In-brief:

The adoption of AI systems by businesses has gained significant popularity in the UAE (as it has globally) across various sectors, including healthcare, finance, retail, and recruitment, partly driven by the country’s commitment to becoming a global leader in technology and innovation. The UAE Government has made considerable investments in AI through initiatives like the UAE Artificial Intelligence Strategy 2031, which aims to integrate AI into all aspects of UAE governance and public services.

In the UAE private sector, AI is increasingly being used for data analytics, customer service automation, and predictive modelling. AI-powered ‘chatbots’ and virtual assistants are commonly used in customer service and e-commerce, while machine learning algorithms are being applied by the finance sector for fraud detection and risk management. In the recruitment space, AI-driven tools are being increasingly used for candidate screening, social media analysis, and predictive hiring, helping companies make faster, more informed hiring decisions.

With its rapid adoption across multiple industries, AI is contributing to the UAE’s vision of becoming a global innovation hub; however, the growing reliance on AI raises important questions about data privacy and data protection.

Background of Data Protection in the UAE

In the UAE, data protection is governed by legislation enacted in three jurisdictions: the Dubai International Financial Centre (“DIFC”), the Abu Dhabi Global Market (“ADGM”), and ‘onshore’ UAE (i.e. the UAE jurisdiction outside of the DIFC and the ADGM).

The DIFC’s data protection regime operates under the DIFC Data Protection Law No. (5) of 2020 (the “DIFC Data Law”), and its associated Data Protection Regulations (the “DIFC Data Regulations”). The ADGM’s data protection regime operates under the ADGM Data Protection Regulations 2021, and related rules (the “ADGM Data Regulations”). Both of these jurisdictions are closely aligned with global standards, like the EU’s GDPR, emphasizing transparency, consent, and data subject rights when dealing with personal data. In 2023, the DIFC updated the DIFC Data Regulations to include ‘Regulation 10’, which specifically addresses the processing of personal data through autonomous or semi-autonomous systems, which is broadly a reference to AI.

‘Onshore’ UAE data protection regulation is governed by Federal Decree Law No. (45) of 2021 Concerning the Protection of Personal Data (and its (as yet awaited) Executive Regulations) (the “PDPL”), which introduces a comprehensive data protection regime covering all sectors, with notable focus on data subject consent, cross-border data flow rules, and the establishment of a national data protection authority.

While the DIFC and ADGM offer tailored regulations for financial and free zone activities in the context of personal data protection for those established in those financial free zones, the PDPL provides a unified framework for the protection of personal data across the UAE and, in respect of the personal data of its residents and citizens, beyond.

DIFC Data Law and Regulation 10

Until the introduction of Regulation 10, the DIFC’s data protection regime did not explicitly refer to AI; however, certain concepts contained in the DIFC Data Law impacted, and continue to impact, the implementation of AI systems. These include the requirement to apply ‘data protection by design and default’ (designing the system with data protection in mind), conducting data protection impact assessments (“DPIAs”) when adopting certain types of systems, and the grant of additional rights to data subjects, including the right to receive additional information or to object to processing in the context of profiling and automated decision making (both of which concepts can apply to an AI system).

In the context of AI, Regulation 10 specifically addresses the processing of personal data through ‘autonomous’ and ‘semi-autonomous systems’. The definition of these concepts is broad and captures multiple technologies, including those broadly referred to as ‘AI’ (noting, in this regard, that defining ‘AI’ and ‘AI systems’ is not a clear-cut task). Regulation 10 was heralded by the DIFC as the first enacted regulation in the UAE addressing the “processing of personal data via systems such as artificial intelligence (AI) or generative, machine learning technology” (DIFC Press Release, 7th September 2023).

Regulation 10 aims to ensure the ethical and secure handling of personal data within AI systems. A key feature of Regulation 10 is its focus on interoperability, providing a platform for aligning various international guidelines and principles related to AI development (such as the OECD AI Principles, AI Ethics Guidelines by the European Commission and the UNESCO AI Ethics Framework). This approach fosters a collaborative and transparent environment for creating and maintaining innovative, yet safe, AI systems.

Pursuant to Regulation 10, DIFC companies must notify the DIFC Commissioner prior to using many applications adopting AI. Notification will depend on various factors, including whether the relevant processing of personal data is deemed to be a “High Risk Processing Activity”. We expect that much AI software will fall within this definition, since it will likely be involved in the ‘systematic and extensive’ evaluation of data, reviewing ‘personal aspects’ of data relating to a natural person (i.e. personal data), automated processing, and making decisions that result in a ‘legal effect’ to a natural person. In addition, DIFC companies will be required to provide data subjects with a wide range of information if their personal data is to be processed by such AI systems (unless certain exemptions apply). Data subjects also have the right to request additional information from the system operator (being the controller of the system).

Regulation 10 emphasizes the importance of ethical AI design principles, including fairness, transparency, and accountability, to seek to prevent bias and to ensure responsible data processing.

The principles of Regulation 10 are supported by similar principles in the DIFC Data Law (although, as noted above, the DIFC Data Law does not explicitly address AI in the same way as Regulation 10 does, and instead encompasses principles and requirements that are pertinent to AI systems).

ADGM Data Regulations

Similar to the DIFC Data Law, the ADGM Data Regulations do not expressly consider AI-based data processing, but they do contain rules and standards that would apply to AI adoption in data processing/AI systems. A key provision in the ADGM Data Regulations to note is the requirement for data controllers to implement ‘data protection by design and by default’. This mandates that data protection measures be integrated into the development and operation of systems, including AI technologies, for data processing, thus seeking to ensure that personal data is processed in compliance with the regulations from the outset. The ADGM Data Regulations also emphasize the importance of conducting DPIAs for personal data processing activities that may result in high risk to an individual’s rights and freedoms. Given the potential for AI systems to impact personal data processing, conducting DPIAs may be required to identify and mitigate risks associated with the adoption of AI technologies.

Furthermore, the ADGM Data Regulations (and DIFC Data Law) require data controllers to maintain records of processing activities, which is crucial for transparency and accountability in AI operations. This aligns with the broader objective of ensuring that personal data processing, including that involving AI, is lawful, fair, and transparent.

‘Onshore’ UAE

‘Onshore’ UAE has established a comprehensive framework to regulate AI, integrating the PDPL with ethical guidelines and policies to ensure responsible AI development and deployment. A cornerstone of this framework is the PDPL, which mandates that personal data processing (including processing by AI systems) must adhere to principles of transparency, accountability, and fairness. Similar to both the DIFC Data Law and ADGM Data Regulations, the PDPL includes concepts such as carrying out DPIAs and providing data subjects with additional rights, such as a right to object to any decisions resulting from automated processing (except in specific, defined circumstances).

In addition to the PDPL, the UAE (and/or Dubai) has introduced the following AI guidelines and policies:

  • the National Program for Artificial Intelligence: UAE National Strategy for Artificial Intelligence 2031;
  • the National Program for Artificial Intelligence: AI Guide;
  • the UAE Charter for Development & Use of Artificial Intelligence; and
  • Smart Dubai: AI Ethics Principles & Guidelines,

(together, the “UAE AI Policies”).

The UAE AI Policies aim to position the country as a global leader in this space, by promoting innovation, while ensuring the ethical development and use of AI technologies. These policies focus on creating a strong governance framework that balances technological advancement with principles of transparency, fairness, and accountability (similar to the principles in the PDPL, DIFC Data Law and ADGM Data Regulations). The UAE AI Policies emphasize the importance of aligning AI development with societal values, legal standards, and ethical considerations, to ensure that AI systems contribute positively to various sectors.

In addition to the UAE AI Policies, the Dubai Centre for Artificial Intelligence has recently introduced the ‘Dubai AI Seal’ to verify and authenticate AI businesses in Dubai. The Dubai AI Seal assures stakeholders that the AI systems offered by certified companies in Dubai comply with ethical standards, regulatory requirements, and best practices in the AI industry. By obtaining the AI Seal, companies can demonstrate their commitment to responsible AI use, which is crucial for fostering data protection, security, and overall industry growth.

Whilst AI is a relatively new concept, there are a number of additional UAE laws that (indirectly) form part of the UAE legal framework for regulating AI, including Federal Law No. (5) of 1985 (the Civil Code), Federal Decree Law No. (31) of 2021 (Penal Code), and Federal Decree-Law No. 34 of 2021 (Cybercrimes Law). The Civil Code seeks to ensure that AI systems (and/or their designers and/or operators) adhere to contractual obligations and protect individuals and entities from AI-induced harm or breach of contract. The Penal Code addresses potential criminal activities related to AI, including fraud, negligence, and violations that may arise from the use of AI systems, ensuring accountability for unlawful actions. The Cybercrimes Law regulates AI in the context of cybersecurity, imposing penalties for unauthorized access or misuse of data by AI systems. Together, these UAE laws help ensure that AI technologies are developed and used responsibly, while safeguarding public safety, privacy, and legal rights.

Specific rules and guidelines in regard to the adoption of AI technology have also been released in a number of industry sectors in the UAE, including the healthcare and financial services sectors. These include “Guidelines for Financial Institutions Adopting Enabling Technologies” issued jointly by the UAE Central Bank, the Securities and Commodities Authority, the Dubai Financial Services Authority and the Financial Services Regulatory Authority of the ADGM, as well as the Department of Health’s “Policy on Use of Artificial Intelligence (AI) in the Healthcare Sector of the Emirate of Abu Dhabi” and the Dubai Health Authority’s “Artificial Intelligence in the Healthcare”.

Regulation of AI systems in the UAE is therefore nationwide and sector focused.

Dispute Resolution, Penalties and Complaints

Each of the DIFC Data Regulations, the ADGM Data Regulations, and the PDPL establishes processes for data subjects with data protection related complaints against data controllers or processors to follow, as well as related penalties for data protection violations (although, for the PDPL, it is expected that penalties will be set out in the awaited Executive Regulations). To seek to mitigate the risk of data protection related complaints (and, indeed, penalties), it is imperative for companies using AI systems to be aware of their obligations to data subjects in the UAE.

In addition, those adopting AI systems in their businesses should be mindful of the convenience offered to consumers under the soon to be introduced consumer complaints process of the Dubai Corporation for Consumer Protection and Fair Trade (the DCCPFT, which is part of the Dubai Department of Economy and Tourism (DET)). This new process enables consumers to file formal complaints against businesses quickly and easily, simply by messaging on WhatsApp. We expect that complaints capable of being launched by consumers in this way will include those related to the use of AI, such as AI-induced harm or breach of contract claims, and AI-related consumer protection concerns. A Dubai resident could simply upload documents related to their grievance via WhatsApp, and would quickly receive a ‘resolution letter’ from the DCCPFT, which they would then be able to present to the relevant business for execution and the swift resolution of their complaint. If a company refused to accept the resolution prescribed by the DCCPFT, they would face potential penalties.

Businesses using AI systems in their UAE operations would be well advised to become familiar, therefore, not only with the data protection related dispute resolution processes and potential penalties for violations as set out in the various legislation, but also with the mechanisms that are being put in place in the UAE to aid consumers in exercising their rights.

Conclusion

As AI continues to transform various sectors in the UAE, it is essential for businesses to consider and address the various challenges that come with its rapid adoption, particularly in the areas of data privacy and data protection. The UAE's evolving legal framework, including data protection regulations and ethical guidelines, plays a critical role in balancing innovation with safeguarding individuals’ rights. By maintaining this balance, the UAE, together with businesses operating in the UAE and embracing its vision, can continue to lead in AI innovation, while ensuring responsible and secure use of these transformative technologies.

For more information, please contact a member of the Hadef Commercial Team (Victoria Woods, Partner - v.woods@hadefpartners.com, Diana Froyland, Senior Counsel - d.froyland@hadefpartners.com, or Julie Beeton, Senior Counsel - j.beeton@hadefpartners.com).

 
