To what extent will GDPR affect the UAE?

Since before the establishment of societal systems humanity has been concerned with privacy, particularly with regards to the home, family and property. Religious doctrines have inculcated rules to safeguard the privacy of an individual, and, as society has developed, privacy protection has been made sacrosanct through governmental legislation.

It is not surprising therefore, that privacy is now regarded as a fundamental human right; as is stated in the 1948 United Nations Declaration of Human Rights: ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour or reputation.’ The 1950 European Convention of Human Rights builds upon this, declaring that, ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’ Since inception, such basic rights have served to protect individuals against unexpected ‘arbitrary interference,’ and ‘attacks upon [the] home,’ reinforcing ‘the right to respect.’

Certainly, the advent of technology has intensified both the potential threat and likelihood of privacy attacks. Such attacks can be organised by any number of anonymous parties, from any chosen location on earth. For example, anonymous frauds may coerce an individual into inadvertently sharing private data, whether for medical, financial, educational or leisure purposes. In response to this growing threat, GDPR seeks to cast a wide and heavy blanket of protection over the private data of EU citizens and residents. Indeed, the new legislation extends beyond the political boundaries of the EU, attempting to guarantee data protection in an ever-growing global cyber arena.

The The UAE, like most nations, has established several laws and enactments to enshrine privacy protection at a governmental level. Article 40 of the UAE constitution stresses that ‘foreigners within the Federation shall enjoy the rights of freedom stipulated in international charters which are in force or in treaties and agreements to which the Federation is party. They shall be subject to corresponding obligations.’ Such enactments help to ensure that all citizens and residents across the UAE share basic privacy rights. In addition, many provisions of the Federal Criminal Law seek to protect the privacy of an individual, their property, home, family, honour and reputation. This is reflected in the Federal Law of Civil Transaction and the Federal Law of Commercial Transactions. Furthermore, UAE laws on cybercrime respond to the new challenges of the digital and cyber era, particularly with regards to the global flow of information. For example, data protection and cyber-crimes are addressed throughout the Dubai Financial Centre Data Protection Law (DIFC) (Law NO.1 of 2007 as amended by law NO. 5 2012 DIFC), as well as the federal decree no.5 of 2012. 

Why GDPR is of paramount interest to UAE?

Across the EU, GDPR aims to grant citizens and residents more control over the ways in which their personal data is both used and shared. Several companies such as Google and Facebook process data for the betterment of their services; however, there are other areas of business activities that must be carefully considered. The magnitude of trade interactions between the EU and UAE is estimated to be over AED 60-70B, making the UAE the biggest EU business partner in the region. A large number of EU citizens across the UAE will therefore be affected by GDPR, particularly with regards to ‘controllers’ and ‘processors’ across agencies operating in UAE or dealing with EU citizens out of UAE.

The UAE has no single national regulatory authority in place for data protection in alignment with Article 50 of GDPR legislation. GDPR places greater emphasis on the importance of accountability in comparison to the UK Data Protection Act of 1998. This raises the question as to the conflict of new GDPR laws with older legislation across non-member state countries.

Dubai is an internationally leading financial hub (according to AIG reports). Consequently, the UAE is ranked as the fifth most-likely jurisdiction to be targeted by cybercriminals, with hundreds of attacks taking place every day. Companies operating in the UAE as controllers and processors of private EU data are at risk of attacks. The improper storage of data, as well as the poor management of data exchanges with third parties will exasperate this risk. Due to this, there are set protocols in place for UAE companies to follow in order to help avoid or to minimise the risk of GDPR fines. However, there have been doubts as to whether all UAE-based companies will be able to successfully ensure full GDPR compliance.

While there are numerous variables contributing to the current situation across the UAE, it is not the intention of this article to address these extensively. On the contrary, this article serves to briefly highlight the main ways in which GDPR has impacted the UAE since its activation. Ultimately, the UAE must establish a ‘privacy shield framework.’ Such a framework would need to uphold the authority of GDPR (with potential reciprocity in circumstances where entities in the EU deal with citizens and residents of the UAE) without causing adverse effects on trade relations, or exacerbating difficult issues of conflict of laws. The best starting point for such discussions may consider the setting up of a separate law on data protection across the DIFC.

In conclusion, there is no doubt that UAE is entering into a difficult period after GDPR activation. To guarantee the successful enforcement of GDPR outside the EU, it is vital that any conflicts of law are carefully addressed. This can only be tackled once agreements in the form of treaties have been achieved between the EU and UAE.