PrivacyEngine Podcast

UAE Data Protection Law (PDPL) Explained

PrivacyEngine


The UAE’s data protection landscape is layered: a federal PDPL plus separate free-zone regimes (DIFC and ADGM). In Part 1, we break down the UAE Federal PDPL, what it covers, how it aligns with GDPR, individual rights, breach expectations, international transfers, governance requirements, enforcement realities, and practical compliance priorities for organisations operating in or targeting the UAE.

Enjoyed this episode? Subscribe for more practical insights on global privacy and data protection. If you have questions about India's DPDPA, KSA & UAE's PDPL compliance, get in touch. We would love to hear from you.

SPEAKER_01

Hello everybody. Welcome to the third episode in our podcast series exploring international privacy and data protection laws. Today's episode is part one of a two-part focus on the United Arab Emirates, where we're unpacking an evolving and often complex data protection landscape. The UAE, or the United Arab Emirates, operates under a federal personal data protection framework alongside distinct free zone regimes, including what we call the Dubai International Financial Centre, or the DIFC, and the Abu Dhabi Global Market, or the ADGM. For many organizations, navigating these overlapping regimes presents real compliance challenges. In this episode, Katie and I will focus primarily on the UAE federal data protection law. So that's the general data protection law for the entire country and not the free zone regimes. This will set the foundation for part two, where we'll look more at the free zone areas. So we'll be able to understand how the system works. In our next episode, then, we'll build on that discussion by taking a deeper look at the Dubai free zones, like we said, the Dubai International Financial Centre and the Abu Dhabi Global Market. Across both episodes, we'll explore how these regimes align with international standards like the GDPR, and most importantly, we'll look at what businesses actually need to prioritize in practice when operating in or targeting the United Arab Emirates. So we have again 12 questions, like we always do, and we'll take it in turns, like we always do as well. And again I'm accompanied by my colleague and friend Katie. So the first question goes to you, Katie. So for our listeners who may not be familiar with the region, can you briefly explain the overall data protection landscape of the United Arab Emirates and why it is considered legally complex?

SPEAKER_00

Yeah, thanks for that introduction and question, Maria. So the UAE has quite a distinctive landscape legally, and that's true as well when it comes to the data protection framework. It's a multi-tiered approach, and unlike many jurisdictions, which operate under a single national law, the UAE is almost comparable to the EU, and they're both unions, so they combine federal data protection laws with separate laws that govern particular regions in the union. So the federal laws have the PDPL, which is the overarching, quite, I'd say, general one that's issued. It was issued on the 26th of September 2021, and they also have a series of sector-specific federal laws that include banking and healthcare. They also have fully developed legal regimes within key zones. So a couple of those are the Dubai International Financial Centre, DIFC, and the Abu Dhabi Global Market, ADGM. So as I said, we're gonna focus on the federal today and then go into the free zones more in the next episode. But so it's a tiered approach. And this is typical of the UAE's broader legal structure. It's not just data protection. They have a civil law system at the federal level and a common law system in the financial free zones or the particular emirates, and as a result, it depends. Whatever law applies to an organization is going to depend on where you're established, where the processing occurs, and the category of data you're actually handling. So for an international organization, it is useful in a way that a lot of the requirements can be similar to the GDPR, but you need to understand exactly which applies to your processing operations.

SPEAKER_01

Absolutely. Yeah. And so you mentioned there, so the GDPR, we've always said it's industry agnostic, so it cuts across all industries. And as well, it applies to all the member states of the EU. Whereas with the federal PDPL, it's not industry agnostic then, is it? And it doesn't apply to specific areas within the United Arab Emirates. Is that correct?

SPEAKER_00

Yeah, well, I suppose I would put it this way. So they have the PDPL, which is, I'd say, a general standard for all industries. But then they also have sector-specific laws that are at a federal level, like from the central bank, that just go further. So no matter where you are, you might have this, you know, the PDPL level, and you might not have to go deeper than that, basically. And then yeah, if you're in Dubai, the DIFC goes a lot deeper, it goes into a lot more granular detail than the PDPL. So then that will apply in the sense that you have more obligations. And I think that's just because they have a lot more international business in those free zones.

SPEAKER_01

Okay. So the DIFC and the ADGM are very similar. We'll see it in part two as well, but they're more similar to the GDPR, aren't they, than the federal law.

SPEAKER_00

They are, yeah. They definitely go into a lot more detail in areas, as the GDPR would, whereas the PDPL is quite surface level. It hits all the right notes, but it doesn't give exact granular detail on the controls and the considerations compared to the free zone laws.

SPEAKER_01

Yeah. And as well, we have to bear in mind that it's a relatively new piece of legislation as well, because it came into effect in January 2022. You know what I mean? So we've only got about three years of enforcement, so it will take time to kind of mature.

SPEAKER_00

Absolutely. So we'll go on to your next question here, Maria. So what exactly is the UAE federal personal data protection law? When did it come into force and what are its overarching aims?

SPEAKER_01

Okay, so like you said, Katie, the legal landscape in the United Arab Emirates is quite complex. So the federal personal data protection law passed in 2021, but it came into effect in January 2022. And it's different to the GDPR in that it relies very much on executive regulations. And these came in in 2023, and there's more still to come in. So, what I mean by executive regulations is they're a legally binding set of rules issued by the government's executive branch, and so they would specifically explain how to apply the law, and that kind of happens in a civil law region as opposed to a common law region. So that's kind of how it differs as well with the GDPR and as well with the DIFC and the ADGM. Like you said, they're common law regimes. So, yeah, it depends on, you know, it was passed in 2022, it needs executive regulations for people to be able to understand what obligations they have under the law. And so, again, we're talking about three years of enforcement, so there's still more executive regulations that need to come online in order for the full enforcement of the law to take effect. The primary objective of the law is to protect individuals' personal data, to regulate how organizations collect, use, and share that data, like the GDPR. And it was also put in place to strengthen trust in the United Arab Emirates' digital economy. So we're seeing more and more across various different jurisdictions, in order to attract business now, you kind of have to put data protection laws in place. So, again, that was another driving force for getting this in place. Importantly, it also has extraterritorial reach, similar to the GDPR, which means that you can get foreign organizations to comply with the law if they are processing the personal data of individuals that are located within the UAE. Okay, so it's the first comprehensive UAE national data protection framework as well. So, very much like the GDPR, it establishes a baseline, a set of data protection rights for individuals and obligations that organizations need to follow. But again, like we said, it's slightly different in that it is a civil law regime as opposed to a common law regime.

SPEAKER_00

So people are really going to be relying on the executive decisions to understand how to implement it because of the civil law nature.

SPEAKER_01

Exactly, yeah. And that kind of makes me think about the DPDP Act in India, because we looked at that a few weeks ago, and the law came into effect in 2023, but then the rules came into effect in 2025, and they're binding rules to help people understand how to apply the DPDP law. So even though India is a common law regime, they have also given a set of rules for people to understand the law better, and you can kind of see that here as well in civil law in the UAE. You know, they're giving guidelines on how to interpret the law for organizations. So yeah, there are a few overlaps between the GDPR and the DPDP that we kind of look at as well. Okay, so for you, Katie, question three, for clarity, and just keep it brief as well, because we're gonna go into much more detail about this in part two. But would you be able to explain how the Dubai International Financial Centre and the Abu Dhabi Global Market data protection laws differ from the federal law? And why do these separate regimes exist?

SPEAKER_00

Absolutely. Thanks for that, Maria. So the DIFC and ADGM are a lot more similar, structurally and I suppose in the language used, to the GDPR compared to the federal PDPL. The actual documents, the legal instruments themselves, are each nearly double the length compared to the PDPL. So they go into a lot more detail that we're familiar with in the GDPR, as we'll see as we talk about the differences. So the PDPL has a lot of controls that we're comfortable with, that we'd like to see in a data protection law, but the purpose is different. So the DIFC and the ADGM had this international scope in mind compared to the federal law. So the federal law was very much thinking of a national context, whereas the free zones were thinking in an international context. They were specifically designed to encourage international business and to meet international standards and expectations when it comes to financial services and digital businesses. So just a couple of points here of specifics. I won't get too into it because we're gonna talk about it again. But all of the laws have a lot of the same data subject rights. But the free zone laws go into more explicit lawful bases, detailed guidance when it comes to transfers, and they go into more detail when it comes to penalties and non-compliance.

SPEAKER_01

They're much more modelled on the GDPR, from what I can gather, aren't they?

SPEAKER_00

Yeah, absolutely.

SPEAKER_01

And as well, they're a common law regime as opposed to the civil law regime that we have in the federal law for the United Arab Emirates.

SPEAKER_00

Yeah. Basically they exist because these free zones, their intention is to function as a global business centre. So they need to be more on par with international standards compared to the national law. Like the federal law they can make a bit more specific to their culture. Like you know, in previous episodes we were noting a few things that we thought spoke to the culture of the country.

SPEAKER_02

Yeah.

SPEAKER_00

So the PDPL has a bit more freedom to do that, whereas the free zone laws need to be a bit more corporate, you know.

SPEAKER_01

And as well, I think they made them common law because, you know, you have the UK, you have Europe, they're all kind of common law, it seems. So it makes it easier for transfers and so on, and to do business in these common law regions as well, or jurisdictions, for the DIFC and the ADGM. And we had that as well with the Kingdom of Saudi Arabia PDPL, you know, where we saw within the law a lot of considerations towards their culture and what was important for them in their culture, and they kind of modeled their data protection law towards their culture, and it's similar as well with the UAE. The federal law is more specific to their culture, I think. And like you say, then they kind of allowed for the DIFC and the ADGM to be more internationally focused.

SPEAKER_00

I'd say that's the main distinction. Yeah, yeah. And reasonable for me, I'd say. So I'll move on to the next question here for yourself, Maria. So how do organizations know which law is going to apply to them?

SPEAKER_01

Yeah, so again, like we've said, it's quite complex. You have the overarching federal PDPL, you have the DIFC law, and you have the ADGM law. So it depends really on where the organization is legally established, and that's similar to the GDPR in that you have the main establishment under the GDPR, and then that determines which supervisory authority you're reporting to, and so on. So it's similar in that respect. If an organization is established onshore in the UAE, it generally falls under the federal PDPL. If it's established in either of the DIFC or the ADGM free zones, then those laws would apply to the organization. The complexity actually starts to arise when organizations operate across multiple zones. So you have, like, an organization that's in the DIFC, the ADGM, and then onshore as well in the UAE. So you have a case where you have shared service models or international cloud infrastructures, and that gets complicated then, trying to understand what laws apply if, say, somebody's data is stored onshore, but they're actually located in the DIFC or something like that. But we'll look at that in more detail next week. But just for the time being, bear in mind that it's important to understand where the organization is established, and you have to consider where the data is being processed as well in order to determine what law applies. So I suppose it's worth just noting as well, though, that it's similar in a way to the GDPR, in that it's kind of a layered approach. Like the GDPR sits in Brussels and it's enforced across the member states, but then the member states have a little bit of leeway to interpret the GDPR and to bring it into their own statutes and so on. 
With the system in the UAE, you have the general federal law, but you have separate zones. So that's slightly different to the GDPR in that the federal law does not actually apply to these separate zones, whereas the GDPR applies across all member states.

SPEAKER_00

I think that's something that is a notable difference, actually.

SPEAKER_01

Yeah. Okay, but again, like we said, we've broken this into two parts. So we're focusing on the federal law today, so we'll leave that for the time being and we'll get into more details. And if you're interested in the DIFC and the ADGM, make sure to listen to part two because we'll get into much more detail in that episode. But now let's move on. So the next question for you, Katie, question five. To what extent does federal United Arab Emirates data protection law mirror the GDPR? So again, we can get into more detail here about what the similarities and the differences are.

SPEAKER_00

Yeah, so the PDPL is clearly GDPR inspired. The structure is quite familiar, it uses a lot of the same definitions, it has the same controller processor model, it has a lot of the same data subject rights. You need to have technical and organizational security measures, they have their data breach and notification requirements, they have risk assessments where there's higher risk processing, and they also regulate international data transfers. So if you're an organization already operating under the GDPR, a lot of the concepts will be familiar. The main difference is detail and emphasis. So as we've seen with a lot of the other laws, their lawful basis is consent. So they put consent at the forefront of lawful processing. The scope again is more fragmented because of what we've been saying and what we'll go into more detail on in the future. And I'd also say the cross-border transfer mechanisms are given less attention. But of course, you know, there's gonna be more executive decisions on the implementation of that. So it's important to know that there are federal laws for specific sectors like banking, finance, and health, so even if you're not in the Dubai free zone or in one of the other free zones, there are still more laws that might apply to you than just the PDPL. So if you're a financial service operating outside of the free zones, you still have the central bank rules to abide by, and they go into far more detail than the PDPL, and they have significantly more operational burden compared to the, you know, bog-standard federal law, I'd say. So you need to pay attention to whether you're in a free zone, what emirate you're in, what sector you're in. It's a lot more layered, I'd say. Another point is enforcement. So there's a lot less guidance on enforcement compared to the GDPR. 
There's less information on how fines and penalties will be doled out compared to the GDPR and compared to the free zones and compared to the sector-specific laws. So yeah, GDPR is a strong starting point, but it's a layered approach, and you really need to map what laws are going to apply to you, because it can be a huge difference as to whether just the PDPL applies or whether the PDPL and the central bank laws apply. You know, it's quite important.

SPEAKER_01

So depending on your industry. So, like we said before, it's not industry agnostic like the GDPR; we may have to enforce the federal data protection law, the PDPL, as well as other industry-specific laws. Okay. Another thing to remember as well is that the UAE's actually a civil law regime, whereas, you know, the GDPR has a common law regime, and I saw something that was kind of nice and kind of summed it up for me anyway, which was that with the UAE, the question that you need to ask is what law applies? So you have the free zones and you have your industry laws and so on. So it's more about exactly what laws apply in this specific situation, whereas in the EU the GDPR applies everywhere, and the important thing to understand is where your main establishment is. So the one stop shop mechanism helps you understand what specific national laws apply to you, what regulator you report to, and, you know, the courts that will be important to you under the GDPR. So I thought that was kind of interesting as well.

SPEAKER_00

Yeah, that is a good summary of it. So we'll move on to question six now. It's about the individual rights. So what rights do individuals have under the federal PDPL? And what can businesses do to facilitate these rights?

SPEAKER_01

Okay, yeah, so the rights are quite similar to the GDPR rights. Individuals are granted quite a solid set of data protection rights, and if you're used to the GDPR, this set of rights will feel quite familiar to you. They include the right to be informed about how the individual's personal data is being processed, they have the right to access that data, to correct the data if it's wrong, and even to delete it if they want. They have the right to restrict or object to certain types of processing, again like the GDPR, and they have the right to request the transfer of their data to, you know, another service or whatever. So the law recognizes protections around automated decision making as well. So the whole idea of automated decision making is less explicit than the GDPR would be. But they do have the ability to object where automated processing produces legal or similarly significant effects. So in practice, this means that businesses must put proper operational processes in place, like again with the GDPR. So it's not just about putting policies in place and then forgetting about data protection. Organizations need to have clear privacy policies, they have to have mechanisms to receive and respond to data subject rights requests, you know, like the DSAR that we have under the GDPR. They should put in internal controls to locate and amend or delete the data, so they need to understand where the personal data is being stored. So again, you would have to do that kind of mapping procedure like under the GDPR, and even though a ROPA is not required, you need to understand where your personal data is being stored within your organization. 
So for companies already operating under the GDPR, much of this infrastructure will probably exist, so it'll feel familiar to you, but you will still need to understand, again, like we were saying, the cultural differences between the two jurisdictions. And from my understanding, the GDPR again is a more mature regime because it started in 2018, and there was a strong lead up to it as well. People were preparing for it for two years. We only have three years of enforcement with the federal law. So the rights under the GDPR, in my opinion, are broader and they're more easily enforceable at the moment. But again, with the executive regulations, we'll probably see that changing as we move forward with the UAE federal law. The GDPR rights are more explicit and they're more granular. Whereas the rights with the PDPL, they're more general, and they will probably be fleshed out through executive regulations, like you said. And there's more regulatory discretion, I think, to interpret the rights under the UAE PDPL. So yeah, I think they're very similar, but again, the GDPR is a little bit further down the line, so the rights are more mature, I think. But in the future we'll probably see that being refined going forward under the UAE as well. So, question seven for you, Katie. International data transfers are a major concern for businesses. How are cross-border transfers regulated under the federal UAE framework?

SPEAKER_00

Thanks, Maria. So international data transfers under the UAE federal law are conceptually similar to the GDPR, as we see again and again, you know, on the surface, you might just think it's the same, but you do have to look into it more. So they do have adequacy like the GDPR, and where an adequacy decision is relevant, it's a lot more like the GDPR. So they have two situations: an international transfer where there's an adequacy decision or an adequate level of protection, or where there isn't adequacy, where they have specific conditions or exceptions that apply. And the specific conditions is where it diverges from the GDPR more, in my opinion. They have a couple of considerations for what constitutes an adequate level of protection, which to me is quite similar to the GDPR. Like a state that has adequate protection is gonna have controls for privacy, a regulatory authority imposing the regulation. And they've also said they need to have the ability to exercise the data subject's rights. So it is quite similar to the GDPR there, especially with the data subjects' rights. I mean, that's a lot of people's main concern, you know, with our citizens' personal data. Are they going to have the same rights if their data's transferred? So that's quite similar, in my opinion. The exemptions are a bit different. They include explicit consent of the individual, performance of a contract, public interest, vital interest.

SPEAKER_01

So when you say exemptions, these are exemptions from adequacy decisions, is it?

SPEAKER_00

So yeah, it's where an international transfer will remain legal in the absence of an adequacy decision.

SPEAKER_01

Okay. So alternative safeguards, kind of like under the GDPR. Yeah. So that's consent, contract, what was the other one?

SPEAKER_00

Consent, contract, vital interests, public interests.

SPEAKER_01

Okay. But that's quite general, actually, isn't it?

SPEAKER_00

It is quite general.

SPEAKER_01

So that would kind of leave it more up to the regulators to interpret what that would be, public interest, you know.

SPEAKER_00

Yeah, like there's a lot more detail about international transfers in the free zone laws.

SPEAKER_02

Yeah.

SPEAKER_00

That is a common thread with the PDPL. You know, it does have the sections on international transfers, but it is very, you know, high level now, anyway.

SPEAKER_01

So again that leaves it to the regulator's discretion to interpret what is meant by the law. Yeah, okay.

SPEAKER_00

I'll move on to your next question. Maria, in relation to data breaches. So, what are the breach notification obligations under the federal PDPL?

SPEAKER_01

Okay, thanks, Katie. So under the federal data protection law, organizations have an obligation to notify the regulator of personal data breaches that may affect the privacy, the confidentiality, or the security of personal data. Where a breach poses a risk to individuals, affected data subjects must also be informed, and that's again similar to the GDPR. While the law does not mirror the GDPR's 72-hour rule, it places a strong emphasis on the fact that they should promptly notify the people involved, and expects organizations to act without undue delay once a breach is identified. So they don't oblige an organization to report the breach within 72 hours like the GDPR, but they do say it needs to be prompt notification. So in practice, this means that businesses need to have a well-rehearsed incident response process like the GDPR. So if it's going to be prompt, you need to be able to enact your breach response fairly quickly, so you don't rely on ad hoc reactions. So organizations should be able to quickly assess the nature and impact of a breach, determine whether notification thresholds are met, and coordinate internal teams to engage with regulators and any individuals that are involved. So again, companies that would be working under the GDPR would be familiar with this kind of approach. And the overall approach will be similar, but the timelines, the thresholds, and the reporting expectations would be different. And again, I think, from trying to understand the differences, the breach notifications that you would have to carry out under the federal law as opposed to the GDPR are much more risk-based. So you'd have to assess, okay, is this going to be a risk to the data subject? And so we'll have to notify the regulator or notify the data subject. 
Whereas with the GDPR, it's much more like we have to notify first, kind of, you know, if there is some sort of harm. So I think the threshold is lower for reporting in the GDPR than it is for the UAE federal law. But they're very similar in the way that they approach data breaches. So moving on to question nine, then, Katie, for you. What governance and accountability requirements do organizations need to be aware of when operating under the federal law in the UAE?

SPEAKER_00

Okay, so when it comes to federal laws, it does depend again on what sector you are operating in. So for an organization that's subject to the PDPL alone, you're gonna have to maintain your record of processing activities, with very similar information to the GDPR. You're going to need to continue doing your due diligence with all your processors and subprocessors. You need to have your documentation centralized and ready to present to the bureau. You're gonna need to implement the appropriate technical and organizational measures to protect the data. Then there's another tier where your processing represents a higher risk to the confidentiality and privacy of data subjects' personal data, or where there's systematic automated processing, or where you handle large volumes of sensitive personal data. So in those situations, you're gonna have to appoint a data protection officer, a DPO, and they're gonna have a role very similar to the GDPR. And in those situations, you're also gonna have to carry out a data protection impact assessment to identify and mitigate the risks to individuals. So that's a lot of the same.

SPEAKER_01

Yeah.

SPEAKER_00

It is, but then you could go the step further. If you're in the financial sector, you definitely have more regulatory burdens. So organizations that offer financial services need to have a comprehensive data management control framework. They have a series of additional controls required when it comes to digital transactions and digital data. They need to designate internal responsibility within their organization for data management, whether there's automated processing or not.

SPEAKER_01

Okay, okay.

SPEAKER_00

So they're all gonna need a DPO, essentially.

SPEAKER_01

In the financial sector.

SPEAKER_00

Yeah, or even a team, you know, it doesn't matter if they don't have the sensitive data or if they don't have the automated processing, they need to have internal responsibilities no matter what. They also have more obligations when it comes to lawful basis. Like one big difference of the PDPL, there's not that much information on lawful bases other than consent. They have basically consent as the gold standard, and then situations where you might not need consent, whereas the sector-specific laws go into a bit more information about lawful basis, and you need to document them a bit more thoroughly. And this is actually one similar point to the European regime, that they do have additional retention periods to consider. Like we have that in Ireland too when it comes to financial information. So that's one thing that's a lot different, actually. In the health sector, they also have additional obligations; their main additional obligations are to do with transfers. So, like we said, the PDPL doesn't go into that much detail about transfers, but in the health sector, an organization is limited from storing, processing, or transferring health information and data outside of the UAE except by express decisions relevant to the Emirate or jurisdiction in which they're based. So just another layer of protection there to be aware of.

SPEAKER_01

There's a different consideration there. Is that great?

SPEAKER_00

Well, yeah, I suppose it's not based on consent if it's based on the Emirate or decision. But that is one difference of like you see that you see that in the sector-specific laws and the free zone laws. That the the overarching federal PDPL doesn't give as much attention to lawful basis as every other law that might be applicable, like they go into a lot more detail when it comes to that, actually, which is is is a notable distinction. So yeah, basically no matter what, there is going to be need you are gonna need to define responsibilities and senior level oversight to data management processes. You always need to document your decision making. You always need to document um what personal data you have and the purposes for processing. You need your policies, training, vendor management, and risk assessments at a federal level. And then once you are in those other sectors, you just need to go that little bit step further in certain areas. So it it it is it is quite like GDPR style accountability.

SPEAKER_01

Just one question. Does the UAE specify like like in the GDPR special category data, or is it just personal personal data like we had with the DPDP in India?

SPEAKER_00

They have special category data, and they define it as any data, any data which directly or indirectly reveals a natural person's family, ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, or any data relating to such a person's health and physical, psychological, mental, genetic, or sexual condition, including information related to the provision of healthcare services. So that's actually interesting that a lot of these Gulf regions have considered data related to your family or your lineage to be special category data. And another thing to note that they do include someone's sexual life or sexual condition as they put it, and not all the Gulf regions include that in special category data. So that was actually a good question.

SPEAKER_01

Um that's interesting, isn't it? Yeah, yeah. So it's similar in that respect to the GDPR then. Does it include financial data as special category data?

SPEAKER_00

No, it's not special category, so then that's also you know one distinction with the sector-specific law that they say, you know, in the in the PDPL, you need your DPO if you handle a large amount of special category data. Financial data is not special category data, but still you have these further obligations.

SPEAKER_01

Again, very similar then to you know the GDPR in that respect.

SPEAKER_00

Yeah. So I'll move on to question 10 here for you, Maria. How active is enforcement in practice under the federal law and what penalties can organizations face?

SPEAKER_01

Thanks, Katie. So um enforcement under the UAE Federal Data Protection Law, it's still relatively early stage. So again, we've spoken about how it's only about three years of enforcement at the moment. It's still not as mature as the GDPR. So it's still early stage, and particularly when compared to the mature and highly visible enforcement landscapes, again, like the GDPR. The regulatory framework provides the competent authority with powers to investigate non-compliance, issue corrective measures, and to impose administrative penalties. So again, it's high level, I would say similar at a high level to the GDPR, but enforcement practice is still evolving as a regime beds down and organizations adjust to the law's requirements. So for businesses, this does not mean enforcement risk can be ignored. Uh, the law allows for financial penalties still. So if you're not compliant, you could you could still be subject to uh financial fines, uh, corrective orders, and of course the reputational consequences can be quite huge. And that's another reason why they brought it into they brought this law into effect anyway, in the first place to increase trust um in the kind of the business landscape of the country. Um so all regulators are expected to become more active as guidances, executive regulations, implementing decisions, and supervisory capacity develop. In practice, organizations should treat this phase as a window to get governance and controls right, um, rather than like sitting back and thinking that you know there's not much that they can do for the moment without the kind of executive regulations. Again, we have a lot of kind of support and guidance that you could look towards the GDPR or more mature kind of frameworks that have been in place for longer to get your compliance up and running. Um, a demonstrable good faith compliance effort supported by documentation and operational controls is likely to be critical if and when the regulatory scrutiny increases. 
So, again, you know, work towards getting your jobs in order. Um so that when you the these executive regulations do come down the line, it's not going to be so onerous for your organization to comply. And I think that's very similar to what we're seeing now with the digital omnibus in Europe, in that you know, we have the enforcement of the EU AI Act coming down the line, and we have certain dates coming up, you know, for high-risk systems and so on on the 2nd of August 2026. And now with the digital omnibus, there's a tendency or there's a temptation to, you know, think, oh, you know, there's nothing, you know, they're pushing it out until 2027 or 2028. But again, you know, you know, it's important to know that they will eventually come. And so why are you waiting? You know, breaches don't wait for regulation to be brought into effect, you know, so you're still at risk, you know, even if the executive regulations uh under the UAE federal law haven't come out yet, it's important that you continue with your compliance regime because you know, uh, data protection breaches and uh data protection subject access requests don't wait for the executive regulations either, you know. So you don't waste time, I would say.

SPEAKER_00

Uh I definitely agree. Like I think it's worthwhile to be conscientious about how you manage data, whether there is regulatory scrutiny or not, because at the end of the day, like all of these data protection regulations are kind of rooted in the fundamental right to privacy. So I just feel like it's also just having a respect to kind of your employees and customers' personal data, whether or not you're gonna get fined for it, you know. It's absolutely good practice.

SPEAKER_01

It's good practice, and as well, I think customers and employees they get they get a sense for whether uh an organization is respectful of their personal data or not over time. Do you know what I mean? Uh so it's I think it's really important uh for organizations to build that trust because again, trust only comes with time, you know. So exactly you know, demonstrate what you believe in. You know what I mean? That data protection is important to your organization. Yeah. Okay, so uh question eleven then, Katie. This is the penultimate question, uh, so we're doing good for time. How well equipped is the federal UAE data protection framework to deal with artificial intelligence and emerging technologies?

SPEAKER_00

So it the PDPL it does give attention to AI and emerging technologies. I mean, that is one of the biggest reasons why people are becoming so anxious about what is happening with personal data, you know. So they have their article 18, which stipulates that data subjects have the right to object to any decisions that result from automated processing or decision making. This includes profiling. And it says especially so where those decisions are going to have a legal impact or an adverse impact on the data subject. So they do have some limitations on this right. This particular right is not absolute. They cannot object where the automated process is subject to a contract that they have entered into with the controller where it's provided under their legislation or regulation applicable to their emirates or jurisdiction. So, you know, I just become a bit curious about that, like what what laws might provide for automated decision making explicitly. And then in the third situation where they have given explicit consent, they do have an absolute right, which is to request that a human be in the loop when they are subject to automated processing. So there aren't any exemptions listed for that right, probably. You know, that's quite a positive thing. There is significant interpretive work on the part of organizations. And it is just one article, but you know, it's it is there, and the fact that Human in the Loop doesn't have an exemption is I consider to be quite a positive thing. So it it can be bulked at more, like especially with the rate of how these technologies are adopting. And there is going to be more executive decisions, so there might be more details in the exact interpretation and implementation of this. Maybe even more controls.

SPEAKER_01

Does it does it have an equivalent of the EU AI Act? Do you know? I don't think it does. I don't think it does.

SPEAKER_00

I mean, the AI Act was the first one.

SPEAKER_01

Yeah. I think it it it relies more on a mixture of national strategies, ethical principles, institutional frameworks, and kind of existing laws to kind of implement AI at the moment. And like you say, the data protection law is quite heavy on the protection of data when it comes to technology and so on.

SPEAKER_00

In 2024, they officially established their Artificial Intelligence and Advanced Technology Council, and they're situated in Abu Dhabi.

SPEAKER_02

Okay.

SPEAKER_00

So they oversee advanced AI projects, research, infrastructure, and investment.

SPEAKER_01

And I know that they have the UAE strategy for AI 2031, which is aiming to establish the UAE as a leader in AI. Um, and they have goals around education, infrastructure, governance, and innovation in the country. So that's another piece that's important.

SPEAKER_00

And the I do the free zones have a bit more on AI, and which I suppose we'll talk about in our next episodes. But that's a PDPL, I suppose, and national federal level anyway. So we'll move ahead here to our final question for you, Maria. So looking ahead, where do you see the federal UAE data protection regulation evolving and what should organizations prioritize right now?

SPEAKER_01

Thanks, Katie. So I think like looking ahead, the UAE's federal data protection regime is likely to evolve because, like I said, you know, like we've said throughout the podcast, it only has three years of enforcement at the moment. So I think we're going to see greater regulatory guidance is coming, clearer enforcement practices, closer alignment with international standards, rather than through wholesale legislative change. As the framework matures, we can expect more clarity on areas such as cross-border transfers, breach notification thresholds, and the application of data protection principles to advanced technologies like AI. So again, I think it's going to just mature as the years roll on and we get more and more enforcement. This will help move the law from a principle-based framework into a more operationally predictable regime like we're starting to see with the GDPR. Right now, organizations should prioritize waiting for the law, the PDPL, to mature. Organizations should prioritize getting the fundamentals right. And again, we have a lot of kind of guidance there when we look internationally at the GDPR and so on. That means understanding whether and how the federal laws apply to them. Because again, we said it's it's kind of a complex landscape. Uh, mapping data flows, putting governance and accountability structures in place, and ensuring that they can respond to rights requests and instance data breaches and instance in practice, not just on paper. So for businesses already compliant with the GDPR, the immediate task is not to reinvent the wheel, but to adapt to governance to the federal PDPL. Translating existing controls to fit the UAE's legal structure, its scope, and regulatory expectations before enforcement activities become more established. You know, again, give it time and there'll be more and more kind of clarity with time. But again, like we said before, don't wait for that to happen. Just start with your governance now.

SPEAKER_03

Yeah.

SPEAKER_01

Okay, so that kind of brings us to the end of all our questions for this week. So this is the end of part one, where we have explored the federal United Arab Emirates Data Protection Law. In our next episode, we'll continue the series by turning to the Dubai free zones and most specifically the DIFC and the ADGM. Looking at how these regimes fit into the wider regional landscape. What's already clear is that while these frameworks are increasingly aligned with international standards, organizations operating in or targeting different jurisdictions need a structured, jurisdiction-specific approach to compliance. So thanks, Katie, for taking the time today to have this conversation. Thanks to our audience for listening. And don't forget to subscribe to the podcast. And please join us in part two of this episode to help us unpack how privacy regulation is evolving in the free zones in UAE. Thank you. Thanks, everyone. Thanks, Katie.