September 22, 2011
Data Protection in Dubai: The “DIFC Data Protection Law”
The following article examines the legal provisions on data protection in Dubai that are governed by the DIFC Data Protection Law 2007, DIFC Law No. 1 of 2007 (referred to in the following as “DPL-DIFC 07”), and explores the potential economic implications.
Article by Dr. Stephan Gärtner, Berlin.
Dubai as part of the UAE
The United Arab Emirates (UAE) is a federation of seven emirates, including the Emirate of Dubai. The common federal law of the UAE governs foreign matters, police, defense, intelligence and security, transportation, education, health policy, currency, passports and the rights of foreigners. However, the individual emirates also exert tremendous influence on these political areas; this applies all the more to their own areas of competency. In principle, the following hierarchy of rules underlies federal law as well as the laws of the individual emirates: 1. constitution, 2. federal and emirate legislation, 3. Sharī’a, 4. established commercial customs and practices. After Saudi Arabia, the UAE is the second largest national economy in the region.
Data protection regulations in Dubai
In Dubai itself, commerce, tourism, financial services, air traffic and freight transport are but a handful of the most important business sectors. On February 16, 2002, the Emir of Dubai inaugurated the Dubai International Financial Centre (DIFC). A special law applies within the DIFC that includes a Data Protection Act, among other laws.
Interpretive framework: Constitution of the UAE
As a limitation on interpreting this Data Protection Act, one must take into consideration the constitution of the UAE. The constitution itself establishes no distinct basic right to informational self-determination. Nonetheless, according to Article 26 of the constitution, freedom of the individual does apply; this could account for partial aspects of data protection.
Construction of DPL-DIFC 07
The DPL-DIFC 07 is lucid in construction. It consists of 35 “Articles” that are similar to sections (§) of German law in terms of scope. Added to this structure are a “Schedule” and its three additional “Articles.” Collectively, the regulatory design is reminiscent of Anglo-Saxon legislation, in particular the British Data Protection Act of 1998 (subsequently referred to here as “DPA 1998”).
Survey of DPL-DIFC 07
Generally binding regulations on the admissibility of data processing (DPL-DIFC 07, Articles 8 to 10) are aligned with less significant regulatory action, such as those on citation methods or applicability (DPL-DIFC 07, Articles 1 to 7). Thereafter come regulations on data transfer abroad (DPL-DIFC 07, Articles 11 and 12), on transparency obligations (DPL-DIFC 07, Articles 13 and 14), on security matters (DPL-DIFC 07, Articles 15 and 16) and on the rights of the affected parties (DPL-DIFC 07, Articles 17 and 18). One exception is damages compensation claims, which are governed by DPL-DIFC 07, Article 35. Thereafter, DPL-DIFC 07 grants a comparably extensive amount of space to the topic of supervisory authorities (DPL-DIFC 07, Articles 19 to 33). DPL-DIFC 07, Article 34, governs the accessibility at court. This is followed by the Schedule with explanatory provisions.
Set-up of DPL-DIFC 07
DPL-DIFC 07 is set-up as follows:
- Part 1 (Articles 1 – 7): GENERAL
- Part 2 (Articles 8 – 16): GENERAL REGULATIONS ON THE PROCESSING OF PERSONAL DATA
- Part 3 (Articles 17 – 18): RIGHTS OF DATA SUBJECTS
- Part 4 (Articles 19 – 20): NOTIFICATIONS TO THE COMMISSIONER OF DATA PROTECTION
- Part 5 (Articles 21 – 31): COMMISSIONER OF DATA PROTECTION
- Part 6 (Articles 32 – 35): REMEDIES, LIABILITY AND SANCTIONS SCHEDULE
Articles 8 to 16: General Regulations
This section can be described as the general portion of data protection law. DPL-DIFC 07, Article 8, governs data protection principles, such as the principles of restricting the appropriation of data, and of data accuracy. Similarities to the wording of Great Britain’s DPA 1998 are noteworthy. Moreover, one can ascertain that the data protection principles in certain sections were taken partially verbatim from those of the EU Directive 95/46/EC of the European Parliament and European Council of October 24, 1995 on the protection of natural persons in the processing of personal data and the free movement of such data.
Thus, DPL-DIFC 07, Article 8, governs the following data protection principles:
- Processing according to law and legislation, and in good faith (Article 8 (1)(a))
- Principle of limitation to specified purpose (Article 8(1)(b))
- Data accuracy (Article 8(1)(c)(d); (2))
- Data minimization (primarily from a chronological perspective (Article 8(1)(e))
Ban with reservation to grant permission
DPL-DIFC 07, Article 9, establishes the ban with reservation to grant permission. The wording of the provision reads: “Personal Data may only be processed if…” Thus, here as well, the European tenet of the exception-to-the-rule principle applies: accordingly, data processing actions are basically illegitimate and justified only on an exceptional basis, namely if the affected party has granted permission or the law has allowed such processing.
Permission must be granted in writing
According to data protection law in Dubai, permission is only deemed to be on an authorized basis if it was granted in writing (DPL-DIFC 07, Article 9(1)(a)).
Data processing without permission
Irrespective of the aforementioned, there are four circumstances that are not contingent on the granting of permission (DPL-DIFC 07, Article 9(1)(b)-(f)). These can be summarized to the effect that processing data without permission is only legitimate if the preponderant interests of a third party or the common welfare justify such acts. DPL-DIFC 07, Article 10, confines these permissible circumstances to the category of sensitive data, as is found under the system of European data protection guidelines.
Regulation of technical data protection
Article 16 of DPL-DIFC 07 is additionally of paramount importance. According to this article, each responsible office commits to establish “appropriate technical and organizational measures to protect Personal Data against willful, negligent, accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 10 or Article 12 above.” The parallels to the European standards here are obvious.
Rights of the affected party
The rights of the affected party are governed in DPL-DIFC 07, Articles 17 to 18. They cover the right to information, correction, deletion and blockage (DPL-DIFC 07, Article 17). The conditions essentially correspond to European standards (Data Protection Guideline Section 12 et seq.). Deletion is required in any case if storage is not permitted.
Data protection supervision in Dubai
Sections 4 and 5 of DIPL-DIFC 07 are dedicated to supervisory agencies, which in Dubai is known as the “Commissioner of Data Protection.” DPL-DIFC 07, Articles 21 to 24, deal with the duties, responsibilities and beginning and end of the Commissioner’s tenure. DPL-DIFC 07, Article 25, circumscribes the basic authorities of the supervisory agency. In doing so, it sets forth several individual authorities (such as one’s own right to file action per DPL-DIFC 07, Article 25 (3)(d)).
Article 25 of DPL-DIFC 07 is additionally significant. The wording states: “The Commissioner of Data Protection has power to do whatever he deems necessary, for or in connection with, or reasonably incidental to, the performance of his functions.”
The data protection law created in 2007 in Dubai relied heavily on European law. There are differences in the elaborateness of the legal regulations: in DPL-DIFC 07, blanket provisions and brief standards are the rule; in European laws, these tend to be the exception. Through these legal regulations, Dubai is opting to take an interesting step for the region, in order to strengthen its own economic region, because in the long term this legislation should simplify the outsourcing of data processing operations from Europe to comparably regulated regions.