Facial recognition technology is one of the rapidly expanding in the United Arab Emirates, especially in security, retail, and customer service. On the other hand, such technologies raise key questions about privacy and legality. This blog will cover a few of the frequently asked questions a business may have when using the technology, with a current summary of the data privacy legislation in the United Arab Emirates.

 

Q1. What are the main UAE laws and regulations in relation to data privacy and the use of FRT regarding consent and data storage?
The Federal Decree Law No. 45 of 2021 Concerning the Protection of Personal Data, or PDPL, basically sets the main legislation and came into effect on January 2, 2022. However, the Executive Regulations seem not to be issued yet, including certain data needed for compliance, and therefore are likely to hold up the overall implementation process.
The PDPL sets general principles of how personal data is processed, and to this effect, the following shall be observed:
• Consent: A data subject, in the absence of any exceptions that shall be specifically provided for, should always provide explicit consent to process their personal data, including face-recognizing information. This exemption is provided under Article 4.

• Storage: Storage of the data must be secured. Once the Executive Regulations are out, specific details on storage will be provided.

 

Q2: What is the position of the law with respect to the protection of biometric data, and is there any mandate on solutions for storage locally or on the cloud?
The PDPL prescribes general criteria on how to securely store biometric data, including facial recognition. Some key concepts are:
• Technical and Organizational Measures: The controller shall adopt the necessary measures to ensure availability, confidentiality, and integrity of the personal data in accordance with Article 20.
• Procedure for Local or Cloud Storage: Details concerning cloud storage have not been issued by the Executive Regulations; in any case, whichever form of storage is used—whether local or through the cloud—it should ultimately address the legal requirements for security.

 

Q3: What is the law and regulation that governs the export of biometric data outside of the United Arab Emirates, and what to do in order to render any exports compliant?
Article 22 of the PDPL prohibits any transfer of personal data, including biometric data, outside the United Arab Emirates unless the recipient country provides adequate protection for the rights of data subjects. Article 23 does provide an exception to this general rule in the following:
• Contractual Protections: An agreement to apply the provisions of the PDPL between the receiving and sending entities regarding the information.
• Explicit Consent: The data subject has explicitly consented to the transfer.

• Contractual Necessity: the transfer is necessary for the performance of the contract between the controller and the data subject.

The Executive Regulations, anticipated shortly, will provide additional clarity regarding the cross-border transfer of personal data.

 

Q4: What is considered consent from a consumer, and what is our responsibility to ensure this is clear and to make them aware of how their data is used?

The PDPL sets a high bar for any processing of personal data, given that it requires informed, unambiguous, and affirmative consent.
• Clear and Explicit Consent: The process of consent should be intelligible, and the purpose for information collection must be clearly identified. Here, the source is a clear request with clearly defined objectives regarding the collection.

• Right to Withdraw Consent: Consent must be able to be withdrawn at any point in the process with ease.
• Exemptions from Consent: Consent is not required for archive purposes or for scientific, historical, or statistical research, provided the laws in existence are adhered to. Information providers have numerous rights, including the right to object to data processing and the right to erasure of personal information when consent is withdrawn.

 

Q5: How might we mitigate most legal issues surrounding face recognition? What are some potential risks?
Facial recognition technology presents a few legal pitfalls; it is mainly related to the violation of data privacy and sensitive treatment of biometric data. For businesses, one needs to address this in terms of mitigating risk by:
• Impact Assessments: Impact assessments on data protection shall be required where either automated data processing or processing of sensitive personal data, such as facial recognition, by a controller or processor forms part of the business model on a large scale. It involves looking at whether the processing of the relevant data is necessary and fair, listing any risks that might come up because of the processing, and suggesting ways to get rid of those risks (Article 21).
• Data Protection Officer: In light of but not limited to volume and sensitivity, Article 10 necessitates an organization to designate a Data Protection Officer (DPO) to ensure legality.

• Compliance with Copyright Law: It is pertinent also to refer to Federal Decree-Law No. 38 of 2021 on Copyright and Neighboring Rights, which prohibits taking pictures or recording a person without the permission of the subject thereof. Hence, consent is required under Article 45 before collecting biometric data.

 

This blog provides a clear and detailed overview of the key legal considerations surrounding facial recognition technology in the UAE. Businesses need to get ready for changes that are going to come and make sure their systems are adaptable to needs that may arise in the future, as the Executive Regulations have not been issued yet. If you need further guidance or have any specific legal queries, please feel free to reach out to us for a consultation.