1 Executive Summary
The United Arab Emirates recently passed a collection of legislative reforms to bring their economic and commercial development goals in alignment with international best practice. This strategic look at regulations for data protection, electronic transactions and trust services, industrial property rights, copy rights, trademarks, and other commercial and social topics was prompted by the country's 50th year anniversary to proactively strengthen the country's legal foundation for future growth.
One of the nearly 50 legislative additions to the UAE's federal laws is No. 45, the Personal Data Protection Law (PDPL), which was announced in December 2021 and came into effect on January 2, 2022.[^1] The law will be accompanied by an Executive Regulations that provide additional technical and operational details on complying with the Data Protection law, and the publication of these will trigger a 6-month grace period that companies have to bring their operations and processes into compliance with the regulation. The accompanying Executive Regulations are expected in spring 2022. Supporting the Data Protection Law (No. 45) is Law No. 44 which establishes the UAE Data Office which will be the data protection regulatory authority to operationalize the Data Protection Law's requirements.
This law will elevate and standardize data protection for companies operating in and handling personal data from the UAE. As with many other regions, organizations in the UAE often have little visibility into the corporate data that is collected, stored, and transferred, which creates risks for data breaches and losses due to ransomware; investigations from 2021 indicate that only approximately 31% of data stored by the participating UAE companies is critical to business operations, leaving 69% of redundant, obsolete, trivial, or shadow data that presents significant risk.[^2]
This is the first federally applicable data protection law in the UAE. Other data protection laws have been established in some of the many financial free zones in the UAE, where their applicability is limited to the free zone that passed it, for example in the Dubai International Financial Centre (DIFC) or the Abu Dhabi Global Market (ADGM). While the new law does not apply to these financial free zones (existing data protection laws enforced in each free zone still stand), it takes important steps to create alignment between data protection practices in the EU and 'global best practice', closely oriented around the EU's GDPR.
This Leadership Brief offers an analysis of the PDPL in relation to the GDPR, and provides recommendations for businesses located in the UAE or that otherwise are impacted by this new data law.