22 May 2018

Privacy and data protection in the UAE

Authored by:

The protection of personal data and privacy considerations are more important than ever due to globalisation and technological development.

Although there are no explicit laws or authorities that deal specifically with privacy and data protection in the UAE (excluding in the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”) Free Zones, discussed below in more detail), a number of UAE Laws are relevant.

In this article, we briefly summarise key UAE laws and regulations relevant to privacy and data protection, and action points to be considered by businesses with a presence in the UAE in order to mitigate the risk of failing to comply with such legislation.

The main UAE Laws which are relevant to privacy and data protection

  • UAE Constitution

The UAE Constitution addresses privacy by providing that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”.  The broadly held view among lawyers practicing in the UAE is that this provision was intended to enshrine a basic right to privacy in relation to an individual’s personal and family affairs.

A wrongful invasion of this right to privacy might constitute a “wrongful act” for which a civil action for damages would lie, pursuant to the Civil Code (see below).

  • The Civil Code

A wrongful breach of privacy may result in a civil action for damages pursuant to Federal Law No. 5 of 1985 (the “Civil Code”).  The Civil Code provides that a person who suffers unlawful infringement of any of the rights appurtenant to him (such as the above constitutional right) has the right: (a) for such infringement to cease; and (b) to compensation. Further, wrongful invasion of the right to privacy under the Constitution may constitute a “wrongful act” pursuant to the Civil Code, giving rise to a civil action for damages. The Civil Code provides that any harm done to another shall render the perpetrator liable to make good the harm.

Given the importance attached to the concept of “good name” and the right to privacy in relation to personal matters in this jurisdiction, we are of the view that “harm” could be held by the courts to include “damage to reputation” and “invasion of privacy” (a constitutional right). It is important to note that because wrongful conduct of this nature would not result in physical injury, a valid claim for compensation may only apply to the extent that the “wrongdoer” had acted with intent.

  • The Penal Code

In conjunction with the constitutional right to privacy, Federal Law No. 3 1987 (the “Penal Code”) provides for the protection of individuals from the interception and disclosure of their personal data.

The Penal Code prohibits those who have access to individuals’ personal data from disclosing or publicising that information. In particular, the Penal Code specifically prohibits the publication of people’s private affairs, and provides sanctions of imprisonment and/or a fine for anyone who, through any means, publishes news, pictures or comments pertaining to secrets of a person’s private or family lives, even if such publications are true.

The Penal Code makes it clear that corporate entities can also be guilty of the offences established by the Penal Code, through the agency of directors, agents and other representatives. A corporate body convicted under these provisions would be liable to pay a fine or be subject to confiscatory measures.

  • Electronic Transactions and Commerce Law

Federal Law No. 1 of 2006 and its corresponding Dubai Law No. 2 of 2002 relating to Electronic Transactions and Commerce (“ETCL”) is principally concerned with the security of electronic transactions and ensuring that electronic data is authentic and reliable.

  • Cyber Crimes Law

Federal Law No. 5 of 2012 relating to Combating Information Technology Crimes, known as the “Cyber Crimes Law” is principally concerned with the abuse/misuse of electronic information, including its development through the internet by people generally. It deals with hacking, identity theft and fraud. It can also capture instances where a person gains access to an electronic information system, website or computer network without authorisation. The Cyber Crimes Law also makes it illegal to disclose any information obtained by electronic means, if such information was obtained in an unauthorised manner.

  • GDPR

From 25 May 2018, companies based in the UAE will need to consider the extent to which they may fall within the scope of the European Union’s General Data Protection Regulation (“GDPR”). For more information on this legislation and how it may affect companies in the UAE, please see our recent article here.

The DIFC and ADGM

Each of the Dubai International Financial Centre (“DIFC’”) and the Abu Dhabi Global Market (“ADGM”) free zones has its own specific data protection law.

What action to take

There are action points which can be considered by businesses with a presence in the UAE in order to mitigate the risk of failing to comply with the legislation referenced above. We summarise some of the possible action points below:

  • Conduct a data audit to understand the type of data your business holds.
  • Ensure that adequate privacy policies are in place to explain the way in which relevant data is collected, used or disclosed and maintain appropriate internal management of data by implementing such policies.
  • Keep data subjects updated should the storage, transfer or processing of their personal data change.
  • Consider whether further action needs to be taken in order to comply with the GDPR. Please see our recent article here for further details in this regard.
 
 

This article, including any advice, commentary or recommendation herein, is provided on a complimentary basis without consideration of any specific objectives, circumstances or facts. It reflects the views of the writer which may, in some cases, differ from those of the firm, especially in the developing jurisdiction of the UAE.