Jane Rahman - Senior Counsel - Arbitration
A version of this article first appeared in Kluwer Arbitration Blog on August 6 2020.
There are four different and distinct data protection regimes within the UAE. Onshore UAE has its own (rather fragmented) data protection regime and, in addition, each of the following free zones have their own data protection regimes: (i) Dubai International Financial Centre (‘DIFC’); (ii) the Abu Dhabi Global Market (‘ADGM’); and (iii) Dubai Healthcare City (‘DHCC’).
Parties to arbitrations that have connections to the UAE or its free zones, regardless of whether those arbitrations are seated here, should be aware of the data protection regime(s) that may apply to them to ensure that no unintended breaches occur.
In this article, we briefly describe the different data protection regimes within the UAE, and we then consider some issues that parties to arbitrations connected to the UAE may wish to keep in mind as a result of the applicable data protection laws.
The Data Protection framework in the UAE
There is no single data protection law in onshore UAE. However, that does not mean that there is no legislation relating to data protection in onshore UAE. In fact, there is a broad and relatively far-reaching concept of privacy that is protected under various UAE laws, and these have data protection consequences. But it does mean that practitioners and controllers of data need to be more alert to the different sources of law that they must consider when ensuring compliance with data protection obligations.
In brief, federal sources of law and regulation on data protection issues include: (i) the UAE Constitution (Federal Law No. 1 of 1971) which, at Article 31, includes broad protections for privacy of communications; (ii) the UAE Penal Code (which provides, at Articles 378 and 379, for criminal liability for certain breaches of privacy); (iii) the UAE Central Bank’s Digital Payment Regulation (the Regulatory Framework for Stored Values and Electronic Payment Systems), which relates to digital payment service providers in the UAE; (iv) the Cyber Crimes Law (Federal Law No. 5 of 2012 on Combating Cyber Crimes) which, among other things, at Article 7 prohibits obtaining and dealing with certain information relating to medical data, at Articles 12 and 13 sets out certain prohibitions relating to financial information, and at Articles 21 and 22 prohibits the use of information technology to violate the privacy of an individual or to disclose certain confidential information; and (v) the Law Regulating the Telecommunications Sector (Federal Law by Decree No. 3 of 2003, as amended) which, among other things, establishes the Telecommunications Regulatory Authority (the ‘TRA’) (Article 6) and provides that one of the TRA’s competencies is the issuing of regulations regarding the use of subscribers’ personal information (Article 14(3)).
In addition, Dubai has passed some of its own laws and regulations which may impact data protection. These laws include what is known as the Dubai Data Law (Dubai Law No. 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai) which requires that certain data that is held and which relates to the Emirate of Dubai is collated and managed and, in some cases, published as open data. Although the law is not itself a data protection law, it refers, in general terms, to data confidentiality and data protection. In addition, the Dubai Statistics Centre Law (Dubai Law No. 28 of 2015) protects personal data (not defined in the law) that has been obtained as confidential and limits how it may be disclosed or disseminated.
The net result is a patchwork of laws and regulations at the federal and emirate levels that seek to protect privacy through mandating and regulating how certain data is collected, stored, and shared. Breaches of the relevant UAE laws can lead to criminal and/or civil liabilities, imprisonment, and/or fines. For those involved in arbitrations that may involve data from or relating to this region, some considerations include whether any data in the arbitration:
Of the UAE’s many free zones, three (the DIFC, the ADGM, and the DHCC) have their own data protection regimes.
In addition, the UAE’s criminal law uniformly applies across the country, including in the free zones. Accordingly, criminal liabilities relating to data protection (as discussed above) will be equally applicable in the free zones.
The DIFC’s current data protection law, Data Protection Law No. 5 of 2020, came into effect on 1 July 2020. It replaces DIFC Law No. 01 of 2007, as amended.
The new law means the DIFC has the most up-to-date data protection law across the UAE and its free zones. A more detailed summary of the new law can be found here. Key takeaways include that, when the law applies, personal data may only be processed lawfully and in accordance with the new law (Section 9). In order for processing to be lawful it must either be by consent or one of the other grounds must apply (Section 10). None of these grounds make reference to judicial or arbitral proceedings but, arguably, some of the grounds could be construed so as to include judicial or arbitral proceedings. In addition, some categories of personal data (Special Categories) are afforded extra protections. So, personal data that reveals or concerns “(directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person” must be treated with greater care. For such personal data, unless a data subject gives explicit consent to the processing of this personal data, it may not be processed unless one of eleven other grounds applies. One of these grounds is where the processing of the personal data is necessary “for the establishment, exercise or defence of legal claims (including, without limitation, arbitration and other structured and commonly recognised alternative dispute resolution procedures, such as mediation) or is performed by the [DIFC] Court acting in its judicial capacity” (Section 11(f)). It is not clear whether the legal claim must be one to which the data subject is a party or otherwise connected. There are also restrictions on where certain personal data can be stored and/or transferred.
The ADGM’s data protection law, the ADGM Data Protection Regulations 2015 (as amended), protects personal data in a similar fashion to the DIFC. Personal data is subject to relatively stringent controls, and sensitive personal data is subject to extra protections. Personal data must be processed fairly, lawfully, and securely, and for specified, explicit, and legitimate purposes. Again, as with the DIFC’s law, the processing must either be by consent or one of the other grounds must apply. As with the DIFC’s law, none of these grounds make reference to judicial or arbitral proceedings but, arguably, some of the grounds could be construed so as to include judicial or arbitral proceedings. Processing of sensitive personal data requires additional consent or one of the other grounds to apply. None of these grounds refer to judicial or arbitral proceedings or legal claims but, arguably, some could be construed to include these. There are also restrictions on where certain personal data can be stored and/or transferred.
DHCC has its own data protection regulation relating to patient health information (DHCC Data Protection Regulation No. 7 of 2013). The regulation introduces rules on what data can be collected (it must be necessary for a lawful purpose, though “lawful purpose” is not defined in the regulation), how it must be stored, and how, if at all, it may be transferred and to where.
Those involved in arbitrations should consider whether the personal data (including personal data from or relating to any of the DIFC, ADGM, or DHCC):
The application of UAE data protection laws
Many aspects of a “standard” arbitration require the accessing, collection, processing, storage, and dissemination of data. It is essential that all participants in an arbitration – arbitrators, parties, counsel and experts – consider their obligations in respect of data protection. Issues to consider include:
In practice, participants in arbitrations should: