In recent years, the United Arab Emirates (UAE) has joined a growing list of countries in the Middle East and North Africa (MENA) to begin legislating data privacy. That’s an encouraging step toward developing a regional and international framework for organizations to follow in safeguarding individuals’ personal data. However, during the same time period, the UAE’s government has been accused of (mis)using data to surveil its own citizens and quash dissent.
For companies that do business in the UAE, navigating these legal and ethical contradictions can be challenging, especially given the lack of an independent national media to report the facts (Reporters Without Borders’ 2019 Press Freedom Index ranked the UAE 133rd out of 180 countries).
Here, we’ll take a look at the current state of data privacy in the UAE. We’ll examine the laws in place today and new ones on the horizon. We’ll also discuss how companies can operate in a nation whose approach to big data is progressive in some ways, and authoritarian in others.
Data Privacy Laws in the UAE and the Free Zones
At the moment, data privacy laws in the UAE are complex and piecemeal. This is partly a function of the UAE’s unusual division between the areas under federal jurisdiction, and the UAE Free Zones, which are subject to their own laws.
Free Zone Laws
The Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) each have data protection laws in place that GSMA calls “generally consistent with data protection laws in other developed jurisdictions.” In July 2019, DIFC announced plans to update its 2007 data protection law, to incorporate elements of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). ADGM passed several GDPR-inspired amendments to its data protection laws in 2018, including imposing stricter requirements for data controllers to report a breach and an increase in the maximum fine for noncompliance.
On the federal level, the UAE doesn’t have overarching data privacy legislation in place, though there are laws governing specific sectors, and signs that further regulations are on the way. Mohammad Al Zarooni, Director of the Policies and Programs Department at the Telecommunications Regulatory Authority, has said that a federal law, similar to GDPR, is in the works. Specifically, Al Zarooni said that the Emirati government plans to execute 60 data security initiatives in the next three years, starting with critical infrastructure such as utilities, health, and agriculture.
In February 2019, the UAE released Federal Law No. 2 of 2019 (known as the Health Data Law), which emphasizes many of the same concepts as GDPR, although with some significant departures.
Among other things, the law has specific requirements around the following:
* Data retention: Providers must retain information for not less than 25 years from the date of a patient’s last procedure. GDPR does not share this requirement and, in fact, mandates that data not be kept for longer than is necessary for processing.
* Data localization: The law prohibits health data from being transferred outside the UAE, with limited exceptions.
* Data processing: Health providers must ensure that data is accurate, secured, and used only for its intended purpose, and providers may not share data without consent.
* Data security: The Health Data Law mirrors the GDPR in requiring businesses to comply with international best practices in securing health data, and specifically stipulates that only authorized personnel are permitted to access health data.
* Data centralization: The law establishes the creation of a centralized data management system, operated by the Ministry of Health, through which health providers will access, store, and exchange data.
The UAE has also released a national Internet of Things (IoT) regulatory framework, which is informed by GDPR and emphasizes the importance of purpose limitation (data used only for its stated purpose), data minimization (no more collection than is needed for processing), and storage limitation (identifiable data stored only for the time needed for processing). The framework also requires any entity that offers IoT services, regardless of where it is headquartered, to register with the government.
Grappling With Concerns Over UAE’s Surveillance State
While the UAE’s push for data privacy legislation puts it in line with other countries, it’s impossible to make a fair assessment of privacy in the UAE without examining the ways in which the government has failed to respect the privacy of the people within its borders.
In early 2019, Reuters broke the story of Project Raven, a secret program conducted by the UAE government to spy on journalists, activists, and dissidents in the UAE. This program, which was largely administered by ex-NSA employees, used a cutting-edge cyberwarfare tool called Karma, with which operatives could remotely access targets’ iPhones, and all the photos, texts, and location information therein. Project Raven spied not just on Emirati citizens but also on foreigners, including Americans, and the story has led to calls for greater restrictions on how intelligence officials should be allowed to employ specialized cyberwarfare tools when working for foreign nations.
Then, in December 2019, the New York Times reported that ToTok, a popular messaging app in the UAE (where Skype and WhatsApp are restricted), was actually a spy tool designed “to try to track every conversation, movement, relationship, appointment, sound, and image of those who install it on their phones.” Even more disquieting, the Times found that employees of the app’s parent company bragged on LinkedIn that their tools were capable of finding individual faces from amongst billions of video feeds. In response to these concerns, Apple and Google both removed ToTok from their app stores (though Google later reinstated it), but by then it had already been downloaded millions of times by users around the world.
The Emirati government consistently denies that there is anything nefarious in its data collection policies. The Telecommunications Regulatory Authority (TRA) responded to the ToTok story by maintaining that it “imposes strict standards to protect users’ privacy, which are in compliance with international standards.” Yet the UAE has also jailed human rights activists for speaking out against the government, and in 2019, detained a British woman for calling her ex-husband’s new wife a “horse” on Facebook.
In light of these stories, businesses should think critically about the UAE government’s insistence that data be stored locally, its push for centralized data management platforms, and its requirements for government registration.
Managing Data Privacy While Doing Business in the UAE
For the present, handling data in the UAE requires a delicate balancing act. Businesses must become compliant with current laws, prepare for their likely evolution, and think carefully about how to respect the law while working in a country where data can easily be misused.
On the compliance front, the most demanding aspects of the UAE laws concern localization and retention. Doing business in the UAE requires businesses to have access to local servers and commit to storing data on them for years. Meanwhile, the UAE’s requirements around security are focused on access management, and an identity platform like Auth0 can ensure that access to sensitive data is restricted to the right people.
Compliance aside, businesses should exercise caution around data in the UAE. Examine your data collection policies to ensure that you’re not potentially endangering your users. Train any employee you send to the UAE in how to minimize risk, including on their personal devices.
Make Data Privacy an Ongoing Project
For companies doing business in the UAE, there are few simple answers when it comes to using data in ways that are simultaneously legal, ethical, and profitable. Rather, achieving compliance while respecting your users’ security is a conversation that you’ll need to keep having as laws, politics, cybersecurity threats, and best practices evolve.
Fortunately, though, you don’t have to navigate these complex issues alone. At Auth0, data privacy and security are at the heart of every feature on our platform, and we maintain constant awareness of data privacy legislation around the world. Reach out to our dedicated experts to learn more about how the right identity and access management platform can be the key to adapting your data strategy to changing laws and changing times.
The Auth0 Identity Platform, a product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.