Are you being served? How retailers need to balance personalisation with data privacy

With the introduction of a federally applicable data protection law, retailers in the UAE are now faced with the new challenge of attempting to balance their consumers’ right to privacy against the consumers’ expectations for personalisation, whether through customised services or tailored product recommendations.

As part of the UAE’s ‘Projects of the 50’, on 20 September 2021, the UAE issued Federal Decree-Law No. (45) of 2021 Regarding the Protection of Personal Data (“Data Protection Law”). The Data Protection Law became effective on 02 January 2021 with the aim to align the UAE’s Federal laws with global best practices in relation to data protection and to regulate the collection and processing of personal data in the country.

The Data Protection Law requires organisations that fall within its scope to implement appropriate safeguards to ensure confidentiality and protect the personal data of all data subjects. The executive regulations that supplement the Data Protection Law are due to be issued within 6 months from the issuance of the Data Protection Law. It will contain additional details on the provisions of the Data Protection Law and assist UAE companies in understanding their compliance requirements under the Data Protection Law. Entities that fall within the scope of the Data Protection Law will have 6 months from the issuance of the executive regulations to the Data Protection Law to ensure compliance with the provisions of the Data Protection Law and related executive regulations.

The new Data Protection Law focuses on the protection of personal data, defined as “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”. It prohibits the processing of such personal data without first obtaining the consent of the data subject, except where an exception provided under the Data Protection Law applies. The Law applies to controllers that include persons or entities that have personal data and determine the method, criteria and purpose for processing such personal data, and processors that include persons or entities that process personal data on behalf of the controller under their supervision and in accordance with their instructions.

The Data Protection Law has some extraterritorial application, as the Data Protection Law regulates the processing of personal data by:

• any controller or processor located in the UAE who carries out the activities of processing personal data of data subjects located inside or outside the UAE; and
• any controller or processor located outside the UAE who carries out the activities of processing personal data of data subjects located inside the UAE.

Accordingly, the new Data Protection Law is bound to have a great impact on retailers operating within the UAE, or catering to customers within the UAE, especially if they have not previously been subject to any form of a data protection regime.

The Data Protection Law does allow the newly established UAE Data Office to exempt establishments that do not process a large amount of personal data from complying with all or some of the provisions of the new Data Protection Law.  Therefore, it is possible, but not definite, that some smaller retailers may be exempted.

Why is the Data Protection Law needed?  The so-called “big data” is increasingly becoming a business imperative that businesses around the world are leveraging to transform their processes and gain a competitive advantage in the industry.

Big data is everywhere in today’s technology-centric world. Almost every person on the planet has a digital footprint capable of being tracked, analysed and quantified by retailers to connect with the target audience, and provide personalised and tailored offers and products. The employment of proper analytics to the advantage of retailers contributes towards understanding the consumer’s wants and needs, predicting market trends, making pricing decisions and creating valuable cross-channel shopping experiences, in addition to providing consumers with customised shopping experiences.

However, although businesses have been collecting data on customers for years, the sharp increase in people’s online presence and the corresponding rise in the collection and use of big data in the modern world has led to increased conversations surrounding privacy concerns. A lack of transparency with respect to the how, when, where and for how long businesses maintain and use a consumer’s personal data, coupled with wide-spread reports of data breaches has given rise to concerns relating to the collection and use of personal data. Consumers are growing ever more concerned about the protection of their personal data, whilst also expecting customised retail experiences such as being recognised, advertised relevant products, and presented with offers that satisfy their individual needs.

In light of the above, the enactment of the Data Protection Law is significant in bridging the gap between the retailer’s interest in collecting data and the consumer’s interest in protecting their privacy whilst still enjoying a personalised shopping experience.

The obligations under the Data Protection Law that retailers will need to comply with for the processing of personal data will ensure more accountability and provide data subjects with increased rights in relation to their data, which will help build more trusting relationships between retailers and their

consumers. Retailers will be limited in their collection, use, storage and overall processing of consumer data, which will help strike a balance between the rights of the data subject and the ability of retailers to process data for the purposes of their business.

The most prominent of the requirements outlined under the Data Protection Law is the requirement for controllers and processors of data, which will include retailers, to obtain consent from the data subjects prior to the processing of their personal data, subject to exceptions as provided under the Data Protection Law.

These exceptions include processing for the purposes of protecting the public interest, where the personal data is available and known by an act of the data owner, and where the processing is necessary to initiate procedures of legal claims and defence of rights.

Retailers will need to include a means of obtaining consent from consumers in compliance with the Data Protection Law. Where the retailer processes personal data based on the consent of the data subject, the retailer should be able to prove such consent.

Data subjects also have an array of additional rights enforceable against retailers that process their personal data, including the right to access and correct their personal data and the right to restrict or stop the processing of their personal data. These rights further limit the ability of retailers to process personal data against the will of the data subject. The Data Protection Law also imposes several other obligations on controllers and processors, including conducting impact assessments, notifying breaches to the Emirates Data Office and consumers, appointing data protection officers and restrictions of the transfer of data outside the UAE.

The Data Protection Law also introduces the concept of “profiling” into the UAE law. Profiling is defined as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, including analysing or predicting aspects concerning their performance, economic situation, health, personal preferences, interests, behaviour, location, movements or reliability.

While the  Data Protection Law gives data subjects the right to object to the automated processing of their data, including through profiling, this does not translate to a complete prohibition on profiling. The right to object is limited to objecting to decisions issued via automated processing that have legal consequences or seriously affects the data subject. Furthermore, the Data Protection Law also recognises that the data subject can consent to the automatic processing of their data.

In addition to the rights provided under the new Data Protection Law, Federal Decree-Law No. 15 of 2020 on Consumer Protection (“Consumer Protection Law”) also imposes an obligation on retailers to protect the confidentiality of consumer data and information. The Consumer Protection Law protects the consumer’s data and information against circulation or divulgence for the purposes of trading and marketing.

Retailers, if they are not already, need to be aware that under the Mobile Spam Regulatory Policy, Version 1.0 dated 2020 (“Spam Regulation”), as issued by the Telecommunications and Digital Government Regulatory Authority (TDRA), the consent of the recipient is required prior to a service provider, such as Etisalat or du, sending promotional SMS’ on its networks. Although the obligation to

obtain consent under the Spam Regulation is imposed on the service providers, the obligation may be pushed down onto the retailer through a messaging service agreement.

All retailers that are located within the UAE or that process personal data of data subjects within the UAE will need to perform an assessment of their processing activities and ensure they have the necessary technical and operational measures in order to ensure compliance with the new Data Protection Law before the transitional “grace” period ends.

The timeline for compliance will likely be challenging for some retailers. Although the executive regulations relating to the new Data Protection Law, which is needed to clarify the processes and procedures for implementation of the Data Protection Law, is yet to be issued, retailers will only have a relatively short period of six months after the executive regulations are issued to become compliant with the provisions of the new Data Protection Law and related executive regulations.

For more information on how we can help, please contact Andrew Fawcett (A.fawcett@tamimi.com)