With the growing use of face recognition technologies in the UAE, organizations are, or at least should be, paying closer attention to some quite strict data privacy laws. This Q&A discusses the key issues relevant to the use of face recognition technologies, namely consent, data transfers, and risk mitigation, under the UAE's Personal Data Protection Law (PDPL) and the EU's General Data Protection Regulation (GDPR).
Q1: The UAE has passed legislation on data protection that regulates facial recognition technologies. How does this differ from the EU’s General Data Protection Regulation?
Federal Decree Law No. 45 of 2021, referred to herein as the PDPL and now in force, is the law governing personal data processing in the UAE, including, but not limited to, biometric data such as facial recognition data. Under the PDPL, an individual's explicit consent must be obtained before their biometric data is collected or otherwise processed, although the much-needed guidance expected from the Executive Regulations has yet to be published.
By contrast, the GDPR in the European Union requires explicit consent and also contains substantive provisions on the processing of special category data, which includes biometric data (Article 9). While the underlying principles are similar, the GDPR is more precisely drafted as to the manner in which consent is obtained and what constitutes consent in the first place.
Q2: What does explicit consent under the UAE's PDPL and the EU's GDPR require when facial recognition data is used?
Under both the PDPL and the GDPR, consent must be explicit, informed, and affirmative before any personal data is processed. In practice this means that UAE data subjects must be told what their facial recognition data will be used for and must approve that use of their own free will. The GDPR goes further in spelling out, in strict terms, what "freely given" consent means, so that consent cannot be bundled with other terms of service.
Both laws also give individuals the right to withdraw consent at any time, and businesses must honour such a request.
Q3: Under the PDPL and the GDPR, how must a business store biometric data for that storage to be considered secure?
Both the PDPL and the GDPR attach considerable importance to secure storage. Both require technical and organizational measures to protect personal data, including encryption, so that the data cannot be read if it is compromised, and pseudonymization, so that if data is compromised it identifies the individual as little as possible.
The GDPR explicitly enumerates data minimization as a principle, ensuring that no more than the minimum data necessary is collected and stored. The PDPL adopts the same principles, but further guidance on local versus cloud storage solutions is awaited from the upcoming Executive Regulations.
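The controls named in this answer (encryption, pseudonymization, data minimization, consent bound to a purpose, and withdrawal of consent) can be illustrated in code. The following is an added example written for this page, not code from the article or from any regulator: a minimal biometric template store that keeps only the model's embedding vector rather than the photo, replaces the real identifier with a keyed HMAC pseudonym so that a leaked table cannot be joined back to names without the key, refuses to match a template for a purpose other than the one consented to, and treats withdrawal as deletion. The store, its method names, the cosine threshold and the separate key-holding identity service are all assumptions of the example; encryption at rest of the table itself is left to a real library and is not shown.

```python
"""Added example: biometric template store applying pseudonymization,
data minimization and purpose-bound consent. Illustrative only; the
class and method names are assumptions, not from any standard or law."""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the real identifier.
    The key is assumed to live with a separate identity service, so a
    copy of the template table alone cannot be re-identified."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


def cosine(a: list[float], b: list[float]) -> float:
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class TemplateRecord:
    embedding: list[float]  # minimised: the model's vector, never the image
    purpose: str            # the purpose the data subject consented to
    consented_at: str       # ISO-8601 timestamp of that consent


@dataclass
class TemplateStore:
    # Fresh random HMAC key per store (an assumption; in practice held by a
    # separate identity service and rotated under key-management policy).
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _records: dict[str, TemplateRecord] = field(default_factory=dict)

    def enrol(self, subject_id: str, embedding: list[float],
              purpose: str, consent_given: bool) -> str:
        """Store a template under a pseudonym; refuse without explicit consent."""
        if not consent_given:
            raise PermissionError("explicit consent required before biometric processing")
        pid = pseudonym(subject_id, self._key)
        self._records[pid] = TemplateRecord(
            list(embedding), purpose, datetime.now(timezone.utc).isoformat())
        return pid

    def match(self, probe: list[float], purpose: str,
              threshold: float = 0.9) -> list[str]:
        """Return pseudonyms of matching templates, but only those whose
        consent covers the stated purpose; other records are skipped."""
        return [pid for pid, rec in self._records.items()
                if rec.purpose == purpose and cosine(probe, rec.embedding) >= threshold]

    def withdraw(self, subject_id: str) -> bool:
        """Withdrawal of consent is implemented as deletion of the template."""
        pid = pseudonym(subject_id, self._key)
        return self._records.pop(pid, None) is not None


if __name__ == "__main__":
    # Constructed sample data: a 3-dimensional "embedding" stands in for a
    # real face template, which is what a model would actually output.
    store = TemplateStore()
    pid = store.enrol("alice", [1.0, 0.0, 0.0], "building-access", consent_given=True)
    print("stored under pseudonym", pid)
    print("access match:", store.match([0.99, 0.1, 0.0], "building-access"))
    print("marketing match (no consent for that purpose):",
          store.match([0.99, 0.1, 0.0], "marketing"))
    print("withdrawn:", store.withdraw("alice"))
    print("after withdrawal:", store.match([1.0, 0.0, 0.0], "building-access"))
```

The pseudonym is keyed rather than a plain hash because the set of real identifiers (employee numbers, national IDs) is small enough that an unkeyed hash could be reversed by enumeration; the purpose check in `match` is what turns "consent for one use" into an enforced control rather than a policy statement.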
Q4: How are cross-border transfers of facial recognition data handled in the UAE and the EU?
Under both the PDPL and the GDPR, cross-border data transfer is highly regulated. Under Article 22 of the PDPL, personal data, and therefore facial recognition data, may not be transferred outside the UAE unless the destination country provides an adequate level of protection.
The GDPR likewise prohibits transfers to third countries that do not offer adequate protection, but it provides mechanisms for such transfers in the form of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The PDPL similarly contemplates transfers based on contractual agreements, but the details are left to the Executive Regulations.
Q5: What constitutes valid consent under the UAE's PDPL, and what is the position under the GDPR?
Both the PDPL and the GDPR have the following requirements for valid consent:
• Freely given, specific, informed, and unambiguous.
• Easily revocable: the data subject must be able to withdraw consent at any time.
Explicit consent under the GDPR has very clear limits, notably ruling out pre-ticked boxes and implied consent. The PDPL takes a broadly similar approach but still awaits more detailed guidance on how businesses should ensure they obtain valid consent.
Q6: What are the legal risks associated with the use of facial recognition technology, and how can businesses in the UAE and the EU mitigate them?
Data breaches and non-compliance present the most serious legal risks in both the UAE and the EU. To mitigate these risks, businesses ought to:
• Subject the processing to a Data Protection Impact Assessment (DPIA). Both the PDPL and the GDPR require a DPIA for high-risk processing, and the use of face recognition technology is such an activity.
• Designate a Data Protection Officer (DPO) where large volumes of sensitive personal data are processed, a requirement under both the PDPL and the GDPR.
• Implement robust technical and organizational controls, including encryption of the data and periodic audits to demonstrate compliance.
Q7: What other legal considerations should businesses bear in mind when using FRT within the UAE?
In addition to the PDPL, it is important to note that Federal Decree-Law No. 38 of 2021 on Copyright and Neighbouring Rights provides that filming or photographing a person without their free consent is prohibited. This adds another dimension: a person's image may not be filmed or distributed without permission.
This largely aligns with the GDPR philosophy, which protects permission-based rights to privacy, including control over one's own image.
Conclusion:
While the UAE's PDPL and the EU's GDPR both provide a robust framework for the protection of biometric and facial recognition data, the issuance of the Executive Regulations in the UAE is still awaited. In practical terms, businesses should focus on the mechanisms for effective data protection that will ensure compliance.