On 5 September 2021, the UAE announced plans to introduce a new federal data protection law (“UAE Data Law”) in the coming weeks, its first-ever comprehensive data privacy and protection law to be issued.  The new law forms part of the UAE’s Projects of the 50, a set of economic and developmental initiatives designed to mark the country’s 50th anniversary, and launches the next phase of the UAE’s growth.

The UAE Data Law was developed in consultation with major technology companies. H.E. Omar Bin Sultan Al Olama, Minister of State for Artificial Intelligence, has stated that “every single data law on the planet” was considered when drafting the new legislation.  The new law aims to be a “global law” that will provide international companies with a smooth mechanism for cross-border transfers, as well as have a low cost of compliance for SMEs. Some aspects of the UAE Data Law will include:

  • the right to be forgotten, the right of access, the right of correction, and the right to be informed, all of which are already included in EU GDPR, Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) data protection laws;
  • consent obligations regarding marketing of data by companies seeking to monetize data;
  • minimal restrictions on cross-border data flows or references to sensitive or restricted data; and
  • provisions for a new national data privacy regulator.

The UAE Data Law is likely to be issued before the end of November 2021, prior to the country’s 50th anniversary.  Once enacted, the UAE Data Law might also provide an adequate level of protection for the purposes of data transfers from other regulated jurisdictions, including the DIFC and ADGM.

The UAE Data Law will not likely apply to data privacy and protection related to government data or health data, which will be covered by separate new or revised legal regimes.

We will continue to monitor these developments at Inside Privacy.