllers and Processors registered in the ADGM regardless of whether such data is processed in ADGM or not. Similar to the DIFC Data Protection Law, the ADGM Regulations also offer a heightened level of protection for Special Categories of Personal Data. The definition of “Special Categories of Personal Data” are similar between the DIFC Data Protection Law and ADGM Regulations except that ADGM Regulations additionally include “health data and individual’s sexual orientation”.

DHCC: The DHCC Health Data Regulations protect Patient Health Information that is obtained by professionals and entities registered within the DHCC. Patient Health Information is the information about a patient that relates to his(her) physical or mental health or condition, including the reports from any diagnostic procedures and information related to the payment of services.

The UAE Data Protection Law applies to(i) the processing of Personal Data of natural persons residing in the UAE or having a workplace in the UAE, (ii)  Any person (whether natural or legal) located in the UAE controlling or processing the personal data of any natural person and (iii) any person (whether natural or legal) located outside the UAE controlling or processing the data of people within the UAE.DIFC Data Protection Law applies to (i) individuals or entities that are operating in the DIFC and (ii) individuals and entities that process Personal Data in DIFC as part of a stable arrangement (other than on an occasional basis).

ADGM Regulations apply to individuals and entities within the ADGM.

DHCC Health Data Regulations apply to individuals and entities that are operating in the DHCC.

Note: Individuals and entities that process confidential information are subject to the UAE Laws. Depending on the context, sector and nature of the confidential information, the applicable laws vary. In addition, the UAE Data Protection Law applies more broadly across all processing activities in the UAE.

The following UAE Laws apply to specific persons:

Credit Information Law: entities that are authorized to process credit information, recipients/beneficiaries of credit information and individuals that are subject to the credit information.

Cyber Crimes Law: persons processing electronic information who are involved in cybercrime that is wholly or partially committed in the UAE.

Medical Law:  doctors, and arguably other employees in hospitals and clinics although this is not express.

IT Security Regulation: employees of the UAE federal government.

Telecoms Law: telecommunication service providers and consumers of such means of telecommunication.

IoT Policy: IoT Service Providers. IoT means “Internet of Things”, which is a network of physical objects that are embedded with information technology for the purpose of connecting and exchanging data with other devices and systems over the internet. 

ICT Law: Persons (natural or legal) using ICT within the health sector. This includes an entity providing medical services, health insurance services, brokerage services, claims management services or electronic services in the medical field.

DOH Healthcare Data Standard: (i) health care entities regulated by DOH in Abu Dhabi and (ii) healthcare professionals, insurance providers, service providers, vendors, brokers and third-party administrators that process or store patient health information in Abu Dhabi.

SVF Regulations: Stored Value Facilities, by “Stored Value Facilities” (or SVF), refers to a non-cash facility whereby a customer pays a sum of money in exchange for values, reward points, crypto assets or virtual assets. Examples include prepaid cards, mobile e-wallets, internet-based payment platforms, etc.   

DIFC: The DIFC Data Protection Law applies to (i) individuals or entities that are operating in the DIFC and (ii) individuals and entities that process Personal Data in DIFC as part of a stable arrangement (other than on an occasional basis). Specifically, it applies to a Controller and Processor. A Controller is defined as an individual in the DIFC who determines the purposes and means of processing personal information. A Processor is an individual who acts on behalf of the Controller.

ADGM: The ADGM Regulations apply to Controllers and Processors in the ADGM. Controller and Processor have the same meaning in the DIFC Data Protection Law and the ADGM Regulations. 

DHCC: DHCC Health Data Regulations applies to healthcare professionals, healthcare service providers, companies, educational institutes, research operator, and non-clinical entities that are licensed to operate in the DHCC, and patients providing health information to such individuals and entities.

There is a list of controls that govern how Personal Data shall be processed in the UAE. The processing of Personal Data must be fair, transparent and lawful, and for a specific and clear purpose. Personal data must be accurate, correct and limited to the purpose for which the processing is required. Moreover, technical and organizational measures should be in place to correct or erase incorrect personal data, whilst keeping the data secure and protected from any breach or unauthorized processing. In addition, personal data must not be retained after the purpose of processing has been fulfilled, unless it is anonymised.  

Certain sectoral laws have varying requirements, ranging from particular data collection requirements (e.g. Credit Information Law) or obligation to have data processing policies and procedures in place (e.g. DOH Healthcare Data Standard).

The DIFC Data Protection Law, ADGM Regulations and the DHCC Health Data Regulations provide significant requirements with respect to the collection of personal information.

With respect to the DIFC Data Protection Law and ADGM Regulations, the requirements include the obligation of the Controller to provide certain information to the data subject (e.g. identify of the Controller, the right to access and rectify the Personal Data) when collecting personal data from the data subject and the obligation to collect the information lawfully and for a legitimate purpose.

With respect to the DHCC Health Data Regulations, the patient must be made aware of certain information (e.g. the reason for data collection, the intended recipients of the patient health information, and rights to access and correct the patient health information) prior to collecting the patient health information. Patient health information shall not be collected for unlawful means or for means that are unfair or unreasonably intrusive on the personal affairs of the patient.

Note: Generally, the UAE Data Protection Law, DIFC Data Protection Law, ADGM Regulations and the DHCC Health Data Regulations all prescribe that A data subject under the Law must provide consent for the collating, use and storing of their personal information. For the consent to be sufficient, the controller must be able to prove that it has the clear and unambiguous consent of the data subject. Furthermore, at the time of requesting the consent it must be made sufficiently clear that the consent provided can easily be revoked at any time.

• The Credit Information Law stipulates that credit information can be collected; however, the collection of personal information (such as opinions, beliefs or details of the private life) is prohibited. Subject to restrictions by the Central Bank, if any, companies are required to collect credit information by way of electronic forms, which must be preserved.
• The DOH Healthcare Data Standard however requires individuals and entities subject to this standard to have a privacy policy and procedures in place that set out guidelines on how data is to be processed, collected and securely maintained.  

The DIFC Data Protection Law, ADGM Regulations and the DHCC Health Data Regulation provide substantial requirements with respect to the collection of personal information.

DIFC: The requirements are as follows:

The Controller must provide the following information (among others) to the data subject in writing (or by electronic means) when it is collecting the personal data:

• the name and contact details of the Controller (and if appointed, a Data Protection Officer);
• the specific, explicit and legitimate purpose(s) for processing personal data;
• the categories of personal data to be processed;
• the recipients (or categories of recipients) of personal data;
• the period to keep the Personal Data; and
• the data subject’s rights under the DP Law, which are the right to:
  • access, rectify and erase personal data;
  • withdraw the consent to processing personal data;
  • object to the processing of personal data;
  • restrict the processing of personal data;
  • data portability (i.e. right to receive personal data in a structured, commonly used and machine-readable format);
  • object to any decision based solely on automated processing (including profiling); and
  • not be discriminated against for exercising any of the data subject rights.

Furthermore, the DIFC Data Protection Law also sets out the lawful bases for collecting and processing personal information.

To name a few examples, Personal Data can be collected if:

• the data subject has given consent;
• it is necessary for the performance of a contract that the data subject is party to;
• it is necessary to comply with any legal obligation to which the Controller is subject; or
• it is necessary for the interest of the DIFC.

With respect to Special Categories of Personal Data, the DIFC Data Protection Law additionally requires that one of the following apply to collect such data. A few examples are: 

• the data subject has given explicit consent;
• processing is necessary for the context of the data subject’s employment;
• it is necessary for the vital interests of the data subject.

ADGM: The ADGM Regulations and DIFC Data Protection Law have similar requirements. The Controller must provide certain information (some of which are set out below) to the data subject when collecting the latter’s personal data and collect personal data lawfully and for a legitimate purpose.

• the name and contact details of the Controller;
• the purpose for processing;
• the legal basis for processing;
• the legitimate interests pursued by the Controller or a third party; 
• the recipients (or categories of recipients) of personal data
• the period to keep the Personal Data
• the data Subject’s rights, which are the right to:
  • access, rectify and erase personal data
  • restrict the processing of personal data
  • data portability
  • object to the data processing
  • object to any decision based solely on automated processing (including profiling)

The examples of the lawful bases for collecting and processing data under the DIFC section (above) also apply to ADGM. 

DHCC: The DHCC Health Data Regulations the requirements are as follows:

The Patient Health Information must be collected for a lawful purpose connected with the activity of the entity and from the patient directly. Prior to collecting the Patient Health Information, the entity or professional shall take reasonable steps to ensure that the patient is aware of:

• the fact that Patient Health Information is being collected;
• the purpose for which the Patient Health Information is being collected;
• the intended recipients of the Patient Health Information;
• the name and address of the entity or professional that is collecting and holding the Patient Health Information;
• whether or not the supply of the Patient Health Information is voluntary or mandatory;
• the consequences (if any) if the requested Patient Health Information is not provided; and
• the right to access and correct the Patient Health Information.

The Patient Health Information shall not be collected by unlawful means or means that are unfair or unreasonably intrusive of the patient’s personal affairs.

Under the UAE Data Protection Law For the UAE, there are rules of general application concerning the lawful use or disclosure of Personal Data. The lawful basis for processing Personal Data includes; (i) it is necessary to protect the public interest; (ii) it is related to Personal Data that has been made public by the data subject;(iii) it is necessary to establish any legal claim or defense of rights and claims or in connection with judicial or security procedures; (iv) it is necessary for the purposes of occupational or preventive healthcare; (v) it is necessary to protect public health, including protection against communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of medicines, drugs, and medical devices in accordance with the applicable legislation; (vi) it is necessary for the performance of a contract to which the data subject is a party or to take measures at the request of the data subject with the aim of concluding, amending, or terminating a contract; (vii) it is necessary for the Controller to perform specific obligations set out in other applicable legislation in the UAE; or (viii) Any other cases to be specified in the Executive Regulations.

Sector-specific laws do however provide some use and disclosure requirements.

The DIFC Data Protection Law, ADGM Regulations and the DHCC Health Data Regulations set out requirements to use and disclose personal information.

DIFC and ADGM: Such requirements include the obligation to use or disclose Personal Data lawfully and securely for the data subject’s intended purpose.

DHCC: The entity shall be limited to use and disclose the Patient Health Information for a lawful purpose connected with the activity of the entity, which has been expressly informed to the patient.

Note: The UAE Laws generally prohibit the disclosure of confidential information. Sectoral laws do, however, permit the disclosure of confidential information with the approval of the data subject, or permit it in specified circumstances. For example: 

The IoT Policy requires technical measures to be established by the Data Processor of the IoT Service Providers to permit relevant UAE authorities to inspect the stored data. Furthermore, Mission Critical IoT Service Providers are required to keep subscriber information so that they can be provided to the TRA as and when requested. “Mission Critical IoT Service Providers” are IoT Service Providers where the failure of its service may result in an adverse impact on the health of individuals, public convenience or national security. 

The Credit Information Law requires a company to obtain the consent of a data subject to use and disclose credit information. Exceptionally, a data subject would not be required in the following situations: (i) a company requests credit information to prepare and develop its credit database; or (ii) a recipient of the credit information report requests company to issue a credit information report to its debtors in accordance with the controls set out by the Central Bank. Disclosure of the credit information is subject to the restrictions of the UAE Central Bank and shall be governed by an agreement between the company and a third party. Lastly, a company can exchange credit reports and information of non-citizens with credit information companies and centers outside the UAE on the basis of the principle of reciprocity.

Under the Medical Law, a doctor may disclose patient information to prevent a communicable disease outbreak, or to the patient’s spouse, among other specific exceptions.

ICT Law prevents patient information from being used for non-health purposes without obtaining the written approval of the patient except in certain cases. Such cases include (among others): (i) scientific and clinical research; (ii) if requested by the judicial authorities; or (iii) the health data is required by health insurance companies or any health services funding entity for the purposes of auditing, approving or verifying the financial benefits related to health services received by a patient.

The DOH Healthcare Data Standard requires entities and professional subject to this standard to (i) exchange patient health information with the Abu Dhabi Health Information Exchange Platform (Malaffi), and (ii) restrict the access and use of patient health information on a “need to know” basis (i.e. staff members will only access enough information for them to carry out their tasks.)

SVF Regulations can disclose customer data to the Central Bank, other regulatory authorities (with the prior approval of the Central Bank) or by a UAE court order.  

The DIFC Data Protection Law and the DHCC Health Data Regulations are required to use and disclose personal information lawfully and for the intended purpose.

DIFC and ADGM: As stated in the response to Question 4 above (DIFC), the Controller must inform the data subject of the specific purpose for processing personal data and the recipients (or categories of recipients) of personal data during the data collection.

The Controller must ensure that the data is used (processed) and disclosed (as applicable) according to what was informed to the data subject during the data collection.

The Controller must also ensure to process (use) personal data for one of the lawful bases set out in the DIFC Data Protection Law (some of which are set out in the response to Question 4 above).

DHCC: The entity is restricted to using and disclosing the Patient Health Information for a lawful purpose, which (i) was informed to the patient and (ii) is connected with the entity’s function and activity.

The DHCC Data Health Regulations also restrict the use of such information for any other purpose. Examples of exceptions to this rule are: (i) obtaining authorization from the patient; (ii) serious and imminent threat to public health, public safety or the patient’s health; or (iii) for statistical or research purposes.

Disclosure of Patient Health Information is also highly restricted to certain recipients and situations, which include (among others): (i) the patient; (ii) as authorized by the patient; (iii) as necessary to prevent serious or imminent threat to public health, public safety or the patient’s health; (iv) the relevant healthcare professionals for the treatment of the Patient; or (v) the caregiver, spouse or close relative of the patient. Such disclosure is only permitted to the extent necessary to satisfy an intended purpose.

Note: The Regulations also provide similar, but fewer, restrictions on the disclosure of Patient Identification Information.

There are no rules of general application concerning the storage, security and retention of personal data applicable to UAE entities. We expect that the Executive Regulation of the UAE Data Protection Law which has yet to be published to provide some clarity on the general application relating to this criteria. There are certain sector-specific requirements set out in the sectoral laws, such as the Credit Information Law and ICT Law.

The DIFC Data Protection Law, ADGM Regulations and the DHCC Health Data Regulations require appropriate and secure IT infrastructures and organizational measures to be in place to store and retain personal information.

Note: There are no rules of general application concerning storage, security and retention of personal data. The general rule onshore that is applied in practice is by analogy and extension of the broad general prohibition on disclosure in the UAE Law, and extending that concept to a duty of preventing disclosure, and therefore, to a duty of taking reasonable steps to secure it. This approach is based on assumptions about how a UAE court would view a breach and the court’s likely expectation that industry practices must be followed. As such, there is a lack of precision around exactly which measures must be taken, but the general principle is that one must keep with best practice in their industry as that is the standard against which they may judge in the event of a breach.  

Certain sectoral laws do however have their own unique guidelines concerning data storage, security and retention. A typical requirement amongst sectoral laws are the requirements for appropriate and secure infrastructure to store personal information.

The IoT Policy requires data to be classified as follows:

• Open data (which can be freely exchanged with third parties).
• Confidential data (where unrestricted disclosure of such data may cause limited damage to individuals, businesses or the government);
• Sensitive data (where the unrestricted disclosure of such data may cause significant damage to individuals, businesses or the government);
• Secret data (where the unrestricted disclosure of such data may cause significant damage to the interests of the UAE as a country and higher damage to individuals, businesses and the government.

The IoT Service Provider shall use an encryption standard that fulfills the requirements of the UAE authorities.

IoT Service Providers shall follow the specific principles for the storage of data:

• Data shall be collected for a specified, explicit and legitimate purpose;
• Data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed; and
• Data shall be kept in a form that permits the identification of data subjects for no longer than is necessary for the purpose for which the data is processed.

SVF Regulations require SVFs to have in place adequate policies, measures and procedures to protect their information and accounting systems, databases, books and accounts and other records and documents from unauthorized access, retrieval and tampering. Information should be classified into different categories according to the degree of sensitivity to indicate the extent of protection required (which should be set out in the SVFs guidelines). Sensitive data stored in end-user devices (e.g. payment data or personally identifiable information and authentication data) must be appropriately secured against theft and unauthorized access or modification. Sensitive data must be encrypted and stored in a secure storage environment using strong and widely recognized encryption techniques.

The Credit Information Law requires a company to (i) prepare a credit registry (to be processed in a timely and safe manner); (ii) have a database on all matters related to credit information, credit record (which is to be updated periodically); and (iii) prevent any loss, destruction or illegal and unsafe access, use or amendment of the credit information. The Central Bank shall be linked to the company’s credit information database.

The ICT Law requires the ICT to (i) keep all health data and information confidential while allowing circulation of them in authorized cases; (ii) ensure the validity and credibility of health data by protecting the integrity of it from destruction or unauthorized amendment, alteration, deletion or addition; and (iii) ensure the availability of health data to authorized parties and to facilitate access when needed. An identity number shall be included in all health transactions, registers and files to organize and store such data. Furthermore, health data shall be kept for 25 years following the last health procedure provided to the patient. 

The DOH Healthcare Data Standard requires health data to be kept for 25 years in accordance with ICT Law and must maintain reasonable and appropriate administrative, technical and physical safeguards to securely store the patient health data.

DIFC, ADGM and DHCC’s respective data protection laws require a secure infrastructure to store and retain personal information.

DIFC and ADGM: The DIFC Data Protection Law requires Data Controllers and Data Processors to have technical and organizational measures to ensure that personal data is processed in a secure manner (without any unlawful or unauthorized use, destruction, loss or disclosure of personal data) solely for the specific purpose of processing (that was expressly informed to the data subject) and data subjects’ rights are protected in accordance with the applicable law.

DHCC: The DHCC Health Data Regulations ensure that the information system in place to store Patient Health Information is secure. Security incidents involving the information system must be detected, prevented and responded to in a timely manner. The information system must be assessed and reviewed, with appropriate modifications made to security policies, practices, measures and procedures on a regular basis. The information system must be such that the stored Patient Health Information is accurate, can be easily removed and shared with the relevant healthcare professional but can be safeguarded from destruction, loss or unauthorized tampering. Personnel must also take the necessary measure to check the accuracy of the Patient Health Information.

The regulations provide a minimum period to retain the Patient Health Information. For example, medical and dental records of adults are retained for 10 years after the date of last entry; the equivalent for children is retained for 10 years following the date the child turns 18 years old.

UAE Data Protection Law: The UAE Data Protection Law grants the data subject the right to obtain information without charge relating to (i) the type of  the data subject Personal Data that is processed (ii) purposes of processing (iii) decisions made based on automated processing, including any profiling (iv) targeted sectors or establishments with which the data subject Personal Data is to be shared, whether inside or outside the UAE (v) controls and standards for the periods of storing and keeping  the data subject Personal Data (vi) protection measures for Cross-Border processing made (vii) procedures to be taken in the event of a breach or infringement of the data subject Personal Data, especially if the breach or infringement poses a direct and serious threat to the privacy and confidentiality of  the data subject Personal Data .

There are, also, such rights in the DOH Healthcare Data Standard, DIFC Data Protection Law, ADGM Regulations and the DHCC Health Data Regulations. The data subject and the patient, as applicable, are entitled to be informed of its right to access and rectify the personal information.

Note: There are no laws of general application concerning the right of access and correction of personal data, other than by law or by practice on an industry-specific basis. For instance, an account holder’s right to demand copies of account opening information from a bank, and copies of transaction records up to five years old, or a law firm client’s right to demand his files from the law firm.  

DIFC: The DIFC Data Protection Law grants the data subject the right to (i) withdraw the consent to processing personal data; (ii) access, rectification and erasure of Personal Data; (iii) object to processing Personal Data; (iv) restrict the processing of Personal Data; (v) data portability (i.e. the right to receive Personal Data in a structured, commonly used and machine-readable format); (vi) not be discriminated against for exercising any of the data subject rights, and (vii) object to any decision based solely on automated processing (including profiling).

ADGM: ADGM Regulations has slightly different rights as the DIFC Data Protection Law, which are the right to (i) access, rectify and erase personal data; (ii) restrict the processing of personal data; (iii) data portability; (iv) object to the data processing; and (v) object to any decision based solely on automated processing (including profiling).

DHCC: The DHCC Health Data Regulations grants the patient the right to know whether any Patient Health Information is held, the right to access the information and the right to correct the Information.

DOH Healthcare Data Standard: Patients have the right to review and obtain a copy of their health information (which includes medical records, billing records, health plan enrolment, claims adjudication and medical management records. Entities shall respond to patient’s requests to correct and delete data records to ensure that the patient's health information is up-to-date.

For UAE, the UAE Data Protection Law prescribes that in countries where there is no data protection law, entities operating in the UAE may transfer data under a contract or agreement that obliges the entities in those countries to implement the provisions, measures, controls and requirements set out herein, including provisions related to imposing appropriate measures on the controller or processor through a competent supervisory or judicial authority in that country, which shall be specified in the contract. In addition to that, express consent of the data subject to transfer his/her Personal Data outside the UAE in a manner that does not conflict with the security and public interest of the UAE. On the other hand, it is also possible to carry out a cross-border transfer of data without consent where the transfer is necessary to fulfill obligations and establish, exercise or defend rights before judicial authorities, if the transfer is necessary to enter into or execute a contract between the controller and data subject, or between the Controller and a third party to achieve the Data Subject's interest,  if the transfer is necessary to perform a procedure relating to international judicial cooperation, or if the transfer is necessary to protect the public interest.

The UAE Central Bank prohibits banks from transferring or storing client data outside of the UAE. Similarly, the ICT Law and DOH Healthcare Data Standard also prohibit health data originating from the UAE from being kept and transferred outside of the UAE.

The IoT Policy distinguishes the storage requirements based on the classification of data. Certain data must be kept within the UAE, while others may be transferred to a jurisdiction that meets or exceeds UAE’s Data Protection Law.

DIFC Data Protection Law and ADGM Regulations distinguish between transferring data to a jurisdiction with and without an adequate level of protection (where the latter can be done if certain requirements are satisfied). The DIFC Data Protection Law also sets out specific requirements to transfer personal data to a requesting authority.

DHCC Health Data Regulations prohibit the transfer of data to jurisdictions with less stringent requirements, including other parts of the UAE (outside the respective free zone).

The UAE Central Bank prohibits banks from transferring or storing client data outside of the UAE. This is in accordance to Central Bank circulars of very broad application, which have been applied over time by the Central Bank in this manner.

The ICT Law and DOH Healthcare Data Standard also prohibit health data originating from the UAE from being stored, processed, generated or transferred outside of the UAE. 

The IoT Policy distinguishes the storage requirements based on the classification of data.

• Secret, sensitive and confidential data for individuals and businesses shall primarily be stored within the UAE. They may be stored outside the UAE provided that the destination country for data storage meets or exceeds the data security and user protection policies followed within the UAE.
• Secret, sensitive and confidential data for the government shall remain within the UAE.
• Open data may be stored within or outside the UAE.

The DIFC Data Protection Law, ADGM Regulations and DHCC Health Data Regulations provide certain restrictions on the transfer of data outside the respective free zone.

DIFC and ADGM: Personal Data can be transferred outside of the DIFC if it satisfies one of the conditions under the applicable law.

• A country with an Adequate Level of Protection: Personal data can be transferred out of DIFC if the recipient country has an adequate level of protection. The Commissioner determines the countries that have an adequate level of protection.
• A country without an Adequate Level of Protection: If the recipient country does not have an adequate level of protection, then the transfer can be done if it satisfies certain conditions. To name a few examples:
  • There are appropriate safeguards in place;
  • There is a code of conduct that is approved by the Commissioner;
  • The data subject explicitly consents to the transfer;
  • The transfer is necessary to perform a contract between the data subject and the Controller (or to perform a contract in the interest of the data subject)

The DIFC Data Protection Law also sets out specific requirements to transfer personal data to a requesting authority. The Controller or Processor must (among others): 

• exercise reasonable caution and diligence to determine the validity and proportionality of the request for personal data;
• assess the impact of the proposed transfer in light of the potential risks to the data subject’s rights; and
• where reasonably practicable, obtain appropriate written and binding assurances from the requesting authority that it will respect the data subject’s rights.

DHCC: Patient Health Information can be transferred outside the DHCC if:

• data is transferred to a jurisdiction that has an adequate level of protection in place for personal data;
• data is authorized by the patient; or
• the data transfer is necessary for the ongoing provisions of healthcare services to the patient.

 Under the UAE Data Protection Law,  the Controller must notify the data subject in the event that the infringement or breach would prejudice the privacy, confidentiality and security of his/her Personal Data and advise him/her of the procedures taken thereby, within such period and in accordance with such procedures and conditions which will be set by the Executive Regulations. We suspect that the Controller will also be required to submit a report to the UAE Data Office which will be established body to regulate the enforcement of UAE Data Protection Law.

In the DIFC and ADGM, the Data Controller must notify the Commissioner of Data Protection in the event of a breach of its Personal Data database. Where there is a high risk to the security of the data subject, the Data Controller shall also inform the data subject of such breach.

Under the ICT Law, any suspicious activities that may affect the confidentiality of health data shall be reported.

The DOH Healthcare Data Standard requires entities to have a policy in place, which (i) sets out the mechanism and procedure for a patient to complain to DOH if (s)he believes his(her) data privacy rights have been breached; and (ii) provides a point of contact for making complaints with respect to the entity.

In the DHCC, the entity is required to periodically disclose security incidents (such as data breaches) to the Customer Protection Unit ("CPU").

DIFC and ADGM: Under the DIFC Data Protection Law, however, the Data Controller must notify the DIFC Commissioner of Data Protection in the event of a Personal Data Breach. Where a Personal Data Breach is likely to result in a high risk to the security or right of a data subject, the Controllers shall communicate the Personal Data Breach to the affected data subject as soon as practically possible.

ICT Law: The ICT Law requires suspicious activities that may affect the confidentiality of health data to be reported but does not specify who to report to.

The DOH Healthcare Data Standard requires entities to have in place a policy that sets out the procedure for patients to complain to DOH if (s)he believes his(her) data privacy rights have been breached.

DHCC: Under the DHCC Health Data Regulations, the entity must review the security of the information system, which stores the Patient Health Information. This review includes the requirement to periodically notify the CPU, a department within the regulator (the Centre for Healthcare Planning and Quality) of security incidents to the information system.

Pursuant to the UAE Data Protection Law, the UAE will established the UAE Data Office that will administer the standards and controls set by the Executive Regulation of the UAE Data Protection Law. There are regulators that regulate certain sectors, such as the UAE Central Bank, which regulates banks and financial institutions and money exchanges, and the Telecommunications Digital Regulatory Authority (TDRA) that regulate the telecommunication network and IoT Service Providers in the UAE. Generally, privacy-related grievances are dealt either in the civil courts of the UAE (if there is a civil remedy being sought), or by way of complaints to the police departments of the relevant Emirate where the matter complained of is criminal (as some privacy breaches are treated as criminal in the UAE), which would then be taken up by the public prosecutor if the complaints are accepted.

In the DIFC and ADGM, the privacy regulator is their respective Commissioner of Data Protection. The Commissioner of Data Protection is responsible for administering the DIFC Data Protection Law or ADGM Regulations (as applicable). In the DHCC, the privacy regulator is the Center for Healthcare Planning and Quality (CPQ). The CPQ is responsible for administering the DHCC Health Data Regulations. The CPU however oversees complaints under the Regulations.

Note: There is no national privacy regulator in the UAE. Offenders who commit criminal offenses under the Penal Code and Cyber Crimes Law can be prosecuted by the public prosecutor in the criminal courts. Data subjects can also attach a civil claim to the criminal proceedings, or file a separate claim in the civil courts.

There are regulators for certain sectors, although they are broad industry regulators which are not specific to data protection, such as:

• the UAE Central Bank that has the authority to control, supervise and restrict the collection, storage and disclosure of credit information, and generally to regulate the practices of banks, financial institutions, money exchanges and SVFs.
• the TDRA enforces the Telecoms Law and IoT Policy and governs means of telecommunication and IoT Service Providers.
• Health authorities enforce the ICT Law with respect to health data. In the case of Abu Dhabi, the DOH enforces the DOH Healthcare Data Standard with respect to health data.

In the consumer context, complaints can be made to the Department of Economic Development or Municipality (being the general licensing authority for businesses) for the relevant emirate where a business has inappropriately used or disclosed consumer data (by spamming, usually), and the relevant Department or Municipality may choose to contact the business to investigate and require that they cease the practice complained about.

DIFC: The DIFC Commissioner of Data Protection is in charge of administering the DIFC Data Protection Law. So far as reasonably practicable, the DIFC Commissioner of Data Protection has powers, which include, among others:

• monitoring, ensuring and enforcing compliance with the DIFC Data Protection Law;
• auditing a Data Controller or Data Processor, including accessing their premises and their processing equipment;
• issuing warnings and recommendations to Data Controllers and Data Processors;
• initiating proceedings for a contravention of the DIFC Data Protection Law before the courts;
• imposing fines in the event of non-compliance with the DIFC Data Protection Law; and
• preparing draft regulations, standards, or codes of practice, or guidance.

ADGM: The ADGM Commissioner of Data Protection is in charge of administering the ADGM Regulations. The ADGM Commissioner of Data Protection has powers, which include, among others:

• Monitoring, ensuring and enforcing compliance with the ADGM Regulations;
• Handle and investigate complaints lodged by data subjects; and
• Initiate investigations into a Controller’s or Processor’s compliance with the ADGM Regulations.

DHCC: The CPQ is in charge of administering the DHCC Health Data Regulations. The powers of the CPQ include:

• auditing the Patient Health Information upon request by an entity, to ascertain that the Information was maintained in accordance with the regulations;
• monitoring the compliance with the regulations; and
• propose rules, standards and policies associated with the regulations.

It is worth noting that the CPU however oversees complaints under the regulations, including interference with Patient Health Information.

In the criminal context, penalties for a privacy breach are imprisonment, a fine, or both.

Offenders can be prosecuted by the public prosecutor in criminal courts. Data subjects can also attach a civil claim to the criminal proceedings or file a separate claim in the civil courts if they have suffered quantifiable damages as a result of the breach. In some cases, specific performance remedies can also be sought through the civil courts, although such remedies are rare. Under the UAE Data Protection Law, the UAE Data Office will verify the causes of the infringement and breach to ascertain the integrity of the security measures taken, and shall impose the administrative penalties as prescribed under the UAE Data Protection Law and decisions issued under the Executive Regulations thereof.

DIFC:  The DIFC Commissioner of Data Protection will issue a direction to the Data Controller or Data Processor to do or refrain from doing any act or prohibit the offender from processing the Personal Data. If the Data Controller or Data Processor fails to comply with the direction, the Commissioner may impose either a fine, compensation or file the matter with the court. A data subject who suffers harm from the privacy breach by the Data Controller or Data Processor is entitled to compensation from the latter.

ADGM: The response to DIFC also applies to ADGM. The main difference is in the penalty that the ADGM Commission of Data Protection can impose; it can impose a fine of an amount not exceeding USD $28 million or file the matter with the court.

DHCC: Misuse of the patient’s personal data (a contravention under the DHCC Health Data Regulations) will be investigated, then ultimately be subject to the decision of the Register of Companies, the DHCA Licensing Board, or the DHCA Fitness to Practice Panel (as applicable). Disciplinary actions that are imposable vary, including the imposition of financial penalties, the imposition of conditions, suspension, revocation, refusal to renew or termination of the DHCC license (among others).

Criminal sanctions for unauthorized access or disclosure of confidential information are imprisonment (in some cases, for at least two years), a fine (which varies widely, from AED 20,000 to AED 1,000,000), or both. Certain examples are:

Article 17 of the Credit Information Law: an individual is subject to imprisonment (of at least two years), a fine (of at least AED 50,000), or both for (i) unauthorized disclosure or access of credit information; (ii) privacy breach; or (iii) distortion of credit information.

Article 379 of the Penal Code: an individual is subject to imprisonment (of at least one year), a fine (of at least AED 20,000), or both for unauthorized disclosure of trade secrets.

Paragraph 2 of Article 380 of the Penal Code: an individual is subject to imprisonment (of at least three months) or a fine (of at least AED 5,000) for unauthorized disclosure of the contents of a letter or conversation. 

In the banking context, the UAE Central Bank has the discretion to impose administrative and financial sanctions as deemed appropriate, which includes: fines, replacing or restricting the power of Senior Management or Board of Directors of the relevant entity, or barring individuals from the UAE financial sector.

Offenders can be prosecuted by the public prosecutor in criminal courts. Data subjects can also attach a civil claim to the criminal proceedings or file a separate claim in the civil courts.

Furthermore, for violations under the Telecoms Law and the IoT Policy, the TDRA can impose an administrative fine of up to AED 10 million for violating any provision under the law or executive order, decisions, regulations, policies and instructions issued by the TDRA.

DIFC: In accordance with the DIFC Data Protection Law, if the DIFC Commissioner of Data Protection is satisfied that the Data Controller or Data Processor has committed a privacy breach, the Commissioner may issue a direction either (i) to do or refrain from doing any act within a specific time; or (ii) prohibit the Data Controller or Data Processor from processing Personal Data.

If the Data Controller or Data Processor fails to comply with the direction, he may be subject to fines and be liable for compensation. Alternatively, the DIFC Commissioner of Data Protection may raise this matter with the court.

A data subject who suffers damage caused by the privacy breach by the Data Controller or Data Processor is entitled to compensation from the Data Controller or Data Processor.

ADGM: The response for DIFC applies to ADGM mutatis mutandis. The ADGM Commission of Data Protection however has the choice of imposing a fine of an amount not exceeding USD $28 million or filing the matter with the court. 

DHCC: Under the DHCC Health Data Regulation and the DHCC Regulations No. 1 of 2013 ("DHCC Governing Regulations"), a patient who is harmed by contravention under the regulations (such as by interference of Patient Health Information or Patient Identifiable Information), can file a complaint against the offender with the CPU. After CPU investigates the matter, the matter is then referred to the Registry of Companies, the DHCA Licensing Board or the DHCA Fitness to Practice Panel (depending on the circumstances of the complaint) for its review and decision.

Once the contravention is confirmed, the deciding committee (the Registry of Companies, the DHCA Licensing Board or the DHCA Fitness to Practice Panel) will take disciplinary actions, which range from financial penalties, the imposition of conditions, suspension, revocation, refusal to renew or termination of the DHCC license (among others).

For the UAE, there are no rules of general application governing electronic marketing, but the UAE Data Protection Law offers the right for data subjects to object and stop the processing of their Personal Data for direct marketing and the act of profiling

The ("TDRA") has however issued the Unsolicited Electronic Communications Regulations, whereby telecommunication service providers are under an obligation to minimize the transmission of unsolicited electronic marketing. This is a high-level principle and it is unclear whether and to what extent it is enforced in practice.

The ICT Law prohibits health advertisements on the Central System without obtaining a license from MOHAP. MOHAP (through entities) can block or prohibit websites that publish health advertisements, which violate the standards and controls in place within the UAE. 

Note: For onshore UAE, there are no rules of general application governing electronic marketing.
The TDRA has issued the Unsolicited Electronic Communications Regulations which specifically governs unsolicited electronic marketing with a “UAE link”. By UAE link, the regulations refer to communications that originate in the UAE, communications where the device accessing the communication is in the UAE or the recipient of the communications is in the UAE.

Telecommunication service providers are required to have in place measures to reduce the transmission of unauthorized electronic marketing communication and prevent the future transmission of such communications, failing which, they will be in contravention of the Regulations.

The ICT Law prohibits health advertisements on the Central System without obtaining a license from MOHAP. MOHAP may request entities to prohibit or block websites (whether originating from within or outside the UAE) that violate UAE’s controls and standards on health advertisement. Whoever publishes a health advertisement through the Central System without authorization shall be punished by a fine of not less than AED 100,000 and not more than AED 200,000. 

Rather than a development of an onshore data protection law, there has been development in data protection laws in the UAE in various sectors, notably the healthcare sector.

The ICT Law set a standard regarding health data in the UAE, and with the contemplation for a creation of a Central System, it is anticipated that the way health data is stored, processed, exchanged and disclosed will become more controlled. Abu Dhabi has already adopted its own standards (DOH Healthcare Data Standard) based on the ICT Law.

There seems to be a trend in the UAE towards data localization. This is the case for health data (under the ICT Law) and certain types of consumer data (under IoT Policy). Where data is transferred outside of the UAE, there is now a requirement for such jurisdiction to have an adequate level of protection, and if not, for appropriate safeguards to be in place to ensure data subject’s rights are protected.

The DIFC issued the DIFC Data Protection Law in 2020, which repealed the previous data protection law (DIFC Law 5 of 2007). Soon after, the ADGM issued its own data protection regulations in 2021.

In terms of expected reforms, it is widely expected that the UAE will issue a new data privacy law applicable to onshore UAE in the near future. This is generally anticipated to be a major reform, the latest in a series of major legislative reforms that the UAE has undertaken in recent years (dramatically overhauled companies law, insolvency law, competition law, anti-money laundering regulations, security regulation, among many others). There is speculation that the new law will largely be based on the principles set out in the GDPR. The timing of the new law remains unknown.

Note: The ICT Law has set a standard for how health data in UAE are to be stored and processed by the ICTs within the healthcare sector. The contemplation of a creation of a Central System means that there would be more control over how the data is stored, exchanged, used and disclosed. In line with the ICT Law, the DOH in Abu Dhabi has followed suit and set out its data protection standards for health-related entities and professionals in Abu Dhabi (DOH Healthcare Data Standard). Abu Dhabi has gone a step further in harmonizing the information security system within the healthcare sector by issuing the Abu Dhabi Healthcare Information and Cyber Security Standards. Entities had a 12-month transitional period from February 3, 2019 (when ADHICs came into effect) to comply with the ADHICs Standards. So far, there has been no such development in the other emirates.

There also seems to be a trend for data localization with respect to sensitive data. Health data under the ICT Law are now required to be stored within the UAE. Likewise, the IoT Policy requires certain types of data to be kept within the UAE. Where any transfers are permitted outside of the UAE (such as with DIFC or ADGM), there is a requirement for the jurisdiction to have an adequate level of protection, and if not, for relevant entities to have appropriate safeguards in place to ensure data subject’s rights are protected. 

Other developments include the DIFC issuing the DIFC Data Protection Law in 2020, which repealed the previous data protection law (DIFC Law 5 of 2007) and that ADGM has issued its own Data Protection Laws, which is similar to the DIFC Data Protection Law.