GDPR & UAE’s New Data Protection Law: Key Similarities To Know

Published March 1, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


On 28 November 2021, the UAE passed the Federal Decree-Law No. 45 of 2021, better known as the Personal Data Protection Law (PDPL). It follows several other countries around the globe in coming up with concrete legislation that protects the data of all residents within its jurisdiction.

Naturally, the new law has drawn several comparisons with the EU's General Data Protection Regulation (GDPR), considered by many to be the most thorough piece of legislation enacted on the subject of data privacy and data protection. Unsurprisingly, there are numerous similarities between the two laws, along with some notable differences.

Understanding these similarities and differences can help companies and data handlers achieve compliance with both laws and gain a competitive advantage over their competitors in both regions. It is also a helpful exercise in assessing how, and in which areas, they need to amend their data processing practices to remain compliant with both laws.

Scope Of the Law

Data privacy and protection have become an essential cornerstone of any company's ability to maintain the trust of its users. As users become increasingly aware and educated about what their rights are and the responsibilities of data handlers towards them, it is imperative that organisations understand where they stand.

The most natural first step is to establish whether a company needs to comply with the new UAE data protection law and how that compares to its compliance obligations under the GDPR.

The UAE

As per the new UAE PDPL, any company registered in the UAE that collects or processes the data of UAE residents is subject to this new legislation. Additionally, any company not registered in the UAE but processing the data of UAE residents is also subject to this legislation.

Some notable exemptions exist for government data, public entities' data, and health and credit data, which are subject to their own dedicated legislation. Moreover, companies established in the free zones of the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are subject to their own data protection laws and are exempt from the PDPL.

The GDPR

The GDPR deals with its scope, and with who needs to comply with it, in a simpler way. Whether based in the EU or outside it, any company that collects data on EU residents has to comply with the legislation's provisions.

Additionally, the GDPR contains provisions under which, if your product is sold to customers in the EU or is accessible to them, you need to comply with the GDPR. For example, if a company has an app on the App Store that is available in the US but not in the EU, it is exempt from complying with the GDPR. However, if the same app is available on a website that is accessible worldwide, the company would need to be GDPR compliant, since EU residents can access the company's app. Likewise, if a company's product or service is priced in an EU currency or offers shipping to the EU, it would still need to be GDPR compliant.

Data Subject Rights: GDPR vs PDPL

While the GDPR and the PDPL differ in some areas, they are on the same page when it comes to providing all users with several rights over their data. Here are all the rights that are guaranteed under both the GDPR and PDPL:

The UAE

Here’s how the UAE’s PDPL interprets Data Subjects’ rights:

  • Right to Access Information - The data subject has the right to request access to the following information:
    • The categories of personal data processed;
    • The purpose of the processing;
    • Whether the personal data is shared inside or outside the state;
    • Automated decision making on his/her personal data;
    • Controls or standards relating to storage of his/her personal data;
    • Actions for rectification, restriction, or erasure of his/her personal data;
    • Safeguards applied to his/her personal data in case of cross border data transfer;
    • Actions to be taken in case of Personal Data Breach;
    • Procedure to lodge a complaint with the Office.
  • Right to be Informed - The PDPL requires all data handlers to inform users what kind of data is being collected on them, where it is being stored, whether it is being shared or sold to anyone, and what protective measures are in place to protect this data.
  • Right to be Forgotten - The data subject will have the right to rectify any inaccuracy of their personal information and the right to require the data controller to erase their personal information.
  • Right to Stop Data Processing - The data subject can exercise the right to request a data handler to cease processing their data in the following circumstances:
    • Where personal data is processed for marketing purposes;
    • Where the processing is for statistical survey purposes, unless the processing is essential for the reasons of public interest;
    • Where the processing does not comply with the Personal Data Protection Principles as stated under Article 5 of the PDPL.
  • Right to Rectification - Similar to the right to erasure of data collected on them, the data subject can also request the data handler to make appropriate amendments and modifications if the data collected is outdated, inaccurate, or incomplete.
  • Right to Data Portability - The data subject has the right to receive their personal data in a structured and machine-readable format where the processing of personal data is subject to the data subject’s consent.

The GDPR

The GDPR remains the gold standard when it comes to data protection regulations around the world. Expectedly, it has an expansive set of rights for data subjects. The most prominent include:

  • Right to Access Information - The GDPR gives all data subjects the right to request access to all information that a company or website may have collected on them. Additionally, a user can request to know how the data collected on them has been used, stored, processed, sold, or shared with other companies. A data handler is legally obligated to inform the data subject of the following whenever requested:
    • The purpose of the processing
    • The categories of personal data concerned
    • The recipients or categories of recipients to whom personal data has been disclosed
    • The retention period or if not possible, the criteria used to determine that period
    • The existence of data subjects’ rights
    • The source of personal data where the personal data is not collected from the data subject and any available information
    • The right to file a complaint to the supervisory authority
    • The existence of data transfers
    • The existence of automated decision-making.
  • Right to be Informed - The GDPR gives all data subjects the right to be adequately informed about any data collection needs of the website and to give free consent to such data collection. This includes, but is not limited to:
    • The identity and contact details of the controller, controller’s representative, and DPO, where applicable
    • The purpose and the legal basis of the processing
    • The legitimate interests pursued by the controller or by a third party where the processing is based on legitimate interests
    • The categories of personal data concerned
    • The recipients of the personal data
    • Data transfers to a third-party or country
  • Right to be Forgotten - The GDPR gives all data subjects the right to request any company or website to delete and permanently remove any data that may have been collected or processed on the user. The data subject has the right to make this request under the following conditions:
    • When the personal data is no longer necessary for the purposes for which it was collected;
    • When consent is withdrawn by the data subject;
    • When the data subject objects to data processing based on legitimate interests;
    • When the data subject objects to data being processed for direct marketing purposes;
    • When the personal data is unlawfully processed;
    • When personal data has to be erased for compliance with a legal obligation;
    • When a child wants to erase data collected in the course of the provision of information society services to a child.
  • Right to Stop Data Processing - The GDPR gives all data subjects the right to request a company or website to cease processing data for any and all purposes effective immediately after such a request is made.
  • Right to Rectification - The GDPR gives all data subjects the right to request amendments to the data collected on them or to request a modification in case of outdated or incorrect data.
  • Right to Data Portability - The GDPR gives all data subjects the right to request a company or website to provide them a copy of all data collected on them in a machine-readable, easy-to-transfer manner.

Penalties for Non-Compliance

This is undoubtedly the biggest difference between the PDPL and the GDPR. While the GDPR takes a much more standardized approach, under which anyone in breach of the law knows what penalties to expect, the UAE law approaches penalties on a case-by-case basis:

The UAE

The UAE's data protection law does not, as yet, have any standardized penalties in place for websites and companies found to be in non-compliance. Further executive regulation will be issued to set penalties after the law is implemented in January 2022.

Until such regulation is issued, the courts and the UAE Data Office will assess each case of non-compliance separately and decide the appropriate punishment in each case.

The GDPR

The GDPR is incredibly strict when penalizing companies and websites found to be in non-compliance with any of the law's provisions.

Under GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company's annual global turnover - whichever amount is higher.

Privacy Policy

The privacy policy is an important document and tool that can help any data handler communicate with their users exactly what they’re signing up for. Both the UAE’s PDPL and the GDPR have comprehensive and clear guidelines over what any data handler’s privacy policy must contain.

The UAE

A controller must, before processing a data subject's personal data, provide the data subject with the purposes of the personal data processing, any third parties with whom the personal data will be shared, and the protection measures put in place to cover any cross-border data transfers.

The UAE's PDPL mandates that all data handlers be transparent about their data collection activities with the data subjects. This includes detailed information about what data is being collected, why it is being collected, how the collected data is used, whether the collected data is shared or sold to another party, whom to contact if the data subject wishes to request access to, alteration of, or deletion of their data, and how the collected data is protected.

The GDPR

The GDPR requires all data handlers to be extensive in their privacy policy. At the same time, all data handlers are required to ensure that the policy is easy to read, comprehensible, and free of any jargon that may obfuscate the consent agreement in any way.

The privacy policy must contain information on the identity and contact details of the controller, the controller's representative where applicable, and the controller's data protection officer where applicable; the purposes of the processing; the lawful basis of the processing; the recipients or categories of recipients of personal data; and, where applicable, whether the controller intends to transfer personal data outside the EU. The policy must also reiterate the rights of data subjects and explain how they can rescind their consent at any time.

Cross Border Data Transfers

Data collected on data subjects is an incredibly vital asset for any data handler. In some instances, this data may need to be transferred to another country, whether for protection or for another reason. In such a scenario, this is what the two pieces of legislation have to say on the matter:

The UAE

Transfers of data outside the UAE's jurisdiction are allowed, provided the country to which the data is to be transferred has an "adequate level of protection". This means a country that has some form of data protection legislation of its own, or one that has signed some form of bilateral data protection agreement with the UAE. Even so, a transfer of data can only occur if the following conditions are met:

  • Under a contract that applies the requirements of the PDPL;
  • After obtaining the data subject’s express consent for such transfer;
  • If the transfer is necessary for the execution of a contract between the controller and the data subject or as part of a contract between the controller and a third party that achieves the interests of a data subject;
  • If the transfer is necessary for international judicial cooperation;
  • If the transfer is necessary to protect the public interest.

The GDPR

The GDPR is unique in this particular case, as it does not mention any jurisdiction outside the EU. Hence, the transfer of data to a country outside the EU's jurisdiction is not overtly addressed. However, there are some strict criteria that need to be met, as judged by the Information Commissioner's Office.

Some of these criteria include:

  • Binding Corporate Rules with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures);
  • Standard data protection clauses adopted by a supervisory authority and approved by the EU Commission;
  • An approved code of conduct;
  • An approved certification mechanism; or
  • Legally binding instruments for cross-border transfers between public authorities.

How Securiti Can Help

The GDPR and the PDPL mean that companies must rethink and strategize their data collection mechanisms. Both pieces of legislation put the user's right to privacy above all else, including user experience. This can be particularly challenging for companies for whom data processing is vital to their ability to offer better products and services.

However, thanks to its PrivacyOps framework, which consists of several machine learning and artificial intelligence-powered tools, Securiti can help companies of varying sizes achieve data compliance swiftly and effectively. To see Securiti's tools in action and learn how they can help you comply with both the GDPR and the PDPL, request a demo today.
