Dubai has recently implemented a new data protection law, Act N, which replaces the current privacy law. This 50-page law modernizes the current data regulations and is being considered by many companies and businesses in the United Arab Emirates. Unlike other countries, the United Arab Emirates does not have “specific” legislation that regulates the protection of personal data. However, data privacy or the protection of personal data are addressed in numerous provisions of different laws and regulations.
These provisions may form part of laws enacted by the Federal Government, the Government of each Emirate or the authorities of the free zones, or be part of the directives and instructions issued by local regulatory authorities. The general principle of protecting a person's privacy was first established in article (3) of the Constitution of the United Arab Emirates (of 197). This cascading principle has been emphasized in both federal and Emirates legislation, with Dubai being the only Emirate that has issued laws that directly address the transfer, exchange and protection of data. In today's world, where technology is advancing rapidly, there is an increasing concern about governments' capacity to protect citizens' privacy. As a result, countries are becoming more vigilant in addressing data privacy and creating the right legal infrastructure to ensure its protection when it is exchanged or transferred.
The European Union's General Data Protection Regulation (GDPR) is incredibly strict when it comes to penalizing companies and websites that don't comply with any of its provisions. The United Arab Emirates data protection law establishes nine data protection principles, which are similar to those used in the EU GDPR. However, it does not yet have standardized sanctions for websites and companies that fail to comply with regulations. All companies operating in the United Arab Emirates, or that are based outside the United Arab Emirates but process personal data of data subjects located in the United Arab Emirates, should evaluate their activities and make changes to comply with the Data Protection Act as soon as possible. The Data Protection Act also gives the United Arab Emirates Data Office the possibility of exempting certain organizations that do not process a large volume of personal data from some or all of its requirements. In addition, parties operating in jurisdictions without data protection laws may transfer personal data pursuant to an agreement that requires parties in the foreign country to apply the Act.
Companies established in the free zones of Dubai International Financial Center (DIFC) and Abu Dhabi Global Market (ADGM) are subject to their own data protection laws and are exempt from PDPL. It is essential for companies operating in Dubai to be aware of their obligations under this new law and take steps to ensure compliance. Companies should assess how and in what areas they need to modify their data processing practices to comply with both laws. They should also consider publishing privacy notices that contain information about their rights under PDPL. Non-compliance with this law can result in fines of up to 20 million euros or 4% of a company's annual global turnover. Overall, it is important for businesses operating in Dubai to understand their responsibilities under this new law and take steps to ensure compliance.
Companies must evaluate their activities and make changes to comply with both laws as soon as possible. Failure to comply with this law can lead to hefty fines.