The rise of data protection and impact on UAE businesses

22 November 2021

INTRODUCTION

Data privacy and the regulation of data protection have become increasingly relevant topics with the rise of the digital age. Now, more than ever, consumers are communicating, socialising, banking and shopping online.

As a consequence, a corresponding rise in cybercrime activity has been noted, with cybercriminals seeking to take advantage of the extensive information they are able to obtain from the businesses who collect, control and process this data.

In response, over the last decade or so, legislators around the world have been working to implement laws and regulations specifically designed to protect and shield personal data from being leaked, misused, or abused.

The introduction of the European Union’s landmark General Data Protection Regulation (GDPR) in 2016 set the benchmark for data protection, which countries all around the world are now looking to emulate.

The introduction of GDPR increased global awareness of the importance of data privacy and protection, with many regulators seeking to introduce or improve data privacy regulations in order to facilitate international data transfer, including countries in the Middle East.

By way of example, in 2016, Qatar introduced Data Protection Law No. 13 of 2016, modelled on the GDPR. This was followed by Bahrain’s Personal Data Protection Regulation of 2018, Egypt’s Data Protection Law of 2019, Saudi Arabia’s NDMO Personal Data Protection Interim Regulations and, most recently, the Saudi Data Protection Law of 2021, which is expected to come into effect in Q1 of 2022.

Following the stream of countries building and developing data privacy and protection regimes, the United Arab Emirates have recently announced the imminent introduction of a new Federal Data Protection Law. Whilst data protection is not an unknown feature of UAE law, with other laws encompassing the protection of an individual’s right to privacy, the UAE Federal Data Protection Law will be the first stand-alone law of its kind in the UAE. The UAE Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications has stated the Federal Data Protection Law will “guarantee personal privacies and the ability for the private sector to grow, innovate, and prosper. It gives individuals the right to be forgotten, the right of access, the right of correction, and the right to be informed”. It is therefore also anticipated to be modelled on the GDPR.

HOW IS DATA PRIVACY RELEVANT TO BUSINESSES IN THE UAE?

All UAE businesses undoubtedly control and/or process personal data which will inevitably be protected under the UAE Federal Data Protection Law. This includes personal information held on employees, customers, suppliers, etc.

Non-compliance with data protection regulations may have several implications for businesses. It can lead to financial or criminal sanctions, reputational damage and, of course, may subject a business to lengthy and expensive litigation. It is for these very reasons that businesses ought to ensure that the necessary measures are put in place to facilitate compliance with the anticipated data protection legislation.

While it remains to be seen how the UAE Federal Data Protection Law will sanction non-complying businesses, examples such as that of Amazon or any of the 800+ other fines issued by EU regulators since the implementation of GDPR in May 2018 show that the impact of non-compliance can be disastrous.

Financial problems are only part of the damage a business can suffer. Reputational damage is an inevitable consequence with equally detrimental effects. Loss of trust in a brand’s ability to safeguard its clients’ information, or in an employer’s ability to protect its employees’ financial and personal information, can also have consequential reputational and financial implications for a business.

Therefore, it is imperative for businesses to start considering now what they need to do to prepare for the introduction of the UAE’s Federal Data Protection Law.

RISKS ASSOCIATED WITH NON-COMPLIANCE

In its July 2021 earnings report, Amazon disclosed having been fined US$800m+ for breaches of GDPR. WhatsApp Ireland Ltd was also fined circa US$260m earlier this year for breaching GDPR.

Another business giant hit this year by a GDPR-related scandal was Uber for breaching Article 22. Article 22 is intended to protect individuals from data controllers/processors using their data and making automated decisions that have a legal or significant impact. The ruling issued in the Netherlands was made in light of Uber’s “robo-firing” techniques which terminated employees purely on the basis of algorithms. In this case, Uber was ordered to re-instate several employees as well as pay them compensation for unfair termination.

While tech giants are able to handle the financial and, potentially, reputational implications of failing to comply with GDPR, this is not the case for less well-established and stable businesses facing similar charges.

In addition, it is worth noting that, depending on the jurisdiction and the applicable data protection regulations, the consequences of non-compliance may entail criminal sanctions against the data protection officer or even the directors of a company.

WHAT DO BUSINESSES IN THE UAE NEED TO DO TO PREPARE

While the legislation is still in draft form, this is a good time for businesses to start “data mapping”. Data mapping entails identifying what type of data a business holds, who it belongs to, where it is stored, how long the business retains it for, who has access to it, etc.

The purpose of data mapping is to identify and manage risk associated with the extent of data collected from subjects. To mitigate that risk, businesses should start working towards establishing policies and procedures concerning the collection, retention, protection, processing and, eventually, disposal of personal data. Although the Federal Data Protection Law will ultimately specify data controllers’ and processors’ obligations towards their subjects, work-in-progress policies and procedures can subsequently be updated to meet the required regulatory threshold.

A key feature of data protection is that it imposes an ongoing obligation on businesses. It is not only a matter of identifying data and managing it together with data subjects; businesses should also start considering how best to implement, operate and monitor their data.