Tim Elliott
Welcome to Lawgical, the first regular podcast navigating the latest legal updates here in the United Arab Emirates. I’m Tim Elliott, and as ever, I’m with Ludmila Yamalova, Managing Partner of the Dubai-based legal firm, Yamalova & Plewka. Always good to be able to speak with you, Ludmila.
Ludmila Yamalova
So good to be talking to you too, Tim, as always.
Tim Elliott
Well, I’m going to have to try and keep up with you here and understand all the acronyms and terms, but UAE data privacy laws and the use of facial recognition technology—it’s a topic that I always think we’re kind of aware of, but that most of us maybe don’t think about too much.
Ludmila Yamalova
Indeed. And it is a very important topic, especially with the increasing use of biometric technologies, particularly in the UAE, like facial recognition. So, we’re seeing parallels and contrasts between the UAE’s approach and what’s established under the EU’s General Data Protection Regulation, which is commonly referred to as GDPR.
Tim Elliott
Okay, so let’s get into it. What are the key UAE data privacy laws that govern the use of facial recognition technology, and how do they compare with the EU’s GDPR?
Ludmila Yamalova
The key regulations here in the UAE are: one, Federal Decree Law No. 45 of 2021, also known as the Personal Data Protection Law, or PDPL. A little bit of a mouthful! This law came into effect on January 2, 2022, but its executive regulations are still pending, which is delaying the full enforcement or implementation of this law.
This Personal Data Protection Law outlines broad principles for the collection and processing of biometric data such as facial recognition. So, in many ways, in its current form, it’s very similar to the EU GDPR, which also places heavy emphasis on protecting personal data, including biometrics.
One key similarity between the PDPL, which is the UAE’s version, and GDPR is the requirement for explicit consent before personal data can be processed. In other words, there has to be explicit consent to ultimately collect and process facial recognition data. Both laws mandate that individuals must be informed about how their data will be used and must give clear and affirmative consent.
Tim Elliott
Businesses in both the UAE and the EU need explicit consent to use facial recognition data. But are there any major differences between the law here in the UAE and the EU’s GDPR in that respect?
Ludmila Yamalova
Yes. While both PDPL and GDPR emphasize explicit consent, the GDPR provides more detailed guidelines on the conditions for consent, especially when it comes to specific categories of personal data like biometrics.
Under the GDPR, the definition of “freely given” consent is particularly stringent. There must be a clear distinction between consent and other terms of service. In the UAE, on the other hand, the law also requires that consent be clear and unambiguous, but we’re still waiting for the executive regulations to clarify some of the finer details, such as what constitutes freely given consent in practice.
Tim Elliott
Right, I’m still with you. So next question—are there specific requirements for how biometric data should be stored here in the UAE? How does that compare with the EU under GDPR regulations?
Ludmila Yamalova
Both laws require that personal data be stored securely. But in Europe, the GDPR, for example, provides more specific guidance on technical and organizational measures like encryption and pseudonymization.
In the UAE, the PDPL mirrors some of these general principles, emphasizing the importance of data security and confidentiality. However, we’re still waiting for more detailed requirements in the UAE through the forthcoming executive regulations.
So, kind of the grassroots are similar, but the specific mechanisms are yet to be seen in the UAE. The GDPR goes a step further at this point with the concept of data minimization. For example, it ensures that only the minimal amount of personal data necessary for the purpose is collected and stored.
While the UAE’s PDPL has similar principles, the European version of the law has much more detailed enforcement guidelines, making it very clear how it would be implemented and how strict the punishment for violations would be. In the UAE, the general principles are in place, but in terms of enforcement and penalties, that’s something to be addressed in the executive regulations.
Tim Elliott
What happens if a company needs to transfer facial recognition data outside of the UAE? Are the rules similar to what we see in the European Union?
Ludmila Yamalova
Indeed, they are. There are close similarities between the PDPL and GDPR in this area. Under the GDPR, personal data can only be transferred outside of the EU if the destination country provides an adequate level of protection—so it must be similar in its stringency.
Similarly, Article 22 of the UAE’s PDPL prohibits the transfer of personal data outside the UAE unless the destination country has data protection laws that offer adequate protection. So, I’d emphasize that it’s not just about what’s written in the law but how it is enforced.
For the UAE to allow such a transfer, there must be confidence that the data will be protected and that violations will be enforced in a similar manner to the UAE. GDPR also allows for mechanisms like standard contractual clauses and binding corporate rules to facilitate such transfers.
The UAE law mentions contractual arrangements in Article 23, but we don’t yet have specifics about what those agreements will look like. Again, the details will need to be addressed in the executive regulations.
Tim Elliott
What constitutes valid customer consent under UAE law compared to the EU?
Ludmila Yamalova
That’s a great question, and we’ve actually had a few clients recently who were curious about this. It’s what inspired this podcast episode.
At a high level, both the UAE’s data protection law and the EU’s data protection law require that consent be freely given, specific, informed, and unambiguous. Under GDPR, consent must be explicitly affirmative, meaning pre-ticked boxes are not valid.
Similarly, in the UAE, the law requires clear consent that can be withdrawn at any time. We expect the executive regulations will provide more granular details about how businesses should obtain and manage consent.
Both laws also empower individuals to withdraw consent easily. For instance, you can unsubscribe from newsletters or marketing emails much more efficiently now compared to the past. Both GDPR and the UAE’s PDPL require businesses to honor such requests.
Tim Elliott
Both laws, it sounds to me, give individuals control over their data. That’s good news. But what about legal risks? Are there any differences in how risks are managed under the two frameworks?
Ludmila Yamalova
Of course. Managing legal risks is crucial under both frameworks. Both laws mandate conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities, such as facial recognition technology.
The GDPR provides more detailed criteria for when a DPIA is required and has active regulators ensuring compliance. In the UAE, under Article 21 of the PDPL, businesses must also assess risks when processing sensitive data and implement measures to mitigate those risks.
While the PDPL closely follows the GDPR, the enforcement mechanisms in Europe, including hefty fines for non-compliance, are much more established. In the UAE, we expect more clarity on enforcement when the executive regulations are issued.
Tim Elliott
How can businesses using facial recognition in the UAE—and the EU, for that matter—best mitigate these risks?
Ludmila Yamalova
Businesses in both jurisdictions should start by conducting Data Protection Impact Assessments to evaluate and mitigate risks, particularly when handling biometric data.
Appointing a Data Protection Officer (DPO) is critical for businesses handling large amounts of sensitive personal data. This requirement exists under both laws.
Additionally, businesses should train their staff, document compliance efforts, and implement robust security measures such as encryption. Documentation is key—record everything to demonstrate compliance.
Lastly, businesses must stay updated on legal changes, especially in the UAE, where the executive regulations are expected to bring further clarity to data protection obligations.
Tim Elliott
Are there any other legal considerations that businesses should keep in mind?
Ludmila Yamalova
Yes. Beyond the PDPL, businesses in the UAE should also consider other laws, such as Federal Decree Law No. 38 of 2021 on Copyright and Neighboring Rights, or the UAE’s copyright law.
This law prohibits photographing or recording individuals without their explicit consent. It’s particularly relevant to businesses using facial recognition or providing technologies that capture facial data.
In addition to data protection laws, businesses must consider copyright regulations to ensure they’re not violating individuals’ rights over their personal data or images.
The UAE’s legal framework aligns with GDPR principles in many ways. However, the EU has a more advanced enforcement framework, while the UAE is still building and refining its approach.
Tim Elliott
So, if someone is running or planning to start a business using facial recognition technology in the UAE or EU, what’s the key takeaway?
Ludmila Yamalova
The key takeaway is vigilance. Businesses need to stay informed about their legal obligations and keep a close eye on forthcoming UAE regulations.
The PDPL provides a solid foundation for protecting personal data in the UAE. However, as this area is still evolving, businesses must be proactive in understanding the regulatory landscape and implementing compliance measures.
For example, we’ve had several clients interested in starting technology-based businesses in the UAE, including those involving facial recognition. They need to know what regulations apply and how to meet licensing requirements.
In the UAE, businesses cannot simply set up operations without a specific license aligned with their activity. The UAE is highly regulated in this space, especially when it comes to collecting sensitive data like facial recognition.
Tim Elliott
That adds another layer of complexity to doing business in the UAE, doesn’t it?
Ludmila Yamalova
Absolutely. In the UAE, businesses must have a specific license for the exact activity they plan to undertake. For instance, if you want to operate in the facial recognition space, you need to find the right economic zone that offers a license for that specific activity.
This can be a new concept for many foreign businesses unfamiliar with the UAE’s legal framework. It’s not as simple as setting up shop and starting operations. You need to ensure your business activity is covered by your license and understand the limitations of operating in that space.
The licensing process and legal obligations are more stringent for businesses handling highly sensitive data, like facial recognition.
Tim Elliott
That brings us to the end of another episode of Lawgical. We’ve explored UAE data privacy laws, the use of facial recognition technology, and compared the UAE’s PDPL with the EU’s GDPR in detail. Thanks, as always, to our legal expert, Managing Partner of Yamalova & Plewka, Ludmila Yamalova.
Ludmila Yamalova
Thank you, Tim. Great to chat as always.
Tim Elliott
Find us on Instagram, Facebook, LinkedIn, TikTok, YouTube, and wherever you get your podcasts. For UAE-centric legal insights and hundreds of podcast episodes, visit lylawyers.com. If you have a legal question, you can connect with an experienced UAE legal professional or suggest a topic for a future episode of Lawgical.