UAE Federal Decree-Law No. 45/2021 on Personal Data Protection

1. Introduction

The UAE law on “The Federal Decree-Law N0.45 of 2021 on the Protection of Personal Data (PDPL)”  was enforced to make sure that people’s  data  such as voice, biometric data, likeness is being legally utilized. Although it is not particularly for deepfakes, the legislation covers numerous instances of AI-created content. Its main objective is to provide individuals more control over their data while making sure that businesses are using this data with responsibility.

2. Scope of the law

Personal data that is related to a defined or identifiable person will fall within this law. 

UAE incorporated businesses, foreign businesses selling products, as well as data controllers and processors dealing with data belonging to UAE residents are subject to PDPL. It also protects any sensitive personal data of political or religious views, biometric information, health information, or ethnic origins. It does not extend to the UAE government bodies processing personal data.

3. Key provisions of the Law

• Forbidden Acts: The individual’s.explicit consent is free for use by the organization to continue processing personal data. PDPL categorically prohibits collection of.personal information without notice.
• Consent Conditions: Article(5) on the basis of this article processing of personal data should be undertaken based upon the data subject’s consent. Consent must be explicit, clear, and voluntary. Individuals are eligible to withdraw from the consent at any time.
• Platform Obligations: Organisations will have to appoint a Data protection officer where they conduct high-risk processing.They will make sure to enter into agreements with third parties who process data on their behalf (Data Processing Agreements)

4. Enforcement and Sanctions

Administrative Fines: Companies violating the PDPL can be charged hefty administrative fines. The amount of the fines is not specified through decree but regulations enacting the penalties shall be enacted by the cabinet.

Criminal punishments: In some cases of significant offenses like selling data illegally, criminal penalties like jailing can be met under other laws of the UAE.

Authority for enforcement: Enforcement of law should be done by the recently formed UAE Data Office. It can make audits, and pursue complaints.

5. Notable Cases or Precedents

There have been no major public court cases ,as the PDPL only became enforceable in January 2022.Nevertheless,firms in banking,e-commerce,healthcare , and technology have begun aligning their data policies with PDPL standards.

6. Comparison to Global Standards

PDPL is influenced by the EU’s GDPR,particularly about security requirements,rights of the individual,and consent.PDPL as compared to GDPR grants slightly greater flexibility in data transfer,while  GDPR is more rigid.The PDPL in relation to U.S. laws grants strong rights to individuals with great clarity in consent.

7. Future Outlook

The government of UAE will soon release  Executive Regulations to specify in-depth  standards under PDPL,particularly for certification schemes for data controllers,cross-border data transfer,clarifying penalties and fine amounts.