Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens. In a statement announcing the new law, Dubai called the enactment “pioneering in the region,” and an examination of the law reveals that the description is rightly deserved. The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.
Following a period of public consultation, Dubai (the Dubai International Financial Center, or DIFC) strengthened its previous data protection law of 2004, giving it some extra teeth and enhanced enforcement powers by a newly created independent Office of Commissioner of Data Protection. The law protects all “personal information”, which is broadly defined as “any information relating to an identifiable natural person.” The law also protects “sensitive data” such as information about a person’s political affiliation or racial identity.
Arguably the most significant aspect of the new law is its international transfer provisions, codified at Articles 11 and 12, which govern the transfer of personal data out of the DIFC to third countries. Like the European data directive, the Dubai law allows for the transfer of personal information to countries that offer an “adequate level of protection.” Transfer of information to countries that fall short of the adequacy requirement (such as, presumably, the United States) is permitted, provided, however, that the newly appointed data protection Commission gives its consent to the transfer.
The new law’s regulations specify that a data controller (e.g. an employer) must apply to the Commissioner of Data Protection for a permit to transfer the data to a country with less than adequate protection. Unfortunately, however, the regulations do not specify which countries qualify as offering an adequate level of protection, although one would not be surprised if Dubai simply adopted the EU’s list of “certified” countries, such as Argentina, Switzerland, Canada, and the Isle of Man.
Fortunately, the application process is greatly simplified by a well-drafted and user-friendly application that may be filled out by the data controller and sent to the Commissioner (there is no fee for the application to seek a permit to transfer data; nor is there a fee to apply for a permit to process sensitive data, also required under the Act).
While it remains to be seen how strictly the new data protection law is enforced, employers operating in Dubai would be well-advised to comply with its provisions. Based on the text of the law and its similarities to the EU model, one would not be surprised to find the EU soon anointing Dubai as the first Arab nation to have a data protection law that offers substantially similar protections, allowing for the free transfer of data.