Personal Data Infringement and Protection Under UAE Laws.
The establishment of strong legal frameworks is important for ensuring that personal data and individual privacy are managed and regulated appropriately. Data protection in the UAE is governed by Federal Decree-Law No. (45) of 2021 on the protection of personal data (Data Protection Code) and Federal No. (34) of 2021 on the fight against rumours and cybercrime.
Federal Decree-Law No. (45) of 2021: The Data Protection Code
The UAE’s personal data protection is regulated and governed by the Data Protection Code. Following are the important definitions under Article 1 of the Data Protection Code:
- Data: Information processed by humans or computers, whether organized or unorganized, including numbers, words, and images.
- Personal Data: Information that identifies or makes an individual identifiable, including sensitive personal data and biometric data.
- Sensitive Personal Information: Personal information, private in nature, consisting of family background, beliefs, criminal records, or health information that describes physical, psychological, or sexual conditions.
- Biometric Data: It refers to unique personal information that is processed using a specific technique that confirms identification through physical, physiological, or behavioural characteristics, such as fingerprint data or facial images.
- Right to Object the Personal Data Processing: The provisions for objecting to data processing, as per Articles 17 and 18, include the exception of consent, contractual obligations, or legal requirements in Article 6. Controllers are responsible for handling personal data and should maintain transparency in the communication of personal data for security purposes. The technical and organizational measures by the law include encryption and pseudonymization for ensuring protection.
- Assessment and Transfer: Article 21 imposes the obligation on controllers in cases of high-risk processing to effectively conduct an assessment on potential privacy risks. Article 22 authorizes special transfers of personal data outside the UAE upon data office approval. Guidelines for data transfer outside the UAE are outlined in Article 23, which distinguishes between circumstances with and without sufficient protection.
- The regulatory Processes: Article 24 allows individuals to submit complaints with the data office regarding breaches in data protection. The data office has the authority to investigate the facts and may impose the administrative fines. Concerned parties can forward grievances against the decisions taken by the data office to the office general manager within a period of 30 days. Administrative fines are issued by the cabinet, which takes into consideration the report from the office general manager.
Federal Decree-Law No. (34) of 2021: Combatting Rumors and Cybercrime (Cybercrime Law)
The Cybercrime Law regulates violations of personal information and data and imposes severe penalties for misuse and unauthorized access:
Article 6 – Breach of Personal Data and Information:
- Infringing on electronic personal data or information, by means of information technology, through unauthorized access, acquisition, modification, damage, disclosure, leakage, cancellation, deletion, copying, publication, or re-publication, shall be punishable by detention for not less than six months and/or a fine of AED 20,000 to 100,000.
- In cases where the data or information involves medical records, bank accounts, or e-payment methods, the penalties shall be aggravated.
- Receiving, keeping, storing, or using such data knowing it is illegitimate to obtain shall also be punished with detention and/or a fine.
Article 44 – Disclosure of Secrets and Privacy Breach: Unauthorized use of information networks or technology to breach privacy or family life may lead to detention for not less than six months and/or a fine of AED 150,000 to 500,000. This includes:
- Eavesdropping, recording, communication, distributing, or disclosure of conversations or materials.
- Taking or sharing photographs or electronic images without consent.
- Spreading news, images, or information with the intent to harm another person.
- Publishing pictures of casualties or victims without permission.
- The tracking or disclosure of geographical data of third parties.
- Defaming or abusing another person by modifying or processing a recording or image, which can lead to imprisonment for not less than one year and/or a fine of AED 250,000 to 500,000.
Copyright © of this article is retained by the author and/or other copyright owners. We explicitly grant you permission to download a copy, without any alteration, of this article for personal non-commercial research or study, without prior permission or any charge. This article can be utilized on your website or for marketing, however, we grant you permission to host this article on your website and no other rights. This content should not be altered in any way or sold commercially in any format without prior permission of the copyright holder. During reference of this article, full biographic details entailing the name of the author, his designation, the institute and the publishing date of the article shall be provided.
