INTRODUCTION

With businesses increasingly driven by personal data, jurisdictions globally have enacted legislation and regulations to safeguard the interests of data subjects resident in their respective jurisdictions. This puts data subjects' rights at the forefront of all business considerations, along with the institution of internal policies to manage personal data. Regional and global businesses must now navigate complex compliance obligations imposed by the various data protection frameworks existing in the UAE. Interestingly, businesses such as Virtual Assets ("VA") Service Providers ("VASP") and financial technology companies ("FinTech"), based in the UAE, ADGM or DIFC, have clients and operations spread across the globe, resulting in personal data collection and processing across jurisdictions. In this case, they must comply with the applicable data protection regimes of multiple jurisdictions. Particularly relevant for such businesses, spread across geographical and jurisdictional boundaries, are regulations on cross-border transfer of data and mechanisms for the exercise of data subjects' rights.

This newsletter is aimed at VASPs and FinTechs with operations in more than one jurisdiction in the UAE, for example, an FSRA-licensed virtual asset exchange with personal data processing capabilities in the UAE mainland. The newsletter intends to deliver a framework to better identify similarities and differences in personal data protection regimes in these jurisdictions so that they can streamline compliance processes and reduce duplication of effort.

This newsletter does not intend to provide legal advice, only the contours of such similarities and differences.

Data Protection Frameworks in the UAE

There are three primary data protection regimes in force in the UAE. In the UAE mainland, it is the Federal Decree Law No. 45 of 2021, which is the main Personal Data Protection Law ("PDPL") for the country. The Executive Regulations for the PDPL, which will give teeth to the law, are yet to be framed. For the two financial freezones, i.e., Abu Dhabi Global Markets ("ADGM") and Dubai International Financial Centre ("DIFC"), the ADGM Data Protection Regulations 2021 and the Data Protection Law 2020 - DIFC Law No. 5 of 2020 (as amended by DIFC Law No. 2 of 2022) respectively hold the field. DIFC's Data Protection Law is supplemented by the DIFC Data Protection Regulations 2020.

Uniformity of purpose across the three frameworks

Most reassuringly, all three data protection regimes recognize the centrality of personal data to the digital economy and strike a balance between protecting the privacy of the individual on one hand and enabling businesses to innovate and grow on the other. Specifically, the provisions relating to cross-border transfers of data appear to be facilitative, rather than restrictive. Similarly, while special categories of personal data and sensitive personal data are recognized, their processing is permitted under certain conditions, including, among others, if express consent is obtained from the data subject or if such processing is required for employment-related purposes. Businesses, in their role as data controllers and data processors, must adapt their operations to the requirements of these regimes in order to be able to leverage the personal data collected by them, while ensuring the privacy of the data subjects (individuals) who have shared that data.

Broadly speaking, all three data protection regimes require that companies which collect and process personal data must first seek and obtain consent from the individual, except in certain limited circumstances, such as when the processing is in the public interest or is for judicial or security reasons. VASPs and FinTechs may benefit from making these exceptions clear in their client onboarding/account opening forms, as well as in their privacy policies.

Companies will also be required to take measures to secure the personal data under their control as well as maintain a record of the personal data processed. In addition, they will need to report breaches of personal data to the appropriate authority: the UAE Data Office in the case of the PDPL and the respective Commissioners in the ADGM and DIFC.

There are some elements of divergence in this general uniformity. Provided below is a comparative view of selected aspects of the three frameworks.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.