18 Aug 2019

Recent changes to data privacy affecting the UAE

Authored by: Hadef & Partners, Sector Groups

In brief:

  • The “Internet of Things Framework” is now in effect in the UAE and requires those providing services in the digital space to register, categorise the data they collect and process, and potentially abide by data localisation requirements;
  • In addition, new European E-Privacy Rules are currently in draft form and are expected to come into force either later in 2019 or early 2020. They focus on privacy with respect to data processed in connection with electronic communication services; and
  • Entities in the Middle East intending to market to Europe will have to be compliant with the upcoming new E-Privacy Rules.

Data privacy remains a hot topic globally. The EU continues to make plans for new legislation, beyond the General Data Protection Regulations (the GDPR) which were introduced in May 2018. Such legislation could have a major impact on business models that provide any form of online communication, use online tracking technologies, or engage in electronic direct marketing with reference to, or in connection with, the EU.

The “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)” to give it its full name (the E-Privacy Rules):

  • are intended to supplement the GDPR by addressing in detail the confidentiality of e-communications, and the tracking of internet users more broadly (cookies);
  • will have extra-territorial effect (like the GDPR); and
  • will apply to the use of e-communications and metadata (and so are relevant to calls, SMS, emails, VoIP and internet messaging, such as BOTIM, WhatsApp, Facebook Messenger, Gmail and iMessenger), as well as the sending of unsolicited direct marketing to those in the EU,

so businesses in the Middle East intending to market to users in the EU need to take notice and prepare.

Meanwhile in the UAE, the new Internet of Things regulatory framework (the IoT Framework) is now in effect. It is made up of a Regulatory Policy (IoT Policy) and Procedures (IoT Procedures), which require service providers to comply with a mandatory registration process; certain data protection principles regarding data storage; purpose limitation and data minimisation; and storage limitations. GDPR-compliant entities in the UAE may recognise many of these concepts, as the IoT Framework adopts many terms and approaches of the GDPR.

Data localisation

Data localisation is one concept that has been included in the IoT Framework, which requires that data be categorised. Some categories of data must be stored within the UAE, while others may be stored elsewhere.

We highlighted some examples of data localisation earlier this year in our article on UAE Federal Law No. (2) of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the Health Data Protection Law), which came into effect in May 2019 (see our article here for further details). Entities processing data relating to healthcare must comply with the new legislation, which introduced the establishment of a central system to store, exchange and collect healthcare data, and imposed fines of up to AED 1 million for breaches.


We recommend careful consideration of the activities that your business undertakes to identify where it might be processing personal data, which can include where data is collected and used as part of relationships with third parties. The terms governing the collection, use and possibly the transfer of that data, should be carefully drawn up with data subjects’ privacy rights in mind.

Given the changes taking place in how data is collected and used, the introduction of new legislation, and the impact on the way your business operates in this context (specifically how it commoditises the data it collects, such as from its website and its database of customers, service providers and suppliers), it is worth considering how (and where) you are obtaining the necessary consent for the use and processing of that data as part of your business’s overall compliance and risk management strategy.

For more information, please contact us on sectors@hadefpartners.com.


This article, together with any commentary, does not constitute legal advice. It is provided solely for information purposes on a complimentary basis, without consideration of any specific objectives, circumstances or facts. It reflects the then-current views of the writer, which may change over time and based on differing objectives, circumstances or facts. A writer's view may differ from the views of colleagues and/or the firm. You should seek legal advice on each specific matter. Access to this article does not form an attorney-client relationship.