11 Apr 2016

THE WHAT, WHY, WHO AND HOW OF THE NEW DUBAI DATA LAW

Authored by: Victoria Woods and Yasmene Cerfontyne

What does the Dubai Data Law aim to do?

The Dubai Data Law, which has been in force since 27 December 2015 aims to improve efficiency between, and facilitate the integration of, services provided by federal and local governmental entities. It envisages the use of available data held by ‘data providers’ being utilized to help inform government decision making, strategic initiatives, and policies. The law also aims to support innovation, economic development, foster competition, and help Dubai achieve its vision of becoming a “smart city”.

The Dubai Data Law seeks to strike a balance between the use and exchange of data, and the need to maintain and protect confidentiality and privacy. To help do this, the law provides for the adoption of further legislation and policies for clear and specific methods of managing data, consistent with international best practices, and the establishment of governance rules on data use.

Why share data?

The concept of open data and data sharing generally is that via pooling knowledge from a wide variety of sources, collaborative networking, informed decision making, and innovation can be improved.

Usually, the exchange of “open data”, relates to non-confidential data, that is non-sensitive information, which is openly accessible for use, re-use and exchange by anyone without limitation.

If there was an outbreak of a health epidemic for example, open data could be the number of patients suffering from such epidemic (rather than the identity of the patients themselves, which would be personal or sensitive data). The use of open data in this scenario could inform health care and other authorities of the extent of the problem, and potentially assist with resourcing requirements and medication needs.

Another example of open data use could be the collection of certain traffic information, to help facilitate enhanced road systems and reduce traffic congestion.

Again, it has recently been announced a new city-wide online exchange point called Smart Dubai Platform will collect data from thousands of new sensors to be installed across Dubai, analyse the information and then share it live in real-time. The new platform will collate data gathered from the Internet of Things (the term used to describe the digital network of sensors installed in physical objects such as roads, curbs, municipal offices, buildings or in digital devices such as smartphones).

Who does it apply to?

The Dubai Data Law has implications for government entities, individuals, and corporate entities who use data related to Dubai. It could be that data originating from you or your activities (albeit non-sensitive data) is subject to pooling and sharing under the new law, or perhaps that you are deemed to be a ‘data provider’ for the purposes of the law, thereby being required to comply with its obligations in the use of data within your control.

Who will administer the Dubai Data Law?

The role of the ‘competent authority’ under the Dubai Data Law is to supervise the application and support the objectives of the Dubai Data Law, and to investigate complaints and alleged violations.

With respect to the ’dissemination and exchange of data‘, the authority will deal  with proposing legislation and policies, examining best practices, approving data classification  and monitoring compliance.

How does the Dubai Data Law impact data protection in Dubai?

In considering this question, we must first draw a distinction between the data protection regime applicable in UAE ‘onshore’ and the framework governing data protection in the Dubai International Financial Centre (DIFC), which operates its own separate distinct data protection regime. While there is no single piece of legislation in onshore UAE similar to the position in, for example, the European Union, there are various statutory protections afforded to individuals in respect of data protection contained within domestic federal legislation. In our view, although perhaps not as readily identifiable as they may be under a specific ‘data protection law’, the UAE does have legislation for the strict protection of personal information and, in fact, the principle of a right to privacy is enshrined in the UAE Constitution itself (Article 30 states that “Freedom of opinion and expressing it verbally or in writing or by other means shall be guaranteed within the limits of the law.”).

While the Dubai Data Law states that its provisions will not prejudice existing legislation affording data protection, it may be that it will pave the way for the adoption of a more focused data protection framework in Dubai. At present, however, the extent to which any rules, regulations and/or policies issued in connection with the Dubai Data Law, will contain data protection provisions, is eagerly awaited.

What are the challenges faced by the Dubai Data Law?

A key hurdle concerns the practical framework to be adopted, as it will be necessary to provide a system that allows for data sharing to take place, yet maintains sufficient security systems, quality control and vetting procedures to ensure the reliability and authenticity of data. From a ‘data provider’s’ viewpoint, such infrastructure will need to be easily accessible and usable. It is possible that some data providers may have difficulty in meeting the infrastructure requirements, particularly in terms of costs and resources.

In many jurisdictions that have already implemented open data policies, the balancing of open data and data sharing with an individual’s right to privacy seems to have been a particular challenge. This is often addressed by adopting a robust infrastructure with guidelines for users to help reduce any potential risks of data protection breaches. Risks could be mitigated by ensuring the redaction of any personal data that may be contained within open data or shared data (as an example).

How the new law will be implemented so that the use and re-use of open data takes place in a way that balances the obvious benefits of data sharing with the right to privacy, remains to be seen in Dubai. It will be interesting to note what (if any) express data protection regulations and safeguards in onshore UAE may be introduced to work alongside the Dubai Data Law.

 
 

This article, including any advice, commentary or recommendation herein, is provided on a complimentary basis without consideration of any specific objectives, circumstances or facts. It reflects the views of the writer which may, in some cases, differ from those of the firm, especially in the developing jurisdiction of the UAE.