UAE Data Privacy Laws and Facial Recognition Technology: A Comparative Approach with the EU GDPR

With the growing number of facial recognition technologies in use in the UAE, organizations are, or at least should be, increasingly attentive to some quite strict data privacy laws. This Q&A discusses some key issues relevant to the use of facial recognition technologies, namely consent, data transfers, and risk mitigation, under the UAE’s Personal Data Protection Law (PDPL) as compared with the EU’s General Data Protection Regulation (GDPR).

Q1: The UAE has passed legislation on data protection that regulates facial recognition technologies. How does this differ from the EU’s General Data Protection Regulation?
The Federal Decree Law No. 45 of 2021, referred to herein as the PDPL and now in force, is the law governing the processing of personal data in the UAE, including, but not limited to, biometric data such as facial recognition data. Under the PDPL, explicit consent must be obtained before an individual’s biometric data may be collected or otherwise processed, although the much-needed guidance to be provided by the Executive Regulations has yet to be published.
By contrast, the GDPR in the European Union also requires express consent and contains substantive provisions on the processing of special categories of data, such as biometric information. While the underlying principles are similar, the GDPR is more precisely defined as to the manner in which consent must be given, and indeed as to what constitutes consent in the first place.

Q2: What constitutes explicit consent to the use of facial recognition data under the UAE’s PDPL and the EU’s GDPR?
Under both the PDPL and the GDPR, consent must be explicit, informed, and affirmative before any personal data is processed. Put simply, UAE data subjects need to know what their facial recognition data will be used for and approve this of their own free will. The GDPR, however, has elaborated in strict terms on what constitutes “freely given” consent, so that consent cannot be bundled with other terms of service.
Both laws also give individuals the right to withdraw consent at any time, and businesses must comply with this request.

Q3: According to the PDPL and the GDPR, how must a business store biometric data for that storage to be considered secure?
Both the PDPL and the GDPR stress the importance of secure storage. Both require technical and organizational measures to protect personal data, including encryption, to guard against compromise, and pseudonymization, to minimize the identifiability of the data should it be compromised.
The GDPR explicitly enumerates data minimization, to ensure that no more than the minimum necessary data is collected and stored. The PDPL mirrors these principles, but further explanation of local versus cloud storage solutions is awaited from the upcoming Executive Regulations.

Q4: How are cross-border transfers of facial recognition data regulated in the UAE and the EU?
Under both the PDPL and the GDPR, cross-border data transfers are highly regulated. Under Article 22 of the PDPL, the transfer of personal data, and hence of facial recognition data, outside the UAE is not permitted unless the destination country provides an adequate level of protection.
The GDPR likewise prohibits transfers to third countries that do not offer adequate protection, but it provides mechanisms for such transfers in the form of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PDPL similarly contemplates transfers based on contractual agreements, but the details will be set out in the Executive Regulations.

Q5: What is valid consent under the UAE’s PDPL, and what is the position under the GDPR?
Both the PDPL and the GDPR have the following requirements for valid consent:
• Freely given, specific, informed, and unambiguous.
• Easily revocable: the data subject must be able to withdraw consent at any time.
Explicit consent under the GDPR has very clear limits, notably ruling out pre-ticked boxes or implied consent. The PDPL takes a broadly similar approach but is still awaiting more detailed interpretation of how businesses should ensure they obtain valid consent.

Q6: What are the legal risks associated with the use of facial recognition technology, and how can businesses in the UAE and the EU mitigate them?
Data breaches and failure to comply with the law present the most serious legal risks in both the UAE and the EU. To mitigate these risks, businesses ought to:
• Subject the processing to a Data Protection Impact Assessment (DPIA). Both the PDPL and the GDPR are quite explicit that high-risk processing, such as the use of facial recognition technology, must undergo a DPIA.
• Designate a Data Protection Officer (DPO) where large volumes of sensitive personal data are being processed, another fundamental requirement under both the PDPL and the GDPR.
• Put in place robust technical and organizational controls, including data encryption and periodic audits to demonstrate compliance.

Q7: What other legal considerations should businesses take into account when using FRT within the UAE?
In addition to the PDPL, it is important to note that Federal Decree-Law No. 38 of 2021 on Copyright and Neighbouring Rights prohibits filming or photographing a person without their free consent. This adds another dimension, ensuring that a person’s image is not filmed or distributed without permission.
This largely aligns with the GDPR’s approach, which protects permission-based privacy rights, along with control over one’s own image.

Conclusion:
While the UAE’s PDPL and the EU’s GDPR both provide a robust framework for the protection of biometric and facial recognition data, the issuance of the Executive Regulations in the UAE is still awaited. In practical terms, businesses will be concerned with the mechanisms for effective data protection that ensure compliance.

Overview of UAE Data Privacy Laws and Use of Facial Recognition Technology

Facial recognition technology is one of the most rapidly expanding technologies in the United Arab Emirates, especially in security, retail, and customer service. At the same time, such technologies raise key questions about privacy and legality. This blog covers a few of the frequently asked questions a business may have when using the technology, together with a current summary of data privacy legislation in the United Arab Emirates.


Q1. What are the main UAE laws and regulations on data privacy and the use of FRT with regard to consent and data storage?
The Federal Decree Law No. 45 of 2021 Concerning the Protection of Personal Data, or PDPL, is the main legislation and came into effect on January 2, 2022. However, the Executive Regulations, which will contain certain details needed for compliance, do not appear to have been issued yet, and this is likely to hold up the overall implementation process.
The PDPL sets out general principles for how personal data is processed, and to this effect the following shall be observed:
• Consent: A data subject should always provide explicit consent to the processing of their personal data, including facial recognition data, unless one of the exceptions specifically provided for under Article 4 applies.

• Storage: Storage of the data must be secured. Specific details on storage will be provided once the Executive Regulations are issued.


Q2: What is the position of the law with respect to the protection of biometric data, and is there any mandate on local or cloud storage solutions?
The PDPL prescribes general criteria on how to securely store biometric data, including facial recognition data. Some key concepts are:
• Technical and Organizational Measures: The controller shall adopt the necessary measures to ensure the availability, confidentiality, and integrity of the personal data, in accordance with Article 20.
• Procedure for Local or Cloud Storage: Details concerning cloud storage have not yet been issued in the Executive Regulations; in any case, whichever form of storage is used, whether local or cloud, it must ultimately meet the legal requirements for security.


Q3: What law and regulation governs the export of biometric data outside of the United Arab Emirates, and what must be done to make such exports compliant?
Article 22 of the PDPL prohibits any transfer of personal data, including biometric data, outside the United Arab Emirates unless the recipient country provides adequate protection for the rights of data subjects. Article 23 provides exceptions to this general rule in the following cases:
• Contractual Protections: an agreement between the sending and receiving entities to apply the provisions of the PDPL to the information.
• Explicit Consent: the data subject has explicitly consented to the transfer.

• Contractual Necessity: the transfer is necessary for the performance of a contract between the controller and the data subject.

The Executive Regulations, anticipated shortly, will provide additional clarity regarding the cross-border transfer of personal data.


Q4: What is considered consent from a consumer, and what is our responsibility to ensure this is clear and to make them aware of how their data is used?

The PDPL sets a high bar for any processing of personal data, as it requires informed, unambiguous, and affirmative consent.
• Clear and Explicit Consent: The consent process should be intelligible, and the purpose of the data collection must be clearly identified. In practice, this means a clear request with clearly defined objectives for the collection.

• Right to Withdraw Consent: Consent must be able to be withdrawn with ease at any point in the process.
• Exemptions from Consent: Consent is not required for archiving purposes or for scientific, historical, or statistical research, provided existing laws are adhered to. Data subjects have numerous rights, including the right to object to data processing and the right to erasure of personal data when consent is withdrawn.


Q5: How might we mitigate most legal issues surrounding face recognition? What are some potential risks?
Facial recognition technology presents a few legal pitfalls, mainly relating to violations of data privacy and the handling of sensitive biometric data. Businesses need to address this by mitigating risk through:
• Impact Assessments: A data protection impact assessment is required where a controller or processor carries out, on a large scale, automated data processing or the processing of sensitive personal data such as facial recognition data as part of its business model. It involves assessing whether the processing of the relevant data is necessary and fair, listing any risks that might arise from the processing, and proposing ways to eliminate those risks (Article 21).
• Data Protection Officer: Article 10 requires an organization to designate a Data Protection Officer (DPO) to ensure legality, having regard to, among other factors, the volume and sensitivity of the data processed.

• Compliance with Copyright Law: It is also pertinent to refer to Federal Decree-Law No. 38 of 2021 on Copyright and Neighboring Rights, which prohibits taking pictures of or recording a person without the subject’s permission. Hence, consent is required under Article 45 before collecting biometric data.


This blog provides a clear and detailed overview of the key legal considerations surrounding facial recognition technology in the UAE. As the Executive Regulations have not yet been issued, businesses need to prepare for the changes to come and make sure their systems can adapt to requirements that may arise in the future. If you need further guidance or have any specific legal queries, please feel free to reach out to us for a consultation.